Internet, Security, technology, Web, Wi-Fi

Hosted Unifi controller with Let’s Encrypt SSL take 2!

November 16, 2018November 9, 2021 | be3n

UPDATE 11-09-21: Discovered the amazing acme.sh tool! check it out!

I visited this idea months ago, but for anyone who implemented it, it has been a nightmare. Each subsequent Unifi controller update broke the https in new and exciting ways. After remaining a very squeaky wheel with Ubiquity support, they’ve pushed out a version that should permanently resolve the problems. They even made promises of native Let’s Encrypt support. All this will prove true of false with time, but for now i wanted to share my working procedure for Unifi controller version 5.9.32.

This solution required me to become more familiar with Java’s keytool then i would have otherwise. Unifi has a hardcoded keytool path and password, don’t change that (thanks Corey F @ubnt). i don’t think alias matter, but they must be consistent. I used mykey. We start by generating a key and a code signing request for our domain. For permissions reasons, we will want to do this as root. . .
cd /var/lib/unifi keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore keystore -dname "CN=custom.domain.name" -storepass aircontrolenterprise
Now we export the csr file we will give to Let’s Encrypt.
keytool -certreq -alias mykey -keystore keystore -file custom.domain.name.csr -ext san=dns:custom.domain.name -storepass aircontrolenterprise
Now we run the interactive certbot script to prove the domain is actually yours before they hand out a cert. Follow the instructions you can use DNS or hosting a file to verify.
certbot certonly --manual --csr custom.domain.name.csr
Continue reading “Hosted Unifi controller with Let’s Encrypt SSL take 2!” →

art, Culture, hardware, Internet, Raspberry Pi, Recreation, retro, revolution, Science, Security, Software, technology, Travel, Wi-Fi

Back to reality after another amazing DEFCON!

August 15, 2018August 15, 2018 | be3n

I met a pile of incredible people. Bought some amazing toys (for science), some i’ve even got working. Saw some talks and demos. Talked to some of my heroes and listened to even more. I saw Ladar Levison talk about epoxying your ports and adding thermite to your hard drives. I played with the ECU of a fake car! now i just have finish building the DarkNet Badge! enjoy my pictures. The hat data is still being analyzed. I’ll try to build something out of it eventually.

Battlefield Las Vegas - Tank crushing car

Battlefield Las Vegas - Tank crushing car close

Continue reading →

Culture, hardware, Security, Soapbox, technology

My first purchase from a KeyMe kiosk and I have notes!

June 18, 2018July 25, 2018 | be3n

I have used MinuteKEY in the past to easily bypass DO NOT COPY keys. Today’s errand was more about a quick solution then a security bypass. I was just copying normal keys today. Here is what i learned. With MinuteKEY, you could only make batch copies of the same key. In fact, the MinuteKEY kiosk locked your key into the machine until all the copying is done. There were zero protections against DO NOT COPY keys. They do however print keys right there in a variety of styles and colors.

Continue reading “My first purchase from a KeyMe kiosk and I have notes!” →

Internet, Security, Software, technology

Hosted Unifi controller with Let’s Encrypt SSL!

April 12, 2018April 22, 2025 | be3n

UPDATE: this is all outdated, go here.

I have been consolidating some of my sites onto a single hosted Unifi controller. Documentation was outdated so I am going to post some useful info here. My original plan was to setup a basic apache2 site, use certbot to generate my certificates and then install them into the Unifi controller. The first frustration is that you cannot simply install the certs you want into the unifi controller. second frustration, java. once you get over that, it’s super easy.

I had some issues with the initial migration. i ended up having to start over. handy command to remove unifi controller with all it’s configuration and data. apt-get remove unifi --purge Just remember, you will need to reinstall Unifi after. It will be bran new and back to the wizard.

Getting started with SSL, I learned mostly from here. First create a CSR with unifi through command line…cd /usr/lib/unifi java -jar lib/ace.jar new_cert <hostname> <company> <city> <state> <country>

this creates unifi_certificate.csr.der and unifi_certificate.csr.pem inside the data directory where you already are (/usr/lib/unifi/). Now we need to feed the CSR into certbot. Note that at this point, i already have apache2 installed with a very simple virutalhost and site setup with the domain i am creating a cert for. Here is the command to feed the CSR generated by Unifi into certbot to be certified:
certbot certonly --apache --csr /usr/lib/unifi/data/unifi_certificate.csr.der

Certbot will make sure that domain is yours (and your apache config is working) and then output a signed cert and a chain that is almost everything you need to install the certificate back into the Unifi controller. Still in /usr/lib/unifi/data/ 0000_cert.pem is my signed cert and 0001_chain.pem is my signed cert plus the intermediate certificate. what’s missing is Let’s Encrypt’s Root certificate to validate the intermediate certificate and thus complete the chain of trust.

Continue reading “Hosted Unifi controller with Let’s Encrypt SSL!” →

Security, Software, technology, Wi-Fi

Stepping back into Wireless Security

October 18, 2017October 19, 2017 | be3n

wifi-crack Believe it or not, my home network actually used Radius authentication many years ago. Before I got a Nest (which still cannot connect to anything that isn’t open, WEP, or WPA/WPA2). At the time, I assumed the Nest app talked directly to the thermostat. Not true. It just needs internet to talk to it’s servers where it receives the commands and preferences from the app. Armed with that knowledge and recent revelations about the security of WPA2, I set to the task of reimplementing Radius on my network. First, I needed to asses which devices, like the Nest, would be unable to make the transition. Luckily, most of these devices don’t need anything more then internet access. One was moved to a hard line and the last attached to a Radius capable wireless bridge. I added a internet only wireless network for my embedded devices and moved my privileged network to Radius authentication. It was time to change my password anyway. Stay safe!

Continue reading “Stepping back into Wireless Security” →

Corporations, Internet, Security, Soapbox, Software, technology

SSL problem, it wasn’t me!

March 21, 2017 | be3n

broken key I just assumed that the problem was related to my recent SSL renewal. Turns out, Google security recently published Distrusting WoSign and StartCom Certificates and removed them from chrome. How did I miss this? It turns out that the SSL on my site has been broken on Chrome for some time. It must be that I have been using Brave recently as my daily browser. I moved this site to letsencrypt.org and it’s working fine for everyone now. I don’t even know how much time I waisted on this one. wow.

Internet, Security, Software, technology

So my SSL is broken? Chrome seems to think so…

March 20, 2017 | be3n

Chrome-your connection is not private

Please excuse all the errors while i try and figure out what I did wrong. Brave, Firefox, and Safari users unaffected.

hardware, Internet, Security, Software, technology

Ubiquiti’s USG router steps up with dual wan support!

March 13, 2017 | be3n

I was very excited to discover this feature listed in my Unifi controller today. You can now repurpose the VOIP port to act as a WAN2. The ironic part is that i don’t believe the VOIP port serves any actual VOIP function as of yet. I’ve been recommending these USG routers since I learned of their existence. Unfortunately a lot of my clients want dual WAN and until now, the Unifi Security Gateway fell short. No longer, Ubiquiti has a really great product line with the Unifi. I am continuously discovering great new innovation with the latest update to their software, firmware, or cloud platform. I have been waiting for this!

Culture, Security, technology

I found these cleaning my office! #TBT

February 2, 2017March 19, 2020 | be3n

Multiple badges from #defcon and a program from 6! anyone recall which defcon? guessing 6-8.Â This goes back to â€™99!Â no hacking these badges, unless. . .

hardware, Security, Software, technology, Web

Played with PoisonTap network hijacking tool

November 20, 2016April 22, 2025 | be3n

@SamyKamkar made an impressive and terrifying tool. This simple USB device steals your cookies, poisons your cache, and even persists a web backdoor. On a locked machine no less! It depends much on the trust that our computers take for granted. Trusting a USB device is not up to no good. Trusting the local network not trying to confuse. We must reexamine this trust going forward. It didn’t take long to get it up and running, however once you do, you can spend hours tinkering. (i was working to combine it with @mubix’s work here)

I am also delighted to have my first Raspberry Pi as a USB device rather then host. it is certainly exciting to create some new doodads using this dangerous toolkit.

UPDATE

I have since made a version without the cache attack. I completely failed to steal the poisontap visuals, but TheCodePlayer ~~offers~~ offered a delightful matrix animation. next step is to man in the middle ssl too. I’m turning it into a device that logs everything while connected, but doesn’t persist.

somethingdotsomething

Category: Security