ER-X - Use TLS Certificate for GUI

(September 28, 2016: This post has been updated since it was first published. Please scroll to the bottom for the changes.)

I have deployed a self-signed root CA to all family devices that I manage. Partly because I use this root CA for pixelserv-tls. I also issue certificates based on this root CA for other applications like IKEv2 IPsec VPN and OpenVPN.

Reasons to issue a certificate for the web interface:

  • natural and easy for me as I have the certificate infrastructure in place.
  • can access the web interface from iOS/Android devices without the hassle of accepting a new certificate every time the ER-X is reset or its firmware is upgraded.
  • Recently in v1.9, Ubiquiti introduced a bug that prevents the web interface from loading in major browsers other than Google Chrome. Users with a root CA + server certificate are not affected.
  • Sweet to access the web interface by hostname and see the green padlock.

My ER-X Dashboard

Generate a Server Certificate

For pixelserv-tls users it is very easy to generate a server certificate. In your DNS server, point the hostname of your choice, e.g. erx, at the IP address pixelserv-tls listens on, say 192.168.1.3. Then open https://erx in a browser. Afterwards the certificate file, named erx, is by default found in /opt/var/cache/pixelserv. This file contains both the certificate (public key) and the private key.

For other users, you can use EasyRSA or the openssl CLI. If it's your first time doing this, it takes a while. Why not try pixelserv-tls if you happen to have a device that runs Entware-ng?

How to Install the Server Certificate

Prepare the server certificate in a file named server.pem, which contains both the certificate (public key) and the private key, conventionally in that order although that is not strictly required, e.g.

-----BEGIN CERTIFICATE-----
MIICJDCCAQygAwIBAgIEVzB3qTANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxQ
aXhlbHNlcnYgQ0EwHhcNMTYwNTA5MTE0MjMzWhcNMjYwNTA3MTE0MjMzWjAVMRMw
BXyTJZzdfVh6FCcuK3C9iVIqUunOTFA5UkLiVTi/ISDtHSw2UfOcaKXhgpSdq1Fr
EASjFekxNwok0j9+oAwO+UOEaXkz+1HV/HFFKG0phQMzkBGyYcbFiHrcaPstbv+/
iz1UQgNbq2ZPPix5cbnm3jQB1P3EnETb+0eghgAMymF+TjctYnMvW7AMMmAqYnsk
xS9mCvml/mybfF++wGkObXBUhBcqq4L2
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALvvWhh1Q0jC6r5p
TiLmYRkKw3wgsI2fgEThb1pFV798SLkLBCadbXLwOyQdmaV6UFjw/O+vCGYSuUhV
v//+mwbOkG7Mk/g4bEQo4gmbVL4fLPYGB8CZMfGL9i1rZu6YwCPCI6Fp6VE+bNZu
n6MN6QJAVtZoC4wEwyt++T/N2qzTKTwr7AxOh6PjHia1BBueu/BbWmxZPwIhn4Rq
bSUbRCWSAJWN1VMqFeJkl65/UBtVUQJAJxc5UYbrYzZYQGqnO72D/vVJq76Zyj/B
vUuSa6F/KwDWUts=
-----END PRIVATE KEY-----

Step 1: Save server.pem to /config/auth/ on ER-X.

Step 2: Go to /etc/lighttpd.

sudo rm server.pem                              # remove the original file
sudo ln -s /config/auth/server.pem server.pem   # create a symbolic link

Step 3: Restart lighttpd for the change to take effect.

sudo killall -SIGINT lighttpd
sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

The symlink will survive a reboot but will most likely go away after a firmware upgrade. Let's find a proper fix for that next time.
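As an added example that is not code from the original post, from Ubiquiti or from pixelserv-tls, the script below covers both the "Generate a Server Certificate" section and the installation steps above: it issues a GUI certificate from a root CA with the openssl CLI, assembles server.pem in the certificate-then-key order lighttpd expects, and runs the checks worth doing before copying the file to /config/auth (key matches certificate, chain validates against the CA, hostname is in the SAN, not expiring soon, file not readable by others). The hostname erx, the address 192.168.1.1, the directory layout and every function name are assumptions; the demo root CA is constructed on the fly so the script runs stand-alone, and anyone with an existing CA points CA_DIR at it instead.

```shell
#!/bin/sh
# Added example (not from the original post): issue a server certificate for the
# ER-X GUI from a root CA, build server.pem (certificate first, then private key)
# and sanity-check it before installing. Hostname "erx" and 192.168.1.1 are
# hypothetical values; adjust them to your network.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="${CA_DIR:-$WORK/ca}"

# Throw-away root CA so the script runs stand-alone (constructed for the demo).
# If you already run a root CA, skip this and point CA_DIR at ca.key / ca.crt.
make_demo_ca() {
    mkdir -p "$CA_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Demo Root CA (constructed)" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# issue_server_pem HOST [IP]: prints the path of the assembled server.pem.
issue_server_pem() {
    host="$1"; san="DNS:$1"
    if [ -n "${2:-}" ]; then san="$san,IP:$2"; fi
    # Browsers match subjectAltName rather than CN, so every name or address
    # used to reach the GUI goes in the SAN. CA:FALSE keeps the certificate
    # from being usable to sign further certificates.
    printf '%s\n' "basicConstraints=CA:FALSE" \
        "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=$san" > "$WORK/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
    # The combined file carries the private key: create it owner-readable only.
    ( umask 077; cat "$WORK/server.crt" "$WORK/server.key" > "$WORK/server.pem" )
    echo "$WORK/server.pem"
}

# --- pre-install checks, usable on any server.pem, not only the one above ---

# 1. The certificate and the key in the file belong together (same public key).
pem_key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 2. The certificate chains to the root CA that the client devices trust.
pem_chains_to_ca() {
    openssl x509 -in "$1" 2>/dev/null \
        | openssl verify -CAfile "$CA_DIR/ca.crt" >/dev/null 2>&1
}

# 3. The hostname typed into the browser appears in the SAN extension.
pem_san_has() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# 4. Still valid for at least the given number of seconds.
pem_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# 5. Not readable by group or others, since the private key is inside.
pem_is_private() {
    [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]
}

# After Step 3 (or after `commit` in the CLI method): compare the fingerprint
# of the file with what the GUI actually serves. Needs the router reachable.
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
served_fingerprint() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}
```

Run it as `make_demo_ca; PEM=$(issue_server_pem erx 192.168.1.1)` and then call each `pem_*` check on `$PEM`; a non-zero exit from any of them is a reason not to copy the file to /config/auth yet. The SAN check matters most in practice: a certificate whose CN says erx but whose SAN lacks it is rejected by current browsers even when the chain is trusted.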

Update: September 28, 2016

Just found out EdgeOS CLI provides commands to set the GUI's certificate. Here we go:

$ configure
$ set service gui cert-file /config/auth/server.pem
$ commit
$ save

This way the certificate setting persists across reboots and firmware upgrades. Clean and neat!

Author

Stephen Yip
