TLS Certificate for Unifi with certbot/Let’s encrypt

I have a nifty new Unifi setup. Typically it runs on TLS with a self-signed certificate that won’t pass verification.

For things like the guest network splash page, it can be quite helpful to have a Unifi server with a TLS certificate that clients actually trust. In this case, the server runs on a LAN and is not by default routable from the outside world. Nor can a public CA issue a certificate for a private name (e.g. nick-unifi.summerwind.local, which is what the server would ordinarily resolve as), since the CA has no way to validate control of a name that does not exist in public DNS.

To do this, it was a bit of a kludge:

  1. Provision a routable domain name e.g. nick-awesome-unifi.example.org and set up DNS properly.
  2. Get a certbot certificate — set up Apache and certbot to do their magical handshake thing.
  3. I found someone who had written a handy script to slurp the Let’s Encrypt cert into Unifi, which I ran.
  4. Provision a local DNS entry such that your ordinarily public domain resolves to a local IP.

Thus the magic: your Unifi server will now serve HTTPS on the local network under a public domain name, with a certificate that browsers and devices accept without warnings.

Provisioning a suitable hostname

Head on over to your DNS provider/server for a valid domain, and then set the IP there to match your public IP.

Set up forwarding through your NAT router on 80 and 443 to the host that will run Apache. Let’s Encrypt’s HTTP-01 validation connects to port 80, so that is the forward that matters for issuance. Keep in mind the forward stays open between renewals, which makes Apache an internet-facing service: keep it patched, or only leave the forward in place while a renewal is due. (The DNS-01 challenge avoids forwarding any port at all, at the cost of scripting against your DNS provider’s API.)

Then you should be able to (from outside your LAN) reach a web server.

Set up Apache

You’ll want to install apache and openssl and all the related bits. Make sure at this point you can reach the Apache server and get the test page.

Set up Certbot

I used snap to install certbot, and then ran certbot, providing it with the public domain set up above.

Run Unifi slurp script

You’ll need to modify a few of the parameters (I run Ubuntu locally, so uncomment those lines and change it to Let’s Encrypt mode).

Set up local DNS resolution for the public domain

This was made a little bit more annoying by my recent adoption of a Unifi security gateway as my primary router. The EdgeRouter line had a handy CLI and config tree that allowed you to easily set static mapping of domain names to IP addresses. However, although the USG has the same command line interface, it is apt to be re-provisioned by the controller at any time which will overwrite the configuration if you do it through the CLI.

The correct way to configure these options (that are not available in the CLI) is to set a special config.gateway.json file with your extra options. This file (on Ubuntu) goes in /usr/lib/unifi/data/sites/default/config.gateway.json (I had to create the ./sites/default directories; for a site other than the default one, the directory is named after that site’s internal ID, not its display name). Dump the following into the file, and check that the result is well-formed JSON before you provision, because a syntax error in this file makes the USG fail provisioning over and over:

{
    "system": {
         "static-host-mapping": {
             "host-name": {
                  "nick-awesome-unifi.example.org": {
                       "inet": [
                           "10.5.2.1"
                       ]
                   }
              }
         }
    }
}

Then head on over to your Unifi setup, navigate to Devices, select your gateway, open the gear menu and click “force provision” in the side bar (lower box there, under “Devices” => Your router => Gear menu).

After this miraculous series of steps, try to execute a dig on your local network:

nickandre-macbookpro:~ nickandre$ dig nick-awesome-unifi.example.org

; <<>> DiG 9.10.6 <<>> nick-awesome-unifi.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62867
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nick-awesome-unifi.example.org.	IN	A

;; ANSWER SECTION:
nick-awesome-unifi.example.org.	0	IN	A	10.5.2.1

;; Query time: 139 msec
;; SERVER: 10.5.1.1#53(10.5.1.1)
;; WHEN: Thu Aug 27 15:54:12 PDT 2020
;; MSG SIZE  rcvd: 64

And you should get something like that. I had to wait a short while for my DNS cache in my browser to expire (I always set the TTL to like 600 for this reason) and then I was able to access unifi over TLS.
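Two checks worth running before and after the force provision, as an added example (not from the original post): the first refuses to let a malformed or mis-keyed config.gateway.json through, the second asks the gateway’s resolver directly and compares its answer with the LAN address. It assumes python3 and dig are installed on the machine you run it from; the file path, hostname and addresses are the ones from this post, and the function names are mine.

```shell
#!/bin/sh
# gateway-dns-check.sh: sanity-check config.gateway.json and the split-horizon
# answer before/after "force provision". Added example, not UniFi tooling.
set -eu

# Exit 0 if FILE is valid JSON and maps HOST to IP under
# system.static-host-mapping.host-name.<HOST>.inet; otherwise explain and exit 1.
validate_gateway_json() { # file host ip
  python3 - "$1" "$2" "$3" <<'EOF'
import json, sys
path, host, ip = sys.argv[1:]
try:
    with open(path) as f:
        cfg = json.load(f)
except ValueError as e:  # a syntax error here is what puts the USG into a provisioning loop
    sys.exit(f"{path}: not valid JSON: {e}")
try:
    inet = cfg["system"]["static-host-mapping"]["host-name"][host]["inet"]
except (KeyError, TypeError):
    sys.exit(f"{path}: no static-host-mapping entry for {host}")
if ip not in inet:
    sys.exit(f"{path}: {host} maps to {inet}, expected {ip}")
EOF
}

# True when the gateway's resolver answers HOST with IP (first A record).
lan_answer_matches() { # gateway host ip
  [ "$(dig +short @"$1" "$2" A | head -n1)" = "$3" ]
}

# Run the checks only when invoked as "sh gateway-dns-check.sh check";
# sourcing the file just defines the functions.
if [ "${1:-}" = "check" ]; then
  validate_gateway_json /usr/lib/unifi/data/sites/default/config.gateway.json \
    nick-awesome-unifi.example.org 10.5.2.1
  echo "config.gateway.json is valid and maps the public name to 10.5.2.1"
  if lan_answer_matches 10.5.1.1 nick-awesome-unifi.example.org 10.5.2.1; then
    echo "gateway 10.5.1.1 resolves the public name to the LAN address"
  else
    echo "gateway 10.5.1.1 does not yet return 10.5.2.1; provision again or wait" >&2
    exit 1
  fi
fi
```

Run the JSON check before clicking force provision and the dig check afterwards; if the second one keeps failing, the controller has not pushed the mapping to the gateway yet.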

Now go ahead and set up Unifi for TLS splash page under Settings => Hotspot => Advanced. I checked:

  1. Use secure portal
  2. HTTPS redirection
  3. Redirect using hostname (fill out your public domain)

Then you should be good to go! Make sure to set up renewal for the cert: the snap package installs its own renewal timer, but each renewed certificate still has to be re-imported into the Unifi keystore, or the controller keeps serving the old one until it expires.
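A certbot deploy hook that does that re-import and then checks what the controller actually serves, as an added example (this is not the “slurp” script from the post). It assumes certbot and the Unifi controller run on the same Ubuntu host, that the controller keystore is at the default path with Unifi’s well-known default store password and the “unifi” alias, that the controller UI listens on 8443, and that certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS as it does for deploy hooks; the function names are mine.

```shell
#!/bin/sh
# unifi-deploy-hook.sh: re-import a renewed Let's Encrypt certificate into the
# UniFi controller's Java keystore and verify the controller now serves it.
# Added example, not the post's script. Assumptions: certbot and the controller
# on one host, default keystore path/password/alias, HTTPS UI on 8443, and the
# RENEWED_LINEAGE / RENEWED_DOMAINS variables certbot passes to deploy hooks.
set -eu

KEYSTORE="${UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
STOREPASS="${UNIFI_STOREPASS:-aircontrolenterprise}"   # UniFi's default store password
ALIAS=unifi
PORT=8443

# Bundle chain + private key into PKCS#12 under the alias UniFi expects.
# fullchain.pem already carries the intermediates, so no -CAfile is needed.
make_pkcs12() { # fullchain.pem privkey.pem out.p12
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$ALIAS" \
    -passout "pass:$STOREPASS" -out "$3"
}

# SHA-256 fingerprint of the first certificate in a PEM file: 64 lowercase hex chars.
fingerprint_pem() { # file.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate actually presented on host:port (with SNI).
fingerprint_served() { # host port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 |
    sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Replace the "unifi" entry in the controller keystore, keeping a rollback copy.
import_into_keystore() { # bundle.p12
  cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS" \
    -destkeypass "$STOREPASS" -alias "$ALIAS"
}

main() {
  lineage="${RENEWED_LINEAGE:?set by certbot; run this as a --deploy-hook}"
  host="${RENEWED_DOMAINS%% *}"           # first domain of the renewed lineage
  p12=$(mktemp)
  trap 'rm -f "$p12"' EXIT
  make_pkcs12 "$lineage/fullchain.pem" "$lineage/privkey.pem" "$p12"
  import_into_keystore "$p12"
  systemctl restart unifi
  sleep 30                                 # the controller takes a while to come back
  want=$(fingerprint_pem "$lineage/cert.pem")
  got=$(fingerprint_served "$host" "$PORT")
  if [ "$want" != "$got" ]; then
    echo "$host:$PORT serves $got, expected $want; rollback copy is $KEYSTORE.bak.*" >&2
    exit 1
  fi
  echo "$host:$PORT now serves certificate $want"
}

# Run the full flow only when certbot invokes us; sourcing the file just
# defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/unifi.sh (mode 755); certbot runs every executable in that directory after each successful renewal. To exercise it once by hand, set RENEWED_LINEAGE to the lineage directory under /etc/letsencrypt/live and RENEWED_DOMAINS to the hostname, then run the script as root. If keytool on an older Java refuses the PKCS#12 produced by a current OpenSSL, export it with the older algorithms instead (-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1).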

Consolidated Communications & Frontier ADSL DMT Static IP setup

I’m currently rocking it at the family beach house in Scarborough Maine, serviced by the glorious new cable conglomerate Spectrum. They have now deployed faster internet speeds in the area, offering up to gigabit plans on DOCSIS 3.1 (I believe).

Recently though they had a 12 hour outage where the entire beach lost TV and internet. That was a bummer (everyone was wandering aimlessly about outside in tears). So I went out in search of an additional ISP to achieve redundancy.

RedZone wireless has acceptable reviews, but unfortunately they were unable to offer service to my address due to land obstruction.

This left Consolidated Communications, which still offers DSL service in the area. They’re now offering (in my area) 1.5 Mbps DSL service without a phone line (life pro tip: disable ad blocker to query service for your address) for ~$23.79/mo, which seemed acceptable for a backup option, particularly to keep the IoT devices running if we want to cancel Spectrum over the winter, etc. I also had the pleasure of working over DSL service on Vashon Island outside Seattle, and it’s doable.

Configuring the DSL modem

Configuring DSL modems in static IP mode is apparently somewhat of a lost art (the tech spent literally hours on the phone trying to find the one person at the support center who still knew how to do this setup).

First note: in my location, Consolidated has a positively vintage ADSL setup which negotiates as ADSL_G.dmt. As far as I can discern, DMT is a more noise resistant mode of DSL that is limited to 8 Mbps / 1.2 Mbps or so. For negotiation, they’ve provided me with a static IP service. It does not use PPPoE or any such magic. Do not select PPPoE or PPPoA, as the link will not function or negotiate.

The simplest configuration:

  • Set the modem to ATM mode.
  • Enable modem “bridge” feature.
  • Connect computer to LAN port (with Trendnet; sometimes WAN on others like ZyXEL?)
  • Open up your computer’s (or router’s) IP settings, and provision the address they provide into the IP settings. I’m in 64.222.XXX.XXX/24 with a router at the .1 address.
  • Once you do this, your computer will route. Note that it is now sitting on a public address with no NAT or firewall in front of it, so do this only for a quick test and then put a router with a firewall on that port instead.

If the router supports IPoE, you can configure the same IP address, subnet, and default gateway into the router. However, not all DSL modems from the modern era seem to support this static IP mode.

Other miscellaneous settings (most default):

  • UBR without PCR service category
  • LLC encapsulation mode
  • VPI 0, VCI 35 (both default)
  • I believe you can enable a VLAN on your router and set the same VLAN on your router (will test)

Trendnet ADSL DMT bridge configuration

Choosing a modem

ADSL2 modems are getting hard to find. Consolidated offered to sell me one for $160 or rent for like $12/month, which seemed absurd. I attempted to buy my own, but the modem I bought does not support IPoE; however, any such modem can be used in bridge mode in front of a separate router.

TrendNet AC750 Wireless VDSL2/ADSL2+ modem

I purchased a TrendNet AC750 Wireless VDSL2/ADSL2+ modem off of eBay. I ran into two problems with this modem:

  • No native IPoE support for DSL, so it will only work in bridge mode.
  • For some unknown reason, the noise figures on this router are far inferior to the ancient dinosaur router the tech installed (attainable rate was something like 3700 kbps as opposed to 9352 kbps on the Comtrend).

Comtrend AR-5319

The installation tech found this dinosaur somewhere in the truck. It supports IPoE and negotiates to 9352 kbps attainable rate, which would allow me to order their 3 Mbps service. However, the management UI has a “security check” requesting I solve a CAPTCHA which reappears every 30 seconds, which makes using the config UI maddening.

ZyXEL C1100Z

A more modern router that I just ordered on eBay. Hopefully this will get me:

  • A UI that doesn’t make me want to kill myself.
  • Higher negotiated rate.
  • Bridge mode.

I assume it doesn’t support IPoE config.

Conclusion

With the new rate plan ($24/mo without phone service for DSL in Maine) I think that this service offers a compelling Plan B internet for your residence. The config is a bit of a nightmare, so I hope this article explains what I could not find with the google XD

Miscellanea

Interestingly when trying the Trendnet I get a higher SNR but also higher attenuation:

Comtrend stats page shows 40.5 dB attenuation w/ 20.1 dB SNR
Trendnet shows 52.5 dB attenuation but 27 dB SNR; much lower attainable rate.

Same phone wire and everything…maybe I will check with the ZyXEL and report back.