Blog

Working with Jamf School

I’ve been using Jamf School at work for 3 years now. This is the first year (2024) in which I believe ALL of our faculty and staff Macs are enrolled in JS. Previously to the 21-22 school year, the school paid for Jamf Pro to manage the iPads for the K-5th graders and used imaging to deploy the Macs. I arrived in 2021, and that summer we began to move our devices and configurations to Jamf School.

Pfsense Https V2

Well, well, well, exactly 90 days later (the expiration date of the previous HTTPS certificate…) I had to dig in and manually renew the cert. I believe I’m the only one using it, so the impact was quite small. This time, I started from the PfSense web GUI and just clicked “renew”. It took a really long time and I didn’t notice any popups when it was done. I eventually logged into the unit via ssh and found the log file with cat /tmp/acme/us-pfsense/acme_issuecert.

Unifi Controller HTTPS

Here’s another HTTPS certificate story. This time, a self-hosted Unifi Controller was the “invalid certificate” annoyance. Yesterday, it began with attempting to use acme.sh from GitHub on our Ubuntu 22.04.1 LTS server which has unifi running on it. I did encounter a similar error to my last story, and I had to change my DNS servers again. That probably deserves another blog post so I don’t forget how to do it next time.

A Real pfsense HTTPS Certificate

Yesterday, I learned how to get Let’s Encrypt working on our PfSense router. First I set ssh to only use public keys, then installed the sudo package and the acme.sh package in the GUI. https://gaurangpatel.net/installing-nano-in-pfsense (this was very handy, as I am a nano user.) https://jarrodstech.net/how-to-pfsense-haproxy-setup-with-acme-certificate-and-cloudflare-dns-api/ The kicker was getting /etc/resolv.conf to not use internal DNS routing. We use OpenDNS Umbrella’s free teir and we block the VPN category. acme.

Hello World

First post!

Unifi Controller HTTPS

Planted February 8, 2023

Here’s another HTTPS certificate story. This time, a self-hosted Unifi Controller was the “invalid certificate” annoyance.

unifi-logo

Yesterday, it began with attempting to use acme.sh from GitHub on our Ubuntu 22.04.1 LTS server which has unifi running on it. I did encounter a similar error to my last story, and I had to change my DNS servers again. That probably deserves another blog post so I don’t forget how to do it next time. So, I’m able to get the HTTPS certificate, but I encountered an error after running the following command.

acme.sh --deploy -d unifi.my.tld --deploy-hook unifi --debug
#output...
Could not open file or uri for loading certs of certificates from -in file from /root/.acme.sh/unifi.my.tld_ecc/unifi.my.tld.cer
807B28F96C7F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
807B28F96C7F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(/root/.acme.sh/unifi.my.tld_ecc/unifi.my.tld.cer)
Error generating pkcs12. Please re-run with --debug and report a bug

And Google seems to have a good answer to what’s going on here. The clues make it seem like openssl cannot generate the certificate for the Java process that Unifi runs in. I’m using OpenSSL 3.0.2 15 Mar 2022, which at this point is slightly out of date, so I attempt to build the latest from source. Eventually, after make install and running the binary, I get a linking error…

undefined symbol: BIO_f_zlib

I did get a search result for StackOverflow, which was promising, but unfortunately it was taken down for some reason…

At this point, I go back to my original Google search “unifi controller https let’s encrypt” and through a Reddit post, found this dude who has written a cute bash script for this very purpose. Another link to his website. I downloaded it and ran it and sure enough, it eventually works, even with a little error, too.

Despite the error message, Unable to load certificate, the script finishes and I go refresh my Unifi Controller Chrome tab. Sure enough, the certificate error shows up, but this time, it has unifi.my.tld in the Common Name!

Next up, giving our ESXi servers real HTTPS certificates…