I finally got sick of seeing a certificate error when connecting to my Ubuiquiti Unifi WiFi controller.
There are a bunch of shitty howtos describing how to install a cert, and one good one. But in order to make it more copy-paste for future me when the certificate needs renewing, and because the paths are not quite the same since I run the controller in a Docker container on a raspberry pi, here are the commands (after copying fullchain.pem and privkey.pem into the stateful data dir):
host$ docker ps # make note of the docker ID host$ docker exec ID_HERE -ti bash docker$ openssl pkcs12 \ -export \ -inkey privkey.pem \ -in fullchain.pem \ -out cert.p12 \ -name unifi \ -password pass:secret docker$ keytool \ -importkeystore \ -deststorepass aircontrolenterprise \ -destkeypass aircontrolenterprise \ -destkeystore /usr/lib/unifi/data/keystore \ -srckeystore cert.p12 \ -srcstorepass secret \ -alias unifi \ -noprompt docker$ exit host$ docker stop ID_HERE host$ docker start ID_HERE
I’m mostly happy with the Ubiquiti access points. I have an AP-AC-LR and an AP-M. My complaints are:
- When I reported a bug about access to SSH on non-management interfaces, they responded by turning off management over IPv6 alltogether.
- Even their latest firmware doesn’t support UNII-3 channels, which have been allowed in UK since 2017, and DFS-free since mid-2020.
- You can’t select fallback channel when DFS channels detect radar, so you may end up with both APs on the same channel.
I solved some of the channel mess by creating two “sites”. One “in the US” running on UNII-3, and since it’s DFS-free there’s no risk of both APs ending up on the same channel.
This works great for everything except with:
- Google Pixelbook
- Google Nest
- Google Chromecast
They absolutely refuse to connect to an UNII-3 channel. Apparently because the manufacturer chose to hard code this, non-upgradable, and not simply trust the AP. So I just live with them connecting to the other AP. My home is not that big.
Apple devices, Pixel 3 phone, Lenovo etc… etc… are all fine.