October 21, 2017
Got tired of seeing the UniFi controller java service running https but not trusted on localhost.
And almost have a solution. Found a solution, but it wasn’t easy.
CertSimple: Never see localhost HTTPS warnings again
Ubiquiti Network Community: Installing an SSL Certificate
Follow the CertSimple instructions to use Mac OS X Keychain Access to generate self-signed certificates for localhost. In Step 3, make sure to export both the localhost certificate (as .pem) and the localhost private key (select .p12 from drop down and then convert as per the openssl command in Step 3 OR export as .pem) from within Keychain Access.
service unifi stop as in the Ubiquiti Network Community instructions (which are for a linux system), for Mac OS X, simply quit the UniFi app in order to stop the service. Alternatively, from the command line:
$ java -jar /Applications/UniFi.app/Contents/Java/ace.jar stop
Here are the commands that I used based on the Community page. I put the files on the Desktop for easy finding (from the command line natch).
$ sudo openssl pkcs12 -export -passout pass:aircontrolenterprise \
-in ~/Desktop/localhost-cert.pem -inkey ~/Desktop/localhost-key.pem \
-out ~/Desktop/localhost -name unifi \
-CAfile ~/Desktop/localhost_CAcert.pem -caname root
$ sudo keytool -delete -alias unifi \
-keystore ~/Library/Application\ Support/UniFi/data/keystore \
$ sudo keytool -trustcacerts -importkeystore \
-deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
-destkeystore ~/Library/Application\ Support/UniFi/data/keystore \
-srckeystore ~/Desktop/localhost -srcstoretype PKCS12 \
-srcstorepass aircontrolenterprise -alias unifi
Unfortunately, I’m running into an error where the certificate is not getting imported into the keystore.
$ sudo java -jar /Applications/UniFi.app/Contents/Java/ace.jar \
import_cert ~/Desktop/localhost-cert.pem ~/Desktop/localhost-CAcert.pem \
Unable to import the certificate into keystore
Hurrah! Found the answer.
UBNT Support Page: UniFi – SSL certificate error upon opening controller page
If the error "Unable to import certificate into keystore" appears when importing the signed certificate & intermediate certs, try the following steps:
1. Edit the certificate file and remove any blank spaces after each line of the cert.
And that did it.
$ sudo java -jar /Applications/UniFi.app/Contents/Java/ace.jar import_cert ~/Desktop/localhost-cert.pem ~/Desktop/localhost-CAcert.pem ~/Desktop/localhost
parse localhost-CAcert.pem (PEM, 1 certs): CN=localhost Certification Authority
parse localhost, 0 certs found
parse localhost-cert.pem (PEM, 1 certs): CN=localhost
Importing signed cert[localhost]
Certificates successfuly imported. Please restart the UniFi Controller.
But still doesn’t work completely because it’s self-signed. I guess if I want that green lock then I’ll have to go get a real cert.
And for reference:
$ java -jar /Applications/UniFi.app/Contents/Java/ace.jar
Usage: java -jar lib/ace.jar [...]
start : start the UniFi controller
stop : stop the UniFi controller
info : display some information
installsvc/startsvc/uninstallsvc/stopsvc : install/start/stop as a Windows service
new_cert : create new certificate (with csr)
import_cert [...] : import the signed certificate and ca cert