Create certificates offline

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: unifi.e2snail.com, grafana.e2snail.com

I ran this command: I do not have a web server serving any of the domains listed. They are all running behind a firewall and gateway.
unifi.e2snail.com - this is a management network application, it seems to be running a custom tomcat instance, but Unifi do not provide any support because it seems to be proprietary software. I have managed to find a download script, which runs successfully but does not seem to update the certificate.
grafana.e2snail.com - this is a grafana instance tracking the unifi software behind the same firewall.

It produced this output: when I run the certbot commands I am told that it cannot connect to port 80, as I said before, I do not have any web server application running on the machine. I am doing port forwarding from the outside to the inside for both applications and this works.

My web server is (include version): no web server running.

The operating system my web server runs on is (include version): Ubuntu 20.04 running unifi gateway and grafana server

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

No matter what I try I cannot get my certificates renewed.
Is there any way to renew the certificates offline and put them in place?
Thanks
Lawrence

You can't get the certificates offline, as you require connectivity to the Let's Encrypt ACME server to get them in the first place. Also, the Let's Encrypt ACME server requires some connectivity on the world wide web to authorize the hostname(s) you want a certificate for. This can be through HTTP with the http-01 challenge or through the DNS system with the dns-01 challenge.

In principle, you can get a certificate on any host connected to the internet and afterwards install the cert and private key on your offline devices.

2 Likes

Exactly what I meant to say, only was not clear.
The issue that I have is that because neither unifi nor grafana use an external web server, they have it built into the application.

Lawrence

1 Like

Well, once you got your certificate, you can do anything you want with it offline. Put it on a USB drive, burn a CD-ROM if you like, heck, if you have a 5 ¼ floppy drive you can put it on there :smiley:

3 Likes

I think CSAVE and CLOAD might be even safer!
[save to cassette tape] - LOL

3 Likes

We always used BLOAD on the MSX! With cassette tape indeed :smiley:

2 Likes

I'm reasonably familiar with Unifi. If you use acme.sh rather than certbot, you'll see that it has a deployment script for the Unifi controller packaged with it (see deployhooks · acmesh-official/acme.sh Wiki · GitHub for details on its usage). That will solve the deployment issue; there's no way to do it through the Unifi interface itself (a pretty glaring omission IMO, but UBNT didn't ask me).

As to Grafana, I have my instance behind a Caddy reverse proxy (very simple to do; the complete configuration file is only a dozen lines including whitespace), which handles the certificate for me.

For both cases, if you have a compatible DNS host, DNS validation will make it easy to get the cert--I use a combination of Cloudflare and acme-dns, and between them I've been able to put certs on dozens of local devices.

4 Likes

Danb35,
Thanks for your advice. I will search for some reading to see if I can figure out what you say about grafana.
As for unifi, there are very many humble opinions that unifi support refuse to look at or accept, but that is another kettle of fish completely.

I found and downloaded a script called unifi_ssl_import.sh. This works a charm and it says that the certs are updated as needed. No errors were shown, and the result is shown as successfully updated.
I then had a major issue trying to understand how to view the cert, because even after restarting the instance, I saw that my cert would expire on the 6 Feb.
I eventually found that a simple command could read the keystore file, as follows:
keytool -list -v -keystore /var/lib/unifi/keystore -storepass aircontrolenterprise

What I did then was a grep for Valid and found that there were 4 replies back.

Valid from: Mon Nov 09 12:35:43 CET 2020 until: Sun Feb 07 12:35:43 CET 2021
Valid from: Thu Mar 17 17:40:46 CET 2016 until: Wed Mar 17 17:40:46 CET 2021
Valid from: Mon Nov 09 12:35:43 CET 2020 until: Sun Feb 07 12:35:43 CET 2021
Valid from: Thu Mar 17 17:40:46 CET 2016 until: Wed Mar 17 17:40:46 CET 2021

Looking at the results I am not clear what this means because I see an end date of 2 Feb and 17 Mar. What is the actual truth because looking at the cert on the page it says 2 Feb.

Any ideas?
Lawrence

1 Like
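Each "Valid from" line that the grep returned belongs to one certificate, but keytool -list -v prints one block per keystore entry (alias) and, inside a PrivateKeyEntry, one block per certificate in that entry's chain, so a bare grep loses which alias and which chain position each date belongs to. The script below is an added example, not something from the thread or from the unifi_ssl_import.sh script: it parses a constructed keytool listing (the aliases "unifi" and "unifi-old", the subject names and the dates are placeholders), keeps the alias and chain position with every certificate, and reports days left and whether a certificate is self-signed (owner equals issuer), which is the usual sign of a leftover factory certificate rather than the one actually served.

```python
"""Group `keytool -list -v` output by alias and chain position and report expiry.

Added example (not from the thread). The sample listing below is constructed to
resemble a keystore with two entries; aliases, names and dates are placeholders.
"""
import re
from datetime import datetime

# Constructed, abridged output of `keytool -list -v -keystore <file>`.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: unifi
Creation date: Nov 9, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=unifi.example.com
Issuer: CN=R3, O=Let's Encrypt, C=US
Valid from: Mon Nov 09 12:35:43 CET 2020 until: Sun Feb 07 12:35:43 CET 2021
Certificate[2]:
Owner: CN=R3, O=Let's Encrypt, C=US
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Valid from: Fri Sep 04 02:00:00 CEST 2020 until: Mon Sep 15 18:00:00 CEST 2025

Alias name: unifi-old
Creation date: Mar 17, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=unifi-selfsigned
Issuer: CN=unifi-selfsigned
Valid from: Thu Mar 17 17:40:46 CET 2016 until: Wed Mar 17 17:40:46 CET 2021
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")


def parse_keytool_date(text):
    """Parse 'Mon Nov 09 12:35:43 CET 2020'. strptime's %Z only knows a few
    zone names, so the zone token is removed and returned separately."""
    parts = text.split()
    zone = parts.pop(4)
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y"), zone


def parse_keytool_listing(output):
    """Return one dict per certificate, tagged with its alias and chain position
    (1 = the leaf certificate the server presents)."""
    certs, alias, position, current = [], None, 0, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            position = 0
        elif line.startswith("Owner:"):
            position += 1
            current = {"alias": alias, "position": position,
                       "owner": line.split(":", 1)[1].strip()}
            certs.append(current)
        elif line.startswith("Issuer:") and current is not None:
            current["issuer"] = line.split(":", 1)[1].strip()
        elif current is not None and (m := VALID_RE.match(line)):
            current["not_before"], _ = parse_keytool_date(m.group(1))
            current["not_after"], current["zone"] = parse_keytool_date(m.group(2))
    return certs


def report(output, now):
    """Annotate each certificate with days left and a self-signed flag."""
    rows = []
    for c in parse_keytool_listing(output):
        rows.append({
            "alias": c["alias"], "position": c["position"], "owner": c["owner"],
            "self_signed": c["owner"] == c.get("issuer"),
            "not_after": c["not_after"],
            "days_left": (c["not_after"] - now).days,
        })
    return rows


def leaf_certificates(rows):
    """Only the first certificate of each alias is what clients see."""
    return [r for r in rows if r["position"] == 1]


if __name__ == "__main__":
    for r in leaf_certificates(report(SAMPLE_KEYTOOL_OUTPUT, datetime.now())):
        tag = " (self-signed)" if r["self_signed"] else ""
        print(f"{r['alias']}: {r['owner']} expires {r['not_after']:%Y-%m-%d}, "
              f"{r['days_left']} days left{tag}")
```

Run it against real output by piping `keytool -list -v ...` into a file and passing its contents to report(); a leaf whose alias is not the one the server is configured to use can expire without affecting what browsers see, which is why the alias column matters more than the raw date list.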

I'm not at all familiar with the script you mention, but one possible reason for the discrepancy is that it doesn't restart the service after importing the cert, and you haven't done so either.

Edit: missed this:

Honestly, my biggest issue was that I can never remember all the oddball ports that these different applications want to use, so I want a way to reach them on standard web ports (80/443)--cert management and TLS are just a bonus. The typical way to do that is to use a reverse proxy. Common web servers like Apache and Nginx can do this, as can dedicated reverse proxies like HAProxy and Traefik. I like Caddy, as it's really easy to use in applications like this. Here's my complete configuration file for Caddy with my Grafana (Kotori, in my case) instance:

{
        email admin@mydomain
}

kotori.mydomain {
        tls {
                dns cloudflare (API TOKEN)
        }
        reverse_proxy localhost:3000
}

This is using Cloudflare's DNS to manage cert issuance and renewal, so you need an API token from them--Caddy supports a number of DNS hosts, though not as many as acme.sh. This config file (Caddyfile) tells Caddy to listen on kotori.mydomain, automatically obtain and renew a cert (two certs, actually--one from Let's Encrypt, one from ZeroSSL, so you have a backup if one fails) for that FQDN, redirect HTTP to HTTPS, implement a modern, sane TLS configuration, and proxy any requests to the Grafana instance running on the same machine. Given a compatible DNS host, I think this is by far the simplest way to accomplish what you're wanting to do.

Suppose your DNS host isn't compatible, and you're unable or unwilling to change to one that is (I like Cloudflare, they have a robust API and they're free for DNS service). In that case, it gets more complicated, but it can still be automated. In that case, you'd obtain the cert on one machine (that has port 80 open--or open-able--to the Internet), and with a simple bit of scripting, copy the cert files (using scp) to the Grafana machine and restart whatever service you have acting as the reverse proxy there (with a command like ssh root@grafana systemctl reload nginx--that will connect by SSH as root and run the specified command (systemctl reload nginx) on the remote machine). I don't think Caddy will be as useful in this case, but I don't have any good advice on a reverse proxy then.

3 Likes
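The "obtain on one machine, scp the files over, ssh in and reload the proxy" procedure above can be wrapped as a certbot deploy hook so it runs only when a renewal actually produced a new certificate. The script below is an added example, not danb35's own setup: the host name root@grafana, the remote directory, the nginx reload command and the state file path are placeholders, and the ssh/scp runner is injectable so the logic can be exercised without a network. Certbot exports RENEWED_LINEAGE to deploy hooks, which the script uses to find the live directory.

```python
"""Deploy hook: copy renewed cert files to a remote reverse proxy and reload it.

Added example (not from the thread). Hosts, paths and the reload command are
placeholders. Intended to be run by certbot via --deploy-hook, which sets
RENEWED_LINEAGE to the lineage's live directory.
"""
import hashlib
import os
import subprocess
import sys

CERT_FILES = ("fullchain.pem", "privkey.pem")


def file_sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_commands(live_dir, remote_host, remote_dir, reload_cmd):
    """Return the scp/ssh invocations (as argv lists, so nothing goes through a
    shell) that copy the cert files and reload the proxy."""
    cmds = [["scp", "-p", os.path.join(live_dir, name),
             f"{remote_host}:{remote_dir}/{name}"] for name in CERT_FILES]
    cmds.append(["ssh", remote_host, *reload_cmd])
    return cmds


def deploy_if_changed(live_dir, remote_host, remote_dir, reload_cmd,
                      state_file, run=subprocess.run):
    """Copy and reload only when fullchain.pem differs from the last copy we
    deployed. Returns the commands executed ([] when nothing changed)."""
    digest = file_sha256(os.path.join(live_dir, "fullchain.pem"))
    if os.path.exists(state_file):
        with open(state_file) as f:
            if f.read().strip() == digest:
                return []
    cmds = build_commands(live_dir, remote_host, remote_dir, reload_cmd)
    for cmd in cmds:
        # check=True: a failed copy or reload raises before the marker is
        # written, so the next run retries instead of believing it succeeded.
        run(cmd, check=True)
    with open(state_file, "w") as f:
        f.write(digest + "\n")
    return cmds


if __name__ == "__main__":
    live = os.environ.get("RENEWED_LINEAGE")
    if not live:
        sys.exit("RENEWED_LINEAGE not set; run this as a certbot deploy hook")
    done = deploy_if_changed(
        live_dir=live,
        remote_host="root@grafana",               # placeholder
        remote_dir="/etc/ssl/grafana",            # placeholder
        reload_cmd=["systemctl", "reload", "nginx"],
        state_file="/var/lib/certbot-deploy/grafana.sha256",  # placeholder
    )
    print("deployed" if done else "certificate unchanged, nothing to do")
```

scp -p preserves the file mode, so privkey.pem keeps its restrictive permissions on the remote side; the ssh step runs as root only because it has to reload a system service, and a dedicated key limited to that one command keeps the blast radius of the certificate host small.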

Look left on the Mar 17 date line:

That is definitely NOT from LE and most likely just an old unused self-signed cert.
[as I don't recall any real CAs offering 5 years certs in 2016]

1 Like

Let's Encrypt was founded in April of 2016. This is most definitely not from Let's Encrypt

2 Likes

danb35
What you suggest is very logical. I have absolutely no knowledge or experience with reverse proxy, but it seems the way I need to go.

I will look into Cloudflare.
Thanks for the advice
Lawrence

2 Likes

It looks like Grafana does support doing its own TLS termination, but the preferred solution is a reverse proxy. Here's a topic in their own forum discussing the issue, which gives a sample Apache configuration if you'd prefer that to Caddy:

2 Likes

danb35,

Here is the link FYI to the script. Never bad to know more, hey

Lawrence

2 Likes
