The instructions in this post relate to Edgemax 1.8.5 and above. If you are using 1.7.0 or below, then you will need to use the method set out in this earlier post.
The Problem
Edgerouters have a very handy web interface for monitoring and basic configuration. The information input via this interface includes security related information, and, appropriately, the web interface is redirected to https (TLS).
The problem is that the default certificate that comes with the device is self-issued, and hence is not trusted by browsers, and does not include the device’s fully qualified domain name (FQDN).
This means that:
- You cannot access the device from an iPad or iPhone (WebSocket error).
- Connecting from a PC using a web browser produces lots of scary warnings about untrusted certificates.
- Chrome will not autofill the username and password for you on a site with certificate warnings.
None of this is Ubiquiti’s fault – they simply do not know what you will choose to name your device, so they cannot supply it with a valid certificate.
The workaround is just to click through all the scary warnings. But many of us want to remove these certificate errors.
Here’s how.
Overview:
There are 3 steps required:
Step 1 - Obtain a Certificate issued by a Trusted CA
- Prepare a CSR (Certificate Signing Request) for the ER
- Send the CSR to your Third Party SSL certificate supplier
- Retrieve the signed certificate, AND the CA root certificate, AND any intermediate certificates
Step 2 - Copy the Certificate files to the ER and configure the ER to use them instead of the default
Step 3 - Adjust your DNS settings so that the url you use to access the Edgemax matches the certificate.
Step 1 – Obtain a certificate from a Trusted CA
Preliminary
A critical first decision is what you want to name your Edgemax in DNS (see Step 3). You won’t be able to obtain a trusted certificate from a CA for a name that is not a universally valid FQDN. This means that you can’t get a certificate for “myedgerouter” or “myedgerouter.local”. You have to use a name like “myedgerouter.mydomain.com”. (You will also have to prove you control the mydomain.com domain before the CA will issue you a certificate for any subdomain of mydomain.com.)
**Just to clarify, you can give it any name you like, but the ‘domain.com’ part will have to be valid and controlled by you (i.e. you receive emails sent to postmaster@mydomain.com or webmaster@mydomain.com, or perhaps you have the rights to add a TXT record to the DNS for mydomain.com – whatever your CA requires to satisfy itself that you own the domain).**
Once you have made the decision, you need to get your preferred CA to issue you with a certificate. In this example I am running with: myedgerouter.mydomain.com
Your CA will require a Certificate Signing Request (CSR) in order to process your request. You will need to generate a CSR on your edgerouter. This is not too hard and will also generate the private key for your certificate.
Let's get started:
Connect to your ER using PuTTY or SSH (or the CLI window via the Web UI, but this is slow and I never use it). I am based in Windows and use PuTTY to talk to the ER.
You will need root privileges for these following commands, so let’s become root:
sudo -i
I recommend creating a directory in /config/auth/ - such as /config/auth/certificates. (Files in this location are preserved across router upgrades.)
mkdir /config/auth/certificates
cd /config/auth/certificates
Now we need to generate the CSR
openssl req -sha256 -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key
You will then be asked questions about data to include in the certificate:
Country code is only two characters.
The only really important one is Common Name. This one must be answered with the FQDN you chose above: myedgerouter.mydomain.com
LEAVE THE PASSWORDS BLANK! (If you enter a password, you will have to enter it every time you reboot your router or your web ui won't load. )
At the end, a certificate signing request file will be generated "server.csr" and a private key file will be generated: "server.key".
Now you need to get the contents of the csr file into your clipboard so that you can paste it into the web interface of your CA when it asks you for the Certificate Signing Request.
You can do this with
cat server.csr
then select the output (in PuTTY, simply selecting the text copies it to the clipboard. Do not press Ctrl-C in PuTTY!)
Alternately you can copy the file off your Edgerouter then use a notepad app to view then select and copy the entire content of the file. I use WinSCP for transferring files between windows and the Edgerouter.
Once you have the CSR text, off you go to your preferred CA and obtain your certificate. (StartSSL allows you to issue trusted certificates for free. Free seems like a good price to me.)
Whichever CA you use, you will have to give them (usually, paste into a webform) your CSR, and they will use it to issue you with a certificate. This certificate's private key will be the server.key file on your edgerouter.
When you get the certificate, you must also get the root CA certificate. Copy it too. Save each certificate in separate text files, with no other content at all. Name them whatever you like, but something that makes sense is easier to manage.
I am going to assume your certificate is named "myedgerouter.mydomain.com.crt" and your root certificate is called "myca.ca.pem".
You now need to get these files back onto your Edgerouter. WinSCP them back to /config/auth/certificates
You need to add the private key into your new certificate. Remember that the private key is called server.key and is already in /config/auth/certificates. To add (append) the private key to your certificate file (note the double >>; a single > would replace the certificate with the key):
cat server.key >> myedgerouter.mydomain.com.crt
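The CSR generation above and the key-appending step, as an added example that is not part of the original post: it builds the key and CSR non-interactively from a config file (so the CSR also asks for a SAN, which browsers match on rather than the CN), stands in a throwaway "Constructed Test CA" for the real CA so the steps can be exercised offline, assembles the bundle with >>, and runs the key-match and chain checks you want before pointing the ER at the files. It runs in a scratch directory; on the ER the path would be /config/auth/certificates.

```shell
# Added example (not from the original post): Step 1's key/CSR and the Step 2 bundle
# built non-interactively, plus the checks to run before uploading. Runs in a scratch
# dir (on the ER: /config/auth/certificates); "Constructed Test CA" is a stand-in CA.
set -e
FQDN="myedgerouter.mydomain.com"     # the name chosen in the post
WORK="$(mktemp -d)"; cd "$WORK"
# One config drives everything: the CSR's DN, a SAN (browsers match the SAN, not the
# CN, so ask the CA for one) and the CA extensions for the stand-in root.
cat > cert.cnf <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $FQDN
[san]
subjectAltName = DNS:$FQDN
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Step 1: 2048-bit key with no passphrase (-nodes) and the CSR to paste to the CA.
make_csr() { openssl req -new -sha256 -nodes -newkey rsa:2048 -config cert.cnf -keyout server.key -out server.csr 2>/dev/null; }
# Read the CN back before sending the CSR off; a typo here costs a re-issue.
csr_cn() { openssl req -in server.csr -noout -subject | sed 's/.*CN *= *//'; }

# Stand-in for the CA: a local root (myca.ca.pem) signs the CSR, keeping the SAN.
fake_ca_issue() {
  openssl req -x509 -new -sha256 -nodes -newkey rsa:2048 -days 30 -config cert.cnf \
    -extensions ca -subj "/CN=Constructed Test CA" -keyout myca.key -out myca.ca.pem 2>/dev/null
  openssl x509 -req -in server.csr -CA myca.ca.pem -CAkey myca.key -CAcreateserial \
    -days 30 -sha256 -extfile cert.cnf -extensions san -out "$FQDN.crt" 2>/dev/null
}

# Step 2 prerequisite: certificate (then any intermediates) and the key in ONE file.
# Append with >>; a single > would replace the certificate with the key.
build_bundle() { cat server.key >> "$FQDN.crt"; }

# Before pointing cert-file at the bundle: the embedded key must match the cert's
# public key, and the cert must chain to ca-file and carry the FQDN. Prints "ok".
check_bundle() {
  cert_mod=$(openssl x509 -in "$FQDN.crt" -noout -modulus)
  key_mod=$(sed -n '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' "$FQDN.crt" | openssl rsa -noout -modulus 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || { echo "key does not match certificate"; return 1; }
  openssl verify -CAfile myca.ca.pem -verify_hostname "$FQDN" "$FQDN.crt" >/dev/null 2>&1 \
    || { echo "chain or hostname check failed"; return 1; }
  echo ok
}
make_csr; fake_ca_issue; build_bundle; check_bundle
```

On the real router you skip fake_ca_issue, send server.csr to your CA, and drop the returned certificate and root into the same directory before running build_bundle and check_bundle.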
Step 2 - Configure the ER to use the new certificates
The part of the config that defines how the web certificates will be used is Service | Gui.
You can set these settings in the Web interface using the Config Tree tab, or in the CLI.
You need to set the 'ca-file' to be the root certificate "myca.ca.pem", and the 'cert-file' to be your new certificate "myedgerouter.mydomain.com.crt".
I recommend disabling older ciphers as well, as they are insecure. If you are using a really old browser and can't update it for some reason, you may need to re-enable the older-ciphers.
This is what your config should look like:
CLI:
show service gui
 ca-file /config/auth/certificates/myca.ca.pem
 cert-file /config/auth/certificates/myedgerouter.mydomain.com.crt
 http-port 80
 https-port 443
 older-ciphers disable
[Screenshot: the GUI Config Tree showing the same Service | Gui settings]
Step 3 - Adjust your DNS settings so that the url you use to access the Edgemax matches the certificate.
If you have successfully updated your certificate file, you will be disappointed if you browse to it right away using its IP address. You will see certificate errors.
This is because the url you typed to access the edgerouter (default is https://192.168.1.1) doesn't match the certificate (which, all having worked, now says: myedgerouter.mydomain.com)
So, you need to adjust your DNS so that when you type into your browser: myedgerouter.mydomain.com it takes you to the IP of the edgerouter.
If you control your internal domain DNS (and, if you're reading this post you probably do ;-)) then you can just do this internally, and use the internal RFC1918 address of the router.
Otherwise (or as well), you can set your external domain name settings so that myedgerouter.mydomain.com points to an IP which your edgerouter listens to. (I worry about exposing the WebUI to the big bad web, so my router is set to only listen on an internal interface.)
Whatever you decide, the critical point is that your browser will complain unless what you type in to access the edgerouter matches the certificate. So long as it does, you will get the green padlock, no errors, and your iOS device will work happily without WebSocket issues.
DONE!
All going well, you now have your Edgerouter configured with your trusted certificate, and you have no problems accessing it via any web browser or via your iPad or iPhone.
HTH!