
FN11 Jailed UniFi Controller with Let's Encrypt (iocage) 2018-01-04

kjake

Dabbler
Joined
Mar 17, 2017
Messages
29
kjake submitted a new resource:

FN11 Jailed UniFi Controller with Let's Encrypt (iocage) - UniFi Controller in an iocage jail for FreeNAS - with Let's Encrypt!

As iocage is becoming the preferred Jail manager in FN11.2, I migrated all of my Jails to it. There is no working Plugin for FN/iocage, so I concocted my own, but not using the iocage plugin system.

I previously used a Docker container and liked it because it mounted important paths for persistent storage. I've done my best to replicate this in a Jail using iocage. As a bonus, I've added in a Let's Encrypt client and automated it for the controller's webserver.

Instructions on how to...


danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I currently have the Unifi controller running in a tired old Ubuntu VM that's seeing various issues. What should I copy from there to move that configuration to this installation?

Edit: Checking out that system, it looks like /data is in /var/lib/unifi, and /logs is in /var/log/unifi.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'm trying this now, and running into two issues. The first is simple; there's an extraneous " at the end of line 25 of unifi-jail.sh. The second is missing " "; they should be around ${JAIL_NAME} in the openssl command in deploy.sh.

Having now succeeded with the installation (and obtaining the cert), I'm now getting this:
[screenshot attached to the original post]

I'm thinking the answer is to wipe out what's in unifi/data/ and start over.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'm thinking the answer is to wipe out what's in unifi/data/ and start over.
Nope, that wasn't it--the controller wouldn't start. Edited unifi/data/db/version to read 5.6.26 and restarted the jail, and it appears to be up and running. It sees my AP and offers to upgrade its firmware (which I'll probably do later). Good, that's one service moved off the aging VM.
 

ggoldfingerd

Explorer
Joined
Dec 28, 2014
Messages
51
Thanks for the post. I plan to do this over the weekend. I just bought the SHD AD and the US-48-500W. I might email the FreshPorts maintainer to see when he/she plans to update next. I know Ubiquiti is on 5.6.30 now.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
I currently have the Unifi controller running in a tired old Ubuntu VM that's seeing various issues. What should I copy from there to move that configuration to this installation?

Did you in fact copy anything over?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Did you in fact copy anything over?
I did; I copied the contents of the two directories I mentioned above. And, since the Ubuntu VM was running a later version of the controller software, I edited unifi/data/db/version to say that it was using 5.6.26 rather than 5.6.29.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
I did; I copied the contents of the two directories I mentioned above.

OK, thx. I'm still on 5.5.24 so I'll leave that as it is and hope it updates without protest.
 

ggoldfingerd

Explorer
Joined
Dec 28, 2014
Messages
51
What am I missing with the persistent storage? I have

JAIL_PATH=/mnt/matrix/jails_psd

No files or folders are being created in that path when I run the sh file. So I get errors such as

RuntimeError: mount_nullfs: /mnt/matrix/jails_psd/portsnap: No such file or directory

This would be due to no portsnap folder existing in that directory. I removed all dehydrated referenced lines and from echo. The iocage folder is found on my system under /mnt/iocage
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
RuntimeError: mount_nullfs: /mnt/matrix/jails_psd/portsnap: No such file or directory
So create the directories. You'll need $JAIL_PATH/portsnap/ports, $JAIL_PATH/portsnap/db, $JAIL_PATH/unifi/data, and $JAIL_PATH/unifi/logs.
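The mount_nullfs error is the host side of a bind mount: when the jail starts, the source directory must already exist on the host, and the resource's script assumes the four mount points are there. The script below is an added example, not kjake's unifi-jail.sh: it creates the persistent-storage tree danb35 lists, refuses to use a symlink as a source (so a mount cannot quietly expose a different host directory to the jail), and registers each mount with `iocage fstab -a`. It assumes the jail-side unifi paths from the resource, that the portsnap mounts target FreeBSD's default /usr/ports and /var/db/portsnap, and that `IOCAGE` can be pointed at a stub so the registration step can be checked without a FreeNAS host.

```shell
#!/bin/sh
# Added example: create the host-side sources for the UniFi jail's nullfs
# mounts and register them with iocage. Not part of the resource's unifi-jail.sh.
set -eu

IOCAGE=${IOCAGE:-iocage}

# "<subdir under JAIL_PATH> <mount point inside the jail>", one mount per line.
# The jail-side unifi paths follow the resource; /usr/ports and /var/db/portsnap
# are FreeBSD's defaults and are assumed to be what the portsnap mounts target.
MOUNT_TABLE='portsnap/ports /usr/ports
portsnap/db /var/db/portsnap
unifi/data /usr/local/share/java/unifi/data
unifi/logs /usr/local/share/java/unifi/logs'

# mount_nullfs needs the source to exist as a directory on the host when the
# jail starts; a missing one gives exactly the "No such file or directory"
# RuntimeError in the thread. Create them up front and refuse symlinks, so a
# mount cannot quietly point the jail at some other host directory.
prepare_mount_sources() {
  jail_path=$1
  case "$jail_path" in
    /*) ;;
    *) echo "JAIL_PATH must be absolute, got '$jail_path'" >&2; return 1 ;;
  esac
  while read -r sub _jaildir; do
    src="$jail_path/$sub"
    if [ -L "$src" ]; then
      echo "$src is a symlink; refusing to use it as a nullfs source" >&2
      return 1
    fi
    mkdir -p "$src"
  done <<EOF
$MOUNT_TABLE
EOF
}

# Register one fstab(5)-style line per mount with iocage. Run after the jail
# exists and before it is started for the first time.
register_mounts() {
  jail_name=$1; jail_path=$2
  while read -r sub jaildir; do
    "$IOCAGE" fstab -a "$jail_name" "$jail_path/$sub $jaildir nullfs rw 0 0"
  done <<EOF
$MOUNT_TABLE
EOF
}

# Entry point using the resource's variable names, e.g.
#   JAIL_NAME=unifi JAIL_PATH=/mnt/matrix/jails_psd sh prepare-mounts.sh
if [ -n "${JAIL_NAME:-}" ] && [ -n "${JAIL_PATH:-}" ]; then
  prepare_mount_sources "$JAIL_PATH"
  register_mounts "$JAIL_NAME" "$JAIL_PATH"
fi
```

Run it once on the host before unifi-jail.sh (or call the two functions from the script right before its fstab lines). Keeping the table in one place means the host directories and the fstab entries cannot drift apart, which is how a missing `portsnap` source slips through.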
 

ggoldfingerd

Explorer
Joined
Dec 28, 2014
Messages
51
So create the directories. You'll need $JAIL_PATH/portsnap/ports, $JAIL_PATH/portsnap/db, $JAIL_PATH/unifi/data, and $JAIL_PATH/unifi/logs.

Thanks for this. I destroyed the jail after adding these files and ran the script again. It seems to be working so far.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I don't do this very often so excuse the noobness. Isn't line 11-17 doing that?
No. Line 11 has nothing to do with it. Lines 12-17 are making directories that should already exist, accessible to the jail.
 

grimneko

Cadet
Joined
Feb 10, 2014
Messages
2
I ran the script on a FreeNAS 11.1-U2, and it tried to install unifi5-5.6.30. It just won't start up at all. Sadly it doesn't write a log either, so I'm kinda stunned. Any hint what could be the issue or where I could investigate?
 

kjake

Dabbler
Joined
Mar 17, 2017
Messages
29
Hi! There’s a bug with iocage in U2 that breaks networking in some cases. It is fixed in an upcoming release.

Add this before the last restart in the script and it’ll fix it for the time being.

iocage exec ${JAIL_NAME} sysrc -f /etc/rc.conf ifconfig_epair0_name="epair0b"
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'm having some trouble with this myself. After successfully installing it before, I tried to log in to the Unifi manager this morning and got "connection refused". I was able to ping the IP, but openssl s_client -connect unifi.mydomain:8443 returned a "connection refused".

So, using iocage console unifi, I logged into the jail, and found that the unifi service wasn't running. I started it ( service unifi start), and it showed that it was running for a few seconds, and then it stopped again. Well, easy enough, the point of this script is to be able to blow away the jail and reinstall it easily, so I destroyed the jail, downloaded the latest unifi-jail.sh and deploy.sh to the appropriate locations, and ran unifi-jail.sh again.

It ran as expected until the end, when it returned this:
Code:
* Starting unifi
  + Started OK
  + Configuring VNET OK
  + Starting services OK
Importing keystore /etc/dehydrated/certs/unifi.familybrown.org/signed.p12 to /usr/local/share/java/unifi/data/keystore...
keytool error: java.lang.Exception: Alias <-noprompt> does not exist

Usage:
service -e
service -R
service [-v] -l | -r
service [-v] <rc.d script> start|stop|etc.
service -h

-e   Show services that are enabled
-R   Stop and start enabled /usr/local/etc/rc.d services
-l   List all scripts in /etc/rc.d and /usr/local/etc/rc.d
-r   Show the results of boot time rcorder
-v   Verbose

True


Thinking this looked like an issue with the cert deployment, I logged into the jail again and ran dehydrated -c -x to force reissue and re-deployment of the cert. Here was the output of that:
Code:
root@unifi:~ # dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
Processing unifi.familybrown.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr 26 00:24:47 2018 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for unifi.familybrown.org...
 + CloudFlare hook executing: deploy_challenge
 + Settling down for 10s...
 + Responding to challenge for unifi.familybrown.org...
 + CloudFlare hook executing: clean_challenge
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + CloudFlare hook executing: deploy_cert
 + Done!
 + CloudFlare hook executing: exit_hook


It appears to complete successfully, but when I try to start the unifi service, it stops almost immediately. I can't see anything in the log files either--the server.log hasn't been touched for two weeks:
Code:
root@unifi:/usr/local/share/java/unifi/logs # ll
total 12167
-rw-------  1 unifi  nogroup  37878935 Mar  3 07:32 mongod.log
-rw-------  1 unifi  wheel     7467144 Mar  3 07:32 server.log
-rw-------  1 unifi  wheel    10485763 Feb 25 09:37 server.log.1
-rw-------  1 unifi  wheel    10485852 Feb 17 01:39 server.log.2
-rw-------  1 unifi  wheel    10485866 Feb  8 17:53 server.log.3

...and nothing at all comes up in /var/log/messages (or anything else in /var/log/) when I try to start the service. I'm stumped. Any ideas?
 

kjake

Dabbler
Joined
Mar 17, 2017
Messages
29
hi @danb35
that error is from the deploy.sh script for dehydrated. check to see if you have the version with double-quotes around the alias name... I think that's what corrected that error.

keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore ${UNIFI}/data/keystore -srckeystore ${CERTS}/${FQDN}/signed.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias "unifi" -noprompt

As for the service not running/starting, are you running 11.1-U2? Plex and Unifi seem to ignore network interfaces that start with 'v' - and since we use vnet0 for those jails, they broke. In U2, iocage automatically renames vnet0 to epair0, but I still had issues with that and needed to add 'a' or 'b' to the end, so I chose 'b'.

This is how I fixed it in the jail creation script:
Code:
iocage exec ${JAIL_NAME} chown -R unifi /usr/local/share/java/unifi
iocage exec ${JAIL_NAME} sysrc -f /etc/rc.conf ifconfig_epair0_name="epair0b"
iocage exec ${JAIL_NAME} sysrc -f /etc/rc.conf ${JAIL_NAME}_enable="YES"
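The keytool message "Alias <-noprompt> does not exist" is the signature of a shell quoting slip: if a value-taking option is followed by an empty, unquoted variable (`-alias ${ALIAS}` with `ALIAS` unset), the shell drops the empty word and keytool reads the next flag, `-noprompt`, as the alias name. The deploy hook below is an added example, not kjake's deploy.sh: it quotes every expansion, refuses to run if any value that will follow an option is empty, creates the PKCS#12 bundle with a restrictive umask and deletes it after import (it holds the private key), and restarts the controller. It assumes the dehydrated hook calling convention (`deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`), UniFi's default keystore password `aircontrolenterprise`, the install path from the thread, and that `openssl`, `keytool` and `service` are on the PATH inside the jail; all three are overridable through `OPENSSL`, `KEYTOOL` and `SERVICE` so the argument handling can be checked without a Java runtime.

```shell
#!/bin/sh
# Added example: a dehydrated deploy_cert hook that installs a Let's Encrypt
# certificate into the UniFi keystore. Not the deploy.sh from the resource.
set -eu

UNIFI=${UNIFI:-/usr/local/share/java/unifi}          # assumed UniFi path in the jail
KEYSTORE_PASS=${KEYSTORE_PASS:-aircontrolenterprise} # UniFi's default keystore password
ALIAS=${ALIAS:-unifi}                                # alias UniFi reads its cert from
OPENSSL=${OPENSSL:-openssl}
KEYTOOL=${KEYTOOL:-keytool}
SERVICE=${SERVICE:-service}

# Every value that will follow an option flag must be non-empty. An empty,
# unquoted value makes keytool consume the *next flag* as the value, which is
# how "-alias -noprompt" and the "Alias <-noprompt> does not exist" error arise.
require_nonempty() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "deploy.sh: $name is empty, refusing to run keytool" >&2
      return 1
    fi
  done
}

# Reproduce the original failure mode on purpose: with an empty, unquoted
# alias the option list loses one element. Prints the resulting argv, one
# element per line, so the collapsed "-alias -noprompt" pair is visible.
broken_alias_argv() {
  empty=""
  # shellcheck disable=SC2086  (deliberately unquoted to show the bug)
  printf '%s\n' -alias $empty -noprompt
}

# Hardened import: quoted expansions, -noprompt placed before any
# value-taking option, 0600 PKCS#12 bundle removed once it is in the keystore.
import_cert() {
  domain=$1; keyfile=$2; fullchain=$3
  require_nonempty domain keyfile fullchain ALIAS KEYSTORE_PASS UNIFI || return 1
  umask 077                                  # the bundle contains the private key
  p12="$(dirname "$fullchain")/signed.p12"
  "$OPENSSL" pkcs12 -export -inkey "$keyfile" -in "$fullchain" -out "$p12" \
    -name "$ALIAS" -passout "pass:$KEYSTORE_PASS"
  # Remove the previous entry (UniFi ships a self-signed one under the same
  # alias); ignore the error on a keystore that has no such entry yet.
  "$KEYTOOL" -delete -alias "$ALIAS" \
    -keystore "$UNIFI/data/keystore" -storepass "$KEYSTORE_PASS" >/dev/null 2>&1 || true
  "$KEYTOOL" -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
    -srcalias "$ALIAS" -destalias "$ALIAS" \
    -destkeystore "$UNIFI/data/keystore" -deststorepass "$KEYSTORE_PASS" \
    -destkeypass "$KEYSTORE_PASS"
  rm -f "$p12"
  "$SERVICE" unifi restart
  echo "deploy.sh: installed certificate for $domain into $UNIFI/data/keystore"
}

# dehydrated passes: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
  import_cert "$1" "$2" "$4"
}

case "${1:-}" in
  deploy_cert) shift; deploy_cert "$@" ;;
  *) : ;;   # other hook stages (deploy_challenge, clean_challenge, ...) are not handled here
esac
```

Point dehydrated at it with `HOOK=/path/to/this-hook.sh` in its config, or call `deploy_cert` from the CloudFlare hook used in the thread. The `require_nonempty` guard is what turns the keytool error seen above into a clear message before anything touches the keystore.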
 