Ubiquiti UniFi - Fix for the Let's Encrypt DST Root CA X3 Expiration
```sh
# Some UniFi devices may not have the current ISRG root cert that Let's Encrypt (LE) uses
# Some devices also have an older version of OpenSSL
# These older versions will not validate a cert if the expired DST root cert is part of the chain

# USG
# This has an older OpenSSL version
# The current ISRG root cert is not included in the latest firmware
sudo -i
# A leading "!" deselects the cert in ca-certificates.conf
sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
# -k disables TLS verification (the device cannot validate the LE chain yet), so the
# download is unauthenticated: compare the file's SHA-256 fingerprint with the value
# Let's Encrypt publishes before running update-ca-certificates
curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
update-ca-certificates --fresh

# UDM
# This is needed at the hardware OS level because of the older OpenSSL version there
# The ISRG root cert should already be included
mv /etc/ssl/certs/DST_Root_CA_X3.pem /etc/ssl/certs/DST_Root_CA_X3.old

# UAP
# Some older UAPs have an older version of OpenSSL
# The ISRG root cert should be included in the latest firmware
mv /etc/ssl/certs/DST_Root_CA_X3.crt /etc/ssl/certs/DST_Root_CA_X3.old
```
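The USG step fetches a new trust anchor with `curl -k`, so nothing authenticates the file before it enters the system store. The following is an added example, not part of the original gist: it installs a downloaded CA file only when its SHA-256 fingerprint matches a pinned value. The function names, the `/tmp` path and `EXPECTED_FP` (a placeholder for the ISRG Root X1 fingerprint read from letsencrypt.org on a trusted machine) are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): pin a CA file to a known SHA-256
# fingerprint before copying it into the trust store directory.

# Normalise a fingerprint: drop colons and whitespace, upper-case the hex.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n\r' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-256 fingerprint of the certificate in PEM file $1.
cert_sha256() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    # Output looks like "SHA256 Fingerprint=AA:BB:..."; keep what follows "=".
    norm_fp "${out#*=}"
}

# install_pinned_ca SRC EXPECTED_FP DEST
# Copies SRC to DEST only if SRC parses as a certificate and its fingerprint
# equals EXPECTED_FP. Returns 2 for an unreadable cert, 1 for a mismatch.
install_pinned_ca() {
    actual=$(cert_sha256 "$1") || {
        echo "not a readable certificate: $1" >&2
        return 2
    }
    expected=$(norm_fp "$2")
    if [ -z "$expected" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $1: got $actual" >&2
        return 1
    fi
    cp "$1" "$3"
}

# Usage on the USG (EXPECTED_FP is a placeholder you fill in yourself):
#   curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /tmp/isrgrootx1.pem
#   install_pinned_ca /tmp/isrgrootx1.pem "$EXPECTED_FP" \
#       /usr/local/share/ca-certificates/ISRG_Root_X1.crt \
#     && update-ca-certificates --fresh
```

Because the download lands in `/tmp` first, a tampered or truncated file never reaches `/usr/local/share/ca-certificates`, and `update-ca-certificates` only runs after a match.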