Having been bothered by Ubiquiti’s HTTPS certificate issue for years, today I finally find some time to resolve this. There are multiple ways to resolve this, but I’m not able to find a perfect solution on the internet, so I write down my solution here.
I’m not going to use a public domain name, neither will I issue a certificate through a public issuer, for example, letencrypt, which I’ve been vasively used for my public websites. The reason is for me, I don’t want my router to be exposed to the public internet, and the less exposion, the better. Setting up a letsencrypt certificate, most probably I need verify I own this domain name and the server, which means I will reveal my public IP address for my router, and that is not my intension.
With that, I’m going to generate a self signed certificate with a generated CA on a domain name I generated dedicated for my router (router.local). Then I will import my CA to my devices that need to access the router. Finally I’ll redirect my router’s local IP address to a local domain name (router.local).
Now I’m gonig to show you how to archive all the above step by step.
Genaret CA and certifacte for the router
Here is the script. Copy and paste it into a file and run it on a Mac/Linux environment.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79
This script will generate several files, and among them, there are 2 files are import to us,
server.pem. The file
ubntCA.pem is the one we need to import into our devices that need to access the router.
As an exapmle, to import the CA to a Windows system, run this command on a Command line with Administrator access.
Install the generated certificate on the router
From the last step, we have generated a file called
server.pem. This is the file we need to install onto the router.
We can use
scp command to copy this file to the router, like this:
scp server.pem USER@188.8.131.52:~/
Here, USER is the username, and 184.108.40.206 is the IP address of the router.
Open a ssh connection to the router, and copy the the file to the lighttpd server configuration folder.
1 2 3
Then restart the lighttpd server:
Bind the domain name to the router’s IP
Of course we can modify each client’s hosts file to redirect the domain router.local into the IP of the router, in this case, it’s 220.127.116.11, but I want to do this in a smarter way, so that each client doesn’t need to manually modify the hosts file. I’m going to modify the router itself.
Again ssh into the router and run
configure command to goin the configuration shell.
Then run the following command:
1 2 3
Probably there is a way to configure this on the Web UI also, but since CLI can handle this faster, I don’t want to find a way on the UI.
Now we can access the router on a client side without the certificate error. Just open https://router.local on a client that has imported the CA.
Last question is, what if a user open https://18.104.22.168 which is the IP address of the router? They will still get a SSL certificate error.
To resolve the last problem and make this solution perfect, follow the next step.
Redirect router IP to its domain name
Again ssh into the router and go to the folder
/etc/lighttpd/conf-enabled and create a new file called
11-redirect.conf with the following content.
1 2 3 4 5 6 7
Then edit the file
/etc/lighttpd/lighttpd.conf to include the above config file.
1 2 3
Add the second line, the same way as the existing
Now restart the lighttpd server again.
Permanently save the cert file configuration for lighttpd
So far, everything works. But one day you reboot your router and find the server certificate is regenerated. To resolve this issue, we need to save the configuration in a permanent way.
Login to the router by ssh and copy the
server.pem file into folder
/config/auth/ and run the following command
1 2 3 4
Run this command to show everything is good:
It will show the following:
1 2 3 4 5
By the way, you should always set the
listen-address to a local IP address for both services
ssh. This will prevent the router from accessing from the public internet, which I see no point Ubiquiti not setting it as a default.
Conguratulations, you find a perfect solution!