{"id":2785,"date":"2022-07-08T16:28:46","date_gmt":"2022-07-08T08:28:46","guid":{"rendered":"https:\/\/blog.warbel.net\/?p=2785"},"modified":"2023-12-21T12:39:19","modified_gmt":"2023-12-21T04:39:19","slug":"configuring-ubiquiti-powerbeam-with-custom-tls-certificates","status":"publish","type":"post","link":"https:\/\/blog.warbel.net\/index.php\/2022\/07\/08\/configuring-ubiquiti-powerbeam-with-custom-tls-certificates\/","title":{"rendered":"Configuring Ubiquiti Powerbeam with custom TLS Certificates"},"content":{"rendered":"

Background<\/h1>\n

I recently re-connected the WA Freenet<\/a> (discord here<\/a>), an open WiFi wide-area-network that spans the Perth metropolitan area. Perth has an ideal geography for a WiFi network as it is extraordinarily flat, with an escarpment running along the eastern spine with excellent line-of-site to the suburbs.<\/p>\n

I had joined the WAFN many years ago and it is thanks to the other operators on the network that, at the time, I was able to learn how to configure IPv4 subnets, firewalls, and BGP routing, skills that have served me well in my professional career.<\/p>\n

Moving forward to the present day, I was pleasantly surprised to find that I was able to connect to an existing AP with links to the backbone of the network from my address. So I purchased two new radios – a Powerbeam AC 500 for my link in Ardross, and a Powerbeam 5AC Gen2 for my roof at home. Without much hassle, and with the support of the WAFN community, I was able to reconfigure my Ubiquiti Edgerouter with BGP, advertise my routes and accept those advertised to me.<\/p>\n

Problem:<\/h1>\n

I personally hate seeing the ‘this website is insure’ messages that appear when a site uses self signed certificates. At home, I secure all my internal websites, devices and appliances with my internal CA certificates. So I wanted to do the same for the new radios. However, I was unable to find a website that outlined the entire process end-to-end, so thought I should write one myself.<\/p>\n

Process:<\/h1>\n

Firstly, download the custom-script firmware for your device and install it. From the table below, it is easy to deduce the URL to download the appropriate firmware from UBNT.<\/p>\n\n\n\n\n\n
Firmware Table Examples<\/caption>\n
Version<\/th>\nModel<\/th>\nURL of Hardware<\/th>\nNon-CS<\/th>\nCS<\/th>\n<\/tr>\n
8.7.11<\/td>\nPowerbeam 5AC 500<\/td>\nUBNT Website<\/a><\/td>\nhttps:\/\/dl.ui.com\/firmwares\/XC-fw\/v8.7.11\/XC.v8.7.11.46972.220614.0419.bin<\/a><\/td>\nhttps:\/\/dl.ui.com\/firmwares\/XC-fw\/v8.7.11\/XC.v8.7.11-cs.46972.220614.0419.bin<\/a><\/td>\n<\/tr>\n
8.7.11<\/td>\nPowerbeam 5AC Gen 2<\/td>\nUBNT Website<\/a><\/td>\nhttps:\/\/dl.ui.com\/firmwares\/XC-fw\/v8.7.11\/WA.v8.7.11.46972.220614.0420.bin<\/a><\/td>\nhttps:\/\/dl.ui.com\/firmwares\/XC-fw\/v8.7.11\/WA.v8.7.11-cs.46972.220614.0420.bin<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Don’t forget also, that you will need to setup DNS to point to your device with its internal hostname. <\/p>\n

The custom script (CS) firmware version is important because it is necessary to run a script on the device at boot time.<\/p>\n

Then, generate your TLS certificates. How you do that is not covered here. I personally use easyrsa<\/a> to manage my internal certificates. I also deploy my root CA certificate to all my devices via AD group policy on Windows, or via Ansible for my linux hosts.<\/p>\n

You should have a certificate that looks something like the below, called server3.crt<\/p>\n

-----BEGIN CERTIFICATE-----\r\n\r\nMIIG1TCCB....\r\n\r\n-----END CERTIFICATE-----\r\n\r\n-----BEGIN RSA PRIVATE KEY-----\r\n\r\nTlI0kiQCiPGN...\r\n\r\n-----END RSA PRIVATE KEY-----<\/pre>\n
Then upload the certificate to your device:<\/p>\n
scp server3.crt ubnt@<device>:\/etc\/persistent\/https\/server3.pem<\/pre>\n
Log into the powerbeam via SSH: Create rc file in ‘\/etc\/persistent\/rc.poststart’ with following content<\/p>\n
\n
#!\/usr\/bin\/sh<\/span>\r\ncp \/etc\/persistent\/https\/server3.pem \/etc\/server.pem\r\nkill<\/span> $(<\/span>ps |<\/span> grep [<\/span>l]<\/span>ighttpd |<\/span> awk '{ print $1 }'<\/span>)<\/span>\r\n<\/pre>\n<\/div>\n
Then make it executable, save the configuration and reboot<\/p>\n
\n
chmod +x \/etc\/persistent\/rc.poststart\r\nsave\r\nreboot<\/pre>\n<\/div>\n
And done! <\/p>\n
References: https:\/\/community.ui.com\/questions\/AirOS-8-custom-SSL-certificates-Guide-Resolved\/fcf2d671-1933-4fe1-bdcb-ba33a94020e4 <\/a><\/p>\n
Images<\/h1>\n
\"\"<\/p>\n
\"\"<\/p>\n
\"\"<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Background I recently re-connected the WA Freenet (discord here), an open WiFi wide-area-network that spans the Perth metropolitan area. Perth has an ideal geography for a WiFi network as it is extraordinarily flat, with an escarpment running along the eastern … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[91,100,99],"tags":[],"class_list":["post-2785","post","type-post","status-publish","format-standard","hentry","category-networking","category-ubiquiti","category-wafreenet"],"_links":{"self":[{"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/posts\/2785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/comments?post=2785"}],"version-history":[{"count":4,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/posts\/2785\/revisions"}],"predecessor-version":[{"id":2825,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/posts\/2785\/revisions\/2825"}],"wp:attachment":[{"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/media?parent=2785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/categories?post=2785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.warbel.net\/index.php\/wp-json\/wp\/v2\/tags?post=2785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}