Running Unifi Network Controller 8.1.113 on Openbsd 7.5


So I decided to give the UniFi Controller a shot on OpenBSD. Most importantly, the plan was to run it alongside all the other daemons on the system, so I don't need a separate VM or machine just for the UniFi Controller. Spoiler: while I was able to get the UniFi Controller to run on my OpenBSD server, I stopped the daemon right away once everything was up and running. But why would I go through all the hassle just to not use it, you might ask? Well, if you are not interested in the intricacies of getting the controller up and running, just skip to the conclusion.

All commands are run as root unless otherwise specified.

Acknowledgements

The whole thing was greatly inspired by Renaud Allard's piece.

It is also possible to use the net/unifi port, but as I didn't want to pull in the whole ports(7) tree just for one port, I decided to go down my own route.

Getting all the bits and pieces

You need to download the latest release of the UniFi Network Application (formerly known as Controller), install MongoDB, and install a Java runtime no newer than 17 for the Controller to run. The Controller also gets its own user (make sure to use a UID and GID > 1000 to avoid clashes with system and ports users).

First, create the user the UniFi Controller will run as:

useradd -g =uid -m -d /var/unifi -L daemon -c 'Unifi daemon' -s /sbin/nologin _unifi

Now you need to install and set up all the dependencies for running the Controller. As you want authentication for basically everything in a mixed environment, you are also setting up MongoDB to use authentication. This also means that you need to set up the MongoDB users and databases before running the UniFi Controller. Java itself doesn't need any special configuration.

You will start by installing the packages needed:

pkg_add mongodb-4.4.29 jdk-17.0.10.7.1v0 unzip
rcctl enable mongodb
rcctl start mongod
mongo --port 27017

and then …

Keycloak Upgrade 22.0.5 -> 24.0.3


After running into more or less the same problem with every damn Keycloak upgrade, it's time to put some notes into place so I won't struggle with it anymore in the future. At least not with the same problem.

  • Change into the root directory for keycloak

    cd /var/www
    
  • Download the latest release tarball

    curl -LO https://github.com/keycloak/keycloak/releases/download/24.0.3/keycloak-24.0.3.tar.gz
    
  • Change ownership

    chown _keycloak keycloak-24.0.3
    
  • Read the upgrade instructions! For me, most of the time it boils down to

    cp -Rpv keycloak-22.0.5/{conf,providers,themes} keycloak-24.0.3/
    

  • Change into the new release directory

    cd keycloak-24.0.3/
    
  • Stop old keycloak

    rcctl stop keycloak
    
  • This step is crucial and well hidden within the documentation of keycloak.

    JAVA_HOME=/usr/local/jdk-21 bin/kc.sh build
    

    Skipping the build before starting Keycloak with the --optimized flag (which my rc file passes) results in an exception about the JDBC URL:

    2024-04-19 13:38:08,815 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: URL format error; must be "jdbc:h2:{ {.|mem:}[name] | [file:]fileName | {tcp|ssl}:[//]server[:port][,server2[:port]]/name }[;key=value...]" but is "jdbc:postgresql://localhost:5432/keycloak" [90046-224]
    
  • Adjust daemon_execdir in /etc/rc.d/keycloak to reflect the new version

  • Start the new keycloak

    rcctl start keycloak
    
  • Clean up behind you

    rm -rd /var/www/keycloak-22.0.5
    
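As an added example (not the post's own script), here are the steps above folded into one shell function that enforces the order the post found to matter, build before start, and refuses to continue when a release directory is missing. It assumes a hypothetical layout where releases live as /var/www/keycloak-<version>/ and the rc script contains a daemon_execdir="..." line; KC_BUILD_CMD and RCCTL_CMD are assumed override hooks so the flow can be dry-run without a real Keycloak.

```shell
#!/bin/sh
# Added example, not the post's own script: the steps above as one ordered
# function with guards. Assumes releases live as $ROOT/keycloak-<version>/ and
# that the rc script has a line daemon_execdir="/var/www/keycloak-<version>".
# KC_BUILD_CMD and RCCTL_CMD can be overridden to dry-run without Keycloak.
set -eu

# Copy conf, providers and themes from the old release into the new one;
# refuse to run against a release directory that does not exist.
stage_release() {  # stage_release OLD_DIR NEW_DIR
    [ -d "$1" ] && [ -d "$2" ] || { echo "release dir missing" >&2; return 1; }
    for d in conf providers themes; do
        [ -d "$1/$d" ] && cp -Rp "$1/$d" "$2/"
    done
    return 0
}

# Repoint daemon_execdir in RCFILE at NEW_DIR (no sed -i: not portable).
bump_execdir() {  # bump_execdir RCFILE NEW_DIR
    sed "s|^daemon_execdir=.*|daemon_execdir=\"$2\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 0 iff RCFILE already points at NEW_DIR, i.e. the easily forgotten step is done.
execdir_is() {  # execdir_is RCFILE NEW_DIR
    grep -q "^daemon_execdir=\"$2\"\$" "$1"
}

# Stage, build, then stop/repoint/start. The build must precede the start:
# db is a build-time option, so starting --optimized on a release that was
# never built uses the default (H2) database and yields the error quoted above.
upgrade_keycloak() {  # upgrade_keycloak ROOT OLD_VERSION NEW_VERSION RCFILE
    old="$1/keycloak-$2" new="$1/keycloak-$3"
    stage_release "$old" "$new"
    ( cd "$new" && ${KC_BUILD_CMD:-env JAVA_HOME=/usr/local/jdk-21 bin/kc.sh build} )
    ${RCCTL_CMD:-rcctl} stop keycloak || true   # tolerate "not running"
    bump_execdir "$4" "$new"
    ${RCCTL_CMD:-rcctl} start keycloak
}
```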

Cfssl Cheatsheet


Generate new Server Certificates

  • Generate CSR, certificate and private key for fqdn:

    fqdn=host.domain.tld
    cfssl gencert -ca intermediate/intermediate_ca.pem \
      -ca-key intermediate/intermediate_ca-key.pem \
      -config config.json \
      -profile server certificates/${fqdn}.json | cfssljson -bare certificates/${fqdn}
    
  • Generate chain

    cat certificates/${fqdn}.pem intermediate/intermediate_ca.pem > certificates/${fqdn}-full.pem 
    
  • Generate PKCS#12

    openssl pkcs12 -export \
      -in certificates/${fqdn}.pem \
      -inkey certificates/${fqdn}-key.pem \
      -out certificates/${fqdn}.p12 \
      -name ${fqdn} \
      -CAfile brank.pem \
      -chain
    
  • Convert to Java Keystore

    keytool -importkeystore \
      -deststorepass changeit \
      -destkeypass changeit \
      -destkeystore foo.keystore \
      -srckeystore certificates/${fqdn}.p12 \
      -srcstoretype PKCS12 \
      -srcstorepass password \
      -alias ${fqdn}
    
  • Cleaning up

    unset fqdn
    
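Before a freshly generated ${fqdn}-full.pem (or a renewed one from the sections below) goes onto a server, it is worth proving that the bundle actually chains to the root and is not about to expire. The following is an added example, not part of the cheat sheet: it uses openssl rather than cfssl for the checks, and make_test_chain builds a throw-away root/intermediate/leaf set as constructed input so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: pre-deployment checks for a
# ${fqdn}-full.pem bundle (leaf first, then intermediate). verify_chain proves
# the leaf chains to the root via the bundle's own intermediates; check_expiry
# flags anything expiring within DAYS. make_test_chain builds constructed data.
set -eu
# Split a PEM bundle into OUTDIR/cert.0 (leaf), cert.1, ... in file order.
split_bundle() {  # split_bundle BUNDLE OUTDIR
    awk -v d="$2" '/-----BEGIN CERT/{n++} n>0{print > (d "/cert." n-1)}' "$1"
}

# 0 iff cert.0 of BUNDLE verifies against ROOT; the other certs in the bundle
# are offered as untrusted intermediates, just as a TLS client treats them.
verify_chain() {  # verify_chain BUNDLE ROOT
    d=$(mktemp -d); split_bundle "$1" "$d"; u=""; rc=0
    for c in "$d"/cert.*; do [ "$c" = "$d/cert.0" ] || cat "$c" >> "$d/u.pem"; done
    [ -s "$d/u.pem" ] && u="-untrusted $d/u.pem"
    openssl verify -CAfile "$2" $u "$d/cert.0" > /dev/null 2>&1 || rc=1
    rm -r "$d"; return $rc
}

# 0 iff every cert in BUNDLE is still valid DAYS days from now.
check_expiry() {  # check_expiry BUNDLE DAYS
    d=$(mktemp -d); split_bundle "$1" "$d"; rc=0
    for c in "$d"/cert.*; do
        openssl x509 -in "$c" -noout -checkend $(( $2 * 86400 )) > /dev/null || {
            echo "expires within $2 days: $(openssl x509 -in "$c" -noout -subject)" >&2
            rc=1
        }
    done
    rm -r "$d"; return $rc
}
# Constructed test data: root -> intermediate -> leaf (EC P-256), leaf valid
# for LEAF_DAYS. Writes root.pem and full.pem (leaf + intermediate) into DIR.
make_test_chain() {  # make_test_chain DIR LEAF_DAYS
    d=$1; kp="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
    printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:false\nsubjectAltName=DNS:host.domain.tld\n' > "$d/leaf.ext"
    for n in root int leaf; do
        openssl req -new $kp -keyout "$d/$n-key.pem" -out "$d/$n.csr" -subj "/CN=test-$n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root-key.pem" -days 60 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root-key.pem" \
        -CAcreateserial -days 60 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int-key.pem" \
        -CAcreateserial -days "$2" -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" > "$d/full.pem"   # same order as the cheat sheet
}
```

A leaf handed over without its intermediate fails verify_chain, which is the usual cause of "unable to get local issuer certificate" on the client side.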

Renew expired intermediate CA certificate

  • New CSR

    cfssl gencsr -key intermediate/intermediate_ca-key.pem \
      intermediate/intermediate-ca.json |\
      cfssljson -bare intermediate/intermediate_ca
    
  • Sign CSR

    cfssl sign -ca root/ca.pem \
      -ca-key root/ca-key.pem \
      -config config.json \
      -profile intermediate_ca \
      intermediate/intermediate_ca.csr |\
      cfssljson -bare /tmp/intermediate_ca
    
  • Recreate chain

    fqdn=relayd.rand.clacks.xyz
    cat certificates/${fqdn}.pem intermediate/intermediate_ca.pem > certificates/${fqdn}-full.pem
    
  • Cleanup environment

    unset fqdn
    

Renew expired server certificate

  • Set variable to make our life easier

    fqdn=host.domain.tld
    
  • New CSR

    cfssl gencsr -key certificates/${fqdn}-key.pem \
      certificates/${fqdn}.json |\
      cfssljson -bare certificates/${fqdn}
    
  • Sign CSR

    cfssl sign -ca intermediate/intermediate_ca.pem \
      -ca-key intermediate/intermediate_ca-key.pem \
      -config config.json \
      -profile server \
      certificates/${fqdn}.csr |\
      cfssljson -bare certificates/${fqdn}
    
  • Recreate chain

    cat certificates/${fqdn}.pem intermediate/intermediate_ca.pem > certificates/${ …