Unifi Network Controller on Debian 10 (as OpenBSD guest)


Lately problems emerged with my self-hosted Unifi network controller, which I had been running on a Raspberry Pi. Mainly I suffered from a missing admin collection in the underlying MongoDB, which rendered my controller unmaintainable as I was unable to log in to the system. Further investigation also showed multiple warnings about ext4 problems, so I decided to move away from the Raspberry and host the controller on a Linux guest running on OpenBSD's vmd(8).

My first attempt was Alpine Linux. I really enjoyed the brief moments with it, and the installer seemed to be OpenBSD inspired, which I liked. Sadly the current Alpine Linux does not have any MongoDB package available due to a change in licensing on MongoDB’s side. So I decided to go with Debian, as both MongoDB and Ubiquiti provide packages for Debian. Being a security-conscious being, I opted for Debian 10, their current stable distribution.

This is where the trouble began.

The nice thing about running the latest stable is having current (i.e. in the Debian sense for that matter) software packages at your disposal. Little did I know that Debian also ditched MongoDB for the same reasons as Alpine (or the other way around?), but luckily I could get away with using MongoDB’s repository for the 3.6 release of the database (unifi’s package does not support a version >= 4.0.0). Unifi also has trouble with Java 11, and last but not least it uses a poor choice of TLS parameters, which culminated in an instance of the controller that I was unable to reach from my browser as there was no way to negotiate a secure connection. To make matters worse, some commands taken from Ubiquiti’s documentation did harm the overall process (apt-mark). But to be fair, the instructions are for Debian 8 and 9.

So without further ado here are the steps to get the unifi network controller v6.2.26 running:

apt install -y gnupg2
echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" | \
    tee /etc/apt/sources.list.d/mongodb-org-3.6.list
wget -qO - https://www.mongodb.org/static/pgp/server-3.6.asc | \
    apt-key add -
echo "deb https://www.ui.com/downloads/unifi/debian stable ubiquiti" | \
    tee /etc/apt/sources.list.d/100-ubnt-unifi.list
wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
apt update
apt install -y mongodb-org ca-certificates apt-transport-https unifi
systemctl start mongod
systemctl enable mongod
echo 'JAVA_HOME="$( readlink -f "$( which java )" | sed "s:bin/.*$::" )"' | \
    tee /etc/default/unifi
ln -s /usr/lib/jvm/java-11-openjdk-amd64/lib/ /usr/lib/jvm/java-11-openjdk-amd64/lib/amd64
cat <<EOF >> /usr/lib/unifi/data/system.properties
unifi.https.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
unifi.https.sslEnabledProtocols=TLSv1.2
EOF
systemctl start unifi
systemctl enable unifi

At least in my environment the controller takes some minutes to fully boot, so patience is required. I guess the system properties can be even more fine-tuned, but for me the above worked, and as I had already spent a significant amount of time on the topic I only wanted to be over with it.
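
The two TLS lines are appended with `cat >>`, so an earlier, weaker assignment of the same key can linger in system.properties. The following added example (not part of the original post or of Ubiquiti's tooling) audits such a file; it assumes the last assignment of a repeated key wins, as in java.util.Properties, and that only TLSv1.2/TLSv1.3 with ECDHE AEAD suites count as acceptable. The sample file is constructed.

```shell
#!/bin/sh
# Added example: audit the TLS overrides in a UniFi system.properties file.

# Print the last value assigned to key $2 in file $1 (assumption: the last
# assignment wins, as with java.util.Properties, so repeated appends matter).
prop_value() {
    awk -v key="$2" '
        { k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k) }
        k == key { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v) }
        END { print v }' "$1"
}

# Return 0 only when every protocol is TLSv1.2/TLSv1.3 and every cipher is an
# ECDHE suite with an AEAD mode; print one FAIL line per finding otherwise.
audit_tls_props() {
    rc=0
    protocols=$(prop_value "$1" unifi.https.sslEnabledProtocols)
    ciphers=$(prop_value "$1" unifi.https.ciphers)
    [ -n "$protocols" ] || { echo "FAIL: sslEnabledProtocols not set"; rc=1; }
    [ -n "$ciphers" ] || { echo "FAIL: ciphers not set"; rc=1; }
    for p in $(echo "$protocols" | tr ',' ' '); do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FAIL: legacy protocol enabled: $p"; rc=1 ;;
        esac
    done
    for c in $(echo "$ciphers" | tr ',' ' '); do
        case $c in
            TLS_ECDHE_*_GCM_SHA256|TLS_ECDHE_*_GCM_SHA384) ;;
            TLS_ECDHE_*_CHACHA20_POLY1305_SHA256) ;;
            *) echo "FAIL: not an ECDHE AEAD suite: $c"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: a weak override followed by the two lines from the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
unifi.https.sslEnabledProtocols=TLSv1,TLSv1.2
unifi.https.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA
unifi.https.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
unifi.https.sslEnabledProtocols=TLSv1.2
EOF
audit_tls_props "$sample" && echo "OK: $sample"
```

On a real installation, call `audit_tls_props /usr/lib/unifi/data/system.properties` after appending the overrides and before starting the service.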

Thanks to the following blogs for guidance and input:

  1. https://spod.cx/blog/unifi_controller_debian_buster.shtml
  2. https://www.reddit.com/r/Ubiquiti/comments/hpwlnr/no_tls_12_in_windows_version_of_unifi_controller/