Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No way to use the library at all with self-signed certificate on the UDM Pro #25

Open
desrod opened this issue May 7, 2021 · 5 comments · May be fixed by #28
Open

No way to use the library at all with self-signed certificate on the UDM Pro #25

desrod opened this issue May 7, 2021 · 5 comments · May be fixed by #28

Comments

@desrod
Copy link

desrod commented May 7, 2021

Despite what the ``ssl_self_signed.rst` document states, pinning does not work at all for the initial login. You can create the client object, but you can't use it to query the API of the UDMP at all.

This includes port 443 and 8443. The self-signed certificate is queried correctly and passed back in the request, but since the Python 'requests' library can't validate the SSL certificate, it fails with the below (common) SSL verify error:

Traceback (most recent call last):
  File "./test.py", line 14, in <module>
    client.login()
  File "/tmp/env/src/unificontrol/unificontrol/unifi.py", line 155, in login
    self._login(username=username if username else self._user,
  File "/tmp/env/src/unificontrol/unificontrol/metaprogram.py", line 125, in wrapper
    return instance(client, *a, **kw)
  File "/tmp/env/src/unificontrol/unificontrol/metaprogram.py", line 103, in __call__
    return client._execute(url, self._method, rest_dict, need_login=self._need_login)
  File "/tmp/env/src/unificontrol/unificontrol/unifi.py", line 96, in _execute
    resp = ses.send(ses.prepare_request(request))
  File "/tmp/env/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/tmp/env/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.x.x', port=443): Max retries exceeded with url: /api/login (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1123)')))

Other than procuring an officially-signed, upstream SSL certificate that the standard host certificate chain will trust, this will not work. I did add the certificate directly from the controller to /usr/local/share/ca-certificates/ and refreshed the cert chain, still no success.

Is there a plan to support verify=False in the constructor, so this will work for those of us without an upstream SSL cert configured on our controllers?
@nickovs
Copy link
Owner

nickovs commented May 7, 2021

@desrod Thanks for the report. Can you provide a little information as to your environment (what OS, Python version and unificontrol version)? If you can provide info about the version of software on your UDM Pro that would also be helpful; Ubiquiti have been making a lot of changes recently so it's a bit of a moving target.

@desrod
Copy link
Author

desrod commented May 7, 2021

Sure can! I've been chasing down some very weird issues with my UDMP, which is what led me to find this project.

  • UDMP version: 1.9.3
  • Controller version: 6.1.71
  • Python version: 3.8.5 (in a venv, as above)
  • unificontrol from https://github.com/nickovs/unificontrol.git@6d02ae8fc3d8f536b51c45b2b42dbbadbda249e7#egg=unificontrol

The entire test script is:

#!/usr/bin/env python3 

import logging
logging.basicConfig(level=logging.DEBUG)
import unificontrol
import ssl

cert = ssl.get_server_certificate(("unifi.local", 8443))

client = unificontrol.UnifiClient(host="unifi.local", 
                                  port='443', 
                                  username='me', 
                                  password="SuperSecretPassword", 
                                  site='default', 
                                  cert=cert)

client.login()

I started with the IP statically defined, that didn't work, so I added an entry to /etc/hosts to match the name in the self-signed cert itself. Same results either way.

@rfroom
Copy link

rfroom commented Sep 1, 2021

Hello, I am running into same problem. Did anyone else find a solution or work-around?

@kpanchen
Copy link

Hello, same here, tried different things and nothing worked. I have my own CA, root and unifi certs both generated by CA, whatever I tried to provide root or unifi cert I have the same error: '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))

@caco3
Copy link

caco3 commented Sep 26, 2021

For me this failed because the certificate is expired. According to the web browser, it is signed by Ubiquiti Networks Inc. but expired already in 2011!
Because of this I always got this error: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129).

The only workaround I found was to patch unifi.py and add a verify=False on resp = ses.send(ses.prepare_request(request), verify=False).

To suppress the warnings I also added following to my main script:

import requests
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

@caco3 caco3 linked a pull request Sep 26, 2021 that will close this issue
Open
@Kolia56 Kolia56 mentioned this issue Nov 23, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Param to disable certificate validation caco3/unificontrol
5 participants
@caco3 @nickovs @desrod @rfroom @kpanchen