SSL for Ubiquiti UniFi Controller Software – Linux

Overview

These are the steps to install or update the SSL certificate on Ubiquiti UniFi Controller software.

Detailed Steps

  1. Log in to the Linux host via SSH, then sudo su - root.
  2. Copy SSL certificate, key file, and CA Bundle onto host.
  3. Verify the existing keystore – keytool -list -keystore /var/lib/unifi/keystore, password is aircontrolenterprise.
  4. Backup the original keystore – cp /var/lib/unifi/keystore /home/keystore.orig.
  5. Start the generation of the new keystore – openssl pkcs12 -export -in /tmp/STAR_rm-pc_com.crt -inkey /tmp/STAR_rm-pc_com_key.txt -out /tmp/tmpkeystore -passout pass:aircontrolenterprise -name unifi
  6. Complete the generation of the new keystore – keytool -importkeystore -srckeystore /tmp/tmpkeystore -srcstorepass aircontrolenterprise -destkeystore /tmp/newkeystore -deststorepass aircontrolenterprise -alias unifi -trustcacerts
  7. Copy the new keystore into place – cp /tmp/newkeystore /var/lib/unifi/keystore
  8. Restart the controller software – systemctl restart unifi
  9. Verify that the new SSL certificate is being served and is correct by opening the controller in a web browser: https://yourctrl.name:8443.
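
The checks below are an added example, not part of the original post. They confirm that the private key belongs to the certificate and that the certificate has not expired before step 5 runs, then read the PKCS#12 file back to confirm it holds the same certificate. The function names are hypothetical, and the self-signed demo pair is constructed so the script runs offline with only openssl.

```shell
#!/bin/sh
# Added example: checks around steps 5-6. Demo files below are constructed.

# True when the certificate ($1) and private key ($2) share one public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of a PEM certificate file ($1).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate inside a PKCS#12 file ($1, password $2).
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Step 5 with guards. Arguments: cert, key, output file, password.
build_checked_p12() {
    cert_matches_key "$1" "$2" ||
        { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout "pass:$4" -name unifi || return 1
    [ "$(p12_fingerprint "$3" "$4")" = "$(cert_fingerprint "$1")" ]
}

# Constructed self-signed pair standing in for the real certificate and key.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" good
make_demo_pair "$demo_dir" other
build_checked_p12 "$demo_dir/good.crt" "$demo_dir/good.key" \
    "$demo_dir/tmpkeystore" aircontrolenterprise && echo "PKCS#12 verified"
build_checked_p12 "$demo_dir/good.crt" "$demo_dir/other.key" \
    "$demo_dir/bad" aircontrolenterprise || echo "mismatched key rejected"
```

On the controller host, call build_checked_p12 with the real certificate and key paths in place of the demo pair, then continue with the keytool import in step 6.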

Raspbian – Turn off Screen Timeout & Enable RDP to GUI

If you have a Raspberry Pi that you want to run the GUI on without the display going to sleep (maybe running some displays for a NOC?), here’s my setup:

  1. Login as your user that will auto-login to the GUI desktop, and start a Terminal session.
  2. From the Terminal, perform the following to remove the default VNC server:
    sudo apt remove vnc4server tightvncserver
    sudo apt autoremove
    
  3. Then, install Vino and xRDP:
    sudo apt install vino xrdp
    
  4. Now, perform the following as your user:
    vi ~/.config/autostart/vino.desktop  <== File contents follow
    [Desktop Entry]
    Encoding=UTF-8
    Type=Application
    Name=VINO
    Comment=
    Exec=/usr/lib/vino/vino-server
    StartupNotify=false
    Terminal=false
    Hidden=false
    
    vi ~/.xinitrc  <== File contents follow
    xset s off
    xset -dpms
    xset s noblank
    
  5. Lastly, as your user, execute the following commands:
    gsettings set org.gnome.Vino require-encryption false  <== Turns off encryption
    gsettings set org.gnome.Vino prompt-enabled false  <== Turns off prompting for an account
    gsettings set org.gnome.Vino authentication-methods "['vnc']"  <== Sets the default authentication method for Vino to VNC
    gsettings set org.gnome.Vino vnc-password "$(echo -n 'APWnot<8' | base64)"  <== Sets a password to authenticate the session with. NOTE - the password needs to be 8 characters or less; it is stored base64-encoded, not encrypted.
    
  6. Now, perform the following to configure xRDP:
    sudo vi /etc/xrdp/xrdp.ini  <== File contents follow
    [xrdp1]
    name=Active Local Login
    lib=libvnc.so
    username=
    password=ask
    ip=127.0.0.1
    port=5900
    
    sudo systemctl enable xrdp
    sudo systemctl restart xrdp
    
  7. Now, perform the following to configure lightDM:
    sudo vi /etc/lightdm/lightdm.conf  <== File contents follow
    xserver-command=X -s 0 -dpms
    
  8. Now reboot the Pi, and test your connectivity. You should now connect to the active, logged-in session that is on the screen.

How to Reset Password on a SMC 6128L2 Tiger Switch

  1. Establish a console connection to the switch.
  2. Disconnect the power to the switch.
  3. Reconnect the power to the switch, and press CTRL-U during boot up.
  4. At this point you should receive a password prompt.  The password should be mercury.  Note, there is a delayed response from the console.
  5. You should now see a list of config and operation files. Look for the config file that has a 1 next to it in the S/UP field – this is the config file that is loading with the bad/unknown password. Press “D” to delete a file, then type the name of the file. The name is case sensitive, so type it exactly as it is displayed. The deletion can take about 30 seconds to complete.
  6. Press “Q” to quit. If no startup file is set, the switch will default back to the factory default configuration.
  7. If it worked, the login will be back to the default: Username: admin and Password: admin.

ICMP Being Blocked From a Separated Internal Network on a Windows 10 Host

Suppose you have a Windows 10 host on a network, let’s say 192.168.100.28, and a monitoring host on a server network, let’s say 192.168.200.12. Other hosts on the 192.168.100.0/24 network are able to ping the Windows 10 host, but your monitoring host is not. The easy fix is to open an elevated command prompt, and then type:

netsh firewall set icmpsetting type=all mode=enable

Raspbian Notes – Stabilize CPU Performance and Turn Off Radios

Add/set the following in /boot/config.txt:

# Stops CPU Ramping
force_turbo=1

# Helps to avoid SD card corruption from force_turbo
boot_delay=1

# Disable Bluetooth & WiFi
dtoverlay=pi3-disable-bt
dtoverlay=pi3-disable-wifi

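Add/set the following in /boot/cmdline.txt. The file is a single line with no comment support, so append the parameters to the existing line:

nohz=off elevator=noop

nohz=off turns off dynamic clock ticks. elevator=noop changes the I/O scheduler to noop, which is better for SD cards and flash storage devices.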

Change CPU Performance:

apt install cpufrequtils
vi /etc/default/cpufrequtils
GOVERNOR="performance"

Reboot & verify the governor setting.