
Copying unifi-core-direct.crt and unifi-core-direct.key is causing DNS for my domain to resolve to UDM console login #56

Closed
jonathann92 opened this issue Jun 22, 2023 · 7 comments

Comments

@jonathann92
Contributor

jonathann92 commented Jun 22, 2023

Issue

When I use the ubios-cert.sh script to generate and deploy a cert for mydomain.com, I noticed that sometime after 10-30 minutes all my DNS queries point to the default network's gateway's IP address. This is resulting in my browser going to the unifi console login. This is happening for any wildcard *.mydomain.com as well.

I set the DNS settings to Auto for my Internet -> Primary (WAN1) network and all my internal networks as well.

What I found that resolved the issue for me

In the ubios-cert.sh file I commented out the lines that created the unifi-core-direct.crt and unifi-core-direct.key files. When the unifi-core service restarted I noticed that the unifi-core-direct.crt and unifi-core-direct.key were automatically created anyways.

I noticed that if I remove them and restart the unifi-core service, the unifi-core-direct.crt's subject is changed to <string of hex characters>.id.ui.direct. I inspected the cert by using openssl x509 -noout -text -in unifi-core-direct.crt.

The lines that I commented out:

		cp -f ${ACMESH_ROOT}/${CERT_NAME}/fullchain.cer ${UNIFIOS_CERT_PATH}/unifi-core-direct.crt
		cp -f ${ACMESH_ROOT}/${CERT_NAME}/${CERT_NAME}.key ${UNIFIOS_CERT_PATH}/unifi-core-direct.key
		chmod 644 ${UNIFIOS_CERT_PATH}/unifi-core.crt ${UNIFIOS_CERT_PATH}/unifi-core-direct.crt
		chmod 644 ${UNIFIOS_CERT_PATH}/unifi-core.key ${UNIFIOS_CERT_PATH}/unifi-core-direct.key

Question

Is it okay if I make a PR to remove these lines? Or should I raise this issue up to the unifi community forums?

UDM Info

Model: UDM Pro
UniFi OS UDM Pro: v3.0.20
Network: 7.4.156
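A small diagnostic for the two observations in this report (whether unifi-core-direct.crt still carries its <hex>.id.ui.direct subject, and whether the domain now resolves to the gateway), added here as an example and not part of ubios-cert.sh. It assumes the caller sets UNIFIOS_CERT_PATH (the directory holding unifi-core-direct.crt), DOMAIN and GATEWAY_IP, and that openssl and nslookup are available on the UDM.

```shell
#!/bin/sh
# Added diagnostic for the symptoms reported in this issue; not part of ubios-cert.sh.
# Assumed inputs (set by the caller): UNIFIOS_CERT_PATH (directory holding
# unifi-core-direct.crt), DOMAIN (the cert's domain) and GATEWAY_IP (the default
# network's gateway). Needs openssl and nslookup on the device.

# 0 when an `openssl x509 -noout -subject` line carries the stock
# <hex>.id.ui.direct identity, 1 when something else (e.g. the ACME cert) replaced it.
subject_is_ui_direct() {
    case "$1" in
        *.id.ui.direct*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Print one IPv4 answer per line from raw nslookup output (GNU and BusyBox layouts).
answer_addresses() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address/ && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            print substr($0, RSTART, RLENGTH)
        }'
}

# 0 when the gateway IP is among the answers, i.e. the hijack described in the issue.
resolves_to_gateway() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

diagnose() {
    crt="${UNIFIOS_CERT_PATH:?directory holding unifi-core-direct.crt}/unifi-core-direct.crt"
    subj=$(openssl x509 -noout -subject -in "$crt") || { echo "cannot read $crt"; return 2; }
    if subject_is_ui_direct "$subj"; then
        echo "cert: -direct still carries its UI identity ($subj)"
    else
        echo "cert: -direct was overwritten, subject is: $subj"
    fi
    addrs=$(answer_addresses "$(nslookup "${DOMAIN:?}")")
    if resolves_to_gateway "$addrs" "${GATEWAY_IP:?}"; then
        echo "dns: $DOMAIN resolves to the gateway $GATEWAY_IP (console login symptom)"
        return 1
    fi
    echo "dns: $DOMAIN resolves to: $(printf '%s' "$addrs" | tr '\n' ' ')"
}
```

Run `diagnose` after deploying a cert and again 30 minutes later; a non-zero exit with the "console login symptom" line reproduces what this issue describes.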

@alxwolf
Owner

alxwolf commented Jun 22, 2023

Hi, thanks for your efforts.

I'd like to have a look into this first, but won't be able to check this over the next days.

I found one hint pointing in the direction of -direct being the certificate used by UI itself for access via unifi.ui.com.

Still, it's not clear for me what a certificate could possibly have to do with DNS resolution ;) but if it works for you, it works for you!

@alxwolf
Owner

alxwolf commented Jun 22, 2023

OK, did a quick check and hope nothing breaks:

For me, only the -direct.key file gets recreated, not -direct.crt, after service restart and device reboot. But, everything (checked so far) works fine.

@jonathann92 so yes, I'm happy if you create a PR on that as this looks like something not required to work properly.

@jonathann92
Contributor Author

@alxwolf the direct.crt was created for me after I went to the console in my browser. Try checking if the direct.crt is created after that.

Still, it's not clear for me what a certificate could possibly have to do with DNS resolution

I'm not sure what it has to do with either. I was thinking about submitting a request to the community but that would take a while.

Did you find similar behavior where the UDM was resolving all queries to mydomain.com to the gateway when copying over the direct .crt and .key?

@bfayers I saw PR #41 updated the permissions of the direct.key to 644. I’m not sure how the direct.key is used but it seems to have affected evostreams and RTSP. Do you know what the direct .crt and .key are used for? Could I also ask you to test this on your UDM?

@jonathann92
Contributor Author

jonathann92 commented Jun 22, 2023

@alxwolf

I opened #57. Let's try to wait and see if bfayers responds and is able to test before we merge. I don't want to break someone else's functionality.

@bfayers
Contributor

bfayers commented Jun 24, 2023

@alxwolf the direct.crt was created for me after I went to the console in my browser. Try checking if the direct.crt is created after that.

Still, it's not clear for me what a certificate could possibly have to do with DNS resolution

I'm not sure what it has to do with either. I was thinking about submitting a request to the community but that would take a while.

Did you find similar behavior where the UDM was resolving all queries to mydomain.com to the gateway when copying over the direct .crt and .key?

@bfayers I saw PR #41 updated the permissions of the direct.key to 644. I’m not sure how the direct.key is used but it seems to have affected evostreams and RTSP. Do you know what the direct .crt and .key are used for? Could I also ask you to test this on your UDM?

I can't understand how a cert could, would or should affect DNS resolution (and it doesn't affect mine -- are you using a wildcard cert? I'm not.)

As for the permissions of the keys from my PR, I simply copied the permissions that unifi use for the default, self-signed ones. Without those permissions it'd break evostreams and thus the rtsp feeds out of the UDM for use by other things.

I will say I don't think not replacing unifi's default self signed keys there would cause any issues -- so long as the webui still gets the LE cert I don't mind!

@alxwolf
Owner

alxwolf commented Jun 24, 2023

I will say I don't think not replacing unifi's default self signed keys there would cause any issues -- so long as the webui still gets the LE cert I don't mind!

Agree. Merged the PR so the -direct certs are no longer touched. Let's see if this breaks anything (I doubt it...) - we will know at the latest 60 days from now, after the next renewal...

@jonathann92
Contributor Author

jonathann92 commented Jun 24, 2023

Honestly I don’t understand why it would either. I can try playing around later with 2 different domains and use one with the regular and the second with the direct cert.

I am using a wildcard cert, so I'm passing this to the .env file: *.mydomain.com,mydomain.com

@alxwolf alxwolf closed this as not planned Won't fix, can't repro, duplicate, stale Nov 22, 2023