Change eth0 to the interface you would like to change.
SSH into EdgePoint and type in configure to get into a configuration prompt
configure
Now set interface eth0 to dhcp
set interfaces ethernet eth0 address dhcp
Delete the static IP address on eth0 if needed
delete interfaces ethernet eth0 address 192.168.1.1/24
Save changes
commit
Scenario: Remote device in a PTP configuration has been reset to factory defaults and is not connected.
Objective: Reconnect remote device and reconfigure using backup file
We’ll refer to Radio A as the radio you initially have access to
Radio B will be the remote radio that was reset.
Reinitiate temporary wireless connection
We know that the default Ubiquiti Wireless settings are
SSID=ubnt
Channel Width=20Mhz
Security=None
To reconnect the device wirelessly we can setup the Radio A as an AP with the above wireless settings.
Setup temporary network connection
Radio B should now connect wirelessly, but is going to be on a static 192.168.1.20 address. There are a handful of ways to overcome this.
Configure remote device via SSH
Open up your backup file with a text editor and copy the whole config
Once access is gained to Radio B, open up the /tmp/system.cfg file, delete all the contents and paste in the contents of the backup configuration.
Save file and write changes to radio with
/usr/etc/rc.d/rc.softrestart save
Final steps
The device should now apply the backup settings and disconnect again as it should now have the proper SSID and settings.
Restore Radio A’s settings and verify that both sides reconnect.
SSH into radio
ssh ubnt@192.168.1.20
Put the following two lines into the /tmp/system.cfg file. Doesn’t matter where
unms.uri=REPLACE-WITH-UNMS-KEY unms.status=enabled
Apply changes with
/usr/etc/rc.d/rc.softrestart save
Go accept device in UNMS.
When applying changes over ssh you’ll need to “write” or “save” the changes. Usually you’ll edit the /tmp/system.cfg config file and then save the changes with one of the following commands.
/usr/etc/rc.d/rc.softrestart save or cfgmtd -f /tmp/system.cfg -w && reboot
rc.softrestart has some advantages. It does not require the radio to reboot when making changes to things like SNMP or the device name.
It does seem to have issues sometimes with certain changes. The following happened when attempting to replace the whole /tmp/system.cfg with a previous backup config.
XM.v6.1.8# XM.v6.1.8# /usr/etc/rc.d/rc.softrestart save ]--- /tmp/.running.cfg.972 +++ /tmp/.system.cfg.972 @@ -1,110 +1,256 @@ ... more random stuff ... Fast system script build Success. Fast syslog script build Success. Fast users script build Success. Fast poepass script build Success. Fast resolv script build Success. do_radio_fast_script: rname wifi0 Unsuported change in radio.1.dfs.status for fast update Fast radio script build failed Fixup Startup_list …Done. Welcome back! [ubnt@localhost] >
If you have issues applying changes with the softrestart, you can try it with cfgmtd. Downside is the radio does reboot.
cfgmtd -f /tmp/system.cfg -w && reboot
You could potentially take the reboot off the end of the above command, but have had random issues in the past where the only way to fix it was a physical reboot. Having the radio reboot after applying the config seems to resolve the issue
The following is a method to recover from a command that may inadvertenly make a radio go offline.
The idea is to launch a process in the background that sleeps for 5 minutes and then reboots the radio, so any changes not saved will be reverted. If the changes were successful, you’ll just need to log back in and kill the background process to keep the device from rebooting.
This can be helpful if your changing networking settings using ifconfig, trying to change routes, or something went wrong while trying to apply a system.cfg setting.
Commands
sleep 300 && reboot &
Execute whatever command you need to. i.e.
ifconfig 192.168.1.100
If your command worked you can log back into the device and search for the process id of the sleep command and kill it so the radio doesn’t reboot.
ps | grep sleep
Example output
2XC.v8.5.12# ps | grep sleep
412 admin 1636 S sleep 500
414 admin 1640 S grep sleep
2XC.v8.5.12#
Kill the pid
kill 412
In this post we’ll see how we can configure AirOS SNMP settings from the command line.
ubntmod command with save without rebooting.
./ubntmod.sh -i 192.168.1.20 -s "private;monitor@incredigeek.com;[30.69636, -88.04811]" -X '/usr/etc/rc.d/rc.softrestart save'
Alternative manual method.
ssh ubnt@192.168.1.20
Open config file
vi /tmp/system.cfg
Find the SNMP settings and modify as needed. Example below
snmp.community=private
snmp.contact=monitor@incredigeek.com
snmp.location=[30.69636, -88.04811]
Save and exit file with :x
Apply settings
/usr/etc/rc.d/rc.softrestart save
The following script was taken from here
Added unifi-video support. Script uses letsencrypt to get the cert and automatically updates the UniFi and UniFi-Video Keystores.
Would be a good idea to check and make sure the the UniFi-Video cameras reconnect and still work after running script.
Install Let’s Encrypt with the following
sudo apt install letsencrypt
And generate a cert for your domain with
sudo certbot certonly -d unifi.domain.com
Copy the script at the bottom of this post and put it in a file called gen-unifi-cert.sh
Run the script to insert the cert into the UniFi and UniFi-Video services.
sudo ./gen-unifi-cert.sh -e email@domain.com -d unifi.domain.com
You can run it with no or the -h argument to show the options and arguments to use.
./gen-unifi-cert.sh -h
You should be able to add the following to a cronjob to auto renew the certificate. Replace path to script and domain name.
30 2 * * * /root/gen-unifi-cert.sh -r -d unifi.domain.com
#!/usr/bin/env bash
# Added support to do UniFi and UniFi controllers at the same time using the same cert.
# Original script from https://git.sosdg.org/brielle/lets-encrypt-scripts/raw/branch/master/gen-unifi-cert.sh
# More info here https://www.reddit.com/r/Ubiquiti/comments/43v23u/using_letsencrypt_with_the_unifi_controller/
# And here https://www.reddit.com/r/Ubiquiti/comments/43v23u/using_letsencrypt_with_the_unifi_controller/
# Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
# Modified by: Brielle Bruns <bruns@2mbit.com>
# Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
# Version: 1.7
# Last Changed: 09/26/2018
# 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
# 02/27/2016: More verbose progress report
# 03/08/2016: Add renew option, reformat code, command line options
# 03/24/2016: More sanity checking, embedding cert
# 10/23/2017: Apparently don't need the ace.jar parts, so disable them
# 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth
# 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
# 09/26/2018: Change from TLS to HTTP authenticator
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
#LEBINARY="/usr/src/letsencrypt/certbot-auto"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
function usage() {
echo "Usage: $0 -d <domain> [-e <email>] [-r] [-i]"
echo " -d <domain>: The domain name to use."
echo " -e <email>: Email address to use for certificate."
echo " -r: Renew domain."
echo " -i: Insert only, use to force insertion of certificate."
}
while getopts "hird:e:" opt; do
case $opt in
i) onlyinsert="yes";;
r) renew="yes";;
d) domains+=("$OPTARG");;
e) email="$OPTARG";;
h) usage
exit;;
esac
done
DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot
/usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
/usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
/usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto
/usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto
/usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto"
if [[ ! -v LEBINARY ]]; then
for i in ${DEFAULTLEBINARY}; do
if [[ -x ${i} ]]; then
LEBINARY=${i}
echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
break
fi
done
fi
# Command line options depending on New or Renew.
NEWCERT="--renew-by-default certonly"
RENEWCERT="-n renew"
# Check for required binaries
if [[ ! -x ${LEBINARY} ]]; then
echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
echo "You'll need to do one of the following:"
echo "1) Change LEBINARY variable in this script"
echo "2) Install LE manually or via your package manager and do #1"
echo "3) Use the included get-letsencrypt.sh script to install it"
exit 1
fi
if [[ ! -x $( which keytool ) ]]; then
echo "Error: Java keytool binary not found."
exit 1
fi
if [[ ! -x $( which openssl ) ]]; then
echo "Error: OpenSSL binary not found."
exit 1
fi
if [[ ! -z ${email} ]]; then
email="--email ${email}"
else
email=""
fi
shift $((OPTIND -1))
for val in "${domains[@]}"; do
DOMAINS="${DOMAINS} -d ${val} "
done
MAINDOMAIN=${domains[0]}
if [[ -z ${MAINDOMAIN} ]]; then
echo "Error: At least one -d argument is required"
usage
exit 1
fi
if [[ ${renew} == "yes" ]]; then
LEOPTIONS="${RENEWCERT}"
else
LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
fi
#if [[ ${onlyinsert} != "yes" ]]; then
if [[ ${onlyinsert} == "yes" ]]; then
echo "Firing up standalone authenticator on TCP port 80 and requesting cert..."
${LEBINARY} --server https://acme-v01.api.letsencrypt.org/directory \
--agree-tos --standalone --preferred-challenges http ${LEOPTIONS}
fi
#if [[ ${onlyinsert} != "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then
if [[ ${onlyinsert} == "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then
echo "Cert has not changed, not updating controller."
exit 0
else
echo "Cert has changed or -i option was used, updating controller..."
TEMPFILE=$(mktemp)
CATEMPFILE=$(mktemp)
# Identrust cross-signed CA cert needed by the java keystore for import.
# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
cat > "${CATEMPFILE}" <<'_EOF'
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
_EOF
md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5"
echo "Using openssl to prepare certificate..."
cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}"
openssl pkcs12 -export -passout pass:aircontrolenterprise \
-in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \
-inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \
-out "${TEMPFILE}" -name unifi \
-CAfile "${CATEMPFILE}" -caname root
echo "Stopping Unifi and UniFi-Video controllers..."
systemctl stop unifi unifi-video
echo "Removing existing certificate from Unifi protected keystore..."
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore -deststorepass aircontrolenterprise
echo "Removing existing certificate from Unifi-Video protected keystore..."
keytool -delete -alias unifi -keystore /usr/lib/unifi-video/data/keystore -deststorepass ubiquiti
# following lines are needed for unifi-video
echo "Inserting certificate into Unifi keystore..."
keytool -trustcacerts -importkeystore \
-deststorepass aircontrolenterprise \
-destkeypass aircontrolenterprise \
-destkeystore /usr/lib/unifi/data/keystore \
-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
-srcstorepass aircontrolenterprise \
-alias unifi
echo "Inserting certificate into Unifi-Video keystore..."
keytool -trustcacerts -importkeystore \
-deststorepass ubiquiti \
-destkeypass ubiquiti \
-destkeystore /usr/lib/unifi-video/data/keystore \
-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
-srcstorepass aircontrolenterprise \
rm -f "${TEMPFILE}" "${CATEMPFILE}"
mv /usr/lib/unifi-video/data/ufv-truststore{,.old} # Delete old unifi-video keystore
sleep 5
echo "Starting Unifi and UniFi-Video controllers..."
systemctl start unifi unifi-video
echo "Done!"
fiHad an issue with the Lets Encrypt cert for a UniFi-Video server. When renewing the cert and reimporting it into the UniFi-Video keystore, the certification was showing out of date.
Issue ended up being something with certbot.
When certbot runs it generates a new cert.pem, chain.pem, fullchain.pem and privkey.pem and puts them in the “/etc/letsencrypt/live/unifi.domain.com/” directory.
The privkey.pem and cert.pem are used to create the keys.p12 file which gets imported into the UniFi-Video keystore.
Apparently the .pem files in “/etc/letsencrypt/live/unifi.domain.com/” are symbolic links to files in “/etc/letsencrypt/archive/unifi.domain.com/”
Upon inspection of the archive directory, multiple cert.pem and privkey.pem files were found with the names cert1.pem, cert2.pem, cert3.pem etc. Looking at the creation date of the file revealed the symbolic link was referring to an old “cert1.pem” file.
Work around was to stop the unifi-video service and reimport the cert using the latest .pem files in the archive directory.
echo ubiquiti | openssl pkcs12 -export -inkey /etc/letsencrypt/archive/unifi.yourdomain.com/privkey2.pem -in /etc/letsencrypt/archive/unifi.yourdomain.com/cert2.pem -name airvision -out /usr/lib/unifi-video/data/keys.p12 -password stdin echo y | keytool -importkeystore -srckeystore /etc/letsencrypt/archive/unifi.yourdomain.com/keys.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti -srcstorepass ubiquiti
Remove the old ufv-truststore and start the service.
mv /usr/lib/unifi-video/data/ufv-truststore{,.old}
systemctl start unifi-video
Worked like a charm.
Install certbot
sudo apt-get install python-certbot
Generate certificate. Change unifi.yourdomain.com to the domain name you have pointing to your UniFi-Video controller.
sudo certbot certonly -d unifi.yourdomain.com
Certbot will create the files in “/etc/letsencrypt/live/unifi.yourdomain.com/”
Now you should stop the unifi service.
systemctl stop unifi-video
The following two commands create and install the keystore for the UniFi-Video application. These commands were copied from here. Thanks scobber!
echo ubiquiti | openssl pkcs12 -export -inkey /etc/letsencrypt/live/unifi.yourdomain.com/privkey.pem -in /etc/letsencrypt/live/unifi.yourdomain.com/cert.pem -name airvision -out /usr/lib/unifi-video/data/keys.p12 -password stdin echo y | keytool -importkeystore -srckeystore /etc/letsencrypt/live/unifi.yourdomain.com/keys.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti -srcstorepass ubiquiti
Remove or rename the Trusted Store. If you don’t, the cameras will connect, but will not record. The controller will rebuild the ufv-truststore when it starts up and the cameras will be able to record.
mv /usr/lib/unifi-video/data/ufv-truststore{,.old}
Start the UniFi-Video service
systemctl start unifi-video
Now you can check it by going to https://unifi.yourdomain.com:8443
Had an issue that /run was randomly running out of space which in turn would interfere with the unifi-video service causing it to run, but not record.
/run looks like a tmpfs or ramdisk that Ubuntu sets up. So you can do a “temporary” fix by remounting the tmpfs with a larger size. Example below. If /run is a 2GB directory, you can remount changing the size from 2GB to 2.5GB.
sudo mount -t tmpsfs tmpfs /run -o remount,size=2500M
Note that it is a temporary fix and goes away after a reboot.
The issue ended up being that the WiFi UniFi controller was setup to auto backup everything once a week. So as it was backing stuff up, it would eat up the available space in the tmpfs, think there may be an issue with the size of the UniFi data and maybe not being able to fit it all in RAM?
Running the following command
df -h --max=1 /var | sort
shows the following
1.1M /run/udev 2.5G /run/ 2.5G /run/unifi <-- UniFi controller 4.0K /run/initramfs 8.0K /run/network 12K /run/user 288K /run/samba 404K /run/systemd
Looking inside the unifi directory shows the following folders. Looks like the they are temp files.
200M /run/unifi/ExpTmp351719567129045774 696M /run/unifi/ExpTmp3406220793759111216 1.6G /run/unifi/ExpTmp3368400690321364109 0 /run/unifi/work 2.5G /run/unifi
Running an ls inside the folder shows
-rw-r----- 1 unifi unifi 13971807 Jul 2 02:30 db.gz -rw-r----- 1 unifi unifi 1665223462 Jul 2 02:56 db_stat.gz
Looking inside the UniFi controller it is set to auto backup on Monday at 2:30AM
Looks like “/run/unifi” is used as a temporary folder to create the backups and when it is completed converts it to a .unf file and moves it to “/usr/lib/unifi/data/backup/autobackup/” So the left over temp files were never completed or something caused them to stop working. Maybe the backup was big enough to take up all the tmpfs space and cause the backup to fail.
Resolution. To fix the problem I turned the data retention down to a week and deleted the temp files in /var/unifi. Had to sudo su to root. sudo wasn’t cutting it for some reason.
sudo su rm -rf /var/unifi/Exp* exit
Should be all good now.