Making sure you can log-in
Make sure you have SSH login enabled in by login into admin interface using your browser. Go to System menu at the bottom and make sure SSH is enabled, and note the port because we’ll next that next. Be sure to save the updated configuration if you didn’t have SSH enabled already.
Enable SSH Walkthrough
Next open the Terminal app of your choice and attempt login. You don’t need to specify -p <port>
if you are using the default SSH port of 22.
$ ssh <your username>@<router ip> -p <port>
Linux ubnt 3.10.107-UBNT #1 SMP Mon Mar 5 18:53:35 UTC 2018 mips
Welcome to EdgeOS
You can also take the time to visit Wizards > DNS host names
in the admin interface and create a static mapped domain for your router such as router.local or edgerouter.local
. The will allow you to enter router.local
into any device on your network using router dns to automatically find your router without needing to remember the IP address.
Certificate Creation
I decided to use mkcert
for creating a self-signed certificate that can be trsuted by my own machines. Follow the directions for setup or obtain a certificate some other way. The next steps will assume you have a certifcate created or will be using mkcert
.
Creating certifcate using mkcert
:
You’ll want to open a new terminal window or tab since these commands will be on your local machine.
$ cd ~/Downloads ## Folder where you want the newly created certs to be
$ mkcert <your router ip> <optionally- router hostname: router.local>
Using the local CA at "/Users/dwin/Library/Application Support/mkcert" ✨
Created a new certificate valid for the following names 📜
- "10.0.10.1"
- "router.local"
- "edgerouter.local"
The certificate is at "./10.0.10.1+2.pem" and the key at "./10.0.10.1+2-key.pem" ✅
Combine Key and Certificate File to .pem
encoded file.
$ cat 10.0.10.1+2-key.pem 10.0.10.1+2.pem > server.pem
Install Certificate
Start by making a backup copy of the existing certifcate on the router.
In your router terminal session:
$ sudo cp /etc/lighttpd/server.pem /etc/lighttpd/.old_server.pem
In your machine terminal session:
$ scp /Users/username/Downloads/server.pem username@10.0.10.1:/home/username/server.pem
Welcome to EdgeOS
By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.
username@10.0.10.1's password:
server.pem 100% 3253 1.0MB/s 00:00
In your router terminal session:
$ sudo cp /home/darwin/server.pem /etc/lighttpd/server.pem
# Kill Router Web GUI server
$ sudo kill -SIGINT $(cat /var/run/lighttpd.pid)
# Start it up again
$ sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
$ exit
logout
Connection to 10.0.10.1 closed.
You should now be able to point your browser at the Router Web GUI and see a valid TLS secured connection.
Special thanks to Filippo Valsorda for creating mkcert
.