unifi-docker: ERR_SSL_VERSION_OR_CIPHER_MISMATCH with letsencrypt certificates

Host operating system

Debian GNU/Linux 8

What tag are you using

latest

What complete docker command or docker-compose.yml do you use to launch the container (omitting sensitive values)?

version: '3'
services:
  letsencrypt:
    container_name: letsencrypt
    image: csmith/letsencrypt-lexicon:latest
    restart: always
    environment:
      PROVIDER: 'dnsimple'
      ACCEPT_CA_TERMS: 'true'
    env_file:
      - .env
    volumes:
      - ./data/letsencrypt:/letsencrypt
  unifi:
    container_name: unifi
    # https://github.com/jacobalberty/unifi-docker
    image: jacobalberty/unifi:latest
    network_mode: host
    restart: always
    volumes:
      - ./data/unifi:/unifi
      - ./data/letsencrypt/certs/gateway.feliciterra.com:/unifi/cert

What do you expect to happen?

For the TLS certs to work when visiting with a browser.

What actually happens?

I’ve tried a variety of things here but can’t seem to get anything to work. The error displayed in Chrome is ERR_SSL_VERSION_OR_CIPHER_MISMATCH and in Firefox it’s SSL_ERROR_NO_CYPHER_OVERLAP. If I remove my letsencrypt certificates everything works fine with the self-signed cert. It seems that the letsencrypt certs are broken when imported into unifi. These exact same certs I have mounted in other services and they run just fine. I have rebuilt the container numerous times, all with the same results.

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 28 (11 by maintainers)

Most upvoted comments

I found this issue today after getting an ECC certificate from LE, and was able to work around (5.12) without having to use the RSA algorithm for LE.

I had to set these two lines in system.properties explicitly:

unifi.https.sslEnabledProtocols=TLSv1.2
unifi.https.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

via https://www.c0ffee.net/blog/unifi-cloud-key-ssl-certificate/

Just wanted to quickly comment that even now in 2023 this is definitely still an issue.

Setting UNIFI_ECC_CERT=true made this work for me with a Let’s Encrypt certificate. Indeed my cert uses the affected key algorithm noted above:

 % openssl x509 -text < certbot-config/live/vera-and-marc.com/cert.pem | grep 'Public Key Algorithm'
            Public Key Algorithm: id-ecPublicKey

It was pretty hard to find this key bit of information; I think it would be helpful to add it to the Certificate Support section of the README.

I just created this PR to do that: https://github.com/jacobalberty/unifi-docker/pull/645.

@hollec sorry about that, I had originally intended for it to activate if UNIFI_ECC_CERT had any value via checking for ! -Z but changed it to be true, and left the ! there when I changed the behavior. It’s building on the hub now. I was hoping the changes wouldn’t break RSA certs. I’ll have to set the ciphers correctly to work with RSA certs before merging.

It’s not supposed to be the default, I’ll fix it shortly.

Did the recent change make the defaults (UNIFI_ECC_CERT not set) ECC parameters? I pulled down the latest beta build this afternoon while making some other unrelated tweaks to my docker setup and now have the following settings in my system.properties file:

unifi.https.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
unifi.https.sslEnabledProtocols=TLSv1.2

I don’t have ECC certs, so I now get an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error in my browser.

Ok, I know this is going to sound stupid, but it’s the certificate. Yours says Public Key Algorithm: id-ecPublicKey; note mine says Public Key Algorithm: rsaEncryption. id-ecPublicKey is an ECC certificate; apparently it’s on the feature requests: https://community.ubnt.com/t5/UniFi-Feature-Requests/UniFi-Controller-does-not-support-ECC-certificates/idi-p/1700108 . I’m checking the forums to see if there’s a way to enable ECC Certificates.

Apparently some people have been able to correct the same output error by adding unifi.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA to system.properties, but I’m not confident that is the correct fix. That line came from https://community.ubnt.com/t5/UniFi-Wireless/ERR-SSL-VERSION-OR-CIPHER-MISMATCH-after-upgrading-to-5-2-7/td-p/1681242
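The root cause discussed in this thread is a mismatch between the certificate's key type and the authentication algorithm of the cipher suites in unifi.https.ciphers: an ECC (id-ecPublicKey) key can only be used by *_ECDSA_* suites, an RSA key only by *_RSA_* suites, and when none match the browser reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The following check, an added example that is not part of the issue or the unifi-docker project, reads the "Public Key Algorithm" line from `openssl x509 -text` output and the cipher list from system.properties and reports which suites the key can actually serve; the sample inputs are constructed from the values quoted in the comments above.

```python
import re
from typing import Dict, List

# JSSE suite names carry the authentication algorithm before "_WITH_":
# TLS_ECDHE_ECDSA_..., TLS_ECDHE_RSA_..., TLS_RSA_..., SSL_RSA_...
SUITE_AUTH = re.compile(r"^(?:TLS|SSL)_(?:ECDHE_|DHE_)?(ECDSA|RSA)_WITH_")

# Map the key algorithm printed by `openssl x509 -text` to the suite family it needs.
KEY_TO_AUTH = {"id-ecPublicKey": "ECDSA", "rsaEncryption": "RSA"}

def cert_auth_type(x509_text: str) -> str:
    """Return 'ECDSA' or 'RSA' from the certificate's Public Key Algorithm line."""
    m = re.search(r"Public Key Algorithm:\s*(\S+)", x509_text)
    if not m or m.group(1) not in KEY_TO_AUTH:
        raise ValueError("missing or unsupported Public Key Algorithm")
    return KEY_TO_AUTH[m.group(1)]

def configured_ciphers(system_properties: str) -> List[str]:
    """Parse the unifi.https.ciphers list; empty if the key is not set."""
    for line in system_properties.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "unifi.https.ciphers":
            return [c.strip() for c in value.split(",") if c.strip()]
    return []

def check_cipher_config(x509_text: str, system_properties: str) -> Dict[str, object]:
    """Split configured suites into ones this key can serve and ones it cannot.
    An empty cipher list means the controller's built-in defaults apply, which
    this check does not model; RC4 suites are flagged as legacy regardless."""
    auth = cert_auth_type(x509_text)
    usable, unusable, legacy = [], [], []
    for suite in configured_ciphers(system_properties):
        m = SUITE_AUTH.match(suite)
        (usable if m and m.group(1) == auth else unusable).append(suite)
        if "RC4" in suite:
            legacy.append(suite)
    return {"key_auth": auth, "usable": usable, "unusable": unusable,
            "legacy": legacy, "handshake_possible": bool(usable)}

# Constructed samples: the relevant `openssl x509 -text` line for each key type.
ECC_CERT_TEXT = "            Public Key Algorithm: id-ecPublicKey\n"
RSA_CERT_TEXT = "            Public Key Algorithm: rsaEncryption\n"
# Constructed system.properties using the ECDSA list quoted in the thread.
ECDSA_PROPERTIES = (
    "unifi.https.sslEnabledProtocols=TLSv1.2\n"
    "unifi.https.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\n"
)

if __name__ == "__main__":
    print(check_cipher_config(ECC_CERT_TEXT, ECDSA_PROPERTIES))
    print(check_cipher_config(RSA_CERT_TEXT, ECDSA_PROPERTIES))
```

Running the RSA certificate against the ECDSA-only list reproduces the situation reported after the beta build changed the defaults: zero usable suites, so the handshake cannot succeed.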