We’re going OT on UDM… and I’ve never been a fan of UniFi. But I’m sure there is a better answer in their forums on how to add an existing cert in the right location.
I was suggesting that you might be using the wrong path in your scp for the Dream Machine. It seems each UBNT product uses a different location for certs.
Hello, I just found your “will work until it stops” rule and I find it excellent, with a caveat: I found it a bit icky to use in Mangle without any actual mangling. I have, however, altered it to work on Output in Filter instead:
# Letsencrypt ACME servers to check on outbound connection from the router
/ip firewall address-list
add address=acme-v02.api.letsencrypt.org list=lets-encrypt
# if an outbound connection from the router is towards letsencrypt, add
# the router's source address (which is in the WAN side) into another list
# but with a timeout of 1 minute. After it has passed, the address will be
# removed from the list
/ip firewall filter add chain=output dst-address-list=lets-encrypt action=add-src-to-address-list address-list=acme-client address-list-timeout=1m
# now when an inbound connection from the internet (WAN) to the router hits
# port 80 TCP (which Let's Encrypt uses for the HTTP-01 challenge) during the
# 1-minute window, using the address list acme-client, allow it.
# this rule should be placed before the "drop all from WAN" rule
/ip firewall filter
add chain=input in-interface-list=WAN dst-address-list=acme-client protocol=tcp dst-port=80 action=accept
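The commenter's rules above only work if the input chain is ordered correctly: the temporary accept must sit above the generic drop-from-WAN rule, otherwise the ACME validator's connection is dropped before it is ever matched. The following is an added example (not the commenter's own script, and not from the original post) that puts the output-chain tagging rule and an explicitly ordered input chain together, with comments and a couple of print commands to verify that the tagging actually fires. It assumes an interface list named WAN already exists and that the router has no other input rules; the comment strings and rule order are choices made here, not something the thread prescribes.

```routeros
# Let's Encrypt ACME API endpoint (DNS name; RouterOS resolves and refreshes it)
/ip firewall address-list
add address=acme-v02.api.letsencrypt.org list=lets-encrypt \
    comment="ACME API servers the router talks to"

/ip firewall filter
# output chain: while the router itself talks to the ACME API, record the
# source (WAN) address it used in acme-client for 60 seconds
add chain=output dst-address-list=lets-encrypt \
    action=add-src-to-address-list address-list=acme-client \
    address-list-timeout=1m comment="tag WAN address during ACME exchange"

# input chain, in order: keep established flows, open the short HTTP-01
# window, then drop everything else arriving from WAN
add chain=input connection-state=established,related action=accept \
    comment="existing connections"
add chain=input in-interface-list=WAN dst-address-list=acme-client \
    protocol=tcp dst-port=80 action=accept \
    comment="HTTP-01 validation window (only while acme-client is populated)"
add chain=input in-interface-list=WAN action=drop \
    comment="drop all other unsolicited traffic from WAN"

# verification: run a renewal, then within a minute check that the WAN
# address appeared in acme-client and that the input rules are in this order
/ip firewall address-list print where list=acme-client
/ip firewall filter print where chain=input
```

Two things worth knowing when reading the output of the print commands: the `acme-client` entry is dynamic and disappears on its own when the 1-minute timeout expires, so an empty list outside a renewal is the expected state, and if the accept rule shows up below the drop rule you can move it with `/ip firewall filter move` rather than deleting and re-adding it.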
Can you elaborate? A rule with action=add-xxx-to-address-list placed in filter also doesn’t do any “actual filtering”, so it is merely a matter of personal preference which table (filter/mangle) you use.