Unifi Protect shouldn't use RTSPS by default if Verify SSL is disabled

Unifi products like the CloudKey Gen 2 are difficult to secure by default due to deficiencies in the Unifi OS.

This means that users are forced to either use the default self-signed certificates, or jump through some complicated (and frequently changing) steps to constantly reprovision the certificates on the device.

These certificates are used for both HTTPS, and also RTSPS streams.

When configuring the Unifi Protect integration, there is currently an option to “Verify SSL”, which defaults to off (sensible defaults for greatest compatibility).

The Unifi Protect component continues to advertise the RTSPS camera endpoint however, meaning other integrations (such as WebRTC integrations) then fail as the RTSPS certificates are also self-signed.

It would make sense to me that if the user has disabled SSL Verification, the component should advertise the rtsp_url as the stream source, rather than the rtsps_url. Alternatively, the component could allow the user to select which stream to advertise, but the current behavior is rather difficult to diagnose for an average user.

Nope. 20 charrrr.

If you access them through the UI direct URL, which can be found via discovery or the console system API, it does have a valid SSL cert as that is the one they use for unifi.ui.com.

Hmm, have you got an example of this? When I go to unifi.ui.com, the rtsps link they provide for my camera is rtsps://[ipaddress]:7441/[token]?enableSrtp, and when discovery kicks in, the logs are filled with self-signed-cert warnings. Wondering what I’ve missed.

Nope. 20 charrrr.

Hey - I’m not entirely sure this is still accurate.

I have a Unifi Dream Router and I’ve replaced the unifi-core.{key,crt} files with ACME SSL certs - and they’re definitely used for RTSPS.

In fact, checking /srv/unifi-protect/data/ems.json (the RTSP streams being provided by EvoStream Media Server) confirms this:

{
  "ip": "0.0.0.0",
  "port": 7441,
  "protocol": "inboundRtsps",
  "sslKey": "/data/unifi-core/config/unifi-core.key",
  "sslCert": "/data/unifi-core/config/unifi-core.crt"
}

I wanted to share some information I just learned while configuring Frigate with UniFi RTSPS/RTSPX and Go2RTC. In my case, I had trouble using Go2RTC and discovered that you can also use an RTSP stream locally with UniFi.

You can transform this RTSPS link:
rtsps://192.168.1.1:7441/CnhLKtvnsIOsgV15?enableSrtp
to an RTSP link:
rtsp://192.168.1.1:7447/CnhLKtvnsIOsgV15
by changing from rtsps to rtsp and from port 7441 to 7447. Also, the “?enableSrtp” needs to be removed in any case.

In Frigate, I can then use the stream directly with FFmpeg instead of Go2RTC.

This method simplifies the integration process, making it more straightforward to connect UniFi cameras with Frigate for home surveillance or other security applications. By bypassing the need for Go2RTC, you may also see improved stream stability and reduce the complexity of your setup.

I hope this information will save someone days of debugging in the future 🙂
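
The URL rewrite described in the post above, written as a Python helper. This is an added example, not code from the thread or from the Unifi Protect integration; the function name `rtsps_to_rtsp` is hypothetical, while the 7441/7447 port pair and the `enableSrtp` parameter come from the post.

```python
from urllib.parse import urlsplit, urlunsplit

# Port pair as given in the post: 7441 serves RTSPS, 7447 serves plain RTSP.
RTSPS_PORT = 7441
RTSP_PORT = 7447


def rtsps_to_rtsp(url: str) -> str:
    """Rewrite a UniFi Protect RTSPS URL to the plain RTSP form (hypothetical helper)."""
    parts = urlsplit(url)
    if parts.scheme == "rtsp":
        return url  # already the plain form, leave untouched
    if parts.scheme != "rtsps":
        raise ValueError(f"not an RTSPS URL: scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    # Only the port named in the post is mapped; refuse anything else
    # instead of guessing at an unknown deployment.
    if parts.port not in (None, RTSPS_PORT):
        raise ValueError(f"unexpected RTSPS port {parts.port}")

    # Rebuild the authority: keep any userinfo, re-bracket IPv6 literals.
    userinfo, at, _ = parts.netloc.rpartition("@")
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    netloc = f"{userinfo}{at}{host}:{RTSP_PORT}"

    # Drop enableSrtp (it only applies to the RTSPS endpoint) and keep
    # every other query parameter exactly as it was written.
    kept = [p for p in parts.query.split("&")
            if p and p.split("=", 1)[0] != "enableSrtp"]

    # The result is plain RTSP: no TLS, so no certificate is presented or checked.
    return urlunsplit(("rtsp", netloc, parts.path, "&".join(kept), parts.fragment))


if __name__ == "__main__":
    # Sample URL taken from the post above.
    print(rtsps_to_rtsp("rtsps://192.168.1.1:7441/CnhLKtvnsIOsgV15?enableSrtp"))
```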