Hey! Listen! This post is part of a series on the Ubiquiti EdgeRouter Lite. Check them all out!

Date URL Part
2019-06-28 Migrating away from the Ubiquiti EdgeRouter Lite Migrated to a Netgate SG-1100
2019-02-03 EdgeRouter CNAME records Setup CNAME records
2017-10-03 Dyn DDNS on EdgeRouter Setup DynDNS
2017-04-25 DuckDNS on EdgeRouter Setup DuckDNS
2017-01-08 Ubiquiti EdgeRouter serial console settings Serial console settings
2016-11-29 Ubiquiti UniFi controller setup on Raspberry Pi 3 Install UniFi Controller
2016-08-30 EdgeRouter Lite Dnsmasq setup Setup dnsmasq
2016-06-13 EdgeRouter Lite software upgrade Firmware upgrade
2016-05-12 EdgeRouter Lite OpenVPN setup OpenVPN server setup
2016-04-29 Ubiquiti EdgeRouter Lite setup Initial setup


Ubiquiti just released the new v1.8.5 software for their EdgeMax devices, including the EdgeRouter Lite (ERL). I’ll be showing you how to install the new software via the CLI, which only takes a few minutes.

The software downloads are normally here, but since v1.8.5 was just released, it’s currently only available on the forums, here.

If you haven’t already, you can subscribe to the EdgeMax updates blog, located here. Ubiquiti will post all major updates here, so subscribing to the RSS feed is a good way to stay in the loop.

Backup configuration

It goes without saying that you need to backup your current configuration before you upgrade. The upgrade process is supposed to preserve your configuration, but I wouldn’t rely too much on that.


I prefer to use the CLI to backup my ERL. I use a similar script on all my devices, though slightly customized for each. On the ERL, it is saved under /config/scripts (since this directory is preserved during an upgrade). Essentially, it is just making a tar.gz file out of the /config directory.


#Set variables, update as needed
HOSTNAME=`uname -n`

#Make backup directory if it doesn't exist
mkdir -p ${BACKUP_FOLDER}

#Backup /config
tar -czf ${BACKUP_FOLDER}/${HOSTNAME}_$(date +%Y%m%d_%H%M)_config.tar.gz /config >/dev/null 2>&1

#Remove backups older than 7 days
find ${BACKUP_FOLDER} -name "*.gz" -type f -mtime +7 -exec rm {} \;


This script runs on a weekly basis using the built-in scheduler (below), but you can run it manually to generate a backup.

 task backup_script {
     crontab-spec "0 5 * * 0"
     executable {
         path /config/scripts/generate_backups.sh


You can backup the configuration through the GUI as well as the CLI. Login to the web GUI, then click on the System tab at the bottom. Scroll down to Configuration Management & Device Maintenance, then under Back Up Config, download the configuration file.

Install new image

I recommend viewing the current version of the firmware first. This is also a good chance to double-check which hardware model you have, if you’re not 100% sure.

show version

You can also view all the images you have saved.

show system image

Since the ERL can only store two images at once, you’ll need to delete the old image (if you have one).

delete system image

Download the new system image.

add system image https://dl.ubnt.com/firmwares/edgemax/v1.8.5/ER-e100.v1.8.5.4884695.tar

Then, use the command below to show both installed images.

show system image

Reboot to load the new image.


Finally, verify you’re on the new version.

show version

Roll back (optional)

If something goes wrong, you can easily roll back the image to the older one.

set system image default-boot

Reboot to make it take effect.


Finally, verify you’re on the old version.

show version

GUI updates

The v1.8.5 software has a changelog that you should read. Below are the changes I made.

First, I used the new option to disable all old ciphers for the web GUI.

set service gui older-ciphers disable

Next, I took advantage of the SHA256 hash suite in the v1.8.5 software to generate a new web GUI certificate. This is especially important if you allow GUI access from the WAN. The old certificate was SHA1.


Start by backing up the old certificate.

mv /etc/lighttpd/server.pem /etc/lighttpd/server.pem_old

Generate a new certificate.

touch /etc/lighttpd/server.pem
openssl req -new -x509 -newkey rsa:2048 -keyout /etc/lighttpd/server.pem -out /etc/lighttpd/server.pem -sha256 -days 3650 -nodes -passout pass:'' -subj "/C=US/CN=UBNT Router UI/O=Ubiquiti Networks/ST=CA/L=San Jose" >&/dev/null
chown root:root /etc/lighttpd/server.pem
chmod 400 /etc/lighttpd/server.pem

Then, restart the web server.

pgrep lighttpd | xargs kill
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

As it was pointed out to me, all you need to do is remove the old certificate and reboot.

sudo su - 
rm /etc/lighttpd/server.pem

Verify your certificate is SHA256.