Unifi Controller and LetsEncrypt

Unifi Controller is an awesome setup for managing multiple networks. But in true Ubnt fashion, they don’t provide an official way of securing their software with a valid SSL and they don’t seem too interested in providing a way to do it anytime soon. For bleeping sakes Ubnt get with it!!
I spent hours trying various blogs, posts and other sites “directions” on getting LetsEncrypt working without success. Must of the scripts I found turned out to be way overkill for what, to me, is a simple task. Everything I tried resulted in errors and none provided a good way to automate the process. After much trial and error, this what for me.

Install Certbot, see official install instructions for your operating system. I have only used Ubuntu.

Setup a file for a monthly cron to auto renew:
No longer doing the monthly cron file. I had a few instances where it was not always renewing. If you get a prompt on which editor to use, I normally choose Nano but that’s completely up to you.

sudo crontab -e

Add code to bottom of the cron job file:

0 0 1 * * /etc/unifi_controller_le.sh >/dev/null 2>&1

Now lets create the file and save it to standard directory for ease of use:

sudo nano /etc/unifi_controller_le.sh

Copy the code below, make sure to change the controller.yourdomain.com to the actual domain of the controller:

# Set the Domain name, valid DNS entry must exist
DOMAIN="controller.yourdomain.com" #must be any valid public accessible url that points to the server

# NO NEED TO DO NOT EDIT BELOW --------------
# Stop the UniFi controller
service unifi stop

#backup previous keystore
cp /var/lib/unifi/keystore /var/lib/unifi/keystore.backup.$(date +%F_%R)

#Renew the certificate
sudo certbot-auto renew --quiet --no-self-upgrade

# Convert cert to PKCS12 format
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem -in /etc/letsencrypt/live/${DOMAIN}/fullchain.pem -out /etc/letsencrypt/live/${DOMAIN}/fullchain.p12 -name unifi -password pass:unifi

# Import certificate
sudo keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /etc/letsencrypt/live/${DOMAIN}/fullchain.p12 -srcstoretype PKCS12 -srcstorepass unifi -alias unifi -noprompt

# Start the UniFi controller
service unifi start

Give the script permissions to run:

sudo chmod a+x /etc/unifi_controller_le.sh

Run the script and your done:

sudo /etc/unifi_controller_le.sh

View on GitHub at https://github.com/maddog986/snipplets/tree/master/unifi

Update: August 5th, 2020: Added a link to the official Certbot install page. Newer versions of Ubuntu are slightly different.

Update: March 16th, 2020: Updated the script to v1.0.1. Also no longer using the monthly cron file. I have been using this script on a production server now for over a year without any issues.

Update: November 5th, 2018: Updated & added the script to github. https://github.com/maddog986/snipplets/tree/master/unifi

Update: October 4th, 2018: Updated the main script to add a keystore backup on each run and fixed some typos in the post.



E-mail : *

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.