Unifi Controller is an awesome setup for managing multiple networks. But in true Ubnt fashion, they don’t provide an official way of securing their software with a valid SSL certificate, and they don’t seem too interested in providing one anytime soon. For bleeping sakes Ubnt get with it!!
I spent hours trying the “directions” from various blogs, posts and other sites on getting LetsEncrypt working, without success. Most of the scripts I found turned out to be way overkill for what, to me, is a simple task. Everything I tried resulted in errors and none provided a good way to automate the process. After much trial and error, this is what worked for me.
Install Certbot; see the official install instructions for your operating system. I have only used Ubuntu.
Set up a cron job to auto renew:
I am no longer using the monthly cron file, as I had a few instances where it was not always renewing. Open the root crontab instead; if you get a prompt on which editor to use, I normally choose Nano, but that’s completely up to you.
sudo crontab -e
Add this line to the bottom of the crontab so the script runs at midnight on the first of every month:
0 0 1 * * /etc/unifi_controller_le.sh >/dev/null 2>&1
Now let’s create the script and save it to a standard directory for ease of use:
sudo nano /etc/unifi_controller_le.sh
Copy the script below, making sure to change controller.yourdomain.com to the actual domain of your controller:
#!/bin/bash
# Set the domain name; a valid, publicly resolvable DNS entry must exist and point at this server
DOMAIN="controller.yourdomain.com"
# NO NEED TO EDIT BELOW THIS LINE --------------
# Stop the UniFi controller
service unifi stop
# Back up the previous keystore
cp /var/lib/unifi/keystore /var/lib/unifi/keystore.backup.$(date +%F_%R)
# Renew the certificate
sudo certbot-auto renew --quiet --no-self-upgrade
# Convert the certificate and key to PKCS12 format (alias and password must match the import below)
sudo openssl pkcs12 -export -inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem -in /etc/letsencrypt/live/${DOMAIN}/fullchain.pem -out /etc/letsencrypt/live/${DOMAIN}/fullchain.p12 -name unifi -password pass:unifi
# Import the certificate into the UniFi keystore, replacing the existing "unifi" alias
sudo keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /etc/letsencrypt/live/${DOMAIN}/fullchain.p12 -srcstoretype PKCS12 -srcstorepass unifi -alias unifi -noprompt
# Start the UniFi controller
service unifi start
Give the script permissions to run:
sudo chmod a+x /etc/unifi_controller_le.sh
Run the script and you’re done:
sudo /etc/unifi_controller_le.sh
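As an added check (example code, not the post’s script or the GitHub repo’s), the following confirms after a run that the keystore alias and the running controller both present the certificate certbot just wrote, rather than a stale one. It assumes the post’s paths, alias and keystore password, treats DOMAIN as a placeholder, and assumes UniFi’s default HTTPS port 8443.

```shell
#!/usr/bin/env bash
# Added example, not the post's script: confirm the UniFi keystore and the running
# controller both present the certificate certbot just issued. Paths, alias and
# password come from the post; DOMAIN is a placeholder, 8443 is assumed (UniFi default).
set -eu
DOMAIN="${DOMAIN:-controller.yourdomain.com}"
LIVE_DIR="/etc/letsencrypt/live/${DOMAIN}"
KEYSTORE="/var/lib/unifi/keystore"
STOREPASS="aircontrolenterprise"
ALIAS="unifi"
PORT="${PORT:-8443}"
# keytool prints "SHA256: AA:BB:..." while openssl prints "SHA256 Fingerprint=AA:BB:...";
# reduce both to bare upper-case hex so they compare equal.
normalize_fp() {
    printf '%s' "$1" | sed -E 's/^.*(SHA256:|Fingerprint=)[[:space:]]*//' \
        | tr -d ':[:space:]' | tr '[:lower:]' '[:upper:]'
}
# True only when both fingerprints are non-empty and equal after normalisation.
fingerprints_match() {
    local a b
    a="$(normalize_fp "$1")"
    b="$(normalize_fp "$2")"
    [ -n "$a" ] && [ "$a" = "$b" ]
}
# Leaf cert certbot wrote (openssl x509 reads only the first cert in fullchain.pem).
pem_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
# First SHA256 line for the alias belongs to the leaf entry of the imported chain.
keystore_fingerprint() {
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
        | awk '/SHA256:/ && !seen { print; seen = 1 }'
}
# What the controller actually hands to browsers after the restart.
served_fingerprint() {
    openssl s_client -connect "${DOMAIN}:${PORT}" -servername "$DOMAIN" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}
verify_unifi_cert() {
    local want
    want="$(pem_fingerprint "${LIVE_DIR}/fullchain.pem")"
    fingerprints_match "$want" "$(keystore_fingerprint)" \
        || { echo "FAIL: keystore alias '$ALIAS' still holds the old certificate" >&2; return 1; }
    fingerprints_match "$want" "$(served_fingerprint)" \
        || { echo "FAIL: controller on port $PORT serves a different certificate" >&2; return 1; }
    echo "OK: keystore and live controller both present $(normalize_fp "$want")"
}
# Live checks run only when asked, so the helpers can be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then verify_unifi_cert; fi
```

Run it as `sudo ./unifi_cert_check.sh --run` right after the renewal script; a FAIL on the second check usually means the controller was not restarted after the import.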
View on GitHub at https://github.com/maddog986/snipplets/tree/master/unifi
Update: August 5th, 2020: Added a link to the official Certbot install page. Newer versions of Ubuntu are slightly different.
Update: March 16th, 2020: Updated the script to v1.0.1. Also no longer using the monthly cron file. I have been using this script on a production server now for over a year without any issues.
Update: November 5th, 2018: Updated & added the script to github. https://github.com/maddog986/snipplets/tree/master/unifi
Update: October 4th, 2018: Updated the main script to add a keystore backup on each run and fixed some typos in the post.