Install Letsencrypt SSL Certificate for Unifi Controller

Status
Not open for further replies.

Xavier Mustin

Administrator
Staff member
#1
Install Letsencrypt SSL Certificate for Unifi Controller on Raspberry Pi

One of the most asked questions about the Unifi Controller is how to get rid of the certificate error when you open the controller. And I totally understand, it’s annoying to bypass the error/warning every time you log in to your controller.
So in this article, we are going to install a Letsencrypt SSL Certificate for our Unifi Controller. I am using a Raspberry Pi to run the controller, so this article is mostly written for a Pi.
Letsencrypt and Unifi
Letsencrypt certificates are free to use but are only valid for 90 days, so they need to be renewed regularly. The renewal can be automated, as I will show you in this article, but it requires that Letsencrypt can reach your controller from the internet on port 80 to validate that you control the domain name (the HTTP-01 challenge).
To do this you will need a custom domain name so you can point a subdomain to your local controller. We also need to open and forward a specific port in the router.
Before we continue there is one thing you should know: Letsencrypt will not issue a certificate for a private IP address. You are probably running your controller locally, so to open your Unifi Controller you go to 192.168.0.201, for example, and no publicly trusted certificate can be issued for that address.
Even if we make the controller accessible from the internet as unifi.yourdomain.com, by default you still can’t use the certificate locally. The name resolves to your public IP address, so opening unifi.yourdomain.com from inside your network requires the router to loop the connection back in (hairpin NAT), which most consumer routers won’t do. Opening the controller from the local IP address will still give a warning, because the certificate is issued for the name unifi.yourdomain.com, not for 192.168.0.201.
Local DNS Entries
But we have a solution for this: we can create a local DNS entry that resolves unifi.yourdomain.com to the controller’s local IP address. You can do this on your computer, by changing your hosts file, or on your router, by creating a static DNS entry. I prefer the router because it is device independent and works for your whole network, but you will have to check if your router supports it.
Static DNS entry EdgeRouter
If you have an EdgeRouter, you can create a static host mapping by opening the router through SSH. Simply use Putty or Windows Terminal for this:
# Open the SSH connection to your EdgeRouter
ssh ubnt@192.168.0.1

# Open configure mode
configure

# Add the host mapping. Use the domain name we create later
# Change 192.168.0.201 to the IP Address of your Unifi Controller
set system static-host-mapping host-name unifi.yourdomain.com inet 192.168.0.201

commit
save
This only works for clients that use the EdgeRouter as their DNS server (its DNS forwarding service); a client configured with a public resolver bypasses the mapping. Verify from a client in your network that unifi.yourdomain.com now resolves to 192.168.0.201, for example with nslookup, before you continue.
Change your hosts file
On Windows, you can easily add local DNS entries by adding them to your hosts file. You will need to open the file as administrator to save the changes:
  • Open %windir%\System32\drivers\etc
  • Open the file hosts
  • At the end of the file, add: 192.168.0.201 unifi.yourdomain.com
  • Save and close the file
Change 192.168.0.201 to the IP Address of your Unifi Controller. Keep in mind that this only affects the computer you edit the file on.
Setup the Port Forwarding and Domain
To get a certificate we need a domain name. You can get one for less than $10 a year, for example at NameCheap. We don’t want to point the whole domain to our Unifi Controller, so I suggest you create a subdomain unifi.yourdomain.com and point that to your network.
Look up your public IP Address, for example at myip.com, and create an A record with the name unifi and that IP Address. If your ISP gives you a dynamic public IP address, the A record has to follow it (for example with a dynamic DNS update client), otherwise the renewal will fail as soon as your address changes.
Now you need to forward and open the following port in your router. Port 80 is needed for Letsencrypt to validate the domain. The HTTP-01 challenge is plain HTTP over TCP, so UDP does not need to be forwarded. Certbot in standalone mode only listens on port 80 while a certificate is being requested or renewed; nothing else on the Pi should listen on that port.
  • Original port: 80
  • Protocol: TCP
  • Forward-to address: IP Address of your Unifi Controller
  • Forward-to port: 80
If you also want to access your Unifi Controller from the internet, you could also forward the following port. But keep in mind that this exposes the controller’s login page to the whole internet, and it is only protected with a username and password. Another, safer, option to access your Unifi Controller remotely is to use unifi.ui.com, which uses an outbound connection from the controller instead of an open inbound port.
  • Original port: 8443
  • Protocol: TCP
  • Forward-to address: IP Address of your Unifi Controller
  • Forward-to port: 8443
If you have an EdgeRouter you can enable Auto firewall on the port forward; the EdgeRouter will then open the specific port in the firewall for you.

Install SSL Certificate on Unifi Controller
With everything set, we can start with installing the certificate for our Unifi Controller.
  1. Install Certbot
    sudo apt-get install certbot
  2. Generate a SSL certificate
    sudo certbot certonly --standalone -d unifi.yourdomain.com

    In standalone mode certbot starts its own temporary web server on port 80 to answer the Letsencrypt challenge, so the port forward from the previous section must be in place and port 80 must be free on the Pi. You will need to enter an email address so you can receive a notification when the certificate is about to expire (for example when the auto-renew fails), accept the Terms of Service, and accept or decline the question about sharing your email address with the EFF. The certificate and key end up in /etc/letsencrypt/live/unifi.yourdomain.com/.
  3. Download import script
    We need to import the Letsencrypt cert into the Unifi Controller. Steve Jenkins has created an import script that makes this a lot easier to do, so we are going to use this script.

    Download the script with the following cmd:

    sudo wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh -O /usr/local/bin/unifi_ssl_import.sh

    We place it in /usr/local/bin as recommended by Steve. The script runs as root and restarts your controller, so read through it before you run it, as you should with any script you download.
  4. Make the script executable
    By default, you can’t execute the script. Give it the correct permissions with the following cmd:

    sudo chmod +x /usr/local/bin/unifi_ssl_import.sh
  5. Edit the variables in the script
    Next, we need to edit some of the configuration variables in the script. Open the script with

    sudo nano -w /usr/local/bin/unifi_ssl_import.sh

    Add your domain
    UNIFI_HOSTNAME=unifi.yourdomain.com

    Make sure the three lines for Fedora/RedHat/CentOS stay commented out (each starts with a #):
    # Uncomment following three lines for Fedora/RedHat/CentOS
    #UNIFI_DIR=/opt/UniFi
    #JAVA_DIR=${UNIFI_DIR}
    #KEYSTORE=${UNIFI_DIR}/data/keystore

    Uncomment the three lines for Debian/Ubuntu
    # Uncomment following three lines for Debian/Ubuntu
    UNIFI_DIR=/var/lib/unifi
    JAVA_DIR=/usr/lib/unifi
    KEYSTORE=${UNIFI_DIR}/keystore

    Set the Let’s Encrypt mode to true:
    If you only enable the line by removing the #, you will get a loop printing == yes when running the script, so set it to true. You will still get a warning about a missing [[, but that doesn’t matter.
    LE_MODE=true

    Save and close the file
    Ctrl + X
    Y
    Enter
  6. Run the import script
    We can now import our new SSL cert into the Unifi Controller. Run the following cmd:

    sudo /usr/local/bin/unifi_ssl_import.sh

    If you get a loop printing == yes, press Ctrl + C and change LE_MODE to true (see step 5).
  7. Check the new Certificate
    The script will restart the Unifi Controller. Give it a couple of minutes to start.
    If you open your controller at https://unifi.yourdomain.com:8443 you should now have a valid certificate and no errors or warnings anymore. Opening it by its IP address will still warn, as explained above.

  8. Creating the update script
    Certbot installs its own scheduled task (a systemd timer or cron job, depending on the package) that checks twice a day and renews the certificate when it is within 30 days of expiry, so a fresh certificate appears roughly every two months. The Unifi Controller does not pick it up by itself, so we also run the import script daily from cron:

    Create a new file
    sudo nano -w /etc/cron.daily/unifi_ssl_import

    And add the following content into it
    #!/bin/bash
    /usr/local/bin/unifi_ssl_import.sh

    Press Ctrl +X followed by Y and Enter to save and close the file.

    Give the file the correct permissions so it can be executed:
    sudo chown root:root /etc/cron.daily/unifi_ssl_import
    sudo chmod +x /etc/cron.daily/unifi_ssl_import
That’s all, you should now be set with a nice SSL certificate for your Unifi Controller, and the annoying warning should be gone. If you have any questions, just drop a comment below.
You probably also want to take care of your Unifi Controller backup. By default it’s stored on the controller itself, but you can simply upload a copy of the backup to Dropbox, for example. You can read all about it in this article.
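As an added example, not part of the original post or of Steve Jenkins’ script: instead of running the import blindly every day from cron.daily (step 8), you can let certbot trigger it through a deploy hook, which certbot runs only after it has actually renewed a certificate. The script below installs such a hook and adds a check of the certificate the controller really serves. It assumes certbot 0.17 or newer (deploy hooks in /etc/letsencrypt/renewal-hooks/deploy/, with RENEWED_DOMAINS exported to the hook), the import script at /usr/local/bin/unifi_ssl_import.sh as above, the hostname unifi.yourdomain.com, and openssl installed on the Pi; the paths can be overridden through the environment variables at the top.

```shell
#!/bin/bash
# Added example, not from the original post or Steve Jenkins' import script:
# install a certbot deploy hook so the UniFi import runs only when certbot
# has actually issued a new certificate, and check what the controller serves.
#
# Assumptions (override through the environment if your setup differs):
#   - certbot >= 0.17: runs every executable in the deploy hook directory after
#     a successful renewal and exports RENEWED_DOMAINS (space-separated names)
#   - the import script from the post at /usr/local/bin/unifi_ssl_import.sh
#   - openssl installed, for the "check" subcommand

UNIFI_HOSTNAME="${UNIFI_HOSTNAME:-unifi.yourdomain.com}"
IMPORT_SCRIPT="${IMPORT_SCRIPT:-/usr/local/bin/unifi_ssl_import.sh}"
HOOK_DIR="${HOOK_DIR:-/etc/letsencrypt/renewal-hooks/deploy}"

# Write an executable hook into hook_dir that runs import_script only when the
# renewed certificate covers fqdn. Prints the path of the hook it wrote.
write_unifi_deploy_hook() {
  local hook_dir="$1" fqdn="$2" import_script="$3"
  local hook="$hook_dir/unifi-import.sh"
  mkdir -p "$hook_dir"
  # Unquoted heredoc: $fqdn and $import_script are filled in now,
  # \${RENEWED_DOMAINS:-} stays literal and is read by the hook at renewal time.
  cat > "$hook" <<EOF
#!/bin/sh
# Generated by write_unifi_deploy_hook; certbot runs this after every renewal.
set -eu
case " \${RENEWED_DOMAINS:-} " in
  *" $fqdn "*) exec "$import_script" ;;   # our cert: import it into UniFi
  *) exit 0 ;;                             # some other cert: nothing to do
esac
EOF
  chmod 0755 "$hook"
  printf '%s\n' "$hook"
}

# Print subject, issuer and expiry of the certificate the controller presents
# on its HTTPS port. Needs network access to the controller.
check_served_cert() {
  local host="$1" port="${2:-8443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

main() {
  case "${1:-}" in
    install) write_unifi_deploy_hook "$HOOK_DIR" "$UNIFI_HOSTNAME" "$IMPORT_SCRIPT" ;;
    check)   check_served_cert "$UNIFI_HOSTNAME" ;;
    *) echo "usage: $0 install|check" >&2; return 2 ;;
  esac
}

# Only dispatch when invoked with a subcommand, so the file can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `sudo ./unifi-le-hook.sh install` once; from then on every successful renewal re-imports the certificate and restarts the controller, and a renewal that fails leaves the running certificate untouched. `sudo certbot renew --dry-run` tests that the port-80 challenge still works, but certbot does not execute deploy hooks during a dry run, so test the hook by hand with `sudo env RENEWED_DOMAINS=unifi.yourdomain.com /etc/letsencrypt/renewal-hooks/deploy/unifi-import.sh`. `./unifi-le-hook.sh check` prints subject, issuer and expiry of the certificate on port 8443, which is the quickest way to see whether the import took.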
 