Spun up a virtual controller for UniFi, and was looking into implementing a Let’s Encrypt SSL certificate.
Came across this link in the UniFi forum – thank you, Frank Gabriel!
https://community.ubnt.com/t5/UniFi-Wireless/Lets-Encrypt-on-Hosted-Controller/m-p/2463220#M318272
We wanted to help put this out there for others, so here is the script in full (please update your domain name in the script):
```bash
#!/bin/bash
# Author: Frank Gabriel, 15.09.2018
# Credits Kalle Lilja and others
# Script location: /etc/letsencrypt/renewal-hooks/post/unifi-import-cert.sh (important for auto renewal)
# Tested with Debian 9 and UniFi 5.8.28 and 5.9.22 - should work with any recent Unifi and Ubuntu/Debian releases

#************************************************
#******************Instructions******************
#************************************************

#0
# Edit your domain name in the Script section below
# Make sure file is in Linux format (windows=cr/lf, linux=lf)
# Configure your firewall, hostname, hosts, ntp and TZ data (out of scope here)
# sudo for all commands if you are not root

#1
# Install/upgrade unifi controller and dependencies: (for 5.9.22 for other releases get url from Unifi release note)
# wget https://dl.ubnt.com/unifi/5.9.22-d2a4718971/unifi_sysvinit_all.deb
# apt install ./unifi_sysvinit_all.deb

#2
# Get a certificate, run the following shell commands: (installs certbot-auto components and runs an interactive dialogue)
# wget https://dl.eff.org/certbot-auto
# chmod a+x ./certbot-auto
# ./certbot-auto certonly

#3
# Get the import script
# wget https://util.wifi.gl/unifi-import-cert.sh
# cp ./unifi-import-cert.sh /etc/letsencrypt/renewal-hooks/post/
# chmod a+x /etc/letsencrypt/renewal-hooks/post/unifi-import-cert.sh

#4 Import the certificate: (remember to modify domain, above)
# /etc/letsencrypt/renewal-hooks/post/unifi-import-cert.sh

#5
# Renew the certificate: (include as a daily cron job, The certbot-auto post-hook will automatically execute the import script upon renewal)
# ./certbot-auto renew

#************************************************
#********************Script**********************
#************************************************

# Set the Domain name, valid DNS entry must exist
DOMAIN="www.yourdomain.dk"

# Backup previous keystore
cp /var/lib/unifi/keystore /var/lib/unifi/keystore.backup.$(date +%F_%R)

# Convert cert to PKCS12 format
openssl pkcs12 -export -inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem -in /etc/letsencrypt/live/${DOMAIN}/fullchain.pem -out /etc/letsencrypt/live/${DOMAIN}/fullchain.p12 -name unifi -password pass:unifi

# Import certificate
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /etc/letsencrypt/live/${DOMAIN}/fullchain.p12 -srcstoretype PKCS12 -srcstorepass unifi -alias unifi -noprompt

# Restart the UniFi controller
service unifi restart
```
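A hardened variant of the import step, as an added example that is not Frank Gabriel's script: it keeps the intermediate PKCS12 copy of the private key in a private temporary directory under a throwaway password, stops before the restart if any step fails, and checks that the keystore really holds the renewed certificate. Paths, alias and keystore password are taken from the script above; the function names, the temp-directory handling and the `$0` guard are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the original author's script. Paths, alias and keystore
# password come from the script above; function names are this example's own.
set -eu

DOMAIN="${DOMAIN:-www.yourdomain.dk}"
LIVE="/etc/letsencrypt/live/${DOMAIN}"
KEYSTORE="/var/lib/unifi/keystore"
STOREPASS="aircontrolenterprise"

# SHA-256 fingerprint of the first (leaf) certificate of a PEM stream on stdin,
# reduced to bare uppercase hex.
leaf_fp() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# True only if alias "unifi" in keystore $2 holds the leaf certificate of PEM file $1.
keystore_matches() {
    want=$(leaf_fp < "$1")
    have=$(keytool -exportcert -rfc -alias unifi -keystore "$2" -storepass "$STOREPASS" | leaf_fp)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

import_cert() {
    if [ ! -r "$LIVE/privkey.pem" ] || [ ! -r "$LIVE/fullchain.pem" ]; then
        echo "no certificate found for $DOMAIN" >&2; return 1
    fi
    umask 077                       # temp files readable by this user only
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT       # the PKCS12 copy of the key never outlives the run
    p12pass=$(openssl rand -hex 16) # throwaway password for the intermediate file
    cp -p "$KEYSTORE" "$KEYSTORE.backup.$(date +%F_%R)"
    openssl pkcs12 -export -inkey "$LIVE/privkey.pem" -in "$LIVE/fullchain.pem" \
        -out "$tmp/unifi.p12" -name unifi -password "pass:$p12pass"
    keytool -importkeystore -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" \
        -destkeystore "$KEYSTORE" -srckeystore "$tmp/unifi.p12" -srcstoretype PKCS12 \
        -srcstorepass "$p12pass" -alias unifi -noprompt
    if ! keystore_matches "$LIVE/fullchain.pem" "$KEYSTORE"; then
        echo "keystore does not hold the renewed certificate, not restarting" >&2; return 1
    fi
    service unifi restart
}

# Run only when installed under the hook name used above; inert when sourced elsewhere.
case "$0" in
    *unifi-import-cert.sh) import_cert ;;
esac
```

The fingerprint check exports the certificate with `keytool -exportcert -rfc` and hashes it with `openssl`, so it does not depend on which digest a given Java version prints in `keytool -list`.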