Regular Member
Posts: 591
Registered: ‎09-23-2015
Kudos: 218
Solutions: 6

Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers


After seeing how much hair-pulling goes on trying to use your own existing SSL certificate with a Linux-based UniFi Controller (and experiencing some of that hair-pulling myself), I wrote a script that automates the process. I wrote it on a CentOS box, so it should work for any other RedHat-based systems, but it could easily be modified for Ubuntu and Debian-based users (I believe all you have to do is change the keystore directory to /var/lib/unifi).

 

Just put in the name/location of your private key, certificate file, and certificate/chain file... then BOOM! Green lock goodness.

 

UPDATE: As mentioned further below, I have completely re-written the script to also support Let's Encrypt SSL certificates.

 

This blog post includes the script, and walks you through configuring and running it:

 

http://www.stevejenkins.com/blog/2016/06/use-existing-ssl-certificate-linux-unifi-controller/

 

Suggestions for improving the script, or problems running it, are welcome in this thread.

 

This is where I used to list my UBNT gear, but now it's mostly stuff I'm not allowed to talk about yet. Man Wink
942.22 Mbps down / 926.27 Mbps up (http://result.googlefiber.net/share/316298352.png)
My Blog: http://www.stevejenkins.com/
New Member
Posts: 9
Registered: ‎06-24-2016
Kudos: 1

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

wow, thanks so much. I wish that would have been what came up first when googling to change the ssl cert.

New Member
Posts: 9
Registered: ‎06-24-2016
Kudos: 1

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

I'm still having a hard time. However, I am using an Ubuntu VM instead of CentOS. With that said, there isn't that much difference in the OS... so with a slight modification I can fire it off in Ubuntu.

New Member
Posts: 34
Registered: ‎08-23-2013
Kudos: 34

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

Any way this can be merged with the Let's Encrypt free SSL solution? I've seen articles talking about automating the renewal of SSLs from Let's Encrypt in services like Nginx. Finding a way to do this with a UniFi controller would be great.

 

Found this Youtube video for setting up Let's Encrypt with Nginx.

https://www.youtube.com/watch?v=m9aa7xqX67c&list=PLum3WoIkr5ec7ZzYXzGSGMUAW0PucREFC&index=3

 


Regular Member
Posts: 591
Registered: ‎09-23-2015
Kudos: 218
Solutions: 6

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers


Bauer3139 wrote:

Any way this can be merged with the Let's Encrypt free SSL solution? I've seen articles talking about automating the renewal of SSLs from Let's Encrypt in services like Nginx. Finding a way to do this with a UniFi controller would be great.

 

Found this Youtube video for setting up Let's Encrypt with Nginx.

https://www.youtube.com/watch?v=m9aa7xqX67c&list=PLum3WoIkr5ec7ZzYXzGSGMUAW0PucREFC&index=3

 



I've never used Let's Encrypt, but if I get time this week I'll take a peek at it. Though as long as it provides you with a key, a certificate, and allows you to download their certificate authority info, I don't see why it wouldn't work already.

Regular Member
Posts: 591
Registered: ‎09-23-2015
Kudos: 218
Solutions: 6

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

AFAIK, you should only have to change the location of the keystore in the script for Ubuntu. But I don't have any Ubuntu servers handy, and I'm out of energy today to go through the hassle of setting one up. Man Happy

 

Input from Ubuntu users regarding any other necessary changes would be greatly appreciated, and I'll update the article and the in-script usage instructions.

Regular Member
Posts: 424
Registered: ‎10-21-2014
Kudos: 119
Solutions: 16

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

Let's Encrypt UniFi instructions are here.
Auto renew by running the script as cron job once a month.
Regular Member
Posts: 591
Registered: ‎09-23-2015
Kudos: 218
Solutions: 6

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

Due to popular demand, I've re-written the script (using bash instead of sh this time) to support Let's Encrypt users.

 

If you already have a valid Let's Encrypt SSL certificate on your server, all you need to do is set the UNIFI_HOSTNAME in the unifi_ssl_import.sh script, set LE_MODE to "yes", and run the script. You should have the "green lock" within a few seconds.

 

If you don't have (or don't want) a Let's Encrypt certificate, the script still works just as well with a "traditional" SSL cert. You just need to enter a few more configuration options, and provide a valid CA or chain file for your cert. The updated blog article walks you through how to do everything:

 

http://www.stevejenkins.com/blog/2016/06/use-existing-ssl-certificate-linux-unifi-controller/

 

Again, suggestions for improvement are always welcome.

 

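Since the script itself lives off-page, here is an added example (my own code, not the script from the gist or blog post) of the core keystore import the two posts above describe, covering both the Let's Encrypt path (LE_MODE=yes plus UNIFI_HOSTNAME) and the traditional key/cert/chain path. Assumed: the CentOS keystore at /opt/UniFi/data/keystore and the Ubuntu/Debian one at /var/lib/unifi/keystore, UniFi's default keystore password aircontrolenterprise, alias unifi (ubnt for mFi, as noted later in the thread), certbot's /etc/letsencrypt/live/HOSTNAME layout, and openssl plus keytool on PATH, run as root with the controller stopped.

```shell
#!/usr/bin/env bash
# Added example, not the script from the thread: import key + cert + chain
# into the UniFi controller's Java keystore. Assumptions: keystore paths
# below, default store password "aircontrolenterprise", alias "unifi"
# ("ubnt" for mFi), Let's Encrypt files under /etc/letsencrypt/live/<host>.
set -eu

# Keystore location per distro family (CentOS vs Ubuntu/Debian, per the thread).
keystore_path() {               # $1 = centos | ubuntu | debian
  case "$1" in
    centos) echo /opt/UniFi/data/keystore ;;
    ubuntu|debian) echo /var/lib/unifi/keystore ;;
    *) echo "unknown distro: $1" >&2; return 1 ;;
  esac
}

# Resolve key, cert and chain: LE_MODE=yes uses the certbot layout,
# otherwise the three user-supplied files. Prints one path per line.
cert_files() {                  # $1 = LE_MODE, $2 = UNIFI_HOSTNAME, $3 $4 $5 = key cert chain
  if [ "$1" = yes ]; then
    printf '%s\n' "/etc/letsencrypt/live/$2/privkey.pem" \
      "/etc/letsencrypt/live/$2/cert.pem" "/etc/letsencrypt/live/$2/chain.pem"
  else
    printf '%s\n' "$3" "$4" "$5"
  fi
}

# Bundle the files into PKCS#12 (chain included so clients get the full
# path), back up the keystore, replace the alias, then verify it is there.
import_cert() {                 # $1 keystore $2 alias $3 key $4 cert $5 chain
  pass=aircontrolenterprise     # UniFi's default keystore password
  p12=$(mktemp)
  openssl pkcs12 -export -in "$4" -inkey "$3" -certfile "$5" \
    -name "$2" -out "$p12" -passout "pass:$pass"
  cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
  keytool -delete -alias "$2" -keystore "$1" -storepass "$pass" >/dev/null 2>&1 || true
  keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
    -srcstorepass "$pass" -destkeystore "$1" -deststorepass "$pass" \
    -destkeypass "$pass" -srcalias "$2" -destalias "$2" -noprompt
  rm -f "$p12"
  keytool -list -keystore "$1" -storepass "$pass" -alias "$2" >/dev/null
}

# Example invocation (stop the controller first, restart it afterwards):
#   import_cert "$(keystore_path centos)" unifi $(cert_files yes unifi.example.com)
```

The final keytool -list is the check worth keeping: if the alias is missing after the import, the controller falls back to its self-signed certificate and the browser lock stays red.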
Regular Member
Posts: 591
Registered: ‎09-23-2015
Kudos: 218
Solutions: 6

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers


Bauer3139 wrote:

Any way this can be merged with the Let's Encrypt free SSL solution? I've seen articles talking about automating the renewal of SSLs from Let's Encrypt in services like Nginx. Finding a way to do this with a UniFi controller would be great.

 

Found this Youtube video for setting up Let's Encrypt with Nginx.

https://www.youtube.com/watch?v=m9aa7xqX67c&list=PLum3WoIkr5ec7ZzYXzGSGMUAW0PucREFC&index=3

 



@Bauer3139: Your wish is my command. See above. Man Happy

 

I'm now running a Let's Encrypt SSL cert on my controller. Once you have the Let's Encrypt SSL cert on your server (which was ridiculously easy), the unifi_ssl_import.sh script will make your lock turn green in about 10 seconds.

Emerging Member
Posts: 71
Registered: ‎11-02-2013
Kudos: 38
Solutions: 1

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

This is fantastic. I've got my Linux box running UniFi wireless all set up with a Let's Encrypt cert thanks to your hard work. Thank you for taking the time to do this.

 

I assume it wouldn't be hard to modify the script to work with an mFi Linux based install. I'm going to comb through the script and see what I can figure out. Any help is appreciated since my scripting skills are not the best.

Regular Member
Posts: 591
Registered: ‎09-23-2015
Kudos: 218
Solutions: 6

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers


ryanhaver wrote:

This is fantastic. I've got my Linux box running UniFi wireless all set up with a Let's Encrypt cert thanks to your hard work. Thank you for taking the time to do this.

 

I assume it wouldn't be hard to modify the script to work with an mFi Linux based install. I'm going to comb through the script and see what I can figure out. Any help is appreciated since my scripting skills are not the best.


You're very welcome! I don't run an mFi controller, but assuming they use a similar java keystore approach to the UniFi controller, I'd bet those bits of the script would be easily repurposed. Keep me posted on your progress, and I'll link to the mFi version from my blog post if you get it sorted!

Emerging Member
Posts: 71
Registered: ‎11-02-2013
Kudos: 38
Solutions: 1

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers


It was much easier than I thought to get this working on mFi. All that was needed was to change the entries in the script that referenced locations for UniFi from UniFi to mFi... and that's really all there was to it. I decided to keep all the cert, key, and csr files in root /etc/ssl.

 

The Green Lock in all its Glory!!

 

I ended up using a StartSSL certificate, in part because I already have a web server on a separate machine, behind a dynamic IP address, running Let's Encrypt. Due to the limitation with Let's Encrypt needing to communicate with each server via port 80/443 to authorize the certificate, this made it more work than I want to deal with right now... I couldn't get Let's Encrypt to work with my reverse proxy. It kept referencing my existing Let's Encrypt cert even though my reverse proxy should have been pointing it to the mFi controller.

 

Thank you again for taking the time to script and document these things and post them for the community.

 

 

Edit: From what I have researched the only other thing that needs to change in the script is that the alias should be 'ubnt' instead of 'unifi' for the section that deals with the Keystore. When I get some time I will try to modify the script so that all mention of UniFi is replaced with mFi so that you can link to it. 

New Member
Posts: 9
Registered: ‎06-24-2016
Kudos: 1

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers


I finally got this to run on an Ubuntu server. However, it doesn't seem to actually install it. I need to dig deeper into the code.

 

Updated: yay, I got it. Only a few changes needed for Ubuntu.

New Member
Posts: 9
Registered: ‎06-24-2016
Kudos: 1

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

@sjjenkins You should put this in a repository, and I will add my Ubuntu changes into it.

Regular Member
Posts: 591
Registered: ‎09-23-2015
Kudos: 218
Solutions: 6

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

@dino2016 Nice work! You can fork the gist and add your changes, then I'll pull and merge them.

 

https://gist.github.com/stevejenkins/639ca3470b28e07b36bacb29efcec37f

New Member
Posts: 9
Registered: ‎06-24-2016
Kudos: 1

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

@sjjenkins Here are the changes, a little sloppy... but it works.

https://gist.github.com/dalenoe/fda97eb9399c5d0a8708329bc42cfcd1

New Member
Posts: 6
Registered: ‎07-30-2016
Kudos: 1

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

Thank you very much for this, it worked great!

 

Make sure you set the host in the controller. I got up in minutes and spent a day trying to figure out why the portal got the red X. I had the IP in the URL of the browser. As soon as I used the domain name I had green padlocks all the way through!

Now I have it up and secure, but the paypal button redirects to google and the credit card payment fails with "Unable to process the payment". The server log says:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

 

Any help would be appreciated.

 

BTW commercial cert...

 

JC

New Member
Posts: 9
Registered: ‎06-24-2016
Kudos: 1

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

Did you include the chain? Anything else with more information in the logs? What OS?

Regular Member
Posts: 474
Registered: ‎12-09-2015
Kudos: 164
Solutions: 4

Re: Automated Script and Walk-Thru for Existing SSL Certificates on Linux UniFi Controllers

This is great!

 

Is there a similar option (Let's Encrypt) to handle certs on a Cloud Key?

Also: noob question, but do UniFi USG, switches and APs also use SSL certs?

 
