New Member
Posts: 1
Registered: ‎10-18-2015
Kudos: 6

[Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

[ Edited ]

I've noticed a few variants and questions around installing a Let's Encrypt or other custom HTTPS certificate for the Controller.

Using a proxy in front of unifi is not really needed as you can take a certificate and import it into unifi.

There are multiple ways of generating a certificate (the below example assumes using Let's Encrypt), but here are the overall steps.

  1. Generate your certificate (e.g. using letsencrypt-auto)
  2. Convert your certificate and private key to pkcs12 format
  3. Convert the pkcs12 file to a java keystore
  4. Copy the java keystore into the right location for unifi
  5. Restart unifi

I use 2 cronjobs, one to generate the certificate using letsencrypt (1) and one to convert and import into unifi (2-5).

The following is the bash script (tested on Ubuntu) for steps 2-5 (don't forget to change the "unifi.mydomain.com" to your domain/certificate):

#!/bin/bash
# Steps 2-5: convert the Let's Encrypt files into the java keystore unifi expects, then restart.
# Change unifi.mydomain.com to your own domain/certificate name.
set -e   # stop before touching /var/lib/unifi if any conversion step fails
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games'
LIVE=/etc/letsencrypt/live/unifi.mydomain.com
# 2. certificate + private key -> pkcs12 (alias "tomcat", temporary password "aaa")
openssl pkcs12 -export -in "$LIVE/fullchain.pem" -inkey "$LIVE/privkey.pem" -out "$LIVE/cert_and_key.p12" -name tomcat -CAfile "$LIVE/chain.pem" -caname root -password pass:aaa
# 3. pkcs12 -> java keystore, then add the CA chain under alias "unifi"
rm -f "$LIVE/keystore"
keytool -importkeystore -srcstorepass aaa -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -srckeystore "$LIVE/cert_and_key.p12" -srcstoretype PKCS12 -alias tomcat -keystore "$LIVE/keystore"
keytool -import -trustcacerts -alias unifi -deststorepass aircontrolenterprise -file "$LIVE/chain.pem" -noprompt -keystore "$LIVE/keystore"
# 4. keep a dated backup of the current unifi keystore and install the new one
mv /var/lib/unifi/keystore "/var/lib/unifi/keystore-$(date -I)"
cp "$LIVE/keystore" /var/lib/unifi/keystore
# 5. restart unifi so it picks up the new keystore
service unifi restart

Important: do not change the alias or passwords listed above - they are what unifi expects.

This means that your https://unifi.mydomain.com:8443 will be using the above certificate instead of the self-signed default - no proxy required.

I hope this helps someone else automate more of the things.
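The five steps above written as a certbot deploy hook with a keystore sanity check and a rollback, as an added example that is not the original poster's script (certbot's --deploy-hook is the current name of the --renew-hook option mentioned later in the thread; it exports RENEWED_LINEAGE to the hook). The alias and password values are the ones the post says unifi expects; the hook only deploys when RENEWED_LINEAGE is set, so sourcing the file just defines the functions.

```shell
#!/bin/bash
# Added example, not the original poster's script: steps 2-5 as a certbot
# --deploy-hook, with a check of the keystore contents and a rollback.
set -euo pipefail
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin   # cron/certbot have a minimal PATH

KEYSTORE=/var/lib/unifi/keystore
STOREPASS=aircontrolenterprise        # password unifi expects (from the post)
LIVE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/unifi.mydomain.com}"
WORK=$(mktemp -d)

# Reads `keytool -list` output on stdin; succeeds only when both entries unifi
# needs are present: the server key under alias "tomcat" and the CA chain
# under alias "unifi".
keystore_entries_ok() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -qiE '^tomcat,.*PrivateKeyEntry' &&
    printf '%s\n' "$listing" | grep -qiE '^unifi,.*trustedCertEntry'
}

# $1 = letsencrypt lineage dir, $2 = keystore file to create
build_keystore() {
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name tomcat -CAfile "$1/chain.pem" -caname root \
        -password pass:aaa -out "$WORK/cert_and_key.p12"
    keytool -importkeystore -noprompt -srcstoretype PKCS12 \
        -srckeystore "$WORK/cert_and_key.p12" -srcstorepass aaa -alias tomcat \
        -destkeystore "$2" -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    keytool -importcert -trustcacerts -noprompt -alias unifi -file "$1/chain.pem" \
        -keystore "$2" -storepass "$STOREPASS"
    keytool -list -keystore "$2" -storepass "$STOREPASS" | keystore_entries_ok
}

deploy() {
    build_keystore "$LIVE" "$WORK/keystore"
    backup="$KEYSTORE-$(date -I)"
    [ -f "$KEYSTORE" ] && cp -p "$KEYSTORE" "$backup"
    cp "$WORK/keystore" "$KEYSTORE"
    if ! service unifi restart; then          # put the old keystore back
        [ -f "$backup" ] && cp -p "$backup" "$KEYSTORE" && service unifi restart
        exit 1
    fi
}

# Only deploy when certbot calls this as a hook (it sets RENEWED_LINEAGE);
# otherwise just define the functions so the file can be sourced.
[ -n "${RENEWED_LINEAGE:-}" ] && deploy
rm -rf "$WORK"
```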

New Member
Posts: 32
Registered: ‎02-23-2015
Kudos: 11

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

This was a great guide. I recently moved my controller from a personal server to GCP and in the process this was one of the items I wanted to add to my controller setup. It worked great; a small issue I had was that I never set up port forwarding to port 443 for HTTPS, so Let's Encrypt was unable to see my domain until I opened it up.

Thank you for your writeup, I've saved this post into my collection of "How-to's" for later reference.

Ted

New Member
Posts: 5
Registered: ‎11-01-2016
Kudos: 2

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Thanks!
Your script worked great!
New Member
Posts: 8
Registered: ‎02-23-2014
Solutions: 1

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Thanks for this script!

I used the --renew-hook option of certbot to automatically run the script when the certificate is renewed. More details on my blog: https://blog.webtito.be/2017/06/01/lets-encrypt-unifi/?lang=en

New Member
Posts: 3
Registered: ‎10-26-2016
Kudos: 2

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Hi guys,

I created a droplet in DigitalOcean, got everything working, took a snapshot of the droplet and then installed cert-bot and ran your script. The unifi service seems to be running (sudo service unifi status) but it doesn't look like it hooks up with MongoDB; mongod is also active and running.

I am not that proficient with Ubuntu (16.04.2), so I restored the snapshot, but the controller is still running and I cannot connect to it!

Any clues?

I can always create the controller from scratch as I haven't used it in production yet, but if I do I'd like to feel safe that I can always restore the droplet.

Thank you in advance,

/skalf

Senior Member
Posts: 2,855
Registered: ‎06-13-2015
Kudos: 753
Solutions: 137

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

skalf wrote:

Hi guys,

I created a droplet in DigitalOcean, got everything working, took a snapshot of the droplet and then installed cert-bot and ran your script. The unifi service seems to be running (sudo service unifi status) but it doesn't look like it hooks up with MongoDB; mongod is also active and running.

I am not that proficient with Ubuntu (16.04.2), so I restored the snapshot, but the controller is still running and I cannot connect to it!

Any clues?

I can always create the controller from scratch as I haven't used it in production yet, but if I do I'd like to feel safe that I can always restore the droplet.

Thank you in advance,

/skalf

Has the controller worked before this change? If not, you probably need to add some entropy by following the suggestions mentioned here:

https://community.ubnt.com/t5/UniFi-Wireless/Ubuntu-14-04-x64-Unifi-4-6-6-very-slow-start-up/td-p/13...

When you receive a solution to your question/issue, don't forget to mark your thread as "solved" and to give kudo's to the people who have helped you out!
Check out my UniFi API browser tool on GitHub. A standalone version of the PHP API client which it uses, can be found here on GitHub.
New Member
Posts: 3
Registered: ‎10-26-2016
Kudos: 2

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Yes, it worked before. I destroyed that droplet and created new ones in Vultr, Azure and Linode. The only one that worked out of the box was the Azure one! Finally I made a new one in DigitalOcean and made it work; haveged was part of the solution. In the beginning it works, but after you try to apply the certificate it "freezes".

Now all is up and running, thanks for the answer!
New Member
Posts: 13
Registered: ‎07-13-2016
Kudos: 1

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Did anyone try this with Windows? I think most of it should work.

There are a few Windows clients for letsencrypt. I didn't try them out, but I guess they can be started by a script.

The rest should be possible from the command line (script) via Java (import key and restart service).

For now I generated the certificate using the www.sslforfree.com website and the manual DNS TXT thing, then used the Windows software KeyStore Explorer, which is an easy clicky way, and I would continue to do so if it was one time every 3 years, but every 3 months I won't do this. If this is running on unifi I'm going to look for the zywall to autoupdate the SSL certificate... (not having any hope)

Senior Member
Posts: 2,855
Registered: ‎06-13-2015
Kudos: 753
Solutions: 137

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller


skalf wrote:
Yes, it worked before. I destroyed that droplet and created new ones in Vultr, Azure and Linode. The only one that worked out of the box was the Azure one! Finally I made a new one in DigitalOcean and made it work; haveged was part of the solution. In the beginning it works, but after you try to apply the certificate it "freezes".

Now all is up and running, thanks for the answer!

Good to hear. Do keep in mind that haveged is a daemon that should always start upon boot. Was that enabled in the other VPSs?

When you receive a solution to your question/issue, don't forget to mark your thread as "solved" and to give kudo's to the people who have helped you out!
Check out my UniFi API browser tool on GitHub. A standalone version of the PHP API client which it uses, can be found here on GitHub.
New Member
Posts: 3
Registered: ‎10-26-2016
Kudos: 2

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

I didn't install it on the other VMs, but I am not 100% sure that it wasn't there, at least for the Azure distro, which worked perfectly out of the box, even after reboots.

Now it works perfectly; I just updated unifi to 5.5.20 and haveged always runs automatically as a service after every boot.

New Member
Posts: 1
Registered: ‎09-04-2017

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Nice.  Worked for me on my Raspberry Pi running Raspbian on Unifi Controller 5.5.20.
