New Member
Posts: 1
Registered: ‎10-18-2015
Kudos: 7

[Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller


I've noticed a few variants and questions around installing a Let's Encrypt or other custom HTTP certificate for the Controller.

Using a proxy in front of unifi is not really needed as you can take a certificate and import it into unifi.

There are multiple ways of generating a certificate (the below example assumes using Let's Encrypt), but here are the overall steps.

  1. Generate your certificate (e.g. using letsencrypt-auto)
  2. Convert your certificate and private key to pkcs12 format
  3. Convert the pkcs12 file to a java keystore
  4. Copy the java keystore into the right location for unifi
  5. Restart unifi

I use 2 cronjobs, one to generate the certificate using letsencrypt (1) and one to convert and import into unifi (2-5).

The following is the bash script (tested on Ubuntu) for steps 2-5 (don't forget to change the "unifi.mydomain.com" to your domain/certificate):

#!/bin/bash
# Steps 2-5 above: convert the Let's Encrypt cert + key to a Java keystore and swap it into unifi.
# Stop on the first failure so a half-built keystore is never copied over the live one.
set -e
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games'
LE=/etc/letsencrypt/live/unifi.mydomain.com   # change to your domain/certificate
# Step 2: cert + key -> PKCS#12 (alias "tomcat" and password "aaa" are what the import below expects)
openssl pkcs12 -export -in "$LE/fullchain.pem" -inkey "$LE/privkey.pem" -out "$LE/cert_and_key.p12" -name tomcat -CAfile "$LE/chain.pem" -caname root -password pass:aaa
# Step 3: PKCS#12 -> Java keystore with the password unifi is configured for, then add the CA chain
rm -f "$LE/keystore"
keytool -importkeystore -srcstorepass aaa -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -srckeystore "$LE/cert_and_key.p12" -srcstoretype PKCS12 -alias tomcat -keystore "$LE/keystore"
keytool -import -trustcacerts -alias unifi -deststorepass aircontrolenterprise -file "$LE/chain.pem" -noprompt -keystore "$LE/keystore"
# Step 4: keep a dated backup of the old keystore, then install the new one
mv /var/lib/unifi/keystore "/var/lib/unifi/keystore-$(date -I)"
cp "$LE/keystore" /var/lib/unifi/keystore
# Step 5: restart the controller so it picks up the new keystore
service unifi restart

Important: do not change the alias or passwords listed above - they are what unifi expects.

This means that your https://unifi.mydomain.com:8443 will be using the above certificate instead of the self-signed default - no proxy required.

I hope this helps someone else automate more of the things.
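The conversion script does not tell you whether the controller actually picked the new keystore up. The following check is an added example (not code from this post or from Ubiquiti): it reads fullchain.pem, connects to port 8443 and compares the SHA-256 fingerprint of the served leaf certificate with the first certificate in the bundle; the host, port and path are the ones used above and are assumptions to change for your own domain.

```python
"""Post-swap check for the UniFi controller: is the Let's Encrypt cert really served?"""
import base64
import hashlib
import socket
import ssl

# Host, port and path follow the thread's example; change them to your own domain.
HOST, PORT = "unifi.mydomain.com", 8443
FULLCHAIN = "/etc/letsencrypt/live/unifi.mydomain.com/fullchain.pem"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def pem_fingerprints(pem_text: str) -> list[str]:
    """Fingerprints of every certificate in a PEM bundle, in file order (leaf first)."""
    prints, body, inside = [], [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            body, inside = [], True
        elif line == "-----END CERTIFICATE-----":
            prints.append(fingerprint(base64.b64decode("".join(body))))
            inside = False
        elif inside:
            body.append(line)
    return prints

def certs_match(served_der: bytes, pem_text: str) -> bool:
    """True when the served leaf equals the first certificate in the bundle."""
    prints = pem_fingerprints(pem_text)
    return bool(prints) and fingerprint(served_der) == prints[0]

def fetch_served_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """DER bytes of the leaf cert the controller presents. Verification is off on
    purpose so the default self-signed cert can be fetched and reported as a mismatch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":  # run on the controller host after the keystore swap
    with open(FULLCHAIN) as f:
        bundle = f.read()
    if certs_match(fetch_served_cert(HOST, PORT), bundle):
        print("OK: port 8443 serves the certificate from fullchain.pem")
    else:
        print("MISMATCH: another certificate is served; check the keystore copy and restart")
```

A mismatch right after the restart usually means the copy in step 4 went to the wrong path or the service was not restarted; the certbot renewal cron from later in this thread can be checked the same way.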

New Member
Posts: 32
Registered: ‎02-23-2015
Kudos: 11

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

This was a great guide. I recently moved my controller from a personal server to GCP and in the process this was one of the items I wanted to add to my controller setup. It worked great; a small issue I had was I never set up port forwarding to port 443 for HTTPS, so Let's Encrypt was unable to see my domain until I opened it up.

Thank you for your writeup, I've saved this post into my collection of "How-to's" for later reference.

Ted

New Member
Posts: 7
Registered: ‎11-01-2016
Kudos: 3

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Thanks!
Your script worked great!
New Member
Posts: 8
Registered: ‎02-23-2014
Solutions: 1

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Thanks for this script!

 

I used the --renew-hook option of certbot to automatically run the script when the certificate is renewed. More details on my blog : https://blog.webtito.be/2017/06/01/lets-encrypt-unifi/?lang=en

New Member
Posts: 4
Registered: ‎10-26-2016
Kudos: 2

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Hi guys,

 

I created a droplet in DigitalOcean, got everything working, took a snapshot of the droplet and then installed cert-bot and ran your script. The unifi service seems running (sudo service unifi status) but it doesn't look like it hooks up with MongoDB; mongod is also active and running.

 

I am not that proficient with Ubuntu (16.04.2) so I restored the snapshot, but still the controller is running but cannot connect to it!

 

Any clues?

 

I can always create the controller from scratch as I haven't used it in production yet, but if I do I'd like to feel safe I can always restore the droplet.

 

Thank you in advance,

 

/skalf

Senior Member
Posts: 3,200
Registered: ‎06-13-2015
Kudos: 850
Solutions: 154

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller


skalf wrote:

Hi guys,

 

I created a droplet in DigitalOcean, got everything working, took a snapshot of the droplet and then installed cert-bot and ran your script. The unifi service seems running (sudo service unifi status) but it doesn't look like it hooks up with MongoDB, mongod in also active and running.

 

I am not that proficient with Ubuntu (16.04.2) so I restored the snapshot, but still the controller is running but cannot connect to it!

 

Any clues?

 

I can always create the controller from scratch as I haven't used it in production yet, but if I do I'd like to feel safe I can always restore the droplet.

 

Thank you in advance,

 

/skalf


Has the controller worked before this change? If not you probably need to add some entropy by following the suggestions mentioned here:

https://community.ubnt.com/t5/UniFi-Wireless/Ubuntu-14-04-x64-Unifi-4-6-6-very-slow-start-up/td-p/13...

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
New Member
Posts: 4
Registered: ‎10-26-2016
Kudos: 2

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Yes, it worked before. I destroyed that droplet and created new ones in Vultr, Azure and Linode. The only one that worked out of the box was the Azure one! Finally I made a new one in DigitalOcean and made it work; haveged was part of the solution. In the beginning it works, but after you try to apply the certificate it "freezes".

Now all is up and running, thanks for the answer!
New Member
Posts: 13
Registered: ‎07-13-2016
Kudos: 2

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Did anyone try this with Windows? I think most of it should work.

There are a few Windows clients for letsencrypt. I didn't try them out, but I guess they can be started by a script.

The rest should be possible from the command line (script) via java (import key and restart service).

For now I generated the certificate using the www.sslforfree.com website and the manual DNS TXT thing, then used the Windows software KeyStore Explorer, which is an easy clicky way, and I would continue to do so if it was one time every 3 years. But every 3 months I won't do this. If this is running on unifi I'm going to look for the zywall to autoupdate the SSL certificate... (not having any hope)

Senior Member
Posts: 3,200
Registered: ‎06-13-2015
Kudos: 850
Solutions: 154

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller


skalf wrote:
Yes it worked before, I destroyed that droplet, created new ones in Vultr, Azure and Linode. The only one worked out of the box was the Azure one! Finally I made a new one in digitalocean and made it work, haveged was part of the solution. In the beginning it works but after you try to apply the certificate then it "freezes".

Now all is up and running, thanks for the answer!

Good to hear. Do keep in mind that haveged is a daemon that should always start upon boot. Was that enabled in the other VPSs?

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
New Member
Posts: 4
Registered: ‎10-26-2016
Kudos: 2

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

I didn't install it on the other VMs, but I am not 100% sure that it wasn't there, at least for the Azure distro, which worked perfectly out of the box, even after reboots.

Now it works perfectly; I just updated unifi to 5.5.20 and haveged always runs automatically as a service after every boot.

New Member
Posts: 1
Registered: ‎09-04-2017

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

Nice.  Worked for me on my Raspberry Pi running Raspbian on Unifi Controller 5.5.20.

New Member
Posts: 13
Registered: ‎07-13-2016
Kudos: 2

Re: [Helper] Custom HTTPS certificate (inc. Lets Encrypt) for Web Controller

I installed an SSL cert on my unifi server running on an Ubuntu VM successfully and want to share what I did.

Letsencrypt, free, step by step.

Base before starting:

- install VM with Ubuntu Server LTS 16.04

Select the package openssh-server during install to be able to control it via PuTTY or similar (I used the Secure Shell plugin in the Chrome browser as I don't have admin rights and was not able to install PuTTY at my workplace, from where I want to be able to control the machine).
My first fail was to give too small a hard disk. I realised MongoDB wants 3 GB spare room to even start; I had to enlarge the partition. After installation it runs fine with 512 MB RAM. As hypervisor I took Hyper-V on Windows 10. I took snapshots to be able to go back if I failed something really badly.

- port forwarding: all unifi related ports

- port forwarding: port 443 (I had to move the web interface of my router to another port)

It took me a while to find out why it doesn't work.

- install unifi, configure, be sure it runs

- be sure to have a working hostname that is pointing to your IP (DynDNS, No-IP, or whatever)

- test it: you have to be able to reach your new unifi server from the outside (at least port 443 must be reachable, but you can't test that easily because no service should be running that listens on port 443)

 

Change the following in this guide:

unifi.domain.com to your (sub)domain
your@email.com to your e-mail address

Here I found a guide that I corrected/enhanced: from 

 

Adding a quick note here to anyone visiting this thread that you can now do this for free using Letsencrypt. It's quicker, cheaper and arguably easier than the original solution here.

 

I got it working following the instructions here: https://www.reddit.com/r/Ubiquiti/comments/43v23u/using_letsencrypt_with_the_unifi_controller/

So thanks @briellie for posting that.

 

This is exactly what I needed to do, step by step, from a fresh install of the controller on Ubuntu 16.04 LTS. Only thing that was done previously was installing Unifi controller (from apt or .deb) and running the OS updates.

 

Back your stuff up if you're going to do this on a production server.

 

Install git

sudo apt-get -y install git bc

Use git to clone letsencrypt

sudo git clone https://github.com/letsencrypt/letsencrypt /usr/src/letsencrypt

Make dir in root to store script (you need to be root for some of the next stuff. You can piss about with sudo if you want, that's up to you)

sudo su
mkdir /root/bin

Get the install script

wget https://source.sosdg.org/brielle/lets-encrypt-scripts/raw/master/gen-unifi-cert.sh -O /root/bin/gen-unifi-cert.sh

Browse to the directory and make it executable

cd /root/bin
chmod +x gen-unifi-cert.sh

Run the script and put in the required switches

./gen-unifi-cert.sh -e your@email.com -d unifi.domain.com

Agree to it installing required dependencies

 

Check that it was successful (look for "Congratulations!" under the important notices part), if it failed on anything, you need to address those before the cert will be applied.

 

Assuming everything went fine, your controller now has an SSL cert issued from Letsencrypt. These expire every 3 months so you will want to setup cron to renew it automatically:

Here I changed something because I was not sure if this (it need not be wrong, I just took another way)
- would work (because cron was not installed on my Ubuntu server)
- would run under the super user

 

Make a new cron file that runs weekly

sudo nano /etc/cron.weekly/renew-unifi-ssl

and put this in it

/root/bin/gen-unifi-cert.sh -r -d unifi.domain.com

That's it. Your controller will now have an SSL cert installed and will renew itself indefinitely, automatically, for free.

I did the following instead of that (hoping it is correct).

 

Install cron

sudo apt-get update
sudo apt-get install cron

Add a cronjob

sudo crontab -e

I selected nano and pasted the following line:

0 5 * * 1 /root/bin/gen-unifi-cert.sh -r -d unifi.domain.com

 

Finished.

Now I have a green lock, and hope that the cert is going to be updated automatically.

I plan to update this text if I can confirm it auto-updates correctly (have to wait max. 3 months to see it updates).
