New Member
Posts: 40
Registered: 03-07-2017
Kudos: 5
Accepted Solution

Use already existing SSL for unifi controller


I'll try to make this as simple as possible, hoping for as simple a solution as possible. I've seen other threads about SSL with UniFi, and as they say, the devil is in the details. This UniFi SSL thing is as ugly as ...


- Ubuntu server LTS 16.04 - Controller Version: I can't tell now, since the page won't load anymore (but I am on the latest stable as at the time of writing this)

- Controller is accessed at example.com:8443/manage

- I have a Let's Encrypt SSL certificate generated for example.com already, and I am using it for example.com and its related subdomains

- I was given cert.pem, chain.pem, fullchain.pem and privkey.pem files from Let's Encrypt, which I use for example.com and its related subdomains

Now the question:

- I want to use this same certificate for my UniFi controller. How do I import it?
- Which of the .pem files do I import?

 

If there's an article explaining this somewhere, please point me to it. And please, it should be for Linux/Debian/Ubuntu. Thank you.


Accepted Solutions
Regular Member
Posts: 521
Registered: 03-03-2012
Kudos: 139
Solutions: 12

Re: Use already existing SSL for unifi controller


As root, you need to run:


openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out unifi.p12 -name unifi -CAfile fullchain.pem -caname root

mv /var/lib/unifi/keystore /var/lib/unifi/keystore.backup

keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore unifi.p12 -srcstoretype PKCS12 -alias unifi

service unifi restart

Explanation of the commands:


1. Package the PEMs into P12 format.

2. Back up your current, probably default, UniFi keystore.

3. Import the P12 certs into UniFi's Java keystore.

4. Restart the UniFi controller.


In case anything goes wrong, restore the default keystore to get a working UniFi web GUI again:


mv /var/lib/unifi/keystore /var/lib/unifi/keystore.borked
mv /var/lib/unifi/keystore.backup /var/lib/unifi/keystore



All Replies
New Member
Posts: 6
Registered: 05-09-2017

Re: Use already existing SSL for unifi controller

I am running the UniFi Controller on the latest Ubuntu server and I have used this guide to install certificates on it: https://www.digicert.com/ssl-certificate-installation-ubuntu-server-with-apache2.htm


New Member
Posts: 7
Registered: 01-20-2017
Kudos: 13

Re: Use already existing SSL for unifi controller

Just used this guide - worked without any issues.


Thanks for a great forum!

New Member
Posts: 21
Registered: 10-02-2017
Kudos: 2

Re: Use already existing SSL for unifi controller

I have tried this probably 20 ways, and it still gives me this error:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /var/lib/unifi/keystore -destkeystore /var/lib/unifi/keystore -deststoretype pkcs12".


However, the command is: 

keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore unifi.p12 -srcstoretype PKCS12 -alias unifi

Shortly after running it, it asks me for a password, which I entered after the first command.

openssl pkcs12 -export -in "/etc/webmin/letsencrypt-cert.pem" -inkey "/etc/webmin/letsencrypt-key.pem" -out unifi.p12 -name unifi -CAfile "/etc/webmin/letsencrypt-ca.pem" -caname root

To make it simple, I only add 1234 as the password, since it's failed about 20 times.
I am currently running Ubuntu 18.04, and apache2 for the Let's Encrypt setup.
The cert works great for Webmin, but I think it's not quite the normal setup for the ones the openssl command requests.

Any suggestions?


On a side note, if I don't enter a password, it will continue, but errors out with null entry error.

Not sure if it means the password, or an error with the certs...


When I tried it the Unifi way, the certs it needed were dumb, and never worked....

New Member
Posts: 21
Registered: 10-02-2017
Kudos: 2

Re: Use already existing SSL for unifi controller


On another note, using this method:

WINDOWS SIDE:
- Downloaded "Keystore Explorer" on Windows. http://keystore-explorer.org/
- Created a new keystore file (JKS type)
- Tools > Import Key Pair
- Select the key type use PKCS #12
- (Use the exported unifi.p12 file you made from this posts other instructions) - Added by Craig.
- Select the concatenated certificate file
- Use "aircontrolenterprise" for the key pair password when requested.
- Choose File, Save As
- Set the keystore password to "aircontrolenterprise"
- Save file as "keystore"

I was able to get it certified...
But it's not automatable...

New Member
Posts: 1
Registered: 05-08-2018
Kudos: 1

Re: Use already existing SSL for unifi controller


@engbrc wrote:

I have tried this probably 20 ways, and it still gives me this error:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /var/lib/unifi/keystore -destkeystore /var/lib/unifi/keystore -deststoretype pkcs12".


It states this no matter what; I think it's more of an informational warning rather than an error warning.


I set mine up using Let's Encrypt's temporary webserver, using certbot-auto certonly, following this guide:

https://lg.io/2015/12/13/using-lets-encrypt-to-secure-cloud-hosted-services-like-ubiquitis-mfi-unifi...


I had to modify the commands a bit to work on the 5.9 update though.

That being said, near the end I used these:


openssl pkcs12 -export -in /etc/letsencrypt/live/YourDomainHere/cert.pem -inkey /etc/letsencrypt/live/YourDomainHere/privkey.pem -out /home/YourUsernameHere/unifi.p12 -name unifi -CAfile /etc/letsencrypt/live/YourDomainHere/fullchain.pem -caname root -password pass:temppass -noprompt
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /home/YourUsernameHere/unifi.p12 -srcstoretype PKCS12 -srcstorepass temppass -alias unifi -noprompt

* Be sure to change YourDomainHere and YourUsernameHere.
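The accepted answer's four steps and the password trouble engbrc hit, put together as an added example that is not code from the thread: the PKCS#12 password is generated and passed to both openssl and keytool (as in the last post's -passout/-srcstorepass form), the keystore is verified after import and rolled back on failure, and a cert/key pairing check runs before anything is packaged. Assumptions: the Let's Encrypt /etc/letsencrypt/live/<domain>/ layout (chain.pem is added with -certfile instead of the thread's -CAfile fullchain.pem), the Debian/Ubuntu keystore path, and the hypothetical KEYSTORE variable and function names, which are mine.

```sh
# Added example, not code from the thread: the accepted answer's four steps plus the
# checks that explain the later failures (keytool prompting for the PKCS#12 password,
# "null entry", a cert and key that are not a pair). Assumptions: Let's Encrypt's
# default /etc/letsencrypt/live/<domain>/ layout and the Debian/Ubuntu keystore path.
set -eu

KEYSTORE="${KEYSTORE:-/var/lib/unifi/keystore}"
PASS="aircontrolenterprise"   # fixed by the UniFi controller, not chosen by us

# Step 0 (not in the thread): check cert.pem and privkey.pem are a pair before packaging.
cert_matches_key() {          # $1 cert.pem  $2 privkey.pem
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

# Step 1: bundle leaf, key and intermediates (chain.pem) into PKCS#12. The password
# is given on the command line so nothing prompts; keytool gets it again in step 3.
# With OpenSSL 3 and an old Java 8 keytool that cannot read the file, add -legacy.
build_p12() {                 # $1 cert.pem $2 privkey.pem $3 chain.pem $4 out.p12 $5 pass
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -caname root \
        -name unifi -out "$4" -passout "pass:$5"
}

# Step 2: move the keystore aside (keytool then creates a fresh one) and keep a way
# back to a working GUI. Both are no-ops when the file is absent.
backup_keystore()  { ! [ -f "$1" ] || mv "$1" "$1.backup"; }
restore_keystore() { ! [ -f "$1.backup" ] || mv -f "$1.backup" "$1"; }

# Step 3: import without prompts, then confirm the alias is present; roll back if not.
import_p12() {                # $1 unifi.p12  $2 p12 pass  $3 keystore
    keytool -importkeystore -noprompt -alias unifi \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$3" -deststorepass "$PASS" -destkeypass "$PASS" \
    && keytool -list -keystore "$3" -storepass "$PASS" -alias unifi >/dev/null \
    || { restore_keystore "$3"; return 1; }
}

main() {                      # usage: sh unifi-cert.sh --run example.com   (as root)
    live="/etc/letsencrypt/live/${1:?domain required}"
    p12=$(mktemp); p12pass=$(openssl rand -hex 16)      # throwaway, never "1234"
    cert_matches_key "$live/cert.pem" "$live/privkey.pem" || { echo "cert/key mismatch" >&2; exit 1; }
    build_p12 "$live/cert.pem" "$live/privkey.pem" "$live/chain.pem" "$p12" "$p12pass"
    backup_keystore "$KEYSTORE"
    rc=0; import_p12 "$p12" "$p12pass" "$KEYSTORE" || rc=$?
    rm -f "$p12"
    [ "$rc" -eq 0 ] && service unifi restart             # step 4, only after a verified import
}
[ "${1:-}" = "--run" ] && shift && main "$@"
```

Without --run the file only defines the functions, so it can be sourced and the individual steps tried one at a time against a copy of the keystore.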
