Install Letsencrypt SSL Certificate for Unifi Controller on Raspberry Pi

One of the most asked questions about the Unifi Controller is how to get rid of the certificate error when you open the controller. And I totally understand, it’s annoying to bypass the error/warning every time you log in to your controller.

So in this article, we are going to install a Letsencrypt SSL Certificate for our Unifi Controller. I am using a Raspberry Pi to run the controller, so this article is mostly written for a Pi.

Letsencrypt and Unifi

Letsencrypt certificates are free to use but are only valid for 90 days, so they need to be renewed regularly. The renewing can be automated, as I will show you in this article, but it requires that port 80 of your controller is reachable from the internet during issuance and every renewal (that is how Letsencrypt validates that you own the name). The controller's own web interface does not have to be exposed for this.

To do this you will need your own domain name, so you can point a subdomain to your public IP address, and you need to open and forward one specific port (TCP 80) in the router to the controller.

Before we continue there is one thing you should know: Letsencrypt only issues certificates for public domain names, not for (private) IP addresses. You are probably running your controller locally, so if you want to open your Unifi Controller, you go to 192.168.0.200 for example.

Even if we make the controller accessible from the internet as unifi.yourdomain.com, you still can't use that name locally by default. Opening unifi.yourdomain.com from inside your network resolves to your public IP address, which means the traffic has to make a U-turn at your router (NAT loopback or hairpin NAT), and many routers don't support that. Opening the controller from the local IP Address will still give a warning, because the cert is issued to unifi.yourdomain.com and not to the IP address.

Local DNS Entries

But we have a solution for this: we can create a local DNS entry, so that unifi.yourdomain.com resolves to the local IP address inside your network. You can do this locally on your computer, by changing your hosts file, or on your router, by creating a static DNS entry. I prefer the router because this is device independent and will work in your whole network, but you will have to check if it's possible with your router.

Static DNS entry EdgeRouter

If you have an EdgeRouter, you can create a static host mapping (the router's own local DNS entry) by opening the router through SSH. Simply use PuTTY or Windows Terminal for this. Note that this only helps clients that use the EdgeRouter as their DNS server; if your devices point at another resolver, use the hosts-file method below instead:

#Open the SSH connection (replace <user> and <router-ip> with your router's admin account and address)
ssh <user>@<router-ip>

#Open configure mode
configure

#Add the static host mapping. Use the domain name we create later
set system static-host-mapping host-name unifi.yourdomain.com inet 192.168.0.200

commit
save

Change your hosts file

On Windows you can easily add local DNS entries by adding them to your hosts file. You will need to open the hosts file with admin rights to save the changes:

  • Open %windir%\System32\drivers\etc
  • Open the file hosts
  • At the end of the file, add: 192.168.0.200 unifi.yourdomain.com
  • Save and close the file

Setup the Port Forwarding and Domain

So to get a certificate we need a domain name. You can get a domain name for less than $10 a year, for example here at NameCheap. Now we don't want to point the whole domain to our Unifi controller, so I suggest you create a subdomain unifi.yourdomain.com and point that to your public IP address.

Look up your public IP Address, here at myip.com, and create an A record with the name unifi and your IP Address. If your ISP gives you a dynamic address, use a dynamic DNS client to keep that record current; otherwise renewals will start failing as soon as the address changes.

Now you need to forward and open the following port in your router. The Letsencrypt validation uses plain HTTP, so TCP is enough, and leave the rule in place, because every renewal repeats the validation:

  • Original port: 80
  • Protocol: TCP
  • Forward-to address: IP Address of your Unifi Controller
  • Forward-to port: 80

If you also want to access your Unifi Controller from the internet, then also forward the following port number. Be aware that this exposes the controller's admin login to the whole internet; if you only need the certificate, forward port 80 only and reach the controller from outside through a VPN instead:

  • Original port: 8443
  • Protocol: TCP
  • Forward-to address: IP Address of your Unifi Controller
  • Forward-to port: 8443

If you have an EdgeRouter, you can enable Auto firewall; the EdgeRouter will then open the forwarded port in the firewall for you:

Port forwarding EdgeRouter

Install SSL Certificate on Unifi Controller

With everything set, we can start with installing the certificate for our Unifi Controller.

  1. Install Certbot

    sudo apt-get install certbot

  2. Generate a SSL certificate

    sudo certbot certonly --standalone -d unifi.yourdomain.com

    Certbot starts its own temporary web server on port 80 for the validation, so nothing else may be listening on that port on the Pi while it runs (if something does, use the --webroot method instead of --standalone). You will need to enter an email address so you can receive a notification when you need to renew (when the auto-renew fails), accept the Terms, and accept or decline the last request.

  3. Download import script

    We need to import the Letsencrypt cert into the Unifi Controller. Steve Jenkins has created an import script that makes this a lot easier to do, so we are going to use this script. It will run as root, so read through it after downloading and before you execute it.

    Download the script with the following cmd:

    sudo wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh -O /usr/local/bin/unifi_ssl_import.sh

    We place it in /usr/local/bin as recommended by Steve.

  4. Make the script executable

    By default, you can’t execute the script. Give it the correct permissions with the following cmd:

    sudo chmod +x /usr/local/bin/unifi_ssl_import.sh

  5. Edit the variables in the script

    Next, we need to edit some of the configuration variables in the script. Open the script with

    sudo nano -w /usr/local/bin/unifi_ssl_import.sh

    Add your domain
    UNIFI_HOSTNAME=unifi.yourdomain.com

    Make sure the three lines for Fedora/RedHat/CentOS are commented out (each starts with a #):
    # Uncomment following three lines for Fedora/RedHat/CentOS
    #UNIFI_DIR=/opt/UniFi
    #JAVA_DIR=${UNIFI_DIR}
    #KEYSTORE=${UNIFI_DIR}/data/keystore


    Uncomment the three lines for Debian/Ubuntu
    # Uncomment following three lines for Debian/Ubuntu
    UNIFI_DIR=/var/lib/unifi
    JAVA_DIR=/usr/lib/unifi
    KEYSTORE=${UNIFI_DIR}/keystore


    Set the Let's Encrypt mode to true:
    If you only enable the line by removing the #, the script prints a loop of "== yes" lines when you run it, so set it to true. You will still get a warning about a missing [[, but that doesn't matter.
    LE_MODE=true

    Save and close the file
    Ctrl + X
    Y
    Enter

  6. Run the import script

    We can now import our new SSL cert into the Unifi Controller. Run the following cmd:

    sudo /usr/local/bin/unifi_ssl_import.sh

    If you get a loop of "== yes" lines, press Ctrl + C and change LE_MODE to true (see step 5).

  7. Check the new Certificate

    The script will restart the Unifi Controller. Give it a couple of minutes to start.
    Then open the controller by its name, https://unifi.yourdomain.com:8443 (with the local DNS entry in place), and not by its IP address: the certificate is issued for the name, so the IP address would still produce a warning. The browser should now show a valid certificate issued by Let's Encrypt and no errors or warnings anymore.

  8. Creating the update script

    Certbot installs a timer (or cron job) that checks twice a day and renews the certificate once it is within 30 days of the end of its 90-day lifetime. The renewed files land in /etc/letsencrypt/live/unifi.yourdomain.com, but the Unifi Controller keeps using the copy in its own keystore, so the import has to be repeated after every renewal.

    Create a new file in /etc/cron.daily (keep the name free of dots: run-parts skips scripts whose name contains one)
    sudo nano -w /etc/cron.daily/unifi_ssl_import

    And add the following content into it
    #!/bin/bash
    /usr/local/bin/unifi_ssl_import.sh


    Press Ctrl +X followed by Y and Enter to save and close the file.

    Give the file the correct permissions so it can be executed:
    sudo chown root:root /etc/cron.daily/unifi_ssl_import
    sudo chmod +x /etc/cron.daily/unifi_ssl_import
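
    The daily cron job above re-runs the import every day whether or not anything was renewed. Certbot also offers a more targeted hook: any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ is run once per successfully renewed certificate, with the environment variable RENEWED_LINEAGE set to that certificate's directory under /etc/letsencrypt/live. The script below is an added example of such a hook, written for this article and not part of the original page or of Steve Jenkins' script. It only imports when the renewed lineage is the controller's, refuses a key/certificate pair that doesn't belong together, and afterwards checks that the controller really serves the new certificate. The hostname unifi.yourdomain.com, the controller address 127.0.0.1:8443 and the import-script path are placeholders taken from this article; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not the page's or Steve Jenkins' code): a certbot deploy hook
# that re-imports the certificate into the UniFi keystore only when certbot
# actually renewed the lineage for the controller hostname.
# Assumed placeholders: the hostname, the local controller address and the
# path of the import script from the article.
set -eu

UNIFI_HOSTNAME="${UNIFI_HOSTNAME:-unifi.yourdomain.com}"
UNIFI_ADDR="${UNIFI_ADDR:-127.0.0.1:8443}"
IMPORT_SCRIPT="${IMPORT_SCRIPT:-/usr/local/bin/unifi_ssl_import.sh}"

# certbot runs every deploy hook for every renewed lineage and exports the
# lineage directory (e.g. /etc/letsencrypt/live/unifi.yourdomain.com) as
# RENEWED_LINEAGE; only act when that directory is ours.
lineage_matches() {
  [ "$(basename -- "$1")" = "$2" ]
}

# Both files the import script reads must exist and be non-empty.
cert_files_present() {
  [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Refuse a mismatched pair: the public key derived from privkey.pem must equal
# the public key inside the leaf certificate (first PEM block of fullchain.pem).
key_matches_cert() {
  command -v openssl >/dev/null 2>&1 || return 1
  key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$1/fullchain.pem" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# All three checks together; returns 0 when the import should run.
should_import() {
  lineage_matches "$1" "$2" && cert_files_present "$1" && key_matches_cert "$1"
}

# Post-deploy check: fetch what the controller now serves for our name and
# compare its public key with the renewed private key.
served_key_matches() {
  key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
  served_pub=$(openssl s_client -connect "$UNIFI_ADDR" -servername "$UNIFI_HOSTNAME" \
      </dev/null 2>/dev/null | openssl x509 -pubkey -noout 2>/dev/null) || return 1
  [ -n "$served_pub" ] && [ "$served_pub" = "$key_pub" ]
}

main() {
  lineage="${RENEWED_LINEAGE:-${1:-}}"
  if ! should_import "$lineage" "$UNIFI_HOSTNAME"; then
    echo "hook: '$lineage' is not a valid renewal for $UNIFI_HOSTNAME, nothing to do"
    return 0
  fi
  echo "hook: importing renewed certificate for $UNIFI_HOSTNAME"
  "$IMPORT_SCRIPT"
  # The import script restarts the controller, which takes a while; poll for it.
  i=0
  while [ "$i" -lt 30 ]; do
    if served_key_matches "$lineage"; then
      echo "hook: controller on $UNIFI_ADDR now serves the renewed certificate"
      return 0
    fi
    i=$((i + 1)); sleep 10
  done
  echo "hook: controller on $UNIFI_ADDR does not serve the renewed certificate" >&2
  return 1
}

# Run only when certbot (RENEWED_LINEAGE) or a caller supplied a lineage;
# otherwise the file just defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ $# -gt 0 ]; then
  main "$@"
fi
```

    Save it as /etc/letsencrypt/renewal-hooks/deploy/unifi and make it executable with chmod +x; certbot then runs it only after a real renewal, so the controller is no longer restarted every day. You can exercise it by hand with sudo sh /etc/letsencrypt/renewal-hooks/deploy/unifi /etc/letsencrypt/live/unifi.yourdomain.com, which performs one import and reports whether the controller picked the certificate up.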


That’s all, you should now be set with a nice SSL certificate for your Unifi Controller and the annoying warning should be gone. If you have any questions, just drop a comment below.

sources used:
https://www.stevejenkins.com/blog/2016/06/use-existing-ssl-certificate-linux-unifi-controller/
https://crosstalksolutions.com/definitive-guide-to-hosted-unifi/
