
Use Letsencrypt with Unifi Controller on Ubuntu

Posted in Server

There’s too much noise on the internet, to the extent that a simple process is sometimes buried under countless pages. Here is how to use Let's Encrypt with the UniFi Controller on Ubuntu.

The steps below assume you already have a Let's Encrypt certificate issued with certbot for the controller's hostname, and that it is not close to its expiry date. Keep in mind that Let's Encrypt certificates are valid for 90 days: both procedures below copy the current certificate into the controller's keystore, so they have to be repeated after every renewal.

Download Unifi SSL Import Script

Download the unifi_ssl_import.sh script (by Steve Jenkins) to your server. Since it will run as root, read through it before running it:

wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh

Modify Script

Set UNIFI_HOSTNAME from hostname.example.com to the hostname you actually use; it must match the name of the certificate's directory under /etc/letsencrypt/live. In my case, I’m using www.khophi.co, because that’s where I access my UniFi Controller.

If you are not sure about this, look in your /etc/letsencrypt/live folder and use the directory name you find there.

Delete or comment out the entire section for Fedora/RedHat/CentOS.

Uncomment the section for Debian/Ubuntu.

Set LE_MODE=yes.

Comment out the PRIV_KEY, SIGNED_CRT and CHAIN_FILE parameters; in LE mode the script reads the key and chain from /etc/letsencrypt/live/<hostname> itself.

Make the script executable: chmod a+x unifi_ssl_import.sh

Run the script as root: sudo ./unifi_ssl_import.sh

After editing, the configuration block at the top of the script should look like this:

# CONFIGURATION OPTIONS
UNIFI_HOSTNAME=hostname.example.com
UNIFI_SERVICE=unifi

# Uncomment following three lines for Fedora/RedHat/CentOS
#UNIFI_DIR=/opt/UniFi
#JAVA_DIR=${UNIFI_DIR}
#KEYSTORE=${UNIFI_DIR}/data/keystore

# Uncomment following three lines for Debian/Ubuntu
UNIFI_DIR=/var/lib/unifi
JAVA_DIR=/usr/lib/unifi
KEYSTORE=${UNIFI_DIR}/keystore

# FOR LET'S ENCRYPT SSL CERTIFICATES ONLY
# Generate your Let's Encrypt key & cert with certbot before running this script
LE_MODE=yes
LE_LIVE_DIR=/etc/letsencrypt/live

# THE FOLLOWING OPTIONS NOT REQUIRED IF LE_MODE IS ENABLED
#PRIV_KEY=/etc/ssl/private/hostname.example.com.key
#SIGNED_CRT=/etc/ssl/certs/hostname.example.com.crt
#CHAIN_FILE=/etc/ssl/certs/startssl-chain.crt

If all goes well, you’re done, and the controller's web UI should now present your Let's Encrypt certificate.

Another Approach

As root, from the certificate's live directory (/etc/letsencrypt/live/hostname.example.com, with your own hostname), run:

cd /etc/letsencrypt/live/hostname.example.com

# Bundle the private key with fullchain.pem (leaf plus intermediates) so the chain ends up in the keystore.
# Using cert.pem with -CAfile does not include the intermediates: -CAfile is only honoured together with -chain.
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out /root/unifi.p12 -name unifi

mv /var/lib/unifi/keystore /var/lib/unifi/keystore.backup

keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /root/unifi.p12 -srcstoretype PKCS12 -alias unifi

# The .p12 contains the private key; remove it once imported
rm /root/unifi.p12

service unifi restart

Explanation of the commands:

  1. Package the private key and full-chain PEMs into PKCS#12 format; openssl asks for an export password, which keytool then requests as the source keystore password.
  2. Back up your current, probably default, UniFi keystore.
  3. Import the PKCS#12 bundle into UniFi’s Java keystore, then delete the bundle, since it holds your private key. aircontrolenterprise is the controller's well-known default keystore password, which it expects; it is no secret, so the keystore's file permissions are what actually protect the key.
  4. Restart the UniFi controller.

In case anything goes wrong, restore the default keystore to get a working UniFi web GUI again:

mv /var/lib/unifi/keystore /var/lib/unifi/keystore.borked
mv /var/lib/unifi/keystore.backup /var/lib/unifi/keystore

The above approach is taken from: https://community.ubnt.com/t5/UniFi-Wireless/Use-already-existing-SSL-for-unifi-controller/m-p/1917894#M226270
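Both the script-based procedure and the manual keystore swap above install the certificate once, but a Let's Encrypt certificate renews every 60 to 90 days and the keystore does not follow the renewal by itself. The following certbot deploy hook is an added example (my code, not from this page, not Steve Jenkins' script and not from the community post) that repeats the manual swap automatically after each successful renewal and rolls back if the new keystore cannot be opened. It assumes the Debian/Ubuntu layout from the script section (keystore at /var/lib/unifi/keystore, controller running as user unifi under systemd), the unchanged default keystore password aircontrolenterprise, that certbot exports RENEWED_LINEAGE to deploy hooks, and that the file is installed executable as /etc/letsencrypt/renewal-hooks/deploy/unifi.sh; UNIFI_HOSTNAME is a placeholder to adjust.

```shell
#!/bin/bash
# Certbot deploy hook: re-import a renewed Let's Encrypt certificate into the
# UniFi Controller keystore (Debian/Ubuntu layout). Added example, not code from
# the page, from Steve Jenkins' script or from the community post it cites.
# Assumptions: keystore at /var/lib/unifi/keystore read by the "unifi" service
# user, default keystore password unchanged, certbot exporting RENEWED_LINEAGE,
# installed as /etc/letsencrypt/renewal-hooks/deploy/unifi.sh (mode 0755).
set -eu

UNIFI_HOSTNAME="${UNIFI_HOSTNAME:-hostname.example.com}"   # placeholder: your controller's name
KEYSTORE=/var/lib/unifi/keystore
KEYSTORE_PASS=aircontrolenterprise   # UniFi's well-known default; file mode, not this, protects the key
ALIAS=unifi

# Only act when the lineage that just renewed is the controller's own cert.
# Exact match on the lineage name also skips certbot's "-0001" duplicate lineages.
should_deploy() {
    local lineage="$1" hostname="$2"
    [ "$(basename "$lineage")" = "$hostname" ]
}

# Bundle the key with fullchain.pem so leaf *and* intermediates reach the keystore;
# -CAfile on its own (without -chain) would silently drop the intermediates.
make_p12() {
    local lineage="$1" out="$2"
    openssl pkcs12 -export \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name "$ALIAS" -out "$out" -passout "pass:$KEYSTORE_PASS"
}

# Swap the keystore, keeping the old one at $backup for rollback.
import_p12() {
    local p12="$1" backup="$2"
    mv "$KEYSTORE" "$backup" &&
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
        -destkeystore "$KEYSTORE" -deststorepass "$KEYSTORE_PASS" \
        -destkeypass "$KEYSTORE_PASS" -alias "$ALIAS" &&
    chown unifi:unifi "$KEYSTORE" &&
    chmod 600 "$KEYSTORE"
}

# Check the new keystore opens with the expected password and alias before
# the service is restarted against it.
verify_keystore() {
    keytool -list -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" -alias "$ALIAS" >/dev/null
}

deploy() {
    local lineage="$1" tmpdir p12 backup
    tmpdir=$(mktemp -d)
    # Expand $tmpdir now: the .p12 holds the private key and must not outlive this run.
    trap "rm -rf '$tmpdir'" EXIT
    p12="$tmpdir/unifi.p12"
    backup="$KEYSTORE.$(date +%Y%m%d%H%M%S).bak"
    (umask 077 && make_p12 "$lineage" "$p12")
    if ! import_p12 "$p12" "$backup" || ! verify_keystore; then
        echo "unifi.sh: keystore import failed, restoring $backup" >&2
        rm -f "$KEYSTORE"
        mv "$backup" "$KEYSTORE"
        exit 1
    fi
    systemctl restart unifi
    echo "unifi.sh: installed $lineage into $KEYSTORE (previous copy: $backup)"
}

# Certbot sets RENEWED_LINEAGE when it runs deploy hooks; invoked by hand
# without it, the script only defines its functions and deploys nothing.
if [ -n "${RENEWED_LINEAGE:-}" ] && should_deploy "$RENEWED_LINEAGE" "$UNIFI_HOSTNAME"; then
    deploy "$RENEWED_LINEAGE"
fi
```

To exercise it outside a renewal, run it by hand as root with the variable certbot would set, e.g. RENEWED_LINEAGE=/etc/letsencrypt/live/www.khophi.co ./unifi.sh, then confirm the controller presents the full chain with openssl s_client -connect www.khophi.co:8443 -servername www.khophi.co (the Certificate chain section should list the intermediate, not only the leaf). The export password is passed on the command line with -passout because the hook runs unattended; since it is the controller's public default anyway, the 0600 mode on the keystore is the control that matters.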