Use Letsencrypt with Unifi Controller on Ubuntu
There’s too much noise on the internet, to the extent a simple process is sometimes hidden within countless pages. Here is how to use Letsencrypt with Unifi Controller on Ubuntu.
The steps below assumes you have Letsencrypt SSL already generated and running, and not close to expiring date.
Download Unifi SSL Import Script
Download the unifi_ssl_import.sh script to your server, thanks to Steve Jenkins
wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh
Modify Script
Change your hostname.example.com to the actual hostname you wish to use. In my case, I’m using www.khophi.co , because that’s where I access my Unifi Controller
If you are not sure about this, go into your /etc/letsencrypt/live folder and see what the hostname used is.
Delete or comment the entire section for Fedora/Redhat/Centos
Uncomment the section for Debian
Make LE_MODE=yes
Comment PRIV_KEY, SIGNED_CRT, and CHAIN_FILE, params
Make script executable: chmod a+x unifi_ssl_import.sh
Run script: sudo ./unifi_ssl_import.sh
# CONFIGURATION OPTIONS
UNIFI_HOSTNAME=hostname.example.com
UNIFI_SERVICE=unifi
# Uncomment following three lines for Fedora/RedHat/CentOS
#UNIFI_DIR=/opt/UniFi
#JAVA_DIR=${UNIFI_DIR}
#KEYSTORE=${UNIFI_DIR}/data/keystore
# Uncomment following three lines for Debian/Ubuntu
UNIFI_DIR=/var/lib/unifi
JAVA_DIR=/usr/lib/unifi
KEYSTORE=${UNIFI_DIR}/keystore
# FOR LET'S ENCRYPT SSL CERTIFICATES ONLY
# Generate your Let's Encrtypt key & cert with certbot before running this script
LE_MODE=yes
LE_LIVE_DIR=/etc/letsencrypt/live
# THE FOLLOWING OPTIONS NOT REQUIRED IF LE_MODE IS ENABLED
#PRIV_KEY=/etc/ssl/private/hostname.example.com.key
#SIGNED_CRT=/etc/ssl/certs/hostname.example.com.crt
#CHAIN_FILE=/etc/ssl/certs/startssl-chain.crt
If all goes well, you’re done, and SSL should be applied to your Unifi Controller Website.
Another Approach
As root, you need to run:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out unifi.p12 -name unifi -CAfile fullchain.pem -caname root mv /var/lib/unifi/keystore /var/lib/unifi/keystore.backup keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore unifi.p12 -srcstoretype PKCS12 -alias unifi service unifi restart
Explanation of the commands:
- Package the PEMs into P12 format.
- Backup your current, probably default, UniFi keystore.
- Import the P12 certs into UniFi’s Java keystore
- Restart the UniFi controller
In case anything goes wrong, restore the default keystore to get a working UniFi web GUI again:
mv /var/lib/unifi/keystore /var/lib/unifi/keystore.borked mv /var/lib/unifi/keystore.backup /var/lib/unifi/keystore
The above approach is taken from: https://community.ubnt.com/t5/UniFi-Wireless/Use-already-existing-SSL-for-unifi-controller/m-p/1917894#M226270
