Kalle Lilja


Automated Let’s Encrypt – UniFi Controller

Free automated SSL solution for UniFi

Securing the UniFi Controller web interface with a TLS certificate (HTTPS) is not only important, it's mandatory in my eyes, especially if the controller is reachable from the Internet, whether through the app or directly by customers/site owners.
Luckily the whole process can be automated, and made free, by running the controller on Linux and combining it with Let's Encrypt.

Let's Encrypt checks that you control the hostname by resolving it in DNS and connecting to the host it points at; with the HTTP-01 challenge it fetches a token file over plain HTTP on tcp:80 (older certbot versions answered the TLS-SNI-01 challenge on tcp:443 instead, a challenge type Let's Encrypt has since disabled). See the Let's Encrypt documentation on challenge types for the details.
This is all well and good when issuing certificates for an ordinary website, but it gets more complicated with the UniFi Controller, because it doesn't serve a simple website on tcp:80 or tcp:443: its web interface listens on tcp:8443, so the challenge has to be answered some other way and the certificate installed in a form the controller understands.

The way we'll automate this is by using certbot in combination with a cron job.
Certbot's standalone plugin starts a temporary web server on the machine to answer the Let's Encrypt challenge; once the certificate has been issued and downloaded, that server shuts down again.
The issued certificate arrives as separate .pem files (the private key, privkey.pem, and the certificate chain, fullchain.pem). The UniFi Controller can't use these as is; they have to be combined and converted into a PKCS#12 (.p12) file, which is done with openssl.
Once converted, the certificate is imported into the controller's Java keystore and the controller is restarted so it picks the new certificate up.
Lastly the renewal is automated, since Let's Encrypt certificates are only valid for 90 days.

What you’ll need

– SSH access to the Ubuntu/Debian based machine running the UniFi Controller
– A DNS name (FQDN) pointing at that machine

Setup

I've created and published the installation procedure/command reference over on GitHub as well as below.
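As an added example (this is not the author's GitHub script, which is not reproduced on this page), the following POSIX shell script carries the procedure described above through end to end: issue the certificate with certbot's standalone plugin, convert it with openssl, import it into the controller's keystore with keytool, and renew from cron. It also performs the placeholder check the Gotchas section asks for before it touches anything. The hostname, contact address and keystore path are assumptions to edit for your environment; "aircontrolenterprise" and the alias "unifi" are the UniFi keystore's well-known defaults.

```sh
#!/bin/sh
# Added example, not the author's GitHub script. Issues a Let's Encrypt
# certificate with certbot's standalone plugin, converts it to PKCS#12 with
# openssl and imports it into the UniFi Controller's Java keystore.
#
#   sudo ./unifi-le.sh issue   first issuance + import
#   sudo ./unifi-le.sh renew   from cron, e.g.  0 3 * * * /usr/local/sbin/unifi-le.sh renew
#
# All values below are assumptions to be edited for your environment.
set -eu

FQDN="${FQDN:-UNIFI.CONTROLLER.NAME}"            # placeholder, must be replaced
EMAIL="${EMAIL:-admin@example.com}"              # hypothetical contact address
KEYSTORE="${KEYSTORE:-/var/lib/unifi/keystore}"  # path used by the Debian/Ubuntu unifi package
# "aircontrolenterprise" is the well-known default password of the UniFi
# keystore, and "unifi" the alias the controller loads its certificate from.
KEYSTORE_PASS="${KEYSTORE_PASS:-aircontrolenterprise}"
ALIAS="unifi"

# Refuse to run while the placeholders from the write-up are still in place
# (the "variable swap" gotcha). Also rejects names without a dot or with
# characters that are not valid in a hostname.
check_placeholders() {
    fqdn="$1"; pass="$2"
    case "$fqdn" in ""|UNIFI.CONTROLLER.NAME) return 1 ;; esac
    case "$pass" in ""|PASSWORD) return 1 ;; esac
    printf '%s' "$fqdn" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# certbot keeps symlinks to the current key and chain under this directory.
live_dir() { printf '/etc/letsencrypt/live/%s\n' "$1"; }

issue_cert() {
    # HTTP-01 validation: Let's Encrypt fetches a token from tcp:80, so that
    # port must be reachable from the Internet while certbot runs.
    certbot certonly --standalone --non-interactive --agree-tos \
        --preferred-challenges http -m "$EMAIL" -d "$FQDN"
}

# Combine privkey.pem + fullchain.pem into a .p12 and load it into the keystore.
import_cert() {
    dir=$(live_dir "$FQDN")
    p12=$(mktemp)                 # created mode 0600; it holds the private key
    openssl pkcs12 -export -inkey "$dir/privkey.pem" -in "$dir/fullchain.pem" \
        -out "$p12" -name "$ALIAS" -password "pass:$KEYSTORE_PASS"
    cp -p "$KEYSTORE" "$KEYSTORE.bak"    # keep a copy in case the import goes wrong
    keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$KEYSTORE_PASS" >/dev/null 2>&1 || true
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
        -alias "$ALIAS" -destkeystore "$KEYSTORE" \
        -deststorepass "$KEYSTORE_PASS" -destkeypass "$KEYSTORE_PASS"
    rm -f "$p12"
    service unifi restart         # the controller only reads the keystore at start-up
}

case "${1:-}" in
    issue)
        check_placeholders "$FQDN" "$KEYSTORE_PASS" ||
            { echo "edit FQDN/KEYSTORE_PASS first, a placeholder is still in place" >&2; exit 1; }
        issue_cert
        import_cert ;;
    import)  # run by certbot's deploy hook, only after an actual renewal
        import_cert ;;
    renew)
        certbot renew --quiet --deploy-hook "$0 import" ;;
esac
```

Run `renew` from cron once a day: `certbot renew` only contacts Let's Encrypt when fewer than 30 days of validity remain, and `--deploy-hook` runs the import (and the controller restart) only when a new certificate was actually obtained, so the controller is not restarted needlessly. Keep the `.bak` copy of the keystore until you have confirmed the new certificate is served on tcp:8443.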

Gotchas

A common error is that the challenge port is not open on the Linux side of things. With the HTTP-01 challenge that is tcp:80 (it was tcp:443 with the old TLS-SNI-01 challenge); as usual there are many ways to solve this, the easiest is probably: sudo ufw allow 80/tcp. The same port also has to be allowed or forwarded on any firewall or router in front of the machine, or Let's Encrypt never reaches certbot's temporary server.
Another error has to do with variable swaps. Make sure every reference to UNIFI.CONTROLLER.NAME and PASSWORD has been changed to fit your environment.
Keep the certbot user guide handy in case of errors.

Software used
Certbot
Let’s Encrypt
Ubuntu Server 16.04.2 LTS