Let's Encrypt UniFi
How to install a Let’s Encrypt certificate on a UniFi controller and configure a cron job that runs every 12 hours to renew the certificate when it is due and import it into the controller.
Crosstalk Solutions offers best-practice phone systems, network design and deployment, and UniFi Video camera systems. Visit the Crosstalk Solutions website for details.
Crosstalk Solutions is an authorized Sangoma partner and reseller.
Hi! How about the same thing for the Dream Machine Pro?
Not sure how often you update your content, but the last comment seems to be from 4 months ago.
I tried to follow your instructions using Ubuntu 20.04, but it failed because you have to use snapd to carry out the installation.
I managed to get as far as making a certificate request but it fails on the rootdir for the unifi controller instance.
Now, UniFi support have not been very forthcoming with information or details about what and how the UniFi application is created and delivered. As far as I can gather, it is a custom instance of Tomcat. With this installation I was asked to provide the UniFi application's rootdir. As far as I can guess, I assume that it is /usr/lib/unifi/webapps …. but when I use this I get the following error.
I have also tried a second rootdir /usr/lib/unifi/webapps/ROOT/app-unifi/
and get the same error.
I look forward to your soonest response.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
[email protected]:/var/lib/unifi# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
--------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
--------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): icanunifi.e2snail.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for icanunifi.e2snail.com
Input the webroot for icanunifi.e2snail.com: (Enter 'c' to cancel): /usr/lib/unifi/webapps/ROOT/app-unifi/
Waiting for verification…
Challenge failed for domain icanunifi.e2snail.com
http-01 challenge for icanunifi.e2snail.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: icanunifi.e2snail.com
Type: connection
Detail: Fetching
http://icanunifi.e2snail.com/.well-known/acme-challenge/RbbOFwblPOVX-7x5LrNhnDKY-UT6ShSTbTllXa2GTJ4:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
Thanks
Lawrence
where do you obtain your domain from?
Thank you! Still working!
Cloud key! We need to do this to a cloud key!
Hey Chris! Could you do a video on how to do this with the UDM-Pro/ Cloud Key? That would be awesome!
I am getting this error: "Problem binding to port 80: Could not bind to IPv4 or IPv6."
If I have a wildcard SSL certificate from Thawte, do I need to create a CSR? Because the CSR was generated on the first server.
Is this also usable with a local controller (if yes, what do I have to write instead of "UNIFI_CONTROLLER=unifi.company.com")? I have a relatively small setup, but I would still like to get rid of the "Not secure" warning. Thanks in advance.
Just what I was looking for, thanks Chris you're a superstar! Works perfectly.
Chris,
First of all, thank you for all of the great videos that you post.
I could not get this to work on the Digital Ocean Ubuntu 18.04. I did find another blog post, "Definitive Guide to Hosted UniFi", and Part 21 walks you through the Let's Encrypt process and everything worked.
Do you have a tutorial available for hosting UniFi with a Windows server?
Can you do one for the Cloud Key Gen 2 Plus?
Why don't y'all just run sudo /bin/bash first so you don't have to type sudo every time? Then, if for some reason you need to de-escalate/run as a different user, run the su user-name-here command and you'll run the command as that user. Saves me so many keystrokes.
Very good tutorial. I moved my local controller to the VPS and I wanted to have a proper SSL certificate on my cloud controller. The only thing I needed to do was edit my DNS records to point to my controller and follow this tutorial… no problems encountered. Works like a charm.
At the end of the Definitive Guide there's no step to add a cron job to re-run unifi_ssl_import.sh like you had in the now deprecated guide (5 */12 * * * root unifi_ssl_import.sh). Certbot automatically adds a job but am I right in thinking we need to add one for the Steve Jenkins script?
Your setup does not work on Ubuntu 18.04.2: unable to locate letsencrypt, then you get stuck. Can you please update your article?
Hey Chris, got an email from Let's Encrypt about certificate renewals breaking due to TLS-SNI-01 domain validation reaching end of life. Could you do a video update on what we need to do to work around this, and keep Let's Encrypt working on our Unifi servers? Thanks!
Hey, I got an email from Let’s Encrypt that ACME TLS-SNI-01, which issues the cert, will break soon. It looks like that’s what this uses, so after March 13th any new certs will not work. Is there any info on how to update this?
Hi, I need some help. After finishing this, i get "took too long to respond." error.
Finally worked to install the certificate. But I cannot load the page (Ubuntu 18.10).
Ubuntu 18.10: not working yet.
It says: Running in Standard Mode…
Missing one or more required files. Check your settings.
Hey Chris, I keep getting this error, keytool error: java.lang.Exception: Alias <unifi> does not exist
Exactly what I was looking for, thanks!! I was hunting for the UniFi controller's webserver to no avail.
Let's Encrypt explicitly does not support whitelisting their validation IPs, and has stated an intent to randomize those IPs in the future, as well as validating from multiple IPs. It may work in the short term, but is highly likely to break in the long term.
Or, of course, use DNS validation, which avoids the issue entirely.
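The thread's two recurring questions are how the renewed certificate gets back into the controller (the separate import cron entry asked about above) and what validation method to use. The following is an editor's added example, not the page's own script and not the Steve Jenkins unifi_ssl_import.sh the thread mentions: a certbot deploy hook that converts the renewed Let's Encrypt files to PKCS#12 and imports them into the controller's Java keystore. It assumes, since the page does not state them, the keystore path /var/lib/unifi/keystore, UniFi's well-known default keystore password "aircontrolenterprise", the alias "unifi" (the alias named in the keytool error quoted in one comment), the systemd service name "unifi", and a hostname of unifi.example.com; all are overridable through the environment.

```shell
#!/bin/sh
# Editor's added example, not the page's own script and not the Steve Jenkins
# unifi_ssl_import.sh the thread mentions: a certbot deploy hook that pushes a
# renewed Let's Encrypt certificate into the UniFi controller's Java keystore.
#
# Assumed (not stated on the page): the keystore is /var/lib/unifi/keystore,
# protected by UniFi's well-known default password "aircontrolenterprise", and
# the controller's certificate lives under the alias "unifi" (the alias named
# in the keytool error quoted in one comment). Override via the environment.
set -eu

UNIFI_KEYSTORE="${UNIFI_KEYSTORE:-/var/lib/unifi/keystore}"
UNIFI_KEYSTORE_PASS="${UNIFI_KEYSTORE_PASS:-aircontrolenterprise}"
UNIFI_ALIAS="${UNIFI_ALIAS:-unifi}"
UNIFI_SERVICE="${UNIFI_SERVICE:-unifi}"

# 0 when a certbot lineage directory (/etc/letsencrypt/live/<name>) holds the
# full chain and the private key that the import needs.
check_le_files() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# 0 when the controller's hostname ($1) is among the renewed names ($2...).
# Guards a hook installed globally under renewal-hooks/deploy/ on a host
# that also holds certificates for other names.
renewed_for_host() {
    host="$1"
    shift
    for name in "$@"; do
        [ "$name" = "$host" ] && return 0
    done
    return 1
}

# Replace the keystore entry with the renewed key and chain, keeping a copy
# of the old keystore so a bad import can be rolled back.
import_into_keystore() {
    live="$1"
    umask 077                      # the PKCS#12 bundle carries the private key
    bundle=$(mktemp)
    trap 'rm -f "$bundle"' EXIT
    cp -p "$UNIFI_KEYSTORE" "$UNIFI_KEYSTORE.bak"
    openssl pkcs12 -export \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name "$UNIFI_ALIAS" -out "$bundle" -passout "pass:$UNIFI_KEYSTORE_PASS"
    # keytool will not overwrite an alias, so remove the old entry first; a
    # missing alias (the "Alias <unifi> does not exist" error) is harmless here.
    keytool -delete -alias "$UNIFI_ALIAS" -keystore "$UNIFI_KEYSTORE" \
        -storepass "$UNIFI_KEYSTORE_PASS" 2>/dev/null || true
    keytool -importkeystore -noprompt \
        -srckeystore "$bundle" -srcstoretype PKCS12 \
        -srcstorepass "$UNIFI_KEYSTORE_PASS" -srckeypass "$UNIFI_KEYSTORE_PASS" \
        -srcalias "$UNIFI_ALIAS" -destalias "$UNIFI_ALIAS" \
        -destkeystore "$UNIFI_KEYSTORE" -deststorepass "$UNIFI_KEYSTORE_PASS" \
        -destkeypass "$UNIFI_KEYSTORE_PASS"
    chown unifi:unifi "$UNIFI_KEYSTORE"   # the controller runs as the unifi user
    systemctl restart "$UNIFI_SERVICE"    # the keystore is only read at start-up
}

main() {
    host="${UNIFI_HOSTNAME:-$(hostname -f)}"
    # RENEWED_DOMAINS is deliberately unquoted: certbot passes it space separated.
    if ! renewed_for_host "$host" ${RENEWED_DOMAINS:-}; then
        echo "renewal did not include $host; nothing to import" >&2
        exit 0
    fi
    check_le_files "$RENEWED_LINEAGE" || {
        echo "$RENEWED_LINEAGE lacks fullchain.pem or privkey.pem" >&2
        exit 1
    }
    import_into_keystore "$RENEWED_LINEAGE"
}

# certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS only to deploy hooks;
# run by hand, the script just explains how to wire it up.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
else
    echo "usage: certbot certonly --standalone -d unifi.example.com --deploy-hook $0" >&2
fi
```

Wired in as a deploy hook (either with --deploy-hook at issuance or by dropping the script into /etc/letsencrypt/renewal-hooks/deploy/), the import runs only when certbot actually renews, so the twice-daily `certbot renew` timer that the certbot package installs replaces the separate `5 */12 * * *` import entry; a job every 12 hours is also what Let's Encrypt itself recommends for renewal checks. Two caveats the thread's errors illustrate: `--standalone` needs TCP port 80 free on the host ("Problem binding to port 80" means something else already listens there) and reachable from the Internet at every renewal ("Timeout during connect" is the validator being blocked), and because Let's Encrypt does not publish validator addresses, the alternative to leaving port 80 open is DNS-01 validation with `--preferred-challenges dns` and a DNS plugin for your provider, which needs no inbound port at all. The keystore password is passed on the command line; that is acceptable only because it is UniFi's published default, not a secret.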
I get the following –
[email protected]:~# sudo letsencrypt certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
--------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Place files in webroot directory (webroot)
3: Spin up a temporary webserver (standalone)
--------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):
any ideas?
So… I have a controller running on Ubuntu 18.04 and set up Let's Encrypt on it. Following your recipe, I got it up and running and there were no complaints from the script etc. BUT, before it asks for email etc., it asks how to handle things: either as a standalone web server instance, or I have to give it the web root. As I could not find the web root folder, I used the standalone option.
The problem I am running into is that I am accessing the controller via IP address, and that gives me an insecure server no matter what. For now, I am not able to access it via the FQDN. Will have to wait and see what happens in a few hours.
I am using the free DNS at he.net to do a dyndns. Seems to work.
Hi Chris,
please make a Video with the CloudKey 🙂
greetings from Germany
Unfortunately, it appears that my certificate is not renewing as it should be despite editing the correct file with the same syntax and instructions you posted.
Sir, can you give me your number? I want to talk to you. Please give me your WhatsApp number.
Very cool, thanks Chris!
Someone help me out on this — if there are no processes running bound to port 80 or 443 then why does it matter if they stay open all the time?