Let's Encrypt UniFi

Let's Encrypt UniFi

How to install a Let’s Encrypt certificate on UniFi and configure crontab to automatically renew the certificate every 12 hours.

15 Minute Hosted UniFi Controller:

Let’s Encrypt UniFi:

Digital Ocean sign-up:

Crosstalk Store on Amazon – RECOMMENDED PRODUCTS:

Amazon Wish List:

Crosstalk Solutions offers best practice phone systems, network design and deployment, and UniFi Video camera systems. Visit for details.

Crosstalk Solutions is an authorized Sangoma partner and reseller.

Connect with Chris:
Twitter: @CrosstalkSol

32 thoughts on “Let's Encrypt UniFi

  1. No sure how often you update your content but the last comments seems to be 4 months ago.

    I tried to follow your instruction using Ubuntu 20.04, but it failed because you have to use snapd to carry out the installation.
    I managed to get as far as making a certificate request but it fails on the rootdir for the unifi controller instance.
    Now unifi support have not been very forthcoming with information or details about what and how the unifi application is created and delivered. As far as I can gather, it is a custom instance of Tomcat. With ths installation I was asked to provide the unifi applications rootdir. As far as I can guess, I assume that it is /use/lib/unifi/webapps …. but when I sue this I get the following error.
    I have also tried a second rootdir /usr/lib/unifi/webapps/ROOT/app-unifi/
    and get the same error.

    I look forward to your soonest response.

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    [email protected]:/var/lib/unifi# certbot certonly

    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    How would you like to authenticate with the ACME CA?

    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

    1: Spin up a temporary webserver (standalone)

    2: Place files in webroot directory (webroot)

    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

    Plugins selected: Authenticator webroot, Installer None

    Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'

    to cancel): icanunifi.e2snail.com

    Obtaining a new certificate

    Performing the following challenges:

    http-01 challenge for icanunifi.e2snail.com

    Input the webroot for icanunifi.e2snail.com: (Enter 'c' to cancel): /usr/lib/unifi/webapps/ROOT/app-unifi/

    Waiting for verification…

    Challenge failed for domain icanunifi.e2snail.com

    http-01 challenge for icanunifi.e2snail.com

    Cleaning up challenges

    Some challenges have failed.


    – The following errors were reported by the server:

    Domain: icanunifi.e2snail.com

    Type: connection

    Detail: Fetching


    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was

    entered correctly and the DNS A/AAAA record(s) for that domain

    contain(s) the right IP address. Additionally, please check that

    your computer has a publicly routable IP address and that no

    firewalls are preventing the server from communicating with the

    client. If you're using the webroot plugin, you should also verify

    that you are serving files from the webroot path you provided.

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #


  2. Is this also usable with a local controller(if yes what do I have to write instead of "UNIFI_CONTROLLER=unifi.company.com") . I have a relativly small setup but I would still like to get rid of the not secure warning. Thanks in advance

  3. Chris,
    First of all, thank you for all of the great videos that you post.
    I could not get this to work on the digital ocean Ubuntu 18.04. I did find another blog post "Definitive Guide to Hosted UniFi" and Part 21 walks you through the lets Encrypt process and everything worked.

  4. Why don't y'all just run sudo /bin/bash first so you don't have to type sudo every time? Then, if for some reason you need to de-escalate/run as a different user, run su user-name-here command and you'll run the command as that user. Saves me so many keystrokes.

  5. Very good tutorial. I moved my local controller to the VPS and I wanted to have a proper SSL certificate on my cloud controller. Only think I needed to do was edit my DNS Records to point my conroller and follow this tutorial… no problems encountered. Works like a charm.

  6. At the end of the Definitive Guide there's no step to add a cron job to re-run unifi_ssl_import.sh like you had in the now deprecated guide (5 */12 * * * root unifi_ssl_import.sh). Certbot automatically adds a job but am I right in thinking we need to add one for the Steve Jenkins script?

  7. your setup does not work on ubuntu 18.04.2 unable to locate letsencrypt, then you get stuck. can you please update your article?

  8. Hey Chris, got an email from Let's Encrypt about certificate renewals breaking due to TLS-SNI-01 domain validation reaching end of life. Could you do a video update on what we need to do to work around this, and keep Let's Encrypt working on our Unifi servers? Thanks!

  9. Hey I got an email from let’s encrypt that ACME TLS-SNI-01 that issues the cert will break soon. It looks like that’s what this uses so after March 13th any new certs will not work. Is there any info how to update this?

  10. UBUNTU 18.10 Not working yet
    It Says: Running in Standard Mode…

    Missing one or more required files. Check your settings.

  11. Let's Encrypt explicitly does not support whitelisting their validation IPs, and have stated an intent to randomize those IPs in the future, as well as validating from multiple IPs. It may work in the short term, but is highly likely to break in the long term.

    Or, of course, use DNS validation, which avoids the issue entirely.

  12. I get the following –

    [email protected]:~# sudo letsencrypt certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    How would you like to authenticate with the ACME CA?
    1: Apache Web Server plugin – Beta (apache)
    2: Place files in webroot directory (webroot)
    3: Spin up a temporary webserver (standalone)
    Select the appropriate number [1-3] then [enter] (press 'c' to cancel):

    any ideas?

  13. So… I have a controller running on Ubuntu 18.04 and set up Lets Encrypt on it. Following your recipe, I got it up and running and there was no complains from the script etc. BUT – before it asks for email etc, it asks how to handle things. Either as a standalone web server instance, or I have to give it the web root. As I could not find the web root folder, I used the standalone option.

    The problem I am running into is that I am accessing the controller via IP address. And that gives me unsecure server no matter what. For now, I am not able to access it via the fqdn. Will have to wait and see what happens in a few hours.

    I am using the free DNS at he.net to do a dyndns. Seems to work.

  14. Unfortunately, it appears that my certificate is not renewing as it should be despite editing the correct file with the same syntax and instructions you posted.

  15. Someone help me out on this — if there are no processes running bound to port 80 or 443 then why does it matter if they stay open all the time?

Leave a Reply

Your email address will not be published. Required fields are marked *