Unifi Controller on Ubuntu 18.04 with Let’s Encrypt SSL

This guide shows you how to install Unifi Controller on a Ubuntu 18.04 machine and set up a valid SSL certificate on it using Let’s Encrypt. I recommend using Ubuntu 18.04 specifically because I’ve seen all sorts of issues related to Java Runtime Enviroment on Ubuntu 16.

Use the following procedure to install the latest version of Unifi Controller on your system.

Install dependencies:

sudo apt update && sudo apt install ca-certificates apt-transport-https

Prepare for installation:

echo 'deb http://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
sudo apt update
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg

Complete the installation of Unifi Controller:

sudo apt install unifi

To setup SSL you need a domain that’s pointing to your Unifi Controller’s IP address. For example, if you own the domain called “example.com”, you can create a sub-domain like “unifi.example.com” and point that towards your controller’s IP. Once that is setup we’re ready to use Let’s Encrypt to install SSL certificate on your controller.

Install certbot for SSL certificate setup:

apt-get install certbot

Download shell script for SSL certificate setup and make it executable:

cd /usr/local/sbin

wget https://source.sosdg.org/brielle/lets-encrypt-scripts/raw/master/gen-unifi-cert.sh -O /usr/local/sbin/gen-unifi-cert.sh

chmod +x /usr/local/sbin/gen-unifi-cert.sh

In the last step – in addition to your sub-domain – you also need to specify your email address which will be used to send you notices if your SSL certificate is about to expire:

/usr/local/sbin/gen-unifi-cert.sh -e email@domain.com -d unifi.example.com 

Now your Unifi controller should be accessible on https://unifi.example.com:8443 with a valid SSL certificate.

Let’s Encrypt certificates are valid for 3 months. You would need to renew the certificate using the following command:

/usr/local/sbin/gen-unifi-cert.sh -r -d unifi.example.com

You can also setup a cron job to automate certificate renewal process like this:

touch /etc/cron.d/unifi-cert

Then add the following code in this file:


0 */12 * * * root test -x /usr/local/sbin/gen-unifi-cert.sh && /usr/local/sbin/gen-unifi-cert.sh -r -d unifi.example.com

Special thanks to my buddy Sibghat (https://sibzz.com/) for correcting the cron job given above.


How to install and update via APT on Debian or Ubuntu

Using Let’s Encrypt with Unifi Controller


  1. Shane says:

    Thanks for the efforts on this, we get this error when running.
    An unexpected error occurred:
    The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

    1. Nasir Hafeez says:

      I haven’t encountered this error before. Seems like a problem with the certbot version. Perhaps you’re using an older version?

  2. José Manuel Díaz says:

    Buenas tardes,
    Haber si alguien puede ayudarme, tras intentarlo varias veces, obtengo un error y el certificado no acaba de generarse y configurarse al ejecutar la ultima sentencia de comandos.

    root@unify:/usr/local/sbin# /usr/local/sbin/gen-unifi-cert.sh -e josemanuel.diaz@onutech.com -d unifi.onutech.com
    Found LetsEncrypt/Certbot binary at /usr/bin/certbot
    Firing up standalone authenticator on TCP port 80 and requesting cert…
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for unifi.onutech.com
    Waiting for verification…
    Cleaning up challenges
    Failed authorization procedure. unifi.onutech.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://unifi.onutech.com/.well-known/acme-challenge/-Yqy5KBHLmGHs6uPE3GYPU_nw5rPXpqzwNizywCtuls: Timeout during connect (likely firewall problem)

    – The following errors were reported by the server:

    Domain: unifi.onutech.com
    Type: connection
    Detail: Fetching
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    Cert has changed or -i option was used, updating controller…
    /usr/local/sbin/gen-unifi-cert.sh: línea 145: /etc/letsencrypt/live/unifi.onutech.com/cert.pem.md5: No existe el archivo o el directorio
    Using openssl to prepare certificate…
    cat: /etc/letsencrypt/live/unifi.onutech.com/chain.pem: No existe el archivo o el directorio
    Error opening input file /etc/letsencrypt/live/unifi.onutech.com/cert.pem
    /etc/letsencrypt/live/unifi.onutech.com/cert.pem: No such file or directory
    Stopping Unifi controller…
    Removing existing certificate from Unifi protected keystore…
    error de herramienta de claves: java.lang.Exception: El alias no existe
    Inserting certificate into Unifi keystore…
    error de herramienta de claves: java.lang.Exception: El archivo de almacén de claves de origen existe, pero está vacío: /tmp/tmp.H0vrJo3Bpa
    Starting Unifi controller…

    1. As shown in the error, please try to disable your firewall and then try. Also check if the A record is pointing to the right IP address.

Leave a Reply

Your email address will not be published. Required fields are marked *