This guide shows you how to install Unifi Controller on an Ubuntu 18.04 machine and set up a valid SSL certificate for it using Let’s Encrypt. I recommend Ubuntu 18.04 specifically because I’ve seen all sorts of issues related to the Java Runtime Environment on Ubuntu 16.
Use the following procedure to install the latest version of Unifi Controller on your system.
Install dependencies:
sudo apt update && sudo apt install ca-certificates apt-transport-https
Prepare for installation:
echo 'deb http://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
sudo apt update
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
Complete the installation of Unifi Controller:
sudo apt install unifi
To set up SSL you need a domain that points to your Unifi Controller’s IP address. For example, if you own the domain “example.com”, you can create a sub-domain such as “unifi.example.com” and point it at your controller’s IP. Once that is set up we’re ready to use Let’s Encrypt to install an SSL certificate on your controller.
Install certbot for SSL certificate setup:
apt-get install certbot
Download shell script for SSL certificate setup and make it executable:
cd /usr/local/sbin
wget https://source.sosdg.org/brielle/lets-encrypt-scripts/raw/master/gen-unifi-cert.sh -O /usr/local/sbin/gen-unifi-cert.sh
chmod +x /usr/local/sbin/gen-unifi-cert.sh
In the last step – in addition to your sub-domain – you also need to specify your email address which will be used to send you notices if your SSL certificate is about to expire:
/usr/local/sbin/gen-unifi-cert.sh -e [email protected] -d unifi.example.com
Now your Unifi controller should be accessible on https://unifi.example.com:8443 with a valid SSL certificate.
Let’s Encrypt certificates are valid for 3 months, so you will need to renew the certificate using the following command:
/usr/local/sbin/gen-unifi-cert.sh -r -d unifi.example.com
You can also set up a cron job to automate the certificate renewal process like this:
touch /etc/cron.d/unifi-cert
Then add the following code in this file:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/local/sbin/gen-unifi-cert.sh && /usr/local/sbin/gen-unifi-cert.sh -r -d unifi.example.com
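The cron job above renews unattended, and the run posted in the comments further down shows what happens when certbot fails but the script still rewrites the UniFi keystore: the import runs against a missing cert.pem and ends with an empty keystore. The pre-flight check below is an added example, not part of gen-unifi-cert.sh or anything shipped by Ubiquiti; it assumes certbot's default /etc/letsencrypt/live/<domain>/ layout (cert.pem, chain.pem, privkey.pem) and is meant to be called from the cron line ahead of the renewal script, so that a broken state is reported by cron mail instead of being imported into the controller.

```shell
#!/bin/sh
# Pre-flight check for the UniFi keystore update (example code, not part of
# gen-unifi-cert.sh). Assumed layout: certbot's default
# /etc/letsencrypt/live/<domain>/ directory holding cert.pem, chain.pem and
# privkey.pem. Usage: unifi_cert_preflight unifi.example.com [live-base-dir]

# Return 0 if FILE exists, is non-empty and starts with a PEM header, else 1.
pem_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN ' || return 1
    return 0
}

# Return 0 when all three files certbot writes are present and look like PEM.
# The first problem found is printed so a cron mail explains the failure.
unifi_cert_preflight() {
    domain="$1"
    base="${2:-/etc/letsencrypt/live}"
    dir="$base/$domain"
    if [ ! -d "$dir" ]; then
        echo "preflight: $dir does not exist (certbot never issued a certificate?)"
        return 1
    fi
    for name in cert.pem chain.pem privkey.pem; do
        if ! pem_file_ok "$dir/$name"; then
            echo "preflight: $dir/$name is missing, empty or not PEM; refusing to touch the keystore"
            return 1
        fi
    done
    echo "preflight: $dir looks complete"
    return 0
}

# Print the number of days until the certificate in FILE expires, or -1 when
# openssl is unavailable or the file cannot be parsed. Only the standard
# `openssl x509 -enddate` output is used; GNU date is assumed for `date -d`.
cert_days_left() {
    command -v openssl >/dev/null 2>&1 || { echo -1; return 1; }
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    [ -n "$end" ] || { echo -1; return 1; }
    end_s=$(date -d "$end" +%s 2>/dev/null) || { echo -1; return 1; }
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Run directly with a domain (and optional base dir) to perform the check, e.g.
#   unifi-cert-preflight.sh unifi.example.com && gen-unifi-cert.sh -r -d unifi.example.com
if [ $# -ge 1 ]; then
    if unifi_cert_preflight "$1" "$2"; then
        days=$(cert_days_left "${2:-/etc/letsencrypt/live}/$1/cert.pem")
        echo "preflight: certificate expires in $days day(s)"
    fi
fi
```

Chaining the check with `&&` in front of the renewal command on the cron line keeps the existing `test -x` guard and adds a second one: the renewal script is only reached when the certificate directory is intact, and any failure surfaces in the cron output rather than in the controller's keystore.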
Special thanks to my buddy Sibghat (https://sibzz.com/) for correcting the cron job given above.
Thanks for the efforts on this, we get this error when running.
An unexpected error occurred:
The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
I haven’t encountered this error before. Seems like a problem with the certbot version. Perhaps you’re using an older version?
Good afternoon,
Let’s see if anyone can help me. After trying several times, I get an error and the certificate never finishes being generated and configured when I run the last command.
root@unify:/usr/local/sbin# /usr/local/sbin/gen-unifi-cert.sh -e [email protected] -d unifi.onutech.com
Found LetsEncrypt/Certbot binary at /usr/bin/certbot
Firing up standalone authenticator on TCP port 80 and requesting cert…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for unifi.onutech.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. unifi.onutech.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://unifi.onutech.com/.well-known/acme-challenge/-Yqy5KBHLmGHs6uPE3GYPU_nw5rPXpqzwNizywCtuls: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
– The following errors were reported by the server:
Domain: unifi.onutech.com
Type: connection
Detail: Fetching
http://unifi.onutech.com/.well-known/acme-challenge/-Yqy5KBHLmGHs6uPE3GYPU_nw5rPXpqzwNizywCtuls:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Cert has changed or -i option was used, updating controller…
/usr/local/sbin/gen-unifi-cert.sh: línea 145: /etc/letsencrypt/live/unifi.onutech.com/cert.pem.md5: No existe el archivo o el directorio
Using openssl to prepare certificate…
cat: /etc/letsencrypt/live/unifi.onutech.com/chain.pem: No existe el archivo o el directorio
Error opening input file /etc/letsencrypt/live/unifi.onutech.com/cert.pem
/etc/letsencrypt/live/unifi.onutech.com/cert.pem: No such file or directory
Stopping Unifi controller…
Removing existing certificate from Unifi protected keystore…
error de herramienta de claves: java.lang.Exception: El alias no existe
Inserting certificate into Unifi keystore…
error de herramienta de claves: java.lang.Exception: El archivo de almacén de claves de origen existe, pero está vacío: /tmp/tmp.H0vrJo3Bpa
Starting Unifi controller…
Done!
As the error shows, please try disabling your firewall and then try again. Also check that the A record is pointing to the right IP address.