Unifi Controller on Ubuntu 18.04 with Let’s Encrypt SSL

This guide shows you how to install Unifi Controller on an Ubuntu 18.04 machine and set up a valid SSL certificate on it using Let’s Encrypt. I recommend using Ubuntu 18.04 specifically because I’ve seen all sorts of issues related to Java Runtime Environment on Ubuntu 16.

Use the following procedure to install the latest version of Unifi Controller on your system.

Install dependencies:

sudo apt update && sudo apt install ca-certificates apt-transport-https

Prepare for installation:

echo 'deb http://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
sudo apt update

Complete the installation of Unifi Controller:

sudo apt install unifi

To set up SSL you need a domain that points to your Unifi Controller’s IP address. For example, if you own the domain “example.com”, you can create a sub-domain like “unifi.example.com” and point it at your controller’s IP. Once that is set up, we’re ready to use Let’s Encrypt to install an SSL certificate on your controller.

Install certbot for SSL certificate setup:

sudo apt-get install certbot

Download the shell script for SSL certificate setup and make it executable:

cd /usr/local/sbin

sudo wget https://source.sosdg.org/brielle/lets-encrypt-scripts/raw/master/gen-unifi-cert.sh -O /usr/local/sbin/gen-unifi-cert.sh

sudo chmod +x /usr/local/sbin/gen-unifi-cert.sh

In the last step – in addition to your sub-domain – you also need to specify your email address which will be used to send you notices if your SSL certificate is about to expire:

sudo /usr/local/sbin/gen-unifi-cert.sh -e email@domain.com -d unifi.example.com

Now your Unifi controller should be accessible on https://unifi.example.com:8443 with a valid SSL certificate.
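The script used above is fetched from the master branch of a third-party repository and then runs as root, so its contents can change between the day you read it and the day you install it. The following added example (not part of the original post or of gen-unifi-cert.sh) installs a downloaded copy only when its SHA-256 matches a digest you recorded after reviewing that exact file. The helper name install_verified and the demo file names are assumptions; the page provides no digest, so you pin your own.

```sh
#!/bin/sh
# Added example, not part of the original post or of gen-unifi-cert.sh.
# install_verified SRC EXPECTED_SHA256 DEST   (hypothetical helper name)
# Installs SRC as DEST with mode 0755 only if SRC hashes to EXPECTED_SHA256.
# Returns 0 on install, 1 on digest mismatch, 2 on any other failure.
install_verified() {
    src=$1; expected=$2; dest=$3
    [ -f "$src" ] || { echo "missing file: $src" >&2; return 2; }
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src: got $actual" >&2
        return 1
    fi
    # Stage next to DEST and rename, so a cron run never executes a
    # half-written script.
    tmp=$(mktemp "$(dirname "$dest")/.install.XXXXXX") || return 2
    if cp "$src" "$tmp" && chmod 0755 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Constructed demo: a stand-in file plays the role of the downloaded script.
demo() {
    work=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho reviewed copy\n' > "$work/download.sh"
    # Digest recorded at review time (computed here only for the demo).
    pinned=$(sha256sum "$work/download.sh" | cut -d' ' -f1)
    install_verified "$work/download.sh" "$pinned" "$work/installed.sh" \
        && echo "installed reviewed copy"
    # Simulate upstream changing after the review.
    echo 'echo unreviewed change' >> "$work/download.sh"
    install_verified "$work/download.sh" "$pinned" "$work/installed.sh" \
        || echo "refused changed copy"
    rm -rf "$work"
}
demo
```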

Let’s Encrypt certificates are valid for 3 months. You would need to renew the certificate using the following command:

sudo /usr/local/sbin/gen-unifi-cert.sh -r -d unifi.example.com

You can also set up a cron job to automate the certificate renewal process like this:

sudo touch /etc/cron.d/unifi-cert

Then add the following to this file:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/local/sbin/gen-unifi-cert.sh && /usr/local/sbin/gen-unifi-cert.sh -r -d unifi.example.com

Special thanks to my buddy Sibghat (https://sibzz.com/) for correcting the cron job given above.


Nasir Hafeez

A CCIE certified networks and systems specialist with 8+ years of experience in designing, configuring, troubleshooting, and documenting diverse IT scenarios for ISPs, enterprises and startups

2 Comments

  1. Shane says:

    Thanks for the efforts on this, we get this error when running.
    An unexpected error occurred:
    The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

    1. Nasir Hafeez says:

      I haven’t encountered this error before. Seems like a problem with the certbot version. Perhaps you’re using an older version?
