Let's Encrypt Unifi
Let's Encrypt is a free and automated Certificate Authority. The most widely used client is Certbot, a fully automated tool published by the EFF.
Unifi is an enterprise WiFi solution that I use at home. It is managed by a central controller with a web interface. The controller is served over HTTPS, but by default with a self-signed certificate, so every browser warns about it. Fortunately you can install your own certificate, and in this article I will show you how to use Let's Encrypt certificates that are renewed and deployed automatically.
Install Certbot
To install Certbot, follow the documentation on Certbot's website, which covers each distribution.
My own install is such that the certbot client is located at /root/certbot-auto. You may have to adapt some of the commands if it is installed differently for you.
Let's Encrypt certificates are only valid for 90 days, so renewal has to be automated: create a cron task that runs certbot's renew command regularly. Certbot only contacts Let's Encrypt when a certificate is close to expiry, so running it daily is fine.
First certificate
In this article and its scripts, I assume that your Unifi controller is reached at https://unifi.example.com, so we will generate a certificate for unifi.example.com, a DNS name that resolves to the server running the controller (the ACME challenge has to reach that host).
Certbot detects installed web servers and proposes the most appropriate way to validate the domain. Run it in certificate-only mode, since the controller will be configured by our own script rather than by certbot, and follow the instructions. If no web server runs on this machine, choose the standalone option: certbot then answers the challenge itself on port 80, so that port must be free and reachable from the internet.
You can check that the certificate files (cert.pem, chain.pem, fullchain.pem and privkey.pem) were created in /etc/letsencrypt/live/unifi.example.com/
Automatic deployment script
Create the script /root/certbot-renew-hook.sh:
#!/bin/bash
# /root/certbot-renew-hook.sh: certbot runs this script after each successful
# renewal, with RENEWED_DOMAINS (the names on the renewed certificate, space
# separated) and RENEWED_LINEAGE (its /etc/letsencrypt/live/<name> directory)
# set in the environment.
set -e
for domain in $RENEWED_DOMAINS; do
case $domain in
unifi.example.com)
{
unifi_root=/var/lib/unifi
# the files created below contain the private key: owner-only permissions
umask 077
rm -f "$unifi_root/cert_and_key.p12" "$unifi_root/keystore"
# bundle the key and the chain into a PKCS#12 file; "aaa" only protects this
# temporary file, which is mode 600 and deleted on the next run
openssl pkcs12 -export -in "$RENEWED_LINEAGE/fullchain.pem" -inkey "$RENEWED_LINEAGE/privkey.pem" -out "$unifi_root/cert_and_key.p12" -name tomcat -CAfile "$RENEWED_LINEAGE/chain.pem" -caname root -password pass:aaa
# convert it into the Java keystore Unifi reads; "aircontrolenterprise" is the
# password Unifi expects for its keystore, not a secret you get to choose
keytool -importkeystore -srcstorepass aaa -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -srckeystore "$unifi_root/cert_and_key.p12" -srcstoretype PKCS12 -alias tomcat -keystore "$unifi_root/keystore"
# add the full chain as a trusted entry under the alias "unifi"
keytool -import -trustcacerts -alias unifi -deststorepass aircontrolenterprise -file "$RENEWED_LINEAGE/fullchain.pem" -noprompt -keystore "$unifi_root/keystore"
# the controller runs as user unifi and must be able to read the keystore
chown unifi:root "$unifi_root/keystore"
# restart so the new keystore is loaded; the output is deliberately not sent to
# /dev/null: certbot shows what a failing hook printed, which is what you want
# when a deployment breaks in the middle of the night
service unifi restart
}
;;
esac
done
And don't forget to make it executable with chmod +x.
Renew with the script
Let's Encrypt asks you not to hit its ACME endpoints needlessly (renewals count against its rate limits), but the easiest way to install the certificate the first time and to check that automatic renewal really works is to force one renewal, passing the hook script with --renew-hook. Run the following command:
If there is no error message, you can connect to your Unifi controller and check the HTTPS certificate! Please note that the renew-hook script has been automatically added to certbot's configuration (check in /etc/letsencrypt/renewal/unifi.example.com.conf), so you don't need to modify the crontab entry. Newer certbot releases also accept --deploy-hook for the same purpose.
Enjoy!