Let's Encrypt Unifi


Let's Encrypt is a free and automated Certificate Authority. The most commonly used client is Certbot, a fully automated tool published by the EFF.

Unifi is an enterprise WiFi solution that I use at home. It works with a central controller accessed through a web interface. This controller is reachable over HTTPS, but by default it uses a self-signed certificate. Fortunately it is possible to use your own certificate, and in this article I will show you how to use Let's Encrypt certificates that renew automatically.

Install Certbot

To install Certbot, please refer to the very good documentation directly on Certbot's website.

My own install is such that the certbot client is located at /root/certbot-auto. You may have to adapt some of the commands if it is installed differently for you.

Let's Encrypt certificates are only valid for 90 days. To renew them automatically, don't forget to create a cron task:

# crontab -e
00 04 * * * /root/certbot-auto renew --quiet

First certificate

In this article and its scripts, I assume that your Unifi controller is accessed at the address http://unifi.example.com. So we will generate a certificate for unifi.example.com, a domain that points to your server.

Certbot can automatically detect the most appropriate method to sign a certificate. Simply run the following command:

./certbot-auto certonly --domain unifi.example.com

Follow the instructions. If you don't already have a webserver on your server, use the standalone option.

You can verify that the certificate was successfully created in /etc/letsencrypt/live/unifi.example.com/

Automatic deployment script

Create the script /root/certbot-renew-hook.sh:

# editor /root/certbot-renew-hook.sh
#!/bin/bash

# This script is run by certbot after a successful renewal.
# certbot exports RENEWED_DOMAINS (space-separated list of renewed domains)
# and RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory).

set -e

for domain in $RENEWED_DOMAINS; do
    case $domain in
    unifi.example.com)
        {
        unifi_root=/var/lib/unifi
        umask 077
        # Start from a clean keystore so the old aliases do not conflict
        rm -f "$unifi_root/cert_and_key.p12" "$unifi_root/keystore"
        # Bundle the renewed private key and full chain into a PKCS#12 file
        openssl pkcs12 -export -in "$RENEWED_LINEAGE/fullchain.pem" -inkey "$RENEWED_LINEAGE/privkey.pem" -out "$unifi_root/cert_and_key.p12" -name tomcat -CAfile "$RENEWED_LINEAGE/chain.pem" -caname root -password pass:aaa
        # Import it into a Java keystore protected by Unifi's default keystore password
        keytool -importkeystore -srcstorepass aaa -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -srckeystore "$unifi_root/cert_and_key.p12" -srcstoretype PKCS12 -alias tomcat -keystore "$unifi_root/keystore"
        # Add the full chain as a trusted certificate entry
        keytool -import -trustcacerts -alias unifi -deststorepass aircontrolenterprise -file "$RENEWED_LINEAGE/fullchain.pem" -noprompt -keystore "$unifi_root/keystore"
        chown unifi:root "$unifi_root/keystore"
        service unifi restart
        # All output is discarded; drop the redirection to debug a failing renewal
        } &> /dev/null
        ;;
    esac
done

And don't forget to make it executable:

# chmod a+x /root/certbot-renew-hook.sh

Renew with the script

Although it is not recommended to make too many requests to Let's Encrypt's ACME service, the easiest way to install your certificates and verify that the automatic renewal works correctly is to force a certificate renewal. Run the following command:

# ./certbot-auto renew --cert-name unifi.example.com --force-renewal --renew-hook /root/certbot-renew-hook.sh

If there is no error message, you can connect to your Unifi controller and check the HTTPS certificate! Please note that the renew-hook script has been automatically added to certbot's configuration (check /etc/letsencrypt/renewal/unifi.example.com.conf), so you don't need to modify the crontab entry.
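Since the hook is recorded in the renewal configuration and then executed by root from the cron job, it is worth checking that wiring once rather than waiting 60 days for the first real renewal. The following script is an added example, not part of the original article: it parses the renewal configuration certbot writes under /etc/letsencrypt/renewal/, confirms that renew_hook points at the expected script, and checks that the script is safe to be run by root (exists, executable, root-owned, not writable by group or others). The default paths /etc/letsencrypt/renewal/unifi.example.com.conf and /root/certbot-renew-hook.sh are those used in this article; both are parameters so the script can also be run against a test directory.

```python
"""Check that a certbot renewal is wired to the Unifi deploy hook.

Added example, not the article's or certbot's own code. It assumes the
paths used in the article (DEFAULT_CONF and DEFAULT_HOOK below).
"""
import configparser
import os
import stat
from pathlib import Path

DEFAULT_CONF = "/etc/letsencrypt/renewal/unifi.example.com.conf"
DEFAULT_HOOK = "/root/certbot-renew-hook.sh"


def parse_renewal_conf(path):
    """Return (top_level, renewalparams) dicts from a certbot renewal conf.

    certbot writes the file with configobj, so keys such as `cert = ...`
    appear before any section header. configparser rejects that, so a
    synthetic [lineage] section is prepended before parsing.
    """
    text = Path(path).read_text()
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[lineage]\n" + text)
    top = dict(parser["lineage"])
    params = dict(parser["renewalparams"]) if parser.has_section("renewalparams") else {}
    return top, params


def check_hook_wiring(conf_path=DEFAULT_CONF, expected_hook=DEFAULT_HOOK, owner_uid=0):
    """Return a list of findings; an empty list means the wiring is sound.

    owner_uid is the user that cron runs certbot as (root by default); a hook
    owned or writable by anyone else would let that user run commands as root.
    """
    findings = []
    _, params = parse_renewal_conf(conf_path)
    hook = params.get("renew_hook")
    if hook is None:
        findings.append("renew_hook is not set in %s" % conf_path)
        return findings
    if hook != expected_hook:
        findings.append("renew_hook is %r, expected %r" % (hook, expected_hook))
    try:
        st = os.stat(hook)
    except FileNotFoundError:
        findings.append("hook script %s does not exist" % hook)
        return findings
    if not st.st_mode & stat.S_IXUSR:
        findings.append("hook script %s is not executable" % hook)
    if st.st_uid != owner_uid:
        findings.append("hook script %s is not owned by uid %d" % (hook, owner_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("hook script %s is writable by group or others" % hook)
    return findings


if __name__ == "__main__":
    problems = check_hook_wiring()
    if problems:
        for p in problems:
            print("PROBLEM:", p)
    else:
        print("renewal hook wiring looks good")
```

Run it as root after the forced renewal above; any line starting with PROBLEM means the next automatic renewal would either skip the Unifi keystore update or run a script that someone other than root can edit.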

Enjoy!
