@blackjack4494
Last active September 1, 2024 09:20
Add SSL Certificate to Unifi Controller using Acme.sh and DNS verification

My domain is registered on Cloudflare.

So go to https://dash.cloudflare.com/profile/api-tokens and either use the Global API Key
or, better, create a new API token scoped to the specific zone with Zone:DNS:Edit permission.

Copy the token you just created. Go back to the dashboard, click on the domain you want to use,
and copy the Zone ID from the bottom right corner.

ACME client I have used:
https://github.com/acmesh-official/acme.sh
curl https://get.acme.sh | sh -s email=you@example.com
Change the email to your own address.

export CF_Zone_ID="zone-id"
export CF_Token="api-token"
Replace the values with the Zone ID and API token you copied earlier.

Do note that acme.sh changed its default CA:
ZeroSSL is the default now.
https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL
If you want to change the default to, let's say, Let's Encrypt:
acme.sh --set-default-ca --server letsencrypt

Execute this:
acme.sh --issue --dns dns_cf -d unifi.controller.tld
Change unifi.controller.tld to your actual sub/domain
and let acme.sh issue you a certificate for it.

Now execute this command to deploy the issued certificate:
acme.sh --deploy -d unifi.controller.tld --deploy-hook unifi
Change the sub/domain once again.
For more about deploy hooks (especially unifi) check here:
https://github.com/acmesh-official/acme.sh/wiki/deployhooks#23-deploy-the-cert-on-a-unifi-controller-or-cloud-key
https://github.com/acmesh-official/acme.sh/blob/master/deploy/unifi.sh
As of now the unifi hook supports:

 - self-hosted Unifi Controller
 - Unifi Cloud Key (Gen1/2/2+)
 - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)

All good for my self-hosted controller on a Raspberry Pi 2 with Raspbian (Debian 9/stretch).

acme.sh even created a cron job for you, which you can check with
crontab -l
47 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

If it's missing for some reason, just run
acme.sh --install-cronjob

Not sure if the cron job also automatically uses the unifi deploy hook again.
Will update this then.

All commands together

curl https://get.acme.sh | sh -s email=you@example.com

export CF_Zone_ID="zone-id"
export CF_Token="api-token"

acme.sh --set-default-ca --server letsencrypt

acme.sh --issue --dns dns_cf -d unifi.controller.tld
acme.sh --deploy -d unifi.controller.tld --deploy-hook unifi

crontab -l

Leave out the set-default-ca line if you are okay with ZeroSSL.
Also note that you may have to reconnect over SSH or restart your terminal
to be able to use acme.sh as a command right away.
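The following wrapper is an added example, not part of the gist or of acme.sh. It puts pre-flight checks around the issue/deploy steps above (refusing to run with unset or placeholder CF_Zone_ID/CF_Token values, or with a malformed hostname) and then verifies that an active acme.sh cron entry exists, which is the check you want after each firmware update since the entry can disappear. The function names, the ACME_UNIFI_RUN guard and the sample crontab listings are this example's own, and the sample listings are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the gist or acme.sh): pre-flight and post-run
# checks around the acme.sh + unifi deploy-hook procedure.
# All function and variable names here are this example's own.

# Fail early if the Cloudflare variables are unset or still hold the
# placeholders from the guide, so acme.sh never calls the Cloudflare API
# with junk credentials.
check_cf_env() {
    if [ -z "${CF_Zone_ID:-}" ] || [ -z "${CF_Token:-}" ]; then
        echo "CF_Zone_ID and CF_Token must be exported" >&2
        return 1
    fi
    case "$CF_Zone_ID" in
        zone-id)   echo "CF_Zone_ID still holds the placeholder" >&2; return 1 ;;
    esac
    case "$CF_Token" in
        api-token) echo "CF_Token still holds the placeholder" >&2; return 1 ;;
    esac
    return 0
}

# Accept only a plausible FQDN (letters, digits, dots, hyphens; at least
# one dot; no empty labels, no leading hyphen) before passing it to acme.sh -d.
valid_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Given the text of `crontab -l`, report whether an active (uncommented)
# acme.sh --cron entry is present.
has_acme_cron() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'acme\.sh[^#]*--cron'
}

# Constructed sample crontab listings for offline testing.
SAMPLE_CRON_OK='47 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null'
SAMPLE_CRON_COMMENTED='#47 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null'
SAMPLE_CRON_MISSING='0 3 * * * /usr/bin/apt-get update > /dev/null'

# Full run: issue, deploy with the unifi hook, then confirm the cron job.
# Only executed when ACME_UNIFI_RUN=1 is set, so sourcing this file is safe.
main() {
    domain="${1:?usage: ACME_UNIFI_RUN=1 $0 unifi.controller.tld}"
    check_cf_env || exit 1
    valid_fqdn "$domain" || { echo "not a valid hostname: $domain" >&2; exit 1; }
    acme.sh --issue --dns dns_cf -d "$domain"
    acme.sh --deploy -d "$domain" --deploy-hook unifi
    if has_acme_cron "$(crontab -l 2>/dev/null)"; then
        echo "acme.sh renewal cron job present"
    else
        echo "acme.sh cron job missing; run: acme.sh --install-cronjob" >&2
        exit 1
    fi
}

if [ "${ACME_UNIFI_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `ACME_UNIFI_RUN=1 sh acme-unifi.sh unifi.controller.tld` after exporting CF_Zone_ID and CF_Token; without the ACME_UNIFI_RUN guard the file only defines the check functions, so it can be sourced from a post-update script that just calls `has_acme_cron "$(crontab -l)"`.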

@blackjack4494
Author

Hi, just followed this guide, thanks. Do you know by now if the cronjob for Unifi renews the SSL cert/keystore for the controller once the cert has been renewed?

Yes it worked for me. However I still checked after every firmware update if the cronjob is still present. Only one time so far the cronjob disappeared for some reason but I simply reinstalled it.

@funk0id

funk0id commented Sep 1, 2024

This is a great guide, thanks. I went with the ZeroSSL option on a vanilla Debian install, but even though my cert is applied and works, Chrome still throws up cert errors on macOS. I'll try a Windows device later.

Are there additional steps to resolve this with root certificate installs etc. I'm missing?
