We’re going to set up Let’s Encrypt for secure HTTPS communication with the server (and to get rid of those pesky security screens when we browse to UniFi). We’re going to use Certbot to set up Let’s Encrypt – this will help to automate the entire process.
Install Certbot (https://certbot.eff.org/instructions):
sudo add-apt-repository ppa:certbot/certbot
Press ENTER to continue when prompted.
sudo apt-get update
sudo apt-get install python-certbot-apache -y
Now Certbot is installed, so the next step is to generate our SSL certificate.
sudo certbot --apache -d vultrunifi.crosstalksolutions.com
Substitute your own FQDN for vultrunifi.crosstalksolutions.com. When prompted, enter an email address to associate with the SSL certificate (Let’s Encrypt uses it for expiry and security notices). Then press A to agree to the terms of service when prompted, followed by Y or N to share your email address with the Electronic Frontier Foundation (I said N). Next you will be asked whether you want to redirect all HTTP traffic to HTTPS – choose option 2. Your Let’s Encrypt certificate has now been installed.
Next, we need to import that SSL certificate into UniFi – or in other words, we have to tell UniFi to use the Let’s Encrypt certificate.
A developer named Steve Jenkins created a really great script that automates the rest of the process, making it super easy. So, thanks to Steve, and let’s download his script and modify a few settings.
sudo wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh -O /usr/local/bin/unifi_ssl_import.sh
sudo chmod +x /usr/local/bin/unifi_ssl_import.sh
Next, edit the /usr/local/bin/unifi_ssl_import.sh file that we just downloaded:
sudo nano -w /usr/local/bin/unifi_ssl_import.sh
Find the line that says ‘UNIFI_HOSTNAME’ and change it to your own FQDN:
UNIFI_HOSTNAME=vultrunifi.crosstalksolutions.com
Next, since we are on an Ubuntu Vultr server instead of a flavor of RedHat (which the script was written for), we need to comment out the RedHat lines and uncomment the Debian/Ubuntu lines, so that the script finds UniFi’s data directory and keystore in the right place:
# Uncomment following three lines for Fedora/RedHat/CentOS
#UNIFI_DIR=/opt/UniFi
#JAVA_DIR=${UNIFI_DIR}
#KEYSTORE=${UNIFI_DIR}/data/keystore
# Uncomment following three lines for Debian/Ubuntu
UNIFI_DIR=/var/lib/unifi
JAVA_DIR=/usr/lib/unifi
KEYSTORE=${UNIFI_DIR}/keystore
Next, enable Let’s Encrypt mode (change LE_MODE=no to LE_MODE=yes), and leave LE_LIVE_DIR pointing at the directory where Certbot keeps the current certificate:
LE_MODE=yes
LE_LIVE_DIR=/etc/letsencrypt/live
Save and exit nano by doing CTRL+X followed by Y.
Finally, run the script!
sudo /usr/local/bin/unifi_ssl_import.sh
If you now close your browser and then re-open it to https://[your UniFi FQDN]:8443, the browser should accept the certificate without any security warnings, because UniFi is now serving the valid Let’s Encrypt certificate.
This is excellent – BUT – every time certbot automatically renews your Let’s Encrypt certificate, the new certificate has to be re-imported into UniFi, otherwise UniFi keeps serving the old one until it expires and the warnings come back. So we need to run this same command on a regular basis. To do so, we’re going to create a small script and put it into the /etc/cron.daily folder.
sudo nano -w /etc/cron.daily/unifi_ssl_import
Add these lines to the file:
#!/bin/bash
/usr/local/bin/unifi_ssl_import.sh
CTRL+X followed by Y to save and exit.
Now we need to set the permissions on the file so that it is owned by root (cron.daily runs as root) and is executable, otherwise run-parts will skip it:
sudo chown root:root /etc/cron.daily/unifi_ssl_import
sudo chmod +x /etc/cron.daily/unifi_ssl_import
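The daily script above re-runs the import (and restarts UniFi) every day whether or not Certbot actually renewed anything. As an added example that is not part of the original post or of Steve Jenkins’ script, here is a variant of the cron.daily wrapper that hashes the current fullchain.pem, remembers the hash of the last certificate it imported, and only calls unifi_ssl_import.sh when the certificate on disk has changed. The hostname and paths follow this post; the stamp file location (/var/lib/unifi/.le_cert_imported.sha256) is an assumption of this example and can be changed to taste.

```shell
#!/bin/bash
# Example cron.daily wrapper (added example, not the original post's script).
# Re-imports the Let's Encrypt certificate into UniFi only when it changed.
UNIFI_HOSTNAME="${UNIFI_HOSTNAME:-vultrunifi.crosstalksolutions.com}"
LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"
IMPORT_SCRIPT="${IMPORT_SCRIPT:-/usr/local/bin/unifi_ssl_import.sh}"
# Assumed location for the "last imported" marker; any root-only path works.
STAMP_FILE="${STAMP_FILE:-/var/lib/unifi/.le_cert_imported.sha256}"

# hash_file FILE -> prints the SHA-256 hex digest of FILE
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{print $1}'
}

# cert_changed CERT STAMP
#   returns 0 if STAMP is missing or records a different hash than CERT,
#   returns 1 if CERT matches the recorded hash (nothing to do),
#   returns 2 if CERT cannot be read (Certbot has not issued it yet).
cert_changed() {
  cert="$1"
  stamp="$2"
  [ -r "$cert" ] || return 2
  current=$(hash_file "$cert")
  [ -f "$stamp" ] || return 0
  [ "$current" != "$(cat "$stamp")" ]
}

# record_import CERT STAMP -> remember the hash of the cert just imported
record_import() {
  hash_file "$1" > "$2"
}

main() {
  cert="$LE_LIVE_DIR/$UNIFI_HOSTNAME/fullchain.pem"
  if cert_changed "$cert" "$STAMP_FILE"; then
    # Only touch the keystore (and restart UniFi) when there is a new cert.
    "$IMPORT_SCRIPT" && record_import "$cert" "$STAMP_FILE"
  fi
}

main
```

Because the import script restarts the UniFi service, skipping it on the days when nothing was renewed avoids a needless daily outage of the controller. Note that run-parts only executes files in /etc/cron.daily whose names contain letters, digits, underscores and hyphens, so keep the file named unifi_ssl_import (no .sh extension) if you use this variant.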