My domain is registered on Cloudflare.
So go to https://dash.cloudflare.com/profile/api-tokens and either use the global key
or, better, create a new API token for a specific zone with Zone:DNS:Edit permissions.
Copy the token you just created. Go back to the dashboard, click on the domain you want to use,
and copy the zone ID from the bottom right corner.
ACME client I have used:
https://github.com/acmesh-official/acme.sh
curl https://get.acme.sh | sh -s email=my@example.com
Change this to your email address.
export CF_Zone_ID="zone-id"
export CF_Token="api-token"
Replace these with the values you copied earlier.
Do note that acme.sh changed its default CA; ZeroSSL is the default now.
https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL
If you want to change the default to, say, Let's Encrypt:
acme.sh --set-default-ca --server letsencrypt
Execute this:
acme.sh --issue --dns dns_cf -d unifi.controller.tld
Change this to your actual sub/domain
and let acme.sh issue you a cert for it.
Now execute this command to deploy the issued certificate:
acme.sh --deploy -d unifi.controller.tld --deploy-hook unifi
Change your sub/domain once again.
For more about deploy hooks (especially unifi), check here:
https://github.com/acmesh-official/acme.sh/wiki/deployhooks#23-deploy-the-cert-on-a-unifi-controller-or-cloud-key
https://github.com/acmesh-official/acme.sh/blob/master/deploy/unifi.sh
As of now it supports:
- self-hosted Unifi Controller
- Unifi Cloud Key (Gen1/2/2+)
- Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
All good for my self-hosted controller on a Raspberry Pi 2 with Raspbian (Debian 9/stretch).
acme.sh even created a cron job for you, which you can check with
crontab -l
47 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
If it's missing for some reason, just run
acme.sh --install-cronjob
Not sure if the cron job also automatically uses the unifi deploy hook again.
Will update this then.
All commands together:
curl https://get.acme.sh | sh -s email=my@example.com
export CF_Zone_ID="zone-id"
export CF_Token="api-token"
acme.sh --set-default-ca --server letsencrypt
acme.sh --issue --dns dns_cf -d unifi.controller.tld
acme.sh --deploy -d unifi.controller.tld --deploy-hook unifi
crontab -l
Leave out the set-default-ca line if you are okay with ZeroSSL.
Also note that you may have to reconnect via SSH or restart the terminal
to be able to use acme.sh as a command right away.
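An added check for the open question above (this is example code, not part of the original post or of acme.sh): it assumes acme.sh records the hook name under Le_DeployHook in ~/.acme.sh/<domain>[_ecc]/<domain>.conf and re-runs a recorded hook on renewal, and it compares the fingerprint of the issued fullchain.cer with what the controller serves on 8443, so you can see after the first cron run whether the deploy actually happened.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh.
# Assumption: acme.sh stores the deploy hook as Le_DeployHook in the
# domain .conf and re-runs it on --cron renewals; ECC certs use a _ecc dir.

ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"

# Directory acme.sh uses for a domain (ECC certs get a "_ecc" suffix).
acme_domain_dir() {
    if [ -d "$ACME_HOME/$1_ecc" ]; then echo "$ACME_HOME/$1_ecc"; else echo "$ACME_HOME/$1"; fi
}

# Print the hooks recorded in a domain .conf (comma separated, trailing
# comma stripped); return 1 when none is stored.
acme_deploy_hooks_of() {
    hooks=$(grep '^Le_DeployHook=' "$1" 2>/dev/null | head -n1 | cut -d= -f2- | tr -d "'\"" | sed 's/,$//')
    [ -n "$hooks" ] || return 1
    echo "$hooks"
}

# Return 0 when the named hook is among the recorded ones.
acme_has_deploy_hook() {
    acme_deploy_hooks_of "$1" | tr ',' '\n' | grep -qx "$2"
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS server presents.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# check_unifi_deploy <domain> [controller-host] [port]
check_unifi_deploy() {
    d="$1"; host="${2:-$1}"; port="${3:-8443}"
    dir=$(acme_domain_dir "$d")
    if acme_has_deploy_hook "$dir/$d.conf" unifi; then
        echo "ok: unifi hook recorded in $dir/$d.conf"
    else
        echo "WARN: no unifi hook recorded; run acme.sh --deploy again"
    fi
    issued=$(pem_fingerprint "$dir/fullchain.cer")
    served=$(served_fingerprint "$host" "$port")
    [ "$issued" = "$served" ] && echo "ok: controller serves the issued cert" \
        || echo "MISMATCH: issued=$issued served=$served"
}
```

Run it as `check_unifi_deploy unifi.controller.tld` on the controller host after the first deploy and again after the cron job has renewed the cert.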
Hi, just followed this guide, thanks. Do you know by now if the cronjob for Unifi renews the SSL cert/keystore for the controller once the cert has been renewed?