@blackjack4494
Last active Jul 31, 2021
Add SSL Certificate to Unifi Controller using Acme.sh and DNS verification

My domain is registered on Cloudflare.

So go to https://dash.cloudflare.com/profile/api-tokens and either use the Global API Key
or, better, create a new API token scoped to the specific zone with Zone:DNS:Edit permission.

Copy the token you just created. Go back to the dashboard, click on the domain you want to use,
and copy the Zone ID from the bottom right corner.

Acme client I have used:
https://github.com/acmesh-official/acme.sh
curl https://get.acme.sh | sh -s email=my@example.com
Change my@example.com to your email address.

export CF_Zone_ID="zone-id"
export CF_Token="api-token"
Replace the values with the Zone ID and API token you copied earlier.

Note that acme.sh changed its default CA: ZeroSSL is the default now.
https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL
If you want to change the default to, say, Let's Encrypt:
acme.sh --set-default-ca --server letsencrypt

Execute this (change unifi.controller.tld to your actual sub/domain)
acme.sh --issue --dns dns_cf -d unifi.controller.tld
and let acme.sh issue you a cert for it.

Now execute this command to deploy the issued certificate (change your sub/domain once again):
acme.sh --deploy -d unifi.controller.tld --deploy-hook unifi
For more about deploy hooks (especially unifi) check here:
https://github.com/acmesh-official/acme.sh/wiki/deployhooks#23-deploy-the-cert-on-a-unifi-controller-or-cloud-key
https://github.com/acmesh-official/acme.sh/blob/master/deploy/unifi.sh
As of now it supports

 - self-hosted Unifi Controller
 - Unifi Cloud Key (Gen1/2/2+)
 - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)

All good for my self-hosted controller on a Raspberry Pi 2 with Raspbian (Debian 9/stretch).

acme.sh even created a cron job for you, which you can check with
crontab -l
47 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

If it's missing for some reason, just run
acme.sh --install-cronjob

Not sure if the cronjob also automatically uses the unifi deploy hook again.
Will update this then.

All commands together

curl https://get.acme.sh | sh -s email=my@example.com

export CF_Zone_ID="zone-id"
export CF_Token="api-token"

acme.sh --set-default-ca --server letsencrypt

acme.sh --issue --dns dns_cf -d unifi.controller.tld
acme.sh --deploy -d unifi.controller.tld --deploy-hook unifi

crontab -l

Leave out the set-default-ca line if you are okay with ZeroSSL.
Also note that you may have to reconnect via SSH or restart your terminal
for acme.sh to be available as a command right away.
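As an added example (not part of the original gist and not acme.sh's own code), the following POSIX shell script wraps the issue and deploy steps above with three checks a practitioner would want: that the Cloudflare variables are exported before issuing, that acme.sh recorded the unifi deploy hook in the domain's conf file so the cron renewal can run it again, and that the controller actually serves the newly issued certificate rather than the old self-signed one. The domain name, the controller HTTPS port 8443, the Le_DeployHook line format in the conf file, and the fullchain.cer path under ~/.acme.sh are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example: issue, deploy and verify a certificate for a UniFi controller
# with acme.sh. Assumptions are marked below; this is not acme.sh's own code.
set -eu

DOMAIN="${DOMAIN:-unifi.controller.tld}"   # placeholder, replace with your sub/domain
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"   # assumed default acme.sh home
UNIFI_PORT="${UNIFI_PORT:-8443}"           # assumed controller HTTPS port

# Return 0 when both Cloudflare variables are non-empty, 1 otherwise.
# Values are passed as arguments so the check can run without the environment.
cf_credentials_present() {
  zone="$1"; token="$2"
  [ -n "$zone" ] && [ -n "$token" ]
}

# Print the deploy hook acme.sh recorded for a domain.
# Assumption: the domain conf file carries a line of the form Le_DeployHook='unifi';
# this is what lets the cron renewal re-run the same hook.
recorded_deploy_hook() {
  conf="$1"
  sed -n "s/^Le_DeployHook='\(.*\)'$/\1/p" "$conf"
}

# Compare the SHA-256 fingerprint of the cert acme.sh issued with the one the
# controller serves on its HTTPS port; a mismatch means the deploy did not take.
deployed_cert_matches() {
  local_cert="$1"; host="$2"; port="$3"
  want=$(openssl x509 -in "$local_cert" -noout -fingerprint -sha256)
  got=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
  [ "$want" = "$got" ]
}

main() {
  cf_credentials_present "${CF_Zone_ID:-}" "${CF_Token:-}" || {
    echo "export CF_Zone_ID and CF_Token before running this" >&2
    exit 1
  }

  acme.sh --issue --dns dns_cf -d "$DOMAIN"
  acme.sh --deploy -d "$DOMAIN" --deploy-hook unifi

  # Assumption: acme.sh keeps per-domain files in <domain> or <domain>_ecc (ECC keys).
  certdir="$ACME_HOME/$DOMAIN"
  [ -d "$certdir" ] || certdir="$ACME_HOME/${DOMAIN}_ecc"
  conf="$certdir/$DOMAIN.conf"

  echo "deploy hook recorded for future renewals: $(recorded_deploy_hook "$conf")"
  if deployed_cert_matches "$certdir/fullchain.cer" "$DOMAIN" "$UNIFI_PORT"; then
    echo "controller on port $UNIFI_PORT serves the newly issued certificate"
  else
    echo "controller still serves a different certificate; check the deploy step" >&2
    exit 1
  fi
}

# Run the procedure only when executed as unifi-cert.sh, so the functions can
# also be sourced and exercised on their own.
if [ "${0##*/}" = "unifi-cert.sh" ]; then
  main
fi
```

Save it as unifi-cert.sh, export CF_Zone_ID and CF_Token as above, and run it once after installing acme.sh; the final fingerprint comparison is the step that tells you the controller really picked up the new certificate, and the recorded hook is what the nightly cron renewal will reuse.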
