Skip to content

Instantly share code, notes, and snippets.

@blackjack4494

blackjack4494/readme.md

Last active February 28, 2024 12:47
Show Gist options
  • Save blackjack4494/331e46678c0ea15a61c4cc6756c21969 to your computer and use it in GitHub Desktop.
Save blackjack4494/331e46678c0ea15a61c4cc6756c21969 to your computer and use it in GitHub Desktop.
Download ZIP
Add SSL Certificate to Unifi Controller using Acme.sh and DNS verification
Raw
readme.md

My domain is registered on cloudflare.

So go to https://dash.cloudflare.com/profile/api-tokens to either use global key
or better create a new api key for a specific zone with zone dns edit permissions.

Copy that token you just created. Go back to dashboard, click on the domain you want to use
bottom right corner copy the zone id.

Acme Client I have used
https://github.com/acmesh-official/acme.sh
curl https://get.acme.sh | sh -s email=my@example.com
change to your email address.

export CF_Zone_ID="zone-id"
export CF_Token="api-token"
replace with values you copied earlier.

Do note Acme.sh changed their default CA
ZeroSSL is default now.
https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL
If you want to change the default to let's say Let's Encrypt
acme.sh --set-default-ca --server letsencrypt

execute this
acme.sh --issue --dns dns_cf -d unifi.controller.tld
change to your actual sub/domain
and let acme issue you a cert for it.

now execute this command to deploy the issued certificate
acme.sh --deploy -d unifi.controller.tld --deploy-hook unifi
change your sub/domain once again.
More about deploy-hooks (especially unifi) check here
https://github.com/acmesh-official/acme.sh/wiki/deployhooks#23-deploy-the-cert-on-a-unifi-controller-or-cloud-key
https://github.com/acmesh-official/acme.sh/blob/master/deploy/unifi.sh
As of now supports

 - self-hosted Unifi Controller
 - Unifi Cloud Key (Gen1/2/2+)
 - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)

All good for my selfhosted controller on a raspberry pi 2 with raspbian (debian 9/stretch)

Acme even created a cronjob for you which you can check here
crontab -l
47 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

If it's missing for some reason just run
acme.sh --install-cronjob

Not sure if the cronjob also automatically uses the unifi deploy hook again.
Will update this then.

All commands together

curl https://get.acme.sh | sh -s email=my@example.com

export CF_Zone_ID="zone-id"
export CF_Token="api-token"

acme.sh --set-default-ca  --server  letsencrypt

acme.sh --issue --dns dns_cf -d unifi.controller.tld
acme.sh --deploy -d unifi.controller.tld --deploy-hook unifi

crontab -l

leave out the set-default-ca line if you are okay with ZeroSSL
Also note that you may have to reconnect to ssh/restart terminal
to be able to use acme.sh as command right away.

@AdeTheux
Copy link

Hi, just followed this guide, thanks. Do you know by now if the cronjob for Unifi renews the SSL cert/keystore for the controller once the cert has been renewed?

@blackjack4494
Copy link
Author

Hi, just followed this guide, thanks. Do you know by now if the cronjob for Unifi renews the SSL cert/keystore for the controller once the cert has been renewed?

Yes it worked for me. However I still checked after every firmware update if the cronjob is still present. Only one time so far the cronjob disappeared for some reason but I simply reinstalled it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment