
How To Install a Let’s Encrypt SSL Certificate on UniFi

*** THIS GUIDE IS NOW OUTDATED – Check out the Definitive Guide to Hosted UniFi instead!

Or continue below... though it's a total waste of time.
Let's Encrypt gives you a free, publicly trusted SSL/TLS certificate for your UniFi Controller. When set up correctly the certificate renews itself automatically, and the browser stops warning you that the controller's default self-signed certificate is untrusted.
This article is based on my 15 Minute Hosted UniFi Controller setup, so start with that article, and then come back to this article when your UniFi Controller is up and running.  One additional step is that you need to create a DNS A Record that points to the IP address of your UniFi Controller.  Something like unifi.company.com.  That should be done first in order to ensure that DNS has time to propagate before you need to create the Let’s Encrypt certificate.
The first thing we have to do is open TCP port 80 (HTTP) and TCP port 443 (HTTPS) so that Let's Encrypt can validate the domain and renew the certificate. The controller itself keeps listening on 8443; nothing listens on 80 or 443 outside the few seconds of a validation, so anyone browsing directly to those ports at any other time simply gets a connection refused.
Log into your UniFi controller host over SSH and run the following commands to allow those ports through the firewall:
sudo ufw allow 80/tcp

sudo ufw allow 443/tcp
It would be better for security to restrict these rules to the addresses Let's Encrypt validates from, but that is not practical. Let's Encrypt deliberately does not publish a fixed list of validation addresses and checks your domain from several vantage points, so an allow list built from DNS lookups of hostnames such as outbound1.letsencrypt.org and outbound2.letsencrypt.org can be incomplete and silently break renewal. iptables does accept a hostname in a rule, but it resolves it only once, when the rule is inserted, so a rule cannot follow changing addresses either. The practical mitigation is the one already in place: nothing listens on these ports except during validation. If anyone creates a script that handles this well, Contact Me and I'll post an update!
Next, install the Let's Encrypt client (on newer Ubuntu releases the package is called certbot; letsencrypt is a transitional package that pulls it in, and the letsencrypt command is an alias for certbot):
sudo apt-get update

sudo apt-get install letsencrypt
Now we need to generate our certificates.
sudo letsencrypt certonly
This command asks for your email address and FQDN, and has you accept the terms of use. If it asks how it should authenticate, pick the standalone option: the client binds port 80 itself to answer the validation request, which is why nothing else may be listening there and why the firewall rule above is needed. When complete, you should see a message that starts 'Congratulations! Your certificate and chain...', which means the certificate was issued and written under /etc/letsencrypt/live/<your FQDN>/. The authenticator you chose is saved in the renewal configuration, so later renewals use it automatically.
A developer named Steve Jenkins created a really great script that automates the rest of the process, making it super easy. So, thanks to Steve, let's download his script and modify a few settings. Since it runs as root and replaces the controller's keystore, read through it after downloading and before running it.
sudo wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh -O /usr/local/bin/unifi_ssl_import.sh

sudo chmod +x /usr/local/bin/unifi_ssl_import.sh
Next, edit the /usr/local/bin/unifi_ssl_import.sh file we just downloaded:
sudo nano -w /usr/local/bin/unifi_ssl_import.sh
Find the line that says ‘UNIFI_HOSTNAME’ and change it to your own FQDN:
UNIFI_HOSTNAME=unifi.company.com
Next, since we are on an Ubuntu DigitalOcean droplet rather than the AWS image the script was written for, we need to comment out the Fedora/RedHat/CentOS lines and uncomment the Debian/Ubuntu lines:
# Uncomment following three lines for Fedora/RedHat/CentOS
#UNIFI_DIR=/opt/UniFi
#JAVA_DIR=${UNIFI_DIR}
#KEYSTORE=${UNIFI_DIR}/data/keystore

# Uncomment following three lines for Debian/Ubuntu
UNIFI_DIR=/var/lib/unifi
JAVA_DIR=/usr/lib/unifi
KEYSTORE=${UNIFI_DIR}/keystore
Next, enable Let's Encrypt mode:
LE_MODE=yes
LE_LIVE_DIR=/etc/letsencrypt/live
Save and exit nano by doing CTRL+X followed by Y.
Finally, run the script!
sudo /usr/local/bin/unifi_ssl_import.sh
If you now close your browser and re-open it to https://unifi.company.com:8443, the security warnings should be gone and the browser should show a valid, trusted HTTPS certificate.

BUT, one caveat with Let's Encrypt is that its certificates are only valid for 90 days, so we also want to automate renewal. To do this we add a couple of lines to /etc/crontab, which runs the commands on a schedule we set (in this case every 12 hours, the cadence Let's Encrypt recommends so that a transient failure still leaves plenty of retries before expiry):
sudo nano -w /etc/crontab
Now, add the following two lines to the end of the file:
0 */12 * * * root letsencrypt renew
5 */12 * * * root /usr/local/bin/unifi_ssl_import.sh
Save and exit nano by doing CTRL+X followed by Y.
The first line runs the renewer every 12 hours on the hour; it only actually replaces the certificate once it is within 30 days of expiry and otherwise exits without doing anything. The second line re-runs the import script 5 minutes later (with its full path, so it does not depend on cron's PATH); the import script also restarts the UniFi service to load the new keystore. That restart happens on every run, not just after a renewal, so the controller bounces twice a day. If that is a problem, hook the import into the renewal itself so it only runs when a certificate was actually replaced.
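The following is an added example, not part of the original article and not Steve Jenkins' script: a certbot deploy hook that replaces the second cron line. It runs the import (and therefore the controller restart) only when the certificate for the controller's hostname was actually renewed, and then checks that the controller really serves the new certificate by comparing SHA-256 fingerprints. It assumes a certbot version that runs scripts placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS to them; the import script path and port 8443 come from the article, and unifi.company.com is a placeholder hostname.

```sh
#!/bin/sh
# Added example, not from the original article or Steve Jenkins' script.
# Install as /etc/letsencrypt/renewal-hooks/deploy/unifi.sh (mode 0755).
# Assumptions: certbot calls deploy hooks only after a successful renewal and
# exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and
# RENEWED_DOMAINS (space-separated names on the renewed certificate).
set -eu

UNIFI_HOSTNAME="${UNIFI_HOSTNAME:-unifi.company.com}"          # placeholder
IMPORT_SCRIPT="${IMPORT_SCRIPT:-/usr/local/bin/unifi_ssl_import.sh}"
UNIFI_PORT="${UNIFI_PORT:-8443}"

# Returns 0 when the renewed lineage is the controller's certificate: either
# the lineage directory is named after our hostname (certbot names it after
# the first domain on the certificate) or the hostname is in the domain list.
lineage_matches() {
    lineage="$1"; host="$2"; domains="${3:-}"
    [ "$(basename "$lineage")" = "$host" ] && return 0
    for d in $domains; do
        [ "$d" = "$host" ] && return 0
    done
    return 1
}

# SHA-256 fingerprint of a PEM certificate on disk: lower-case hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the certificate a TLS server actually presents.
# Empty stdin makes s_client hang up as soon as the handshake is done.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

main() {
    if ! lineage_matches "$RENEWED_LINEAGE" "$UNIFI_HOSTNAME" "${RENEWED_DOMAINS:-}"; then
        echo "deploy hook: $RENEWED_LINEAGE is not the UniFi certificate, nothing to do"
        return 0
    fi
    # Import into the UniFi keystore; the article's script restarts the service.
    "$IMPORT_SCRIPT"
    expected="$(cert_fingerprint "$RENEWED_LINEAGE/cert.pem")"
    # The controller takes a while to come back; poll for up to a minute and
    # fail loudly (non-zero exit, visible in certbot's log) if it still serves
    # the old certificate.
    i=0
    actual=""
    while [ "$i" -lt 12 ]; do
        actual="$(served_fingerprint "$UNIFI_HOSTNAME" "$UNIFI_PORT" || true)"
        if [ "$actual" = "$expected" ]; then
            echo "deploy hook: controller now serves $expected"
            return 0
        fi
        i=$((i + 1)); sleep 5
    done
    echo "deploy hook: controller serves '$actual', expected $expected" >&2
    return 1
}

# certbot sets RENEWED_LINEAGE only when invoking deploy hooks; run by hand
# without it, this file just defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

With this hook in place, the single cron line `0 */12 * * * root letsencrypt renew` is enough: the client still checks twice a day, but the keystore import and the controller restart only happen when a certificate was actually replaced, and the fingerprint comparison catches the case where the import silently left the old certificate in place.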
That’s it!

Source
