Monday, October 14, 2019

How To Install a Let’s Encrypt SSL Certificate on UniFi


*** THIS GUIDE IS NOW OUTDATED – Check out the Definitive Guide to Hosted UniFi instead!

————– Or continue below…though it’s a total waste of time. ———-
Let’s Encrypt allows you to have a FREE signed SSL certificate on your UniFi Controller without having to spend any money.  When done correctly, the Let’s Encrypt certificate will continuously renew, and you will no longer have any security warnings in the browser bugging you about insecure HTTPS.
This article is based on my 15 Minute Hosted UniFi Controller setup, so start with that article, and then come back to this article when your UniFi Controller is up and running.  One additional step is that you need to create a DNS A Record that points to the IP address of your UniFi Controller.  Something like unifi.company.com.  That should be done first in order to ensure that DNS has time to propagate before you need to create the Let’s Encrypt certificate.
The first thing we have to do is open HTTP port 80 and HTTPS port 443 so that Let’s Encrypt can validate the domain and renew the certificate.  If anyone browses directly to those ports, they will get a connection refused response, since nothing is listening on them between renewals.
Log into your UniFi controller and run the following commands to allow those ports through the firewall:
sudo ufw allow 80/tcp

sudo ufw allow 443/tcp
Note that it would be better for security if you could lock these rules down to the FQDNs that Let’s Encrypt requests come from (outbound1.letsencrypt.org and outbound2.letsencrypt.org); however, iptables rules cannot match on an FQDN.  It *should* technically be possible to write a script that periodically resolves those FQDNs and updates the iptables rules whenever the Let’s Encrypt IP addresses change.  If anyone creates such a script, contact me and I’ll post an update!
Next, let’s install Let’s Encrypt:
sudo apt-get update

sudo apt-get install letsencrypt
Now we need to generate our certificates.
sudo letsencrypt certonly
This command will ask for your email address and FQDN, and it will also have you accept the terms of service.  When complete, you should get a message that says ‘Congratulations!  Your certificate and chain….’  This means you successfully created the certificate.
A developer named Steve Jenkins created a really great script that automates the rest of the process, making it super easy.  So, thanks to Steve; let’s download his script and modify a few settings.
sudo wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh -O /usr/local/bin/unifi_ssl_import.sh

sudo chmod +x /usr/local/bin/unifi_ssl_import.sh
Next, edit the /usr/local/bin/unifi_ssl_import.sh file that we just downloaded:
sudo nano -w /usr/local/bin/unifi_ssl_import.sh
Find the line that says ‘UNIFI_HOSTNAME’ and change it to your own FQDN:
UNIFI_HOSTNAME=unifi.company.com
Next, since we are on an Ubuntu Digital Ocean droplet instead of AWS (which the script was written for), we need to comment out the Fedora/RedHat/CentOS (AWS) lines and uncomment the Debian/Ubuntu lines:
# Uncomment following three lines for Fedora/RedHat/CentOS
#UNIFI_DIR=/opt/UniFi
#JAVA_DIR=${UNIFI_DIR}
#KEYSTORE=${UNIFI_DIR}/data/keystore

# Uncomment following three lines for Debian/Ubuntu
UNIFI_DIR=/var/lib/unifi
JAVA_DIR=/usr/lib/unifi
KEYSTORE=${UNIFI_DIR}/keystore
Next, enable Let’s Encrypt mode:
LE_MODE=yes
LE_LIVE_DIR=/etc/letsencrypt/live
Save and exit nano by doing CTRL+X followed by Y.
Finally, run the script!
sudo /usr/local/bin/unifi_ssl_import.sh
Now, this is great: if you close your browser and re-open it to https://unifi.company.com:8443, you should no longer see security warnings, and you will have a valid HTTPS certificate with a green padlock.  BUT, one caveat with Let’s Encrypt is that its certificates expire pretty quickly (every 90 days if I remember correctly), so we also want to automate renewing the certificate periodically.  To do this, we add a couple of lines to /etc/crontab, which will run these commands automatically on a schedule that we set (in this case, every 12 hours):
sudo nano -w /etc/crontab
Now, add the following two lines to the end of the file:
0 */12 * * * root letsencrypt renew
5 */12 * * * root /usr/local/bin/unifi_ssl_import.sh
Save and exit nano by doing CTRL+X followed by Y.
The first line checks for and performs the renewal every 12 hours on the hour, and the second line re-runs the UniFi import script 5 minutes later so the renewed certificate is loaded into the controller.
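Since the cron pair above runs silently, a third cron line that verifies the result is useful. The script below is an added example, not from the original post or from Steve Jenkins’ script: it reports how many days the Let’s Encrypt certificate in /etc/letsencrypt/live has left and checks that the certificate UniFi serves on port 8443 is that same certificate. It assumes GNU date (for -d) and the openssl CLI; unifi.company.com is a placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the original post or from Steve Jenkins' script:
# a cron-friendly check that the Let's Encrypt certificate in
# /etc/letsencrypt/live is not near expiry and is the one UniFi serves on :8443.
# Assumes GNU date (-d) and the openssl CLI; the hostname is a placeholder.

# days_left "notAfter=<date>" NOW_EPOCH -> whole days until expiry (negative once expired).
# The first argument is exactly what `openssl x509 -enddate -noout` prints.
days_left() {
    exp=${1#notAfter=}
    exp_epoch=$(date -u -d "$exp" +%s) || return 1
    echo $(( (exp_epoch - $2) / 86400 ))
}

# renewal_due DAYS THRESHOLD -> true when DAYS <= THRESHOLD (certbot's own cut-off is 30).
renewal_due() {
    [ "$1" -le "$2" ]
}

# served_fingerprint HOST PORT -> SHA-256 fingerprint of the certificate HOST:PORT presents
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# local_fingerprint PEM -> SHA-256 fingerprint of the on-disk certificate
local_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# check_unifi_cert HOST [PORT] -> 0 when the served cert is the live cert with >30 days
# left, 1 otherwise (a stuck 'letsencrypt renew' or a failed unifi_ssl_import.sh run).
check_unifi_cert() {
    host=$1; port=${2:-8443}
    pem="/etc/letsencrypt/live/$host/fullchain.pem"
    [ -r "$pem" ] || { echo "missing $pem" >&2; return 1; }
    days=$(days_left "$(openssl x509 -enddate -noout -in "$pem")" "$(date -u +%s)") || return 1
    echo "certificate for $host expires in $days days"
    if renewal_due "$days" 30; then
        echo "WARNING: renewal overdue, check the 'letsencrypt renew' cron line" >&2; return 1
    fi
    if [ "$(served_fingerprint "$host" "$port")" != "$(local_fingerprint "$pem")" ]; then
        echo "WARNING: UniFi on :$port is not serving the live cert; re-run unifi_ssl_import.sh" >&2
        return 1
    fi
    echo "OK: UniFi is serving the current Let's Encrypt certificate"
}

# Stand-alone use: sh check_unifi_cert.sh unifi.company.com 8443
if [ -n "${1:-}" ]; then check_unifi_cert "$1" "${2:-8443}"; fi
```

Run it from root’s crontab a few minutes after the import line (for example `10 */12 * * * root /usr/local/bin/check_unifi_cert.sh unifi.company.com`) so a silently failing renewal or import shows up in cron’s mail before the 90 days run out.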
That’s it!
