- #UNIFI CONTROLLER SSL CERTIFICATE HOW TO#
- #UNIFI CONTROLLER SSL CERTIFICATE INSTALL#
- #UNIFI CONTROLLER SSL CERTIFICATE UPDATE#
- #UNIFI CONTROLLER SSL CERTIFICATE SOFTWARE#
Now on the Unifi controller machine, need to copy the new keystore file to the correct location.
Oops, I forgot that I didn't have SSH running on the controller, so needed to install that on the Ubuntu machine.
Using PuTTY PSFTP, upload the keystore file to a known location on the Unifi controller machine.
When prompted, enter the same password for the keystore, aircontrolenterprise.
Go to File, Save As, and save the keystore file with the name keystore.
When prompted for a password, enter aircontrolenterprise.
Provide decryption password and click Import.
Click Browse, locate the PFX file for the wildcard certificate.
From Tools menu choose Import Key Pair - PKCS #12.
Go to File - New and choose JKS for the type of keystore.
Once updated, launch Keystore Explorer and create a new empty keystore.
Run Keystore Explorer as administrator, then follow the prompts to complete the update.
I find it slightly annoying having to add ':8443' onto the URL. I came up with a quite nifty solution: a DNAT rule on my home router.
I'm running the Unifi controller software on an Ubuntu machine, and wanted to replace the self-signed certificate with my own wildcard cert.
Redirecting from port 443-to-8443 with NAT
This checks/renews the certificate, on the hour, every 12 hours, then 5 minutes later, imports the certificate into the unifi key store.
However, we can use a cron job to check and renew the certificate.
LetsEncrypt certificates are only valid for 90 days.
Now if all has gone well, try and your browser should connect without warning and have a green padlock in the address bar.
    LE_MODE=yes
Finally we run Steve's script:
    sudo /usr/local/bin/unifi_ssl_import.sh
    # Uncomment following three lines for Debian/Ubuntu
Next we download and modify unifi_ssl_import.sh:
    sudo wget -O
    sudo chmod +x /usr/local/bin/unifi_ssl_import.sh
First we define our controller's fully qualified domain name:
    UNIFI_HOSTNAME=
By default, the script is for Fedora/RedHat and needs to be changed because I'm on Ubuntu:
    # Uncomment following three lines for Fedora/RedHat/CentOS
Generate our certificate with Let's Encrypt:
    sudo letsencrypt
The rest is pretty easy, as a developer named Steve Jenkins has authored a script to automate the whole process.
Next we install letsencrypt:
    sudo apt
    sudo apt install letsencrypt
At this point, I recommend doing a backup/snapshot of your controller instance.
This is Amazon specific; in most other cases, you'll need to add an iptables rule.
My controller is hosted on an Ubuntu EC2 instance, so the first thing I needed to do was edit its security group to open port 443 and 80.
It's also just better practice and looks more professional.
For this to work, you must have a domain name pointing to your controller (you can't get SSL certs for IPs) and your controller server must have port 443 and 80 open and unused (during the renewal).
The immediate advantage of this is that your browser will stop complaining that "Your connection is not secure" when you connect to the controller, and having a CA-signed certificate provides additional security against man-in-the-middle attacks by proving the authenticity of the controller.
In this tutorial, we will learn how to replace the self-signed SSL certificate provided with the Unifi controller with a free trusted certificate from Let's Encrypt.