Do you want your UniFi controller to have a Let's Encrypt Certificate, automate it, and not have to open it up to the internet? Here's how!

Note for Cloud Key Gen1: you will have to run a few extra commands before following this guide; they are posted here on the Ubiquiti forums.


To do this, I used acme.sh to get the certificate automated.

First, SSH into your UniFi controller and become root:

sudo -i

Next, install acme.sh:

curl https://get.acme.sh | sh

Now, in order to use acme.sh, you'll need to either log out and SSH back into your server, or start a new bash shell so the acme.sh alias it just added to your profile gets loaded. I prefer to just open bash again, so type:

bash

Next, export your DNS API credentials so acme.sh can use them. I used Cloudflare, so I used these:

export CF_Key="YOUR_API_KEY"
export CF_Email="YOUR_EMAIL"

Replace YOUR_API_KEY with your Cloudflare Global API Key, and YOUR_EMAIL with your Cloudflare account's email. (CF_Key is the account-wide Global API Key; acme.sh's dns_cf module also accepts a scoped API token via CF_Token, which limits what a leaked credential on the controller could do.) If you're using something other than Cloudflare for your DNS, you can read about the other DNS integrations here.

Next, get a certificate for your UniFi controller. Note: if you're using something other than Cloudflare for your DNS, replace dns_cf with the provider name shown in the DNS integration link above.

acme.sh --issue --dns dns_cf -d unifi.yourdomain.com

Once you do that, it's highly recommended to install the certificate somewhere sensible rather than leaving it in /root. I put mine in /etc/unifi/ssl, although you can pick anywhere.

I created the folder:

mkdir -p /etc/unifi/ssl

Then, I made the script UniFi needs to import the certificate. Note: make sure you're in /root when you download it, or change the path in the acme.sh --install-cert command (shown later) to wherever you put the script.

Next, download the script and make it so you can run it:

wget https://gist.githubusercontent.com/PigsOne/66efdd598a044169dc6d79868bdf9ced/raw/unificert.sh
chmod +x unificert.sh

Run this command to install the certificate and reload it:

acme.sh --install-cert -d unifi.yourdomain.com \
--key-file /etc/unifi/ssl/key.pem \
--fullchain-file /etc/unifi/ssl/fullchain.pem \
--reloadcmd "/root/unificert.sh"

Make sure you change yourdomain.com to your domain.

Once you do this, it should install your certificate and reload UniFi. If everything goes properly, you should have a valid Let's Encrypt certificate for your UniFi controller, and it should automatically renew.
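For reference, here is an added example of what the reload script behind --reloadcmd can look like; it is not the gist this guide downloads, just a script in the same spirit that bundles the key and full chain and imports them into the UniFi Java keystore, refusing to touch the keystore when the key and certificate do not belong together. The keystore path, its stock password and the service name are assumptions about a standard UniFi install; the PEM paths are the ones from this guide. With this version, --reloadcmd would be "/root/unificert.sh install".

```bash
#!/bin/sh
# Added example reload script (not the gist from the post). Assumed about a
# stock UniFi install: keystore path, its default password, and the service
# name. Key/chain paths are the ones used in this guide; override via env.
set -eu

KEY_FILE="${KEY_FILE:-/etc/unifi/ssl/key.pem}"
CHAIN_FILE="${CHAIN_FILE:-/etc/unifi/ssl/fullchain.pem}"
KEYSTORE="${KEYSTORE:-/var/lib/unifi/keystore}"
KEYSTORE_PASS="${KEYSTORE_PASS:-aircontrolenterprise}"   # UniFi's stock keystore password

# Succeed only when the private key and the leaf certificate share a public key.
# Refusing a mismatched or missing pair stops a bad renewal from breaking the keystore.
pair_matches() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

install_unifi_cert() {
  if ! pair_matches "$KEY_FILE" "$CHAIN_FILE"; then
    echo "key and certificate do not match; keystore left untouched" >&2
    return 1
  fi
  umask 077                          # the PKCS#12 bundle holds the private key
  p12=$(mktemp)
  # Bundle key + full chain under the alias UniFi reads ("unifi").
  openssl pkcs12 -export -in "$CHAIN_FILE" -inkey "$KEY_FILE" \
    -out "$p12" -name unifi -password "pass:$KEYSTORE_PASS"
  cp -p "$KEYSTORE" "$KEYSTORE.bak"  # keep the old keystore for rollback
  # -noprompt overwrites the existing "unifi" entry rather than asking.
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
    -destkeystore "$KEYSTORE" -deststorepass "$KEYSTORE_PASS" -alias unifi
  rm -f "$p12"
  service unifi restart
}

# Only act when invoked as "unificert.sh install" (what --reloadcmd runs),
# so the functions above can be sourced and checked without touching UniFi.
case "${1:-}" in
  install) install_unifi_cert ;;
esac
```

If the import fails, restore /var/lib/unifi/keystore from the .bak copy and restart the service again.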


Credit: thanks to this helpful post for the commands to install the certificate into UniFi, this post for the Cloud Key specific commands, and kjrm on the Ubiquiti forums for informing me about this.