Do you want your UniFi controller to have a Let's Encrypt Certificate, automate it, and not have to open it up to the internet? Here's how!
Note for Cloud Key Gen1: You will have to run a few extra commands before following this guide, located here on the Ubiquiti forums.
To do this, I used acme.sh to get the certificate automated.
First, SSH into your UniFi controller and become root:
Next, install acme.sh:
curl https://get.acme.sh | sh
Now, in order to use acme.sh, you'll either need to exit and re-ssh in to your server, or open bash again. I prefer to just open bash again, so type:
Next, import your DNS API keys into acme.sh. I used Cloudflare, so I used these:
export CF_Key="YOUR_API_KEY"
export CF_Email="YOUR_EMAIL"
Replace YOUR_API_KEY with your Cloudflare API key, and YOUR_EMAIL with your Cloudflare account's email. If you're using something other than Cloudflare for your DNS, you can read about other DNS integrations here.
Next, get a certificate for your UniFi controller. Note: If you're using something other than Cloudflare for your DNS, use the name as shown in the DNS integration link above.
acme.sh --issue --dns dns_cf -d unifi.yourdomain.com
Once you do that, it's highly recommended to install the certificate somewhere, rather than leaving it in /root. I put mine in /etc/unifi/ssl, although you can pick anywhere.
I created the folder:
mkdir -p /etc/unifi/ssl
Then, I made the script that UniFi needs to import the certificate. Note: Make sure you're in the /root directory, or change the acme install command (shown later) to where your script's directory is.
Next, download the script and make it so you can run it:
wget https://gist.githubusercontent.com/PigsOne/66efdd598a044169dc6d79868bdf9ced/raw/unificert.sh
chmod +x unificert.sh
Run this command to install the certificate and reload it:
acme.sh --install-cert -d unifi.yourdomain.com \
  --key-file /etc/unifi/ssl/key.pem \
  --fullchain-file /etc/unifi/ssl/fullchain.pem \
  --reloadcmd "/root/unificert.sh"
Make sure you change yourdomain.com to your domain.
Once you do this, it should install your certificate and reload UniFi. If everything goes properly, you should have a valid Let's Encrypt certificate for your UniFi controller, and it should automatically renew.
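To confirm the result of the steps above, the following check inspects the files written by the install command: key permissions, key/certificate match, hostname and remaining validity. It is an added example, not part of the original guide or of acme.sh; the function name check_unifi_cert and the 7-day default are assumptions, and it needs only openssl.

```shell
#!/bin/sh
# Added example: post-install check for the files written by --install-cert.
# The function name and the 7-day default threshold are assumptions.

# check_unifi_cert DIR DOMAIN [MIN_DAYS]
# Returns 0 when every check passes, otherwise the number of failed checks.
check_unifi_cert() {
    dir=$1 domain=$2 min_days=${3:-7}
    key="$dir/key.pem" chain="$dir/fullchain.pem"
    fails=0

    for f in "$key" "$chain"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done

    # 1. The private key must not be accessible to group or others.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is group/world accessible (fix: chmod 600)" >&2
        fails=$((fails + 1))
    fi

    # 2. The leaf certificate (first in fullchain.pem) and the key must
    #    carry the same public key.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: key.pem does not match fullchain.pem" >&2
        fails=$((fails + 1))
    fi

    # 3. The certificate must be valid for the controller's hostname.
    if ! openssl x509 -in "$chain" -noout -checkhost "$domain" 2>/dev/null |
            grep -q "does match certificate"; then
        echo "FAIL: certificate is not valid for $domain" >&2
        fails=$((fails + 1))
    fi

    # 4. The certificate must remain valid for MIN_DAYS more days; a failure
    #    here means the automatic renewal has stopped working.
    if ! openssl x509 -in "$chain" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $min_days days" >&2
        fails=$((fails + 1))
    fi

    return "$fails"
}
```

Run it as `check_unifi_cert /etc/unifi/ssl unifi.yourdomain.com` after the install step, or from cron so a stalled renewal is noticed before the certificate expires.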