
Securing Ubiquiti UniFi Cloud Key with Let’s Encrypt SSL and automatic dns-01 challenge with Cloudflare

I was trying to find out how to use a Let’s Encrypt certificate to secure an internal UniFi controller. Google gave me a link to the following excellent blog post, which describes how to use an automatic dns-01 challenge to request and renew the certificate from Let’s Encrypt:
https://www.naschenweng.info/2017/01/06/securing-ubiquiti-unifi-cloud-key-encrypt-automatic-dns-01-challenge/

Follow these steps to configure an SSL/TLS certificate for your internal UniFi controller, including automatic renewal of the certificate using Let’s Encrypt and Cloudflare DNS:

1. Log in as root on your controller.

2. Install acme.sh via the online installer:
curl https://get.acme.sh | sh

3. Log out and log in again so that the shell picks up the acme.sh alias and environment the installer added to your profile.

4. Enable auto-upgrade and register your account e-mail (Let’s Encrypt sends expiry warnings to it); remember to change the address before executing the command:
acme.sh --upgrade --auto-upgrade --accountemail "mynotifaction@example.com"

5. Create the file /root/.acme.sh/cloudkey-renew-hook.sh. acme.sh will run it after every successful issue or renewal (see the --reloadcmd parameter in step 8), so it must be able to run unattended:
#!/bin/bash
# Renew-hook for ACME / Let's Encrypt: run by acme.sh (--reloadcmd) once the new
# certificate and key have been written to /etc/ssl/private.
echo "** Configuring new Let's Encrypt certs"
cd /etc/ssl/private
# Remove the old bundle, the stock self-signed key and stale copies.
rm -f /etc/ssl/private/cert.tar /etc/ssl/private/unifi.keystore.jks /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/fullchain.pem

# Bundle certificate chain and key into a PKCS#12 file. "aircontrolenterprise" is the
# default password of the UniFi controller keystore, so the same value is used throughout.
openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey /etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 -name unifi -password pass:aircontrolenterprise

# Replace the "unifi" entry in the controller's Java keystore with the new one.
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise

keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi

rm -f /etc/ssl/private/cloudkey.p12
# Rebuild cert.tar (the bundle the Cloud Key keeps its certificate files in) and tighten permissions.
tar -cvf cert.tar *
chown root:root /etc/ssl/private/*
chmod 640 /etc/ssl/private/*

echo "** Testing Nginx and restarting"
/usr/sbin/nginx -t
/etc/init.d/nginx restart ; /etc/init.d/unifi restart

6. Log in to your Cloudflare account and copy the Global API Key. Be aware that this key gives full access to the whole Cloudflare account; newer acme.sh versions also accept a scoped API token (CF_Token together with CF_Account_ID, and optionally CF_Zone_ID) that is limited to editing DNS records of the zone, which is the safer choice if your acme.sh version supports it.

7. Export the credentials for the Cloudflare DNS API. They only need to be exported once: after the first successful issue, acme.sh saves them in /root/.acme.sh/account.conf and reuses them for renewals, so protect that file accordingly:
export CF_Key="YOUR-CLOUDFLARE-API-KEY"
export CF_Email="YOUR-CLOUDFLARE-EMAIL"

8. Now it is time to get the new certificate. The following command will back up your existing certificate files, contact Let’s Encrypt to issue the new certificate via the dns-01 challenge on Cloudflare, install the certificate and restart the controller. acme.sh stores the pre-hook and reloadcmd together with the domain, so the backup and the hook script are run again at every automatic renewal. Remember to change the hostname in the parameter -d before running the command:
acme.sh --force --issue --dns dns_cf -d unifi.example.com --pre-hook "touch /etc/ssl/private/cert.tar; tar -zcvf /root/.acme.sh/CloudKeySSL_`date +%Y-%m-%d_%H.%M.%S`.tgz /etc/ssl/private/*" --fullchainpath /etc/ssl/private/cloudkey.crt --keypath /etc/ssl/private/cloudkey.key --reloadcmd "sh /root/.acme.sh/cloudkey-renew-hook.sh"

9. Log in to the controller’s web interface and ensure that the controller hostname is set to the same name you used with -d; the certificate only covers that name, so clients must reach the controller through it.

10. Verify that a cron job has been configured to enable automatic renewal of the certificate (acme.sh installs it for root during installation):
crontab -l
The line for acme.sh should look like the one below; acme.sh checks daily and only renews when the certificate is due (60 days after issue by default):
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh/" >> /var/log/letsencrypt.log
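Once the certificate is installed, it is worth checking that the hook in step 5 really did what it should, both right after step 8 and after the first automatic renewal. The script below is an added example for this post, not the original author’s or acme.sh’s code. It assumes the paths from step 8 (/etc/ssl/private/cloudkey.crt and /etc/ssl/private/cloudkey.key), that nginx serves port 443 and the UniFi controller port 8443, and that the openssl CLI is available on the Cloud Key; the script name unifi-cert-check.sh is made up. It verifies that the certificate lists the controller hostname in its subjectAltName, that the private key matches the certificate, that the certificate is not within 30 days of expiry (which would mean the cron job is not renewing), shows what the hostname resolves to, and compares the certificate actually served on both ports with the installed file.

```shell
#!/bin/bash
# unifi-cert-check.sh (added example; not from the original post or from acme.sh)
# Post-renewal sanity checks for the Let's Encrypt certificate installed by the
# renew hook. Assumptions: cert/key paths as written by acme.sh in step 8,
# nginx on 443, UniFi controller on 8443, openssl CLI present.

# Returns 0 if the certificate's public key matches the private key (RSA or EC).
cert_key_match() {
    crt=$1; key=$2
    a=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) || return 1
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Returns 0 if the certificate expires within N days, or cannot be read (fail safe).
cert_expires_within_days() {
    crt=$1; days=$2
    if openssl x509 -noout -checkend $((days * 86400)) -in "$crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 if HOST appears as a DNS entry in the certificate's subjectAltName.
cert_san_contains() {
    crt=$1; host=$2
    pat=$(printf '%s' "$host" | sed 's/\./\\./g')
    openssl x509 -noout -text -in "$crt" 2>/dev/null | grep -Eq "DNS:${pat}(,|[[:space:]]|$)"
}

# SHA-256 fingerprint of a PEM certificate file (AA:BB:... form).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS endpoint actually serves.
served_fingerprint() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

main() {
    host=$1
    crt=${2:-/etc/ssl/private/cloudkey.crt}
    key=${3:-/etc/ssl/private/cloudkey.key}
    rc=0

    if cert_san_contains "$crt" "$host"; then echo "ok:   $crt covers $host"
    else echo "FAIL: $crt does not list $host in subjectAltName"; rc=1; fi

    if cert_key_match "$crt" "$key"; then echo "ok:   $key matches $crt"
    else echo "FAIL: $key does not match $crt"; rc=1; fi

    if cert_expires_within_days "$crt" 30; then
        echo "WARN: $crt expires within 30 days; check the acme.sh cron job"; rc=1
    else echo "ok:   $crt is valid for more than 30 days"; fi

    # The name must resolve to the controller's private address for internal clients.
    echo "info: $host resolves to $(getent hosts "$host" | awk '{print $1}' | tr '\n' ' ')"

    local_fp=$(cert_fingerprint "$crt")
    for port in 443 8443; do
        remote_fp=$(served_fingerprint "$host" "$port") || true
        if [ -n "$remote_fp" ] && [ "$remote_fp" = "$local_fp" ]; then
            echo "ok:   $host:$port serves the installed certificate"
        else
            echo "FAIL: $host:$port serves ${remote_fp:-nothing}, expected $local_fp"; rc=1
        fi
    done
    return $rc
}

# Usage: ./unifi-cert-check.sh unifi.example.com [cert.pem] [key.pem]
if [ -n "${1:-}" ]; then
    main "$@"
fi
```

Run it as root with the hostname you used in -d, e.g. ./unifi-cert-check.sh unifi.example.com. A non-zero exit means one of the checks failed, so it can also be appended to the reloadcmd or run from a separate cron entry to catch a renewal whose hook did not take effect (for example because the keystore import failed and the controller kept its old self-signed certificate).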

via Securing Ubiquiti UniFi Cloud Key with Let’s Encrypt SSL and automatic dns-01 challenge | naschenweng.info


2 Replies to “Securing Ubiquiti UniFi Cloud Key with Let’s Encrypt SSL and automatic dns-01 challenge with Cloudflare”

  1. Thank you for these instructions. I was able to load the SSL cert, but my problem is that the private IP is still not responding to that SSL. Only when I access the public IP does it work. Can you help me please?


    1. This sounds like a DNS-related problem. The hostname that you use must resolve to the private IP address. Either you use a unique hostname in your domain that resolves to the private IP, or you have to configure your local caching DNS server to resolve the hostname to the private IP address.
