Securing Ubiquiti UniFi Cloud Key with Let’s Encrypt SSL and automatic dns-01 challenge

Let’s Encrypt is great because it is free, but it has two practical downsides: (1) certificates expire after 90 days, so renewal has to be automated, and (2) with the usual HTTP-based validation, the server being certified has to be reachable from the internet on port 80. That second point kept me from using Let’s Encrypt for internal equipment: a controller on the LAN would have to be exposed every time it renews. The dns-01 challenge removes that requirement, because domain control is proven by publishing a TXT record in public DNS instead of serving a file from the host itself.

To automate the whole process we use acme.sh, a pure-shell alternative to certbot, together with the Cloudflare DNS API, which I already use for my DNS (acme.sh supports many other DNS providers besides Cloudflare).

Install acme.sh via the online installer on the Cloud Key:

The online installer downloads the latest version, adds an alias to your shell profile and installs a daily cronjob. You can safely ignore the warning about netcat: acme.sh only needs it for the standalone HTTP challenge, which we will not use:

Close and re-open the terminal so that the alias the installer added to your profile takes effect. Then enable auto-upgrade for acme.sh; the --accountemail is the contact address registered with your Let’s Encrypt account (historically used for expiry warnings; it is not a per-renewal notification):

Create a post-hook file

To automate the certificate installation, create the file /root/.acme.sh/cloudkey-renew-hook.sh with the following content (no adjustments are needed) and make sure it is executable:

 

Using the CloudFlare DNS API

Log into your Cloudflare dashboard and copy your Global API key. Be aware that this key has full control over the whole Cloudflare account; if your acme.sh version supports it, a scoped API token with DNS edit rights on the zone (CF_Token together with CF_Account_ID) is the safer choice:

Export the following variables before the first issue; acme.sh saves them in /root/.acme.sh/account.conf (keep that file readable by root only) and reuses them for every renewal:

With acme.sh and the DNS challenge, verification is fully automated: acme.sh creates the _acme-challenge TXT record through the API, waits for it to propagate, and removes it again afterwards. Adjust the domain name in the -d option:

The command first backs up the existing SSL key and certificate, then contacts Let’s Encrypt to issue the new certificate, installs it and restarts the Cloud Key:

Finally, set the controller hostname in the UniFi settings to the same fully qualified name, so that the name your browser and devices connect to matches the certificate:

If everything went correctly, the browser shows no more SSL errors and you no longer need to worry about renewals:

 

Configuring the cronjob

Since the Let’s Encrypt certificate expires after 90 days, renewal has to run unattended. The acme.sh --cron job checks every certificate daily and renews those older than 60 days, which leaves a 30-day window to notice a failure. The installer normally adds this entry already; check with crontab -l and, if it is missing, open crontab -e and append the following to the end of the crontab:
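The following is an added example and not the post's own hook script or its acme.sh command lines (those listings did not survive on this page). It is one way to do what the steps above describe, using acme.sh's documented --install-cert/--reloadcmd deployment rather than whatever the original hook did: the hook checks that the issued chain belongs to the private key, backs up cert.tar (which holds the previous certificate and key) and the keystore, imports the new pair into the UniFi keystore, rebuilds cert.tar and restarts the services; the setup branch lists the acme.sh calls that wire it in. The certificate directory /etc/ssl/private, the keystore path and password, the service names and the hostnames are assumptions about the Cloud Key firmware and must be checked on your own unit.

```shell
#!/bin/sh
# Added example, not the post's own hook: deploys an acme.sh-issued certificate on a
# UniFi Cloud Key and lists the acme.sh commands that wire it in. Every path, service
# name and the keystore password below is an ASSUMPTION about the Cloud Key firmware.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/private}"                # assumed: nginx reads cloudkey.crt/.key here
KEYSTORE="${KEYSTORE:-$CERT_DIR/unifi.keystore.jks}"    # assumed: the controller's Java keystore
KEYSTORE_PASS="${KEYSTORE_PASS:-aircontrolenterprise}"  # assumed: UniFi's well-known default
DOMAIN="${DOMAIN:-unifi.example.com}"                   # placeholder controller hostname
ACCOUNT_EMAIL="${ACCOUNT_EMAIL:-admin@example.com}"     # placeholder Let's Encrypt contact
ACME="${ACME:-/root/.acme.sh/acme.sh}"
HOOK="${HOOK:-/root/.acme.sh/cloudkey-renew-hook.sh}"   # where this script is saved

# Keep timestamped copies of cert.tar (holds the previous cert and key) and the
# keystore before they are overwritten; prints the suffix used.
backup_existing() {
    stamp=$(date +%Y%m%d%H%M%S)
    for f in "$CERT_DIR/cert.tar" "$KEYSTORE"; do
        if [ -e "$f" ]; then cp -p "$f" "$f.$stamp.bak"; fi
    done
    echo "$stamp"
}

# Rebuild cert.tar from the live files. The Cloud Key restores CERT_DIR from this
# archive when the two differ, so a stale archive would roll the cert back on reboot.
build_cert_tar() {
    chmod 0600 "$CERT_DIR/cloudkey.key"
    set -- cloudkey.crt cloudkey.key
    if [ -e "$CERT_DIR/unifi.keystore.jks" ]; then set -- "$@" unifi.keystore.jks; fi
    (cd "$CERT_DIR" && tar -cf cert.tar "$@")
}

# Refuse to deploy a chain whose leaf does not belong to the private key.
check_pair() {
    c=$(openssl x509 -in "$CERT_DIR/cloudkey.crt" -noout -pubkey | openssl md5)
    k=$(openssl pkey -in "$CERT_DIR/cloudkey.key" -pubout | openssl md5)
    [ "$c" = "$k" ]
}

# Replace the "unifi" entry in the controller keystore with the new key and chain.
import_into_keystore() {
    p12=$(mktemp)
    openssl pkcs12 -export -inkey "$CERT_DIR/cloudkey.key" -in "$CERT_DIR/cloudkey.crt" \
        -name unifi -out "$p12" -passout "pass:$KEYSTORE_PASS"
    keytool -importkeystore -noprompt -srcalias unifi -destalias unifi \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
        -destkeystore "$KEYSTORE" -deststorepass "$KEYSTORE_PASS" -destkeypass "$KEYSTORE_PASS"
    rm -f "$p12"
}

restart_services() {
    service nginx restart   # assumed service names; `service --status-all` lists yours
    service unifi restart
}

# Runs as acme.sh's --reloadcmd, after acme.sh has written the new cloudkey.crt/.key.
finish() {
    check_pair || { echo "certificate and key do not match, aborting" >&2; exit 1; }
    backup_existing >/dev/null
    import_into_keystore
    build_cert_tar
    restart_services
}

# One-time setup, typed on the Cloud Key. acme.sh stores the Cloudflare credentials in
# ~/.acme.sh/account.conf and reuses them at every renewal. Newer acme.sh accepts a
# scoped token (CF_Token, CF_Account_ID) instead of the Global API key; prefer that.
acme_setup() {
    : "${CF_Key:?Cloudflare Global API key}" "${CF_Email:?Cloudflare login e-mail}"
    export CF_Key CF_Email
    "$ACME" --upgrade --auto-upgrade
    "$ACME" --update-account --accountemail "$ACCOUNT_EMAIL"
    "$ACME" --issue --dns dns_cf -d "$DOMAIN" --keylength 2048   # RSA; ECC would need --ecc below
    "$ACME" --install-cert -d "$DOMAIN" \
        --key-file "$CERT_DIR/cloudkey.key" \
        --fullchain-file "$CERT_DIR/cloudkey.crt" \
        --reloadcmd "$HOOK finish"
    "$ACME" --install-cronjob   # also the fix when a firmware upgrade wipes the crontab
}

case "${1:-}" in
    setup)  acme_setup ;;
    finish) finish ;;
    *)      echo "usage: $0 setup|finish" >&2 ;;
esac
```

Save it as /root/.acme.sh/cloudkey-renew-hook.sh, make it executable, export CF_Key and CF_Email and run it once with the setup argument; every later renewal triggered by the cron job runs the finish branch on its own. --keylength 2048 keeps the key type RSA so that --install-cert looks in the right place; if you issue an ECC certificate instead, add --ecc to the --install-cert call as well.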

Does it survive upgrades?

I have upgraded my UCK a number of times (currently on firmware 0.64) and only the most recent firmware upgrade reset the crontab. All other configuration stayed intact, and restoring the crontab entry above was all that was needed (acme.sh --install-cronjob re-creates the same entry).

 

If you would rather not use Let’s Encrypt, I also have a guide for installing a regular SSL certificate from RapidSSL.


  • I have a similar setup on my Cloud Key but, every time I reboot it, the controller service decides that the keystore is invalid, at which point it deletes it and generates a new one. Is this happening to you as well?

    • I have rebooted the UCK twice and it survived the reboot. As far as I understand, the contents of the folder are only replaced if the contents of /etc/ssl/private/cert.tar differ from the files in that folder.

      I will retest this over the weekend. In the worst case you could always hook /root/.acme.sh/cloudkey-renew-hook.sh into the reboot process if this is an issue. If you are not on the latest FW / Controller version, perhaps that could be the issue.

    • This weekend I reshuffled my UBNT gear and in the process rebooted switches and the UCK several times; the keystore survived all reboots.

  • Yoni C

    Hi, this worked great for the nginx portion. Thanks! The guest portal is still displaying the UBNT self-signed cert and therefore displaying insecure messages. Is there any way to point that guest portal to use this certificate as well?

    Thanks!

    • Hi – I have not used the guest portal so I don’t know. I thought this would be served via nginx as well. Perhaps this is just a hostname change wherever you configure the guest portal? The above method replaces the NGINX SSL cert, so I am a bit surprised that the guest portal would use something else. Are you sure this is not perhaps a caching issue?
