Securing Ubiquiti UniFi Cloud Key with Let’s Encrypt SSL and automatic dns-01 challenge

Let’s Encrypt is great because it is free, but it also has downsides: (1) certificates need to be renewed every 90 days and (2) your internal servers need to be accessible for the validation. I was reluctant to use Let’s Encrypt for my internal equipment as this would mean that, during renewal, the server needs to be addressable/reachable from the outside.

To automate the whole Let’s Encrypt process we will use acme.sh, an alternative to certbot, together with the dns-01 challenge: the proof of domain control is a DNS TXT record that acme.sh creates through the DNS provider’s API, so the Cloud Key never has to be reachable from the internet. I will rely on my CloudFlare account, which I already use for DNS (acme.sh supports a number of other DNS providers as well).

Install acme.sh via the online installer on the Cloud Key:

The online installer will download the latest version and also install a cronjob. You can safely ignore the warning about netcat, as we will use another method for the verification:

Close the terminal and open it again. We will also enable auto-upgrade for acme.sh (the address given with --accountemail is used for Let’s Encrypt email notifications about certificate renewals):

Create a post-hook file

To automate the certificate installation, create the file /root/.acme.sh/cloudkey-renew-hook.sh – no adjustments are needed:

 

Using the CloudFlare DNS API

Log into your CloudFlare console and get the Global API key:

Going forward, the following exports give acme.sh access to the DNS API:

With acme.sh and the DNS challenge, the verification itself is automated. As before, replace the domain name given with the -d option:

The above command first backs up the existing SSL keys, then contacts Let’s Encrypt to issue the new certificate, installs it and restarts the Cloud Key:

Finally, adjust your controller’s hostname:

If everything is done correctly, your browser will show no more SSL errors and you will not have to worry about renewing certificates:

 

Configuring the cronjob

Since the Let’s Encrypt certificate needs to be renewed every 3 months, you need to configure the auto-renew via a cronjob: run crontab -e and append the following line to the end of the crontab:

Does it survive upgrades?

I have upgraded my UCK a number of times (currently on 0.64) and only with the most recent firmware upgrade was the crontab reset. All other configuration remained intact and it was as simple as restoring the crontab entry above.
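The browser check earlier confirms that the first installation worked; the reset crontab just described is the failure mode that matters afterwards, because renewal then stops silently and nothing complains until the certificate actually expires. As an added example (not from the article), here is a small shell watchdog that verifies the installed certificate and key belong together and that the certificate is still valid for a minimum number of days, logging to syslog otherwise. It assumes the Cloud Key's /etc/ssl/private/cloudkey.crt and cloudkey.key paths, and served_cert_info assumes the controller listens on port 8443.

```shell
#!/bin/sh
# Added example (not part of the article): post-install checks for the Cloud Key's
# certificate plus a watchdog that can run from cron. Assumed Cloud Key paths:
# /etc/ssl/private/cloudkey.crt and cloudkey.key; assumed controller port 8443.
set -eu

CERT="${CERT:-/etc/ssl/private/cloudkey.crt}"
KEY="${KEY:-/etc/ssl/private/cloudkey.key}"

log() { logger -t cloudkey-cert "$*" 2>/dev/null || echo "cloudkey-cert: $*" >&2; }

# Exit 0 only if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Exit 0 only if the public key inside certificate $1 is the one belonging to key $2
# (catches a hook that copied a new cert but kept an old key, or vice versa).
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1")
    k=$(openssl pkey -pubout -in "$2")
    [ "$c" = "$k" ]
}

# Prints subject, issuer and expiry of the certificate a host actually serves.
# Network call; use it after the restart to confirm the controller picked up the new cert.
served_cert_info() {
    printf '' | openssl s_client -connect "$1:${2:-8443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

# Watchdog: 0 when everything is fine, 1 plus a syslog line otherwise. acme.sh renews
# at 60 days, so fewer than 14 days left means renewal (or the hook) has been failing
# for about a month, e.g. because the crontab was wiped by a firmware upgrade.
watchdog() {
    days="${1:-14}"
    if ! cert_matches_key "$CERT" "$KEY"; then
        log "certificate and key in /etc/ssl/private do not match"; return 1
    fi
    if ! cert_valid_for_days "$CERT" "$days"; then
        log "certificate expires in under $days days; check the acme.sh cron entry"; return 1
    fi
    return 0
}

# Usage: sh cloudkey-cert-check.sh check [days]
if [ "${1:-}" = check ]; then watchdog "${2:-14}"; fi
```

Add a line such as `0 8 * * * sh /root/cloudkey-cert-check.sh check 14` next to the acme.sh entry in the crontab, or run it by hand after every firmware upgrade: a non-zero exit and a syslog entry is the signal that the renewal cron needs restoring, well before the browser starts showing certificate errors again.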

 

If you feel uncomfortable using Let’s Encrypt, I also have a guide for installing a regular SSL certificate with RapidSSL available.

 
