Securing UniFi Cloud Key with SSL certificate from RapidSSL
During the installation of my new Ubiquiti UniFi home-network I noticed that the Cloud Key management console uses a self-signed certificate which annoyed me for days:
There is no support for Let’s Encrypt nor does Ubiquiti have a knowledge base article explaining how to install a proper certificate and their support forums are filled with the same questions. When I asked Ubiquiti support via ticket to assist I was pointed to some arbitrary 3rd party blog-post which provided instructions for installing SSL on the UniFi Cloud Controller hosted on AWS, but did not provide any information on how to install a SSL certificate onto the UniFi Cloud Key.
If you prefer Let’s Encrypt and you have a Cloudflare account you should try: UniFi SSL Cloud Key installation with Let’s Encrypt.
The Cloud Key allows SFTP access as well as SSH-access. Before you continue with this guide, make a backup of the current certificate configuration. To be really safe, make a copy of /etc/ssl/private to your local computer.
After you have backed up the Cloud Key directory, delete it’s content:
rm -f /etc/ssl/private/*
Create the CSR – Certificate Signing Request
First we generate a new private key:
openssl genrsa -out /etc/ssl/private/cloudkey.key 2048
Then create the CSR:
openssl req -new -batch \ -subj "/C=ZA/ST=Gauteng/L=Johannesburg/O=Naschenweng.info/OU=UniFi/CN=unifi.naschenweng.info/[email protected]" \ -key /etc/ssl/private/cloudkey.key \ -out /etc/ssl/private/cloudkey.csr
The only relevant section is the “CN=” (common name) part, which should be the website name of your Cloud Key (with SSL you will address a website via a domain name instead of an IP).
Request the SSL Certificate and install the certificate
I use CheapSSLShop as it provides RapidSSL DV SSL certificates for about USD 8 / per year. Any SSL provider will operate in a similar fashion, where you need a CSR to issue the SSL certificate:
With RapidSSL you will receive an email which includes the certificate which you copy into /etc/ssl/private/cloudkey.crt:
It is important to have a line-feed after the “—-END CERTIFICATE—” section.
Copy the RapidSSL intermediate SSL certificate to the Cloud Key directory and you will have something like this:
The next step is to generate a PKCS12 file from your certificate, private key and intermediate RapidSSL file:
openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey /etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 -name unifi -CAfile /etc/ssl/private/rapidssl.crt -caname root -password pass:aircontrolenterprise
We then import the PKCS12 file into the Cloud Key keystore:
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
Now we adjust the permissions and delete files which we do not need:
rm /etc/ssl/private/cloudkey.csr rm /etc/ssl/private/rapidssl.crt rm /etc/ssl/private/cloudkey.p12 tar -cvf cert.tar * chown root:ssl-cert /etc/ssl/private/* chmod 640 /etc/ssl/private/*
If everything was done correctly, you can verify your certificate via nginx:
[email protected]:/etc/ssl/private# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
If the above command nginx -t throws an error you have probably applied the wrong intermediate certificate or forgot that line-break in your CRT.
As the last step, you restart NGINX and the Unifi Controller:
/etc/init.d/nginx restart ; /etc/init.d/unifi restart
Finally, adjust your controller’s hostname:
The above commands will take a few seconds for NGINX and UniFi to restart and you will then have a beautiful green addressbar: