Unifi/Controller/keystore

From MattWiki
Note: This page was written with UniFi Controller version 5.6.12 in mind, and may not work correctly with other versions.

Creating a New Letsencrypt Certificate

Note: This page was written with Ubuntu 16.04 LTS in mind, and may not work correctly with other versions or distributions.

We will generate a new letsencrypt certificate and then import it into the UniFi keystore. First we need to create the certificate.

Setting up your Server

First you need to install nginx and letsencrypt.

apt update; apt install nginx letsencrypt

After Nginx has been installed, you will need to set up a site that the letsencrypt service can reach over HTTP to validate your certificate.

Add the following server block near the bottom of your /etc/nginx/nginx.conf file (it must sit inside the http block).

<syntaxhighlight lang="nginx">

   server {
       listen 80;
       listen [::]:80;
       server_name unifi.example.com;
       root /var/www/unifi.example.com;
       index index.html;
       location '/.well-known/acme-challenge' {
           default_type "text/plain";
       }
   }

</syntaxhighlight>

Next, create your new site's root directory.

mkdir -p /var/www/unifi.example.com

Then restart nginx so it picks up the new site.

service nginx restart

Creating the Certificate

To create a new letsencrypt certificate, run the following command, replacing unifi.example.com with the domain name of the UniFi Controller you wish to create the certificate for.

letsencrypt certonly --webroot -w /var/www/unifi.example.com -d unifi.example.com

This will create a new folder at /etc/letsencrypt/live/unifi.example.com/ containing the key and certificate files.

Creating the keystore from your new certificate

Export the newly created letsencrypt certificate into a format that keystore can understand (PKCS#12). The password piped in on stdin protects only this intermediate file.

<syntaxhighlight lang="shell">
echo 2413FB3709B05939F | openssl pkcs12 -export -inkey /etc/letsencrypt/live/unifi.example.com/privkey.pem -in /etc/letsencrypt/live/unifi.example.com/cert.pem -name unifi -out /etc/letsencrypt/live/unifi.example.com/keys.p12 -password stdin
</syntaxhighlight>

Convert the newly exported certificate into UniFi's keystore format. The destination store password must be UniFi's fixed keystore password, aircontrolenterprise (the same value the update script further down uses); the source store password is the one you gave the PKCS#12 export above.

<syntaxhighlight lang="shell">
keytool -importkeystore -srckeystore /etc/letsencrypt/live/unifi.example.com/keys.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise -srcstorepass 2413FB3709B05939F
</syntaxhighlight>

Once complete, you need to restart the UniFi Controller.

<syntaxhighlight lang="shell">
service unifi restart
</syntaxhighlight>

You should now be able to access your controller's website without the https error.

Updating a Keystore

A letsencrypt certificate expires every 3 months, and may be renewed from 2 months after it was issued. You therefore need to automate the renewal process to guarantee that the site stays accessible. Below are the steps to renew a certificate and update the keystore by hand; in practice you should set up an automated script (see the update script section below) to do this for you.

Manually Updating a Keystore

First, renew the letsencrypt certificate.

<syntaxhighlight lang="shell">
letsencrypt renew
</syntaxhighlight>

Assuming that finished successfully, export the letsencrypt certificate into the PKCS#12 format.

<syntaxhighlight lang="shell">
echo 2413FB3709B05939F | openssl pkcs12 -export -inkey /etc/letsencrypt/live/unifi.example.com/privkey.pem -in /etc/letsencrypt/live/unifi.example.com/cert.pem -name unifi -out /etc/letsencrypt/live/unifi.example.com/keys.p12 -password stdin
</syntaxhighlight>

Convert the newly exported certificate into UniFi's keystore format. As before, the destination store password is UniFi's fixed keystore password, aircontrolenterprise, and the source store password is the one used for the PKCS#12 export.

<syntaxhighlight lang="shell">
keytool -importkeystore -srckeystore /etc/letsencrypt/live/unifi.example.com/keys.p12 -srcstoretype pkcs12 -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise -srcstorepass 2413FB3709B05939F
</syntaxhighlight>

Once complete, you need to restart the UniFi Controller.

<syntaxhighlight lang="shell">
service unifi restart
</syntaxhighlight>

You should now, once again, be able to access your controller's website without the https error.

UniFi Keystore Letsencrypt Update Script

Note: This page was written with Ubuntu 16.04 LTS in mind, and may not work correctly with other versions or distributions.

This small script renews the letsencrypt certificate and, if it changed, rebuilds the UniFi Controller keystore from it and restarts the controller. Run it from cron (for example daily) as root.

<syntaxhighlight lang="sh">
#!/bin/sh
# A small script to update the UniFi keystore file from a
# letsencrypt auto-generated certificate.

DOMAIN='unifi.example.com'

# Update the letsencrypt cert (a no-op until the renewal window opens)
/usr/bin/letsencrypt renew

# Only rebuild the keystore if the certificate is newer than it
if [ /etc/letsencrypt/live/${DOMAIN}/cert.pem -nt /var/lib/unifi/keystore ]; then
    echo "Updating UniFi Cert"
    rm -f /var/lib/unifi/keystore /etc/letsencrypt/live/${DOMAIN}/keys.p12
    # Export the newly created Letsencrypt Cert to PKCS#12
    echo aircontrolenterprise | /usr/bin/openssl pkcs12 -export -inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem -in /etc/letsencrypt/live/${DOMAIN}/cert.pem -name unifi -out /etc/letsencrypt/live/${DOMAIN}/keys.p12 -password stdin
    # Convert the PKCS#12 file to UniFi's keystore format; aircontrolenterprise is
    # UniFi's fixed keystore password, and "y" answers keytool's overwrite prompt
    echo y | /usr/bin/keytool -importkeystore -srckeystore /etc/letsencrypt/live/${DOMAIN}/keys.p12 -srcstoretype pkcs12 -destkeystore /var/lib/unifi/keystore -storepass aircontrolenterprise -srcstorepass aircontrolenterprise
    # Restart the UniFi Controller so it loads the new keystore
    /usr/sbin/service unifi restart
fi
</syntaxhighlight>
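A hardened variant of the update script above (and of the manual export/import steps), added here as an example and not part of the wiki's own script: it imports fullchain.pem so the intermediate is included, keeps the PKCS#12 password in a mode-0600 temporary file instead of on the command line, and builds the new keystore beside the old one so a failed import never leaves the controller without a keystore. It assumes the page's letsencrypt paths, UniFi's fixed keystore password aircontrolenterprise, a keytool that accepts the ":file" password modifier (JDK 8 and later) and a controller service running as user unifi.

```shell
#!/bin/sh
# Added example, not the wiki's script. Assumes the page's letsencrypt
# paths, UniFi's fixed keystore password "aircontrolenterprise", a JDK 8+
# keytool (":file" password modifier) and a service running as user unifi.
set -eu

DOMAIN="${DOMAIN:-unifi.example.com}"
LIVE="/etc/letsencrypt/live/${DOMAIN}"
KEYSTORE="${KEYSTORE:-/var/lib/unifi/keystore}"

# True (0) when the renewed cert is newer than the keystore or the keystore
# is missing; false (1) when nothing changed or there is no cert at all.
cert_is_newer() {
    [ -f "$1" ] || return 1
    [ -f "$2" ] || return 0
    [ "$1" -nt "$2" ]
}

# Export fullchain.pem (leaf + intermediate) to PKCS#12 with a one-time
# password held in a 0600 file, so no secret appears in "ps" output.
import_cert() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    umask 077
    openssl rand -hex 16 > "$tmp/p12pass"
    openssl pkcs12 -export -name unifi \
        -inkey "$LIVE/privkey.pem" -in "$LIVE/fullchain.pem" \
        -out "$tmp/keys.p12" -passout "file:$tmp/p12pass"
    # Build the new keystore beside the old one and swap it in atomically,
    # so a failed import never leaves the controller without a keystore.
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp/keys.p12" -srcstoretype pkcs12 \
        -srcstorepass:file "$tmp/p12pass" \
        -destkeystore "$KEYSTORE.new" -deststoretype jks \
        -deststorepass aircontrolenterprise
    chown unifi:unifi "$KEYSTORE.new"   # assumption: controller runs as unifi
    chmod 600 "$KEYSTORE.new"
    mv -f "$KEYSTORE.new" "$KEYSTORE"
}

main() {
    letsencrypt renew
    if cert_is_newer "$LIVE/cert.pem" "$KEYSTORE"; then
        import_cert
        service unifi restart
    fi
}

# Only act when invoked as "unifi-renew.sh run"; sourcing it just loads the functions.
if [ "${1:-}" = run ]; then main; fi
```

Because the renewal is a no-op until the certificate enters its renewal window, the script is safe to run from cron every day.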