UniFi Controller Keystore

From MattWiki
Note: This page was written with UniFi Controller version 5.6.12 in mind, and may not work correctly with other versions.

Creating a New Letsencrypt Certificate

Note: This page was written with Ubuntu 16.04 LTS in mind, and may not work correctly with other versions or distributions.

We will generate a new Let's Encrypt certificate and then import it into the UniFi keystore. First we need to create the certificate.

Setting up your Server

First you need to install nginx and letsencrypt.

apt update; apt install nginx letsencrypt

After nginx has been installed, set up a site that the letsencrypt client can use to answer the HTTP-01 validation challenge: Let's Encrypt fetches a file under /.well-known/acme-challenge/ from this site over plain HTTP on port 80.

Add the following server block to nginx's configuration. It has to sit inside the http { } block, so either place it there in /etc/nginx/nginx.conf or, the way the Ubuntu package expects, put it in its own file under /etc/nginx/sites-available/ and symlink that file into /etc/nginx/sites-enabled/.

    server {
        listen 80;
        listen [::]:80;
        server_name unifi.example.com;
        root /var/www/unifi.example.com;
        index index.html;

        location '/.well-known/acme-challenge' {
            default_type "text/plain";
        }
    }

Next, create your new sites root directory.

mkdir -p /var/www/unifi.example.com

Then check the configuration (nginx -t reports syntax errors without touching the running server) and restart nginx. Leave this site in place afterwards: every renewal goes through the same validation, so port 80 must keep serving the webroot.

service nginx restart

Creating the Certificate

To create the certificate, run the command below, replacing unifi.example.com with the DNS name of the UniFi Controller. That name must resolve to this server from the internet, because Let's Encrypt validates it by fetching the challenge file from the webroot configured above.

letsencrypt certonly --webroot -w /var/www/unifi.example.com -d unifi.example.com

This will create /etc/letsencrypt/live/unifi.example.com/ containing privkey.pem, cert.pem, chain.pem and fullchain.pem. These are symlinks to the current versions under /etc/letsencrypt/archive/, which is what lets a renewal swap in new files without changing the paths used below.

Creating the keystore from your new certificate

Export the newly created certificate and its private key into a PKCS#12 file that keytool can read. Use fullchain.pem rather than cert.pem so the Let's Encrypt intermediate ends up in the keystore as well; otherwise clients that do not already have that intermediate cached still see a chain error. The alias must be unifi and the password must be aircontrolenterprise: that is the well-known default password the controller opens its keystore with, so a keystore built with any other password is simply not loaded. The password is therefore not a secret; what needs protecting is the file that holds the private key.
echo aircontrolenterprise | openssl pkcs12 -export -inkey /etc/letsencrypt/live/unifi.example.com/privkey.pem -in /etc/letsencrypt/live/unifi.example.com/fullchain.pem -name unifi -out /etc/letsencrypt/live/unifi.example.com/keys.p12 -password stdin
Convert the exported PKCS#12 file into UniFi's Java keystore. On the Ubuntu package /usr/lib/unifi/data is a symlink to /var/lib/unifi, so this is the same file the update script further down writes as /var/lib/unifi/keystore. The existing keystore already contains the controller's self-signed entry under the alias unifi, so back it up and answer y when keytool asks whether to overwrite that entry (or remove the keystore first, as the update script does).
keytool -importkeystore -srckeystore /etc/letsencrypt/live/unifi.example.com/keys.p12 -srcstoretype pkcs12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -deststorepass aircontrolenterprise
The controller runs as the unifi user and the keystore now contains the private key, so make sure the file is owned by unifi and not readable by other users, and delete keys.p12 once the import has succeeded.
Once complete, restart the UniFi Controller so it loads the new keystore.
service unifi restart
You should now be able to reach the controller's web UI (port 8443) without the HTTPS warning.

Updating a Keystore

A Let's Encrypt certificate is valid for 90 days, and letsencrypt renew only renews a certificate that is within 30 days of expiry, so a renewal is due roughly every 60 days. Renewing the certificate does not touch the keystore: the controller keeps serving the old certificate until the steps below are repeated, and once it expires the web UI is only reachable through a browser warning. Automate the whole sequence (the update script further down does this) rather than relying on remembering it. The manual steps are:

Manually Updating a Keystore
First renew the letsencrypt certificate. This is a no-op unless a certificate is within 30 days of expiry, in which case nothing below needs to change either.
letsencrypt renew
Assuming that finished successfully, export the renewed certificate (with its chain) and key into PKCS#12 form. The password is again UniFi's default keystore password and the alias must stay unifi.
echo aircontrolenterprise | openssl pkcs12 -export -inkey /etc/letsencrypt/live/unifi.example.com/privkey.pem -in /etc/letsencrypt/live/unifi.example.com/fullchain.pem -name unifi -out /etc/letsencrypt/live/unifi.example.com/keys.p12 -password stdin
Import the exported file into UniFi's keystore, answering y when keytool asks to overwrite the existing unifi entry. The destination is the same file as /var/lib/unifi/keystore, which /usr/lib/unifi/data links to.
keytool -importkeystore -srckeystore /etc/letsencrypt/live/unifi.example.com/keys.p12 -srcstoretype pkcs12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -deststorepass aircontrolenterprise
Check that the keystore is still owned by unifi and not world-readable, delete keys.p12, and restart the UniFi Controller so it picks up the new keystore.
service unifi restart
You should once again be able to reach the controller's web UI without the HTTPS warning.
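The following check script is an added example; it is not from the original page and not Ubiquiti's code. It covers both the initial import above and every renewal: it confirms that the keystore holds the current Let's Encrypt certificate under the unifi alias, that the running controller actually serves that same certificate (a forgotten restart is the usual way these two drift apart), and that the certificate is not within 30 days of expiry, which would mean the renewal itself is failing. It assumes the paths and the default keystore password used on this page, a controller listening on port 8443 on the local host, and openssl, keytool and awk on the PATH.

```shell
#!/bin/sh
# Post-install / post-renewal checks for the UniFi keystore (added example).
# Assumed layout: the Ubuntu package paths used on this page.
DOMAIN="${DOMAIN:-unifi.example.com}"
LIVE="/etc/letsencrypt/live/${DOMAIN}"
KEYSTORE="${KEYSTORE:-/var/lib/unifi/keystore}"
STOREPASS='aircontrolenterprise'   # UniFi's well-known default keystore password
UNIFI_PORT="${UNIFI_PORT:-8443}"   # controller HTTPS port (assumed default)

# SHA-256 fingerprint (colon-separated upper-case hex) of the first cert in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when two PEM files contain the same leaf certificate.
certs_match() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Succeeds when the certificate in $1 expires within $2 days.
# openssl -checkend exits 0 only if the cert is still valid after that many seconds.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Fingerprint of the leaf certificate stored under the 'unifi' alias.
# keytool -list -v prints the chain leaf first, so the first SHA256: line is the leaf.
keystore_fingerprint() {
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias unifi \
        | awk -F': ' '/SHA256:/ { print $2; exit }'
}

# Write the certificate the running controller serves to the file named in $1.
fetch_served_cert() {
    openssl s_client -connect "127.0.0.1:${UNIFI_PORT}" -servername "$DOMAIN" \
        </dev/null 2>/dev/null | openssl x509 > "$1"
}

# Lineage cert == keystore cert == served cert, and not about to expire.
check_controller() {
    want="$(cert_fingerprint "${LIVE}/cert.pem")"
    have="$(keystore_fingerprint)"
    if [ "$want" != "$have" ]; then
        echo "keystore 'unifi' entry differs from ${LIVE}/cert.pem: re-run the import"
        return 1
    fi
    served="$(mktemp)"
    fetch_served_cert "$served"
    if ! certs_match "$served" "${LIVE}/cert.pem"; then
        rm -f "$served"
        echo "controller on port ${UNIFI_PORT} still serves an old certificate: restart unifi"
        return 1
    fi
    rm -f "$served"
    if cert_expires_within "${LIVE}/cert.pem" 30; then
        echo "certificate expires within 30 days and has not been renewed: check 'letsencrypt renew'"
        return 1
    fi
    echo "OK: controller serves the current ${DOMAIN} certificate"
}

# Only run the checks when invoked as 'check', so the functions can also be sourced.
if [ "${1:-}" = "check" ]; then
    check_controller
fi
```

Run it as root (the keystore is readable only by the unifi user and root) with sh unifi-cert-check.sh check, for example from a daily cron entry after the update script; it exits non-zero with a one-line reason on any mismatch, which is what a cron mail or a monitoring hook should key on.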

UniFi Keystore Letsencrypt Update Script

Note: This page was written with Ubuntu 16.04 LTS in mind, and may not work correctly with other versions or distributions.

This small script renews the certificate and, when the certificate has changed, rebuilds the controller's keystore from it and restarts the controller. Run it as root from cron; daily is fine, since letsencrypt renew only acts when a renewal is actually due and the keystore is only rebuilt when the certificate is newer than it.

#!/bin/sh

#########################################################
# A small script to update the UniFi keystore file from #
# a letsencrypt auto-generated certificate.             #
#########################################################

DOMAIN='unifi.example.com'
LIVE="/etc/letsencrypt/live/${DOMAIN}"
KEYSTORE='/var/lib/unifi/keystore'
# UniFi opens its keystore with this well-known default password
# and expects the certificate under the alias 'unifi'.
STOREPASS='aircontrolenterprise'

# Update the letsencrypt cert (only renews when within 30 days of expiry)
/usr/bin/letsencrypt renew

# Rebuild the keystore only when the certificate is newer than it
if [ "${LIVE}/fullchain.pem" -nt "${KEYSTORE}" ]; then
  echo "Updating UniFi Cert"

  # Build the new keystore next to the live one and swap it in at the end,
  # so a failed export or import never leaves the controller without one.
  P12="$(mktemp /var/lib/unifi/keys.p12.XXXXXX)"
  NEWKS="${KEYSTORE}.new"
  rm -f "${NEWKS}"

  # Export key + full chain (leaf and intermediate) to PKCS#12
  echo "${STOREPASS}" | /usr/bin/openssl pkcs12 -export \
    -inkey "${LIVE}/privkey.pem" -in "${LIVE}/fullchain.pem" \
    -name unifi -out "${P12}" -password stdin || { rm -f "${P12}"; exit 1; }

  # Convert the PKCS#12 file to UniFi's keystore format
  /usr/bin/keytool -importkeystore -noprompt \
    -srckeystore "${P12}" -srcstoretype pkcs12 -srcstorepass "${STOREPASS}" \
    -destkeystore "${NEWKS}" -deststorepass "${STOREPASS}" \
    || { rm -f "${P12}" "${NEWKS}"; exit 1; }
  rm -f "${P12}"

  # The controller runs as 'unifi' and the keystore holds the private key,
  # so let nobody else read it. Then replace the old keystore atomically.
  chown unifi:unifi "${NEWKS}"
  chmod 0600 "${NEWKS}"
  mv -f "${NEWKS}" "${KEYSTORE}"

  # Restart the UniFi Controller so it loads the new keystore
  /usr/sbin/service unifi restart
fi