I recently took the plunge and upgraded my trusty Ubiquiti EdgeRouter 12, a product line Ubiquiti no longer seems to advertise or support, to the more fully featured Unifi DreamMachine Pro, which also takes over controller and NVR duties from my CloudKey Gen 2+. I've been very happy with the upgrade. One thing I was waiting for, and happy to see, was the ability to set up and manage these devices entirely without a Unifi account. There have been too many security incidents with Unifi's hosted solutions for me to be comfortable using them, so a requirement for me was entirely offline management.
Since this was a big change in my Unifi controller setup, I needed to revisit the SSL configuration so that I don't have to remember IP addresses and can keep browsers (as well as the Unifi apps) happy. Like everything else on my network, I wanted this to use Let's Encrypt. Unifi OS does not support the ACME protocol, so it cannot fetch the certificates itself, and it all falls back to my favourite client, acme.sh.
Prerequisites
- A Linux machine with acme.sh installed
- SSH keys for your DreamMachine Pro
- A supported external DNS provider (I use Route 53)
Fetch the certificate
I'm using the domain unifi.aramsay.co.nz to host my controller. We need to fetch a certificate with that name, using the DNS-01 challenge with acme.sh:
export AWS_ACCESS_KEY_ID="<key id>"
export AWS_SECRET_ACCESS_KEY="<secret>"

acme.sh --issue --dns dns_aws -d unifi.aramsay.co.nz
Deploy the certificate
Make sure the DNS for the domain (i.e. unifi.aramsay.co.nz) is pointed at the local IP address of the DreamMachine Pro.
Now that we have a certificate that will automatically renew every 60 days, it's time to get it onto the DreamMachine Pro. We're going to use the SSH deploy hook from acme.sh for this:
export DEPLOY_SSH_USER="root"
export DEPLOY_SSH_SERVER="unifi.aramsay.co.nz"
export DEPLOY_SSH_KEYFILE="/data/unifi-core/config/unifi-core.key"
export DEPLOY_SSH_FULLCHAIN="/data/unifi-core/config/unifi-core.crt"
export DEPLOY_SSH_REMOTE_CMD="service unifi-core restart"
export DEPLOY_SSH_MULTI_CALL="yes"

acme.sh --deploy -d unifi.aramsay.co.nz --deploy-hook ssh
This will copy the certificates into the correct path (/data/unifi-core/config) and restart the unifi-core service.
Now when you visit the domain, you should see a valid SSL connection with no warnings 🎉
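Because the deploy hook and the unifi-core restart run unattended every renewal, it is worth having a check that confirms the DreamMachine Pro really serves the Let's Encrypt certificate rather than falling back to its self-signed one. The script below is an added example (not part of the original post); it assumes Unifi OS serves its UI on port 443 and treats fewer than 30 days of validity as a failed renewal or deploy, since acme.sh renews at 60 days.

```python
"""Post-deploy check: does the DreamMachine Pro actually serve the Let's Encrypt
certificate that acme.sh pushed? Added example, not from the original post."""
import socket
import ssl
import time

HOST = "unifi.aramsay.co.nz"   # controller name from the post
PORT = 443                     # assumption: Unifi OS serves its UI on 443
MIN_DAYS = 30                  # assumption: acme.sh renews at 60 days, so <30 means renew/deploy broke
EXPECTED_ISSUER = "Let's Encrypt"


def parse_cert_time(s):
    """Epoch seconds for a getpeercert() time string such as 'Jun 10 12:00:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(s)


def fetch_peer_cert(host=HOST, port=PORT):
    """TLS-connect with full verification and return getpeercert(). If unifi-core is
    still serving its factory self-signed cert this raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_cert(cert, host=HOST, min_days=MIN_DAYS, now=None):
    """Return a list of problems with the served certificate; [] means all good."""
    problems = []
    sans = sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    if host not in sans:
        problems.append(f"{host} not in SAN {sans}")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != EXPECTED_ISSUER:
        problems.append(f"unexpected issuer {issuer.get('organizationName')!r}")
    now = time.time() if now is None else now
    days_left = int((parse_cert_time(cert["notAfter"]) - now) // 86400)
    if days_left < min_days:
        problems.append(f"expires in {days_left} days")
    return problems


# Constructed sample in getpeercert() shape, for offline testing only.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", HOST),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    found = check_cert(fetch_peer_cert())
    print("OK" if not found else "\n".join(found))
```

Run it from cron on the same machine that runs acme.sh, after the renewal window, and alert on any non-empty result.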