{"id":174,"date":"2019-04-03T17:28:01","date_gmt":"2019-04-03T17:28:01","guid":{"rendered":"http:\/\/www.scheh.com\/?p=174"},"modified":"2021-07-27T12:29:22","modified_gmt":"2021-07-27T17:29:22","slug":"reblog-of-securing-ubiquiti-unifi-cloud-key-with-lets-encrypt-ssl-and-automatic-dns-01-challenge","status":"publish","type":"post","link":"https:\/\/www.scheh.com\/index.php\/2019\/04\/03\/reblog-of-securing-ubiquiti-unifi-cloud-key-with-lets-encrypt-ssl-and-automatic-dns-01-challenge\/","title":{"rendered":"Reblog of Securing Ubiquiti UniFi Cloud Key with Let\u2019s Encrypt SSL and automatic dns-01 challenge"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

<\/p>\n

The following was lifted from here:
https:\/\/www.naschenweng.info\/2017\/01\/06\/securing-ubiquiti-unifi-cloud-key-encrypt-automatic-dns-01-challenge\/<\/a><\/p>\n

<\/p>\n

<\/p>\n

I’m reposting it so i have easy access to it. This is not my work, nor did I have anything to do with it.<\/p>\n

<\/p>\n

<\/p>\n

curl https:\/\/get.acme.sh | sh<\/pre>\n
<\/p>\n
<\/p>\n
Exit the terminal and re-open it again. We will also enable auto-upgrade for acme.sh\u00a0(the \u2013accountemail\u00a0will be used for Let\u2019s Encrypt email notifications when certs are renewed):<\/p>\n
<\/p>\n
<\/p>\n
acme.sh --upgrade --auto-upgrade --accountemail \"mynotifaction@email.com\"  <\/pre>\n
OR<\/p>\n
acme.sh --register-account -m mynotifaction@email.com<\/pre>\n
<\/p>\n
<\/p>\n
Cloud Key Gen 1 \/ Linux Only<\/h3>\n
To automate the certificate installation, create the file\u00a0\/root\/.acme.sh\/cloudkey-renew-hook.sh<\/strong><\/em>\u00a0\u2013 no adjustments are needed:<\/p>\n
nano \/root\/.acme.sh\/cloudkey-renew-hook.sh<\/pre>\n
<\/p>\n
<\/p>\n
#!\/bin\/bash
# Renew-hook for ACME \/ Let's encrypt
echo \"** Configuring new Let's Encrypt certs\"
cd \/etc\/ssl\/private
rm -f \/etc\/ssl\/private\/cert.tar \/etc\/ssl\/private\/unifi.keystore.jks \/etc\/ssl\/private\/ssl-cert-snakeoil.key \/etc\/ssl\/private\/fullchain.pem

openssl pkcs12 -export -in \/etc\/ssl\/private\/cloudkey.crt -inkey \/etc\/ssl\/private\/cloudkey.key -out \/etc\/ssl\/private\/cloudkey.p12 -name unifi -password pass:aircontrolenterprise<\/span>

keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore \/usr\/lib\/unifi\/data\/keystore -srckeystore \/etc\/ssl\/private\/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi<\/span>

rm -f \/etc\/ssl\/private\/cloudkey.p12<\/span>

tar -cvf cert.tar *
chown root:ssl-cert \/etc\/ssl\/private\/*
chmod 640 \/etc\/ssl\/private\/*
echo \"** Testing Nginx and restarting\"
\/usr\/sbin\/nginx -t
\/etc\/init.d\/nginx restart ; \/etc\/init.d\/unifi restart<\/pre>\n
DNS API Instructions<\/h3>\n
https:\/\/github.com\/acmesh-official\/acme.sh\/wiki\/dnsapi<\/a><\/p>\n
<\/p>\n
<\/p>\n
Use something similar to the 2 lines below to export your Key and Email \/ Secret according to your DNS provider and the instructions above.<\/p>\n
export CF_Key=\"YOUR-CLOUDFLARE-API-KEY\"
export CF_Email=\"YOUR-CLOUDFLARE-EMAIL\"<\/pre>\n
Use the following commands to issue your certificate according to your device type.<\/p>\n
Cloud Key Gen 1 \/ Linux<\/h3>\n
acme.sh --force --issue --dns dns_cf -d unifi.naschenweng.info --pre-hook \"touch \/etc\/ssl\/private\/cert.tar; tar -zcvf \/root\/.acme.sh\/CloudKeySSL_`date +%Y-%m-%d_%H.%M.%S`.tgz \/etc\/ssl\/private\/*\" --fullchainpath \/etc\/ssl\/private\/cloudkey.crt --keypath \/etc\/ssl\/private\/cloudkey.key --reloadcmd \"sh \/root\/.acme.sh\/cloudkey-renew-hook.sh\"<\/pre>\n
\u00a0<\/p>\n
Cloud Key Gen 2<\/span><\/h3>\n
acme.sh --force --issue --dns dns_cf -d unifi.home.jamesridgway.co.uk --pre-hook \"tar -zcvf \/root\/.acme.sh\/CloudKeySSL_`date +%Y-%m-%d_%H.%M.%S`.tgz \/data\/unifi-core\/config\/unifi-core.*\" --fullchainpath \/data\/unifi-core\/config\/unifi-core.crt --keypath \/data\/unifi-core\/config\/unifi-core.key --reloadcmd \"systemctl restart unifi-core.service\"<\/code><\/pre>\n
<\/p>\n
<\/p>\n
Since the Let\u2019s Encrypt certificate needs to be renewed every 3 months, you need to configure the auto-renew via a cronjob through\u00a0crontab -e<\/em>\u00a0and append\u00a0the following to the end of the crontab:<\/p>\n
Cloud Key Gen 1 \/ Linux Install<\/h3>\n
<\/p>\n
<\/p>\n
# minute hour dayofmonth month dayofweek commandto run\n0 0 * * * \"\/root\/.acme.sh\"\/acme.sh --cron --home \"\/root\/.acme.sh\/\" >> \/var\/log\/letsencrypt.log<\/pre>\n
\u00a0<\/p>\n
Cloud Key Gen 2<\/span><\/h3>\n
# minute hour dayofmonth month dayofweek commandto run
0 0 * * * \/root\/.acme.sh\/acme.sh --renew -d unifi.home.jamesridgway.co.uk --pre-hook \"tar -zcvf \/root\/.acme.sh\/CloudKeySSL_`date +%Y-%m-%d_%H.%M.%S`.tgz \/data\/unifi-core\/config\/unifi-core.*\" --fullchainpath \/data\/unifi-core\/config\/unifi-core.crt --keypath \/data\/unifi-core\/config\/unifi-core.key --reloadcmd \"systemctl restart unifi-core.service\"<\/code><\/pre>\n
<\/code><\/p>\n
<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"
The following was lifted from here: https:\/\/www.naschenweng.info\/2017\/01\/06\/securing-ubiquiti-unifi-cloud-key-encrypt-automatic-dns-01-challenge\/ I’m reposting it so i have easy access to it. This is not my work, nor did I have anything to do with it. curl https:\/\/get.acme.sh | sh Exit the terminal and re-open it again. We will also enable auto-upgrade for acme.sh\u00a0(the \u2013accountemail\u00a0will be used for Let\u2019s Encrypt […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-174","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p3eyIP-2O","_links":{"self":[{"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/posts\/174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/comments?post=174"}],"version-history":[{"count":27,"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/posts\/174\/revisions"}],"predecessor-version":[{"id":730,"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/posts\/174\/revisions\/730"}],"wp:attachment":[{"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/media?parent=174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/categories?post=174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.scheh.com\/index.php\/wp-json\/wp\/v2\/tags?post=174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}