unifi-letsencrypt-cloudflare
This script is to update your Unifi controller with a legitimate certificate from letsencrypt so that you can put your controller behind Cloudflare teams/argo tunnel. No matter what I did to try and get cloudflared to use a self-signed cert, it would never work. The benefit of using DNS-based authentication for Lets encrypt is your host doesn't have to be exposed to the internet for you to get your certificate. In my situation, my controller is behind a Cloudflare tunnel, thus isn't not accessible/routable to get a certificate via the standard way via a temporary host on port 80.
Requirements
- Unifi controller docker container - I use this one from @jacobalberty
- A Cloudflare account for your domain that you wish to get a cert from (you'll need to get an API key as well). You will need to make sure your API key has edit permissions to your DNS zone.
- certbot utility.
Optional
Put your Unifi controller behind an argo tunnel. You can read about how to do this here. I also have a docker container for cloudflared that can help with this.
Installation
- Edit cert.sh to add the data directory for your Unifi data files (where your keystore file is for certificates)
- Create your cloudflare.ini file to authenticate to add the dns records for your request.
- Update your unifi docker name
Usage
To request a new certificate or process a renewal if due. You can run this from cron once a week and it will only update unifi if the cert has changed.
sudo ./cert.sh -e email@mydomain.com -d unifi.mydomain.com
To update an already existing certificate into Unifi.
sudo ./cert.sh -i -d unifi.mydomain.com
Inspired by Brielle's unifi update script.