Posts Setting up a Unifi Cloud Key with a valid SSL cert
Post
Cancel

Setting up a Unifi Cloud Key with a valid SSL cert

So I recently moved from a self-hosted unifi controller to a unifi cloud key gen2. https://eu.store.ui.com/collections/unifi-accessories-cloud-key/products/unifi-cloud-key-gen2 I wanted to be able to access it locally though over https with a valid cert. It turns out the cloudkey just runs a basic debian strech install with standard apt commands! So heres how I made that happpen.

Pre-requisites:

  • unifi cloud key
  • A domain with cloudflare DNS setup & API keys setup

First steps.

  • Make sure the Cloud Key is upto date.
  • Enable SSH on the cloud key.
  • A subdomain setup with an A record of your local cloud key IP
  • Open an SSH session to the cloudkey. “root” is the username plus the password you setup in the cloudkey gui

Install certbot with cloudflare dns extension

apt update
apt install python3-certbot-dns-cloudflare

Create secrets dirs

mkdir ~/.secrets/
mkdir ~/.secrets/certbot

Create secrets file with your cloudflare api keys

vi ~/.secrets/certbot/cloudflare.ini

Example Content

1
2
3
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = you@example.com
dns_cloudflare_api_key = wen_lambo?wen_moon?

Secure permissions on cloudflare creds (stops warnings in certbot output)

chmod 600 ~/.secrets/certbot/cloudflare.ini

Time to request the cert!

certbot certonly   --dns-cloudflare   --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d fqdn_of_your_cloudkey.example.com

Assuming that went well (read the output and debug if needed) move ahead to configure the cloudkey to use the key. Note the path of the cert and key from certbots output

cd /data/unifi-core/config/
cp unifi-core.crt unifi-core.crt.bk
cp unifi-core.key unifi-core.key.bk
rm unifi-core.crt
rm unifi-core.key
ln -s /etc/letsencrypt/live/fqdn_of_your_cloudkey.example.com/cert.pem unifi-core.crt # Your paths will be slightly different depending on your domain
ln -s /etc/letsencrypt/live/fqdn_of_your_cloudkey.example.com/privkey.pem unifi-core.key # Your paths will be slightly different depending on your domain
service unifi-core restart

Add the following to your root user crontab file (use crontab -e)

1
41 2 * * * certbot renew --post-hook "service unifi-core restart"

Now you should be able to access your cloudkey locally via fqdn_of_your_cloudkey.example.com with a valid cert!

This post is licensed under CC BY 4.0 by the author.

-

-

Trending Tags