UniFi Controller on Linux with CA certificates

The subject of SSL certificates with UniFi has spawned many threads within the UBNT Community.

_.-=%> UniFi Linux Setup with CA SSL Cert <%=-._

The distribution of Linux that I am using is Ubuntu 15.04 with ONLY SSH server selected during the installation.  I have also put a static IP address on the server, and only forwarded the appropriate ports through to the server as this will be a centralized UniFi server for about 20 locations.

I know you can add repositories and do apt-get, so read that I understand that before commenting to tell me that.

Log into your Ubuntu server and run:

wget https://www.ubnt.com/downloads/unifi/4.6.6/unifi_sysvinit_all.deb

Once that completes:

sudo dpkg -i unifi_sysvinit_all.deb

It will try to install and throw some errors about dependencies.  Do this:

sudo apt-get -f install

This will install all the dependencies.  Then:

sudo dpkg -i unifi_sysvinit_all.deb

Once this is done you could browse to https://ip-or-fqdn-of-this-server:8443 and walk through the install.

OR

You can get a CSR (I used ssls.com and got the $5/year SSL cert), get a cert issued, and install the cert:

From the command line:

cd /usr/lib/unifi

sudo java -jar lib/ace.jar new_cert unifi.mydomain.dom "My Company Name" City State CC

(CC = 2-letter country code)

You will enter your password and then it will create your CSR in /var/lib/unifi.

Do:  more /var/lib/unifi/unifi_certificate.csr.pem

Copy and paste the CSR into your SSL provider’s website to request the certificate.  Get your certificate issued (I would tell them I am using Apache so they issue all the certs you will need).

Once you get your certificate and all the intermediate certs (if required), copy all the .crt files to /usr/lib/unifi and then (in my case):

sudo java -jar lib/ace.jar import_cert unifi_mydomain_org.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt

Put in your password again and you will see (after a few other lines):

Certificates successfuly imported. Please restart the UniFi Controller.

Run:  sudo service unifi restart

You can now load up the UniFi site and it should be using the CA issued cert instead of the self-signed.
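
A pre-flight check that can be run before the import_cert step, added here as an example (it is not part of the original post and not a UniFi tool): it confirms that the issued certificate carries the key from the CSR in /var/lib/unifi, that the files are listed in issuing order as in the import_cert command above, and that the signatures verify up to the root. The function name check_chain is made up for this example; it assumes openssl is installed and that all files are PEM-encoded.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: check_chain CSR SERVER_CERT [INTERMEDIATE...] ROOT
# Returns 0 if OK, 1 key mismatch, 2 wrong order, 3 signature failure.
check_chain() {
    [ "$#" -ge 3 ] || { echo "usage: check_chain CSR CERT [INTERMEDIATE...] ROOT" >&2; return 64; }
    csr=$1; leaf=$2; shift 2

    # 1. The issued certificate must carry the public key from the CSR that
    #    new_cert produced; otherwise it cannot pair with the key already
    #    held by the controller.
    csr_key=$(openssl req -in "$csr" -noout -pubkey) || return 1
    crt_key=$(openssl x509 -in "$leaf" -noout -pubkey) || return 1
    [ "$csr_key" = "$crt_key" ] || { echo "key mismatch: $leaf was not issued for $csr" >&2; return 1; }

    # 2. Each file must be issued by the next file on the command line.
    untrusted=$(mktemp) || return 70
    prev=$leaf
    for next in "$@"; do
        cat "$prev" >> "$untrusted"   # collect everything below the root
        if [ "$(openssl x509 -in "$prev" -noout -issuer_hash)" != \
             "$(openssl x509 -in "$next" -noout -subject_hash)" ]; then
            echo "out of order: $prev is not issued by $next" >&2
            rm -f "$untrusted"; return 2
        fi
        prev=$next
    done

    # 3. The last file is treated as the trust anchor; the signatures on the
    #    server certificate and intermediates must verify up to it.
    if openssl verify -CAfile "$prev" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1; then
        rc=0
    else
        echo "signature verification failed up to $prev" >&2; rc=3
    fi
    rm -f "$untrusted"
    return "$rc"
}

# With the file names from this post (run from /usr/lib/unifi):
# check_chain /var/lib/unifi/unifi_certificate.csr.pem unifi_mydomain_org.crt \
#     COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt \
#     AddTrustExternalCARoot.crt
```

A non-zero return means the files should be fixed or reordered before running import_cert.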