I’ve spent a lot of time scratching my head trying to get LetsEncrypt, or more accurately certbot, working with the Ubiquiti UniFi Video server, especially auto-renewing the certificate every month or so.
I found two posts on the Ubiquiti forum that were very useful:
Install certbot
You first need to install certbot for use with an unspecified webserver. Go to the certbot website for your specific OS, but for Ubuntu it’s likely to be something like this.
$ add-apt-repository ppa:certbot/certbot
$ apt-get update
$ apt-get install certbot
Issue first LetsEncrypt certificate
You need to ensure that you have a FQDN that resolves (from a public DNS server) to your server, and that port 80 is reachable on it, since certbot’s standalone mode answers the HTTP challenge itself. I’m going to use cctv.example.com.
Right, let’s issue the certificate
$ certbot certonly --standalone
You’ll now need to enter the domain name, an email address and probably agree (or not agree) to receive emails from EFF.
All going well, you should see something like
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cctv.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cctv.example.com/privkey.pem
   Your cert will expire on 2018-07-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
You now have the private key and the LetsEncrypt-signed certificate chain for your domain sitting in the /etc/letsencrypt/live/cctv.example.com directory. Unfortunately they are in the wrong format for the UniFi Video server.
Reformat and move the keys
We now need to convert the pem files to der and place them in the Unifi Video certificates directory.
- fullchain.pem >> ufv-server.cert.der
- privkey.pem >> ufv-server.key.der
This is basically just converting them from base64 encoding to binary: a PEM file is the DER bytes base64-encoded between BEGIN/END header lines, and the private key is additionally wrapped as PKCS#8, which is what UniFi Video expects.
Create a certificates directory for Unifi Video
$ mkdir /usr/lib/unifi-video/data/certificates
Reformat the keys and make the unifi-video user owner of them
$ openssl pkcs8 -topk8 -nocrypt -in /etc/letsencrypt/live/cctv.example.com/privkey.pem -outform DER -out /usr/lib/unifi-video/data/certificates/ufv-server.key.der
$ openssl x509 -outform der -in /etc/letsencrypt/live/cctv.example.com/fullchain.pem -out /usr/lib/unifi-video/data/certificates/ufv-server.cert.der
$ chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
Stop/Configure/Start the Unifi Video service
We now need to
- Stop the Unifi Video service
- Delete the self signed certificates
- Enable custom certificates
- Start the Unifi Video service
Stop the Unifi Video service and delete the self signed certificates
$ service unifi-video stop
$ rm /usr/lib/unifi-video/data/ufv-truststore
$ rm /usr/lib/unifi-video/data/keystore
$ rm /usr/lib/unifi-video/conf/evostream/server.*
Enable custom certificates
$ nano /usr/lib/unifi-video/data/system.properties

and add the line...

ufv.custom.certs.enable=true
Restart the unifi video service with
$ service unifi-video start
Congratulations, the Unifi Video server is now running on a LetsEncrypt SSL certificate, which is valid for 3 months before it expires.
All you need to do now is create a script to renew the certs and run it once a day from cron. If the certificate is renewed, you need to reprocess it and restart the Unifi Video service.
Here’s my version. Note that if the certificate is renewed, it will briefly take the Unifi Video server offline when it restarts the service.
#!/usr/bin/env bash
certFQDN=cctv.example.com
tempDir=/home/tempcert_$certFQDN

# Start from a clean scratch directory; the post-hook drops a marker file here
# only when certbot actually issued a new certificate.
rm -rf "$tempDir"
mkdir "$tempDir"
certbot certonly --standalone --quiet --non-interactive -d "$certFQDN" --post-hook "touch $tempDir/newcert"

if [ -f "$tempDir/newcert" ]
then
    # Cert was renewed, so process it: convert PEM to DER in the scratch
    # directory, then move the files into place and fix their ownership.
    openssl pkcs8 -topk8 -nocrypt -in "/etc/letsencrypt/live/$certFQDN/privkey.pem" -outform DER -out "$tempDir/ufv-server.key.der"
    openssl x509 -outform der -in "/etc/letsencrypt/live/$certFQDN/fullchain.pem" -out "$tempDir/ufv-server.cert.der"
    mv "$tempDir"/ufv-server* /usr/lib/unifi-video/data/certificates
    chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
    # UniFi Video only loads the new files after a restart; uncomment to do it
    # automatically (this briefly takes the server offline).
    #service unifi-video restart
fi

rm -rf "$tempDir"
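As an added example (not the post's own script), here is the same conversion and install procedure from the manual steps and the cron script above written as a certbot deploy hook: certbot runs scripts placed in /etc/letsencrypt/renewal-hooks/deploy/ only after a renewal actually succeeded and exports RENEWED_LINEAGE to them, so the marker-file trick is unnecessary. It also checks that the DER key really belongs to the DER certificate before installing, sets the key to mode 0600, and restarts the service only when the certificate changed. The CERT_DIR, OWNER and GROUP variables are assumptions taken from the post's paths and can be overridden.

```shell
#!/bin/sh
# Added example, not the post's own script: a certbot deploy hook for UniFi Video.
# certbot runs scripts in /etc/letsencrypt/renewal-hooks/deploy/ only after a
# successful renewal and exports RENEWED_LINEAGE, so no touch-file trick is needed.
# Paths follow the post; OWNER/GROUP/CERT_DIR are assumptions you can override.
set -eu

CERT_DIR=${CERT_DIR:-/usr/lib/unifi-video/data/certificates}
OWNER=${OWNER:-unifi-video}
GROUP=${GROUP:-unifi-video}

# Convert the PEM lineage ($1) to the DER files UniFi Video expects, into $2.
# Note: openssl x509 keeps only the first certificate (the leaf) of fullchain.pem.
convert_to_der() {
    openssl pkcs8 -topk8 -nocrypt -in "$1/privkey.pem" -outform DER \
        -out "$2/ufv-server.key.der"
    openssl x509 -in "$1/fullchain.pem" -outform DER -out "$2/ufv-server.cert.der"
}

# Refuse to install a key that does not belong to the certificate: both
# commands print the public key in PEM form, so a mismatch shows up as a diff.
key_matches_cert() {
    k=$(openssl pkey -inform DER -in "$1/ufv-server.key.der" -pubout)
    c=$(openssl x509 -inform DER -in "$1/ufv-server.cert.der" -pubkey -noout)
    [ "$k" = "$c" ]
}

# Copy staged files ($1) into $2 with tight permissions. Returns 0 when the
# certificate actually changed (service restart needed), 1 when it is unchanged.
install_if_changed() {
    if cmp -s "$1/ufv-server.cert.der" "$2/ufv-server.cert.der" 2>/dev/null; then
        return 1
    fi
    install -d -o "$OWNER" -g "$GROUP" -m 0750 "$2"
    install -o "$OWNER" -g "$GROUP" -m 0600 "$1/ufv-server.key.der" "$2/ufv-server.key.der"
    install -o "$OWNER" -g "$GROUP" -m 0644 "$1/ufv-server.cert.der" "$2/ufv-server.cert.der"
}

main() {
    staging=$(mktemp -d)
    trap 'rm -rf "$staging"' EXIT
    convert_to_der "$RENEWED_LINEAGE" "$staging"
    key_matches_cert "$staging" || { echo "key/cert mismatch, not installing" >&2; exit 1; }
    if install_if_changed "$staging" "$CERT_DIR"; then
        service unifi-video restart
    fi
}
# RENEWED_LINEAGE is only set when certbot invokes the hook after a real renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Because openssl x509 writes only the first certificate, the DER file holds the leaf without the intermediate, exactly as the post's manual command does; if a client reports an incomplete chain, that is the reason.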
Great stuff!
One error – you’ve left “cctv.[censored].co.nz ” in there, I edited it to “-d $certFQDN”
Thanks 🙂
Thanks Andy. I’ve updated the post
Could you please elaborate a little more on how to automate it?
You have a script, but how to deploy it correctly?
Thanks in advance!
Thanks mate! Worked like a charm!
I think there are a few issues with this:
1) The correct location for the certs (per your links) is: /usr/lib/unifi-video/data/certificates (you are switching between /usr/lib and /var/lib throughout your examples).
2) In the reformat and move keys section, you are outputting the keys to /usr/lib…..(which is correct), but you are changing the ownership on /var/lib…(which is not correct)
3) In your “automate all the things” section, you are NOT using the same path as your manual steps. i.e. your automation is putting the files at /var/lib (which is not correct) instead of /usr/lib. (and is again setting the owner of /var/lib instead of /usr/lib)
The example from their forums that you used as an example is from Dec 2017, but in May 2018 they changed the paths. You referenced 2 links on the unifi site but one of the links uses out of date paths (which has been reproduced here)
Thanks, the post has been updated
Why did you comment out this? “#service unifi-video restart”