Import existing SSL certificate into UniFi Controller on Docker

This is a question that has appeared many times in the UniFi forums, but despite having read multiple posts and tried many solutions, I am still stuck. I also asked on their forum, but I didn’t get an answer, so I wanted to try my luck here.

Summary: I want to import my SSL certificates generated with linuxserver/swag into the UniFi controller running on linuxserver/unifi-controller. However, it always uses the default self-signed root certificate instead of the ones that I save in the keystore.

I have tried to import my .pfx certificate file, as well as a few variants (see below). However, when I restart the Docker container, it still uses the “self-signed” certificate instead of the certificates I am trying to upload. In general, I do not need to generate my certificates, or even the P12 file; I have those. I would just need to import them. In most cases, I was able to successfully create the keystore; the system is just not using the certificates.

How do I import my existing pfx certificate (or pem certificates)?

SETUP

My setup is like this:

Domain

  • I have my own domain. Cloudflare is my DNS provider.
  • Domain directs to my public IP, updated using DDNS.
  • My router does port forwarding where required, and I have a few services running fine like this including UniFi Controller.

Certificates

  • I use Let’s Encrypt with the DNS challenge to generate a domain and wildcard certificate.
  • I automate this using linuxserver/swag Docker container which spits out: cert.pem, chain.pem, fullchain.pem, priv-fullchain-bundle.pem, privkey.pem, privkey.pfx
  • I use these SSL certificates for most of my services without issues. I want to use them in my controller too.

UniFi Controller

  • Controller installed on Docker on Synology NAS. Image is: linuxserver/unifi-controller

IMPORTING CERTIFICATES

I have tried several methods:

  1. I tried importing the pfx directly using keytool -importkeystore and my PFX file.
  2. I tried creating a P12 file using openssl pkcs12 with my privkey.pem and fullchain.pem; or in some cases adding cert.pem
  3. Listing (keytool -list) would work with both the pfx, and the p12. The information shows the right certificate (for my domain).
  4. I tried creating the keystore as pkcs12 as well as the default JKS.
  5. I tried using lib/ace.jar to import_cert, but in most cases, it wouldn’t import my certificates.

You can see some of the tests on the git script.

In the examples, you will see I tried using /var/lib/unifi as well as /usr/lib/unifi/data.

With the exception of lib/ace.jar, I always succeed in creating the keystore or importing the certificates. However, when I restart the Docker container, the system does not use these certificates.


RESOURCES
I’ve been researching quite a bit on the topic. Since I am limited to two links, you can check the resources on the UniFi post if relevant/interested.

Just reverse proxy it. The unifi-controller proxy conf is built in.


https://docs.linuxserver.io/general/swag

@aptalca I am considering that option. However, for now, my first objective is to try to see if I can just import the certificates. It is technically possible and I shouldn’t need a reverse proxy for that.

@driz I have SWAG already working and outputting the certificates fine. I also use these certificates for a few purposes without issues. The question is about how to import/install them on the UniFi docker image.

Thanks both for the input.

Giving another try in case someone knows the answer. Thank you.

If you want SSL for unifi, you would just proxy the web UI via swag; then you don’t have to worry about importing.

Hi @j0nnymoe, thanks a lot for the input.

This is the same suggestion that aptalca gave. I understand a reverse proxy is an easy solution. I also understand, as per driz, that linuxserver/swag is already setting up a reverse proxy server, and I imagine it’s possible to change the configuration to add UniFi to it.

However, it is technically possible to import the certificates as well, and I would prefer to do that instead. That’s the setup I use with all my other services without issues, and there are a lot of guides on how to do it in UniFi Controller too. Unfortunately, I have not been able to make it work for this particular one.

Yep, this is the same conclusion I hit when I looked at it a while ago; it was too much effort for little reward.

I was able to find the jacobalberty/unifi image, which uses certificates directly. Upon researching it, it seems there is a script that imports existing Let’s Encrypt certificates into UniFi.

This worked for me. I made a copy and narrowed it down to my needs (gist). By now, I had already configured the nginx reverse proxy, but I really wanted to have it working natively too.


This is the command I used:

keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /le-ssl/letsencrypt/live/yourdomain.com/privkey.pfx -srcstoretype PKCS12 -srcstorepass "" -srcalias 1 -destalias unifi -noprompt

I passed a new path to the Docker container for /le-ssl as described in the swag documentation, "Using certs in other containers".

Then you just need to restart.
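The import procedure described in the first post and in the keytool command above, written out as an added example (it is not code from the thread, from linuxserver/swag or from UniFi). It builds a PKCS#12 bundle from swag-style privkey.pem and fullchain.pem, checks that the key and certificate in the bundle actually belong together, then imports it into the UniFi keystore under the alias "unifi" with the default keystore password used in the thread. Assumptions: the certificate here is a self-signed one generated on the fly so the script runs offline (in practice point PEM_DIR at swag's live/<domain> directory as mounted into the UniFi container), and UNIFI_KEYSTORE defaults to a scratch file rather than the real keystore path from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread, swag or UniFi.
# Builds a PKCS#12 from swag-style PEM files, verifies it, and imports it into
# the UniFi keystore the way the thread's keytool command does.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"
PEM_DIR="${PEM_DIR:-$WORK}"                          # where privkey.pem / fullchain.pem live
UNIFI_KEYSTORE="${UNIFI_KEYSTORE:-$WORK/keystore}"   # thread's real path: /usr/lib/unifi/data/keystore
KEYSTORE_PASS="aircontrolenterprise"                 # UniFi's default, as in the thread's command
P12="$WORK/unifi.p12"

# Constructed stand-in for swag's output: a self-signed cert + key. Assumption:
# in production swag's own privkey.pem / fullchain.pem are used instead.
make_sample_pems() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=unifi.example.com" \
    -keyout "$PEM_DIR/privkey.pem" -out "$PEM_DIR/fullchain.pem" >/dev/null 2>&1
}

# Bundle key + full chain into PKCS#12. "-name unifi" sets the friendlyName,
# which keytool reads as the alias (so no guessing "-srcalias 1" as with swag's pfx).
make_unifi_p12() {
  openssl pkcs12 -export \
    -inkey "$PEM_DIR/privkey.pem" -in "$PEM_DIR/fullchain.pem" \
    -name unifi -passout "pass:$KEYSTORE_PASS" -out "$P12"
}

# Verify the bundle before touching the keystore: the public key derived from
# the private key must equal the public key inside the leaf certificate.
# Prints "match" or "mismatch".
check_p12_keypair() {
  local key_pub cert_pub
  key_pub=$(openssl pkcs12 -in "$P12" -nocerts -nodes -passin "pass:$KEYSTORE_PASS" 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null | openssl sha256)
  cert_pub=$(openssl pkcs12 -in "$P12" -clcerts -nokeys -passin "pass:$KEYSTORE_PASS" 2>/dev/null \
              | openssl x509 -pubkey -noout 2>/dev/null | openssl sha256)
  if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then echo match; else echo mismatch; fi
}

# Import into the UniFi keystore (created if absent; the "unifi" entry is
# overwritten because of -noprompt). Needs keytool from the JRE inside the
# UniFi container, and the controller must be restarted afterwards.
import_into_unifi_keystore() {
  keytool -importkeystore -noprompt \
    -srckeystore "$P12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" -srcalias unifi \
    -destkeystore "$UNIFI_KEYSTORE" -deststorepass "$KEYSTORE_PASS" \
    -destkeypass "$KEYSTORE_PASS" -destalias unifi
}

# Show what the keystore now holds under "unifi", so a stale self-signed entry
# is obvious: the Owner line should carry your domain, not "unifi".
show_unifi_entry() {
  keytool -list -v -keystore "$UNIFI_KEYSTORE" -storepass "$KEYSTORE_PASS" -alias unifi \
    | grep -E 'Alias name|Owner|Valid'
}

main() {
  make_sample_pems
  make_unifi_p12
  echo "PKCS#12 key/cert check: $(check_p12_keypair)"
  if command -v keytool >/dev/null 2>&1; then
    import_into_unifi_keystore
    show_unifi_entry
  else
    echo "keytool not found here; run import_into_unifi_keystore inside the UniFi container"
  fi
}
main "$@"
```

Two caveats worth checking when the controller keeps serving the self-signed certificate after this: first, that UNIFI_KEYSTORE is the keystore file the running controller actually reads (the thread mentions both /var/lib/unifi and /usr/lib/unifi/data; `keytool -list` on the wrong file will happily show the right certificate while the controller never sees it); second, that the PKCS#12 is readable by the container's Java. OpenSSL 3 encrypts PKCS#12 with AES/PBKDF2 by default, which older Java 8 keytool cannot parse; if `keytool -importkeystore` complains about the algorithm, re-run `openssl pkcs12 -export` with `-legacy`. Note also that swag's own privkey.pfx has an empty password, which is why the command above uses `-srcstorepass ""`.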

@aptalca / @j0nnymoe
Sorry, stupid question here. How do you reverse proxy the unifi web UI (with swag (I’m not familiar with this) or nginx) when it is only served on 8443 and enforces a secure connection? Thanks!

You rename unifi-controller.subdomain.conf.sample to unifi-controller.subdomain.conf and restart swag.

Assuming you have a CNAME created and swag and unifi-controller share a custom bridge, it will just work.

I suggest reading the swag guide.