Import existing certificate SSL on Unifi Controller on Docker

This is a question that has appeared many times in the UniFi forums, but despite having read multiple posts and tried many solutions; I am still stuck. I also asked on their forum, but I didn’t get an answer; so I wanted to try my luck here.

Summary: I want to import my SSL Certificates generated with linuxserver/swag into UniFi controller on linuxserver/unifi-controller. However, it always uses the default self-signed root certificate instead of the ones that I save on the keystore.

I have tried to import my .pfx certificate file, as well as a few variants (see below). However, when I restart docker, it still uses the “self-signed” instead of the certificates I am trying to upload. In general, I do not need to generate my certificates, or even potentially P12 file; I have those. I would just need to import them. In most cases, I was able to successfully create the keystore, the system is just not using the certificates.

How do I import my existing pfx certificate (or pem certificates)?

SETUP

My setup is like this:

Domain

  • I have my own domain. Cloudflare is my DNS provider.
  • Domain directs to my public IP, updated using DDNS.
  • My router does port forwarding where required, and I have a few services running fine like this including UniFi Controller.

Certificates

  • I use Let’sEncrypt using DNS challenge to generate a domain and wildcard certificate.
  • I automate this using linuxserver/swag Docker container which spits out: cert.pem, chain.pem, fullchain.pem, priv-fullchain-bundle.pem, privkey.pem, privkey.pfx
  • I use these SSL certificates for most of my services without issues. I want to use them in my controller too.

UniFi Controller

  • Controller installed on Docker on Synology NAS. Image is: linuxserver/unifi-controller

IMPORTING CERTIFICATES

I have tried several methods:

  1. I tried importing the pfx directly using keytool -importkeystore and my PFX file.
  2. I tried creating a P12 file using openssl pkcs12 with my privkey.pem and fullchain.pem; or in some cases adding cert.pem
  3. Listing (keytool -list) would work with both the pfx, and the p12. The information shows the right certificate (for my domain).
  4. I tried creating the keystore as pkcs12 as well as the default JKS.
  5. I tried using lib/ace.jar to import_cert, but in most cases, it wouldn’t import my certificates.

You can see some of the tests on the git script.

In the examples, you will see I tried using /var/lib/unifi as well as /usr/lib/unifi/data.

With the exception of lib/ace.jar, I always succeed in creating keystore or importing certificates. However, when I would restart docker, the system will not be using these certificates.

1d385d8a-5f42-4090-a04f-5a3686d22989

Resources

RESOURCES
I’ve been researching quite a bit on the topic. Since I am limited to two links, you can check the resources on the UniFi post if relevant/interested.

Just reverse proxy it. The unifi controller proxy conf is built in

1 Like

https://docs.linuxserver.io/general/swag

@aptalca I am considering that option. However, for now, my first objective is try to see if I can just import the certificates. It is technically possible and I shouldn’t need to reverse proxy for that.

@driz I have SWAG already working and outputting the certificates fine. I also use these certificates for a few purposes without issues. The question is about how to import/install them on the UniFi docker image.

Thanks both for the input.

Giving another try in case someone knows the answer. Thank you.

If you want SSL for unifi, you would just proxy the webui via swag then you don’t have to worry about importing.

Hi @j0nnymoe, thanks a lot for the input.

This is the same suggestion that aptalca gave. I understand Reverse Proxy is an easy solution. I also understand, as per driz, that linuxserver/swag is already setting a reverse proxy server, and I imagine it’s possible to change the configuration to add UniFi to it.

However, it is technically possible to import the certificates as well and I would prefer to do that instead. That’s the set up I do with all my other services without issues, and there’s a lot of guides on how to do them in UniFi controller too. Unfortunately, I have not been able to made it work for this particular one :frowning:

Yep this is the same conclusion I hit when I looked at it a while ago, was too much effort to do for little reward.