This is a question that has appeared many times in the UniFi forums, but despite having read multiple posts and tried many solutions, I am still stuck. I also asked on their forum, but I didn’t get an answer, so I wanted to try my luck here.
Summary: I want to import my SSL Certificates generated with linuxserver/swag into UniFi controller on linuxserver/unifi-controller. However, it always uses the default self-signed root certificate instead of the ones that I save on the keystore.
I have tried to import my .pfx certificate file, as well as a few variants (see below). However, when I restart docker, it still uses the “self-signed” certificate instead of the certificates I am trying to upload. In general, I do not need to generate my certificates, or even, potentially, a P12 file; I have those. I would just need to import them. In most cases, I was able to successfully create the keystore; the system is just not using the certificates.
How do I import my existing pfx certificate (or pem certificates)?
SETUP
My setup is like this:
Domain
- I have my own domain. Cloudflare is my DNS provider.
- Domain directs to my public IP, updated using DDNS.
- My router does port forwarding where required, and I have a few services running fine like this including UniFi Controller.
Certificates
- I use Let’s Encrypt with a DNS challenge to generate a domain and wildcard certificate.
- I automate this using linuxserver/swag Docker container which spits out: cert.pem, chain.pem, fullchain.pem, priv-fullchain-bundle.pem, privkey.pem, privkey.pfx
- I use these SSL certificates for most of my services without issues. I want to use them in my controller too.
UniFi Controller
- Controller installed on Docker on Synology NAS. Image is: linuxserver/unifi-controller
IMPORTING CERTIFICATES
I have tried several methods:
- I tried importing the pfx directly using keytool -importkeystore and my PFX file.
- I tried creating a P12 file using openssl pkcs12 with my privkey.pem and fullchain.pem, or in some cases adding cert.pem.
- Listing (keytool -list) would work with both the pfx and the p12. The information shows the right certificate (for my domain).
- I tried creating the keystore as pkcs12 as well as the default JKS.
- I tried using lib/ace.jar to import_cert, but in most cases, it wouldn’t import my certificates.
You can see some of the tests on the git script.
In the examples, you will see I tried using /var/lib/unifi as well as /usr/lib/unifi/data.
With the exception of lib/ace.jar, I always succeed in creating the keystore or importing the certificates. However, when I restart docker, the system is not using these certificates.
RESOURCES
I’ve been researching quite a bit on the topic. Since I am limited to two links, you can check the resources on the UniFi post if relevant/interested.
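As an added example (not from the original post or from the linuxserver images), this is the import sequence I would run and, more importantly, the check to make before restarting the container. It assumes the controller looks up its entry under the alias unifi with the store password aircontrolenterprise, that the keystore file is the one under the data directory the container uses (the post mentions /var/lib/unifi and /usr/lib/unifi/data), and that the store is in JKS format; the paths passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example: import an existing Let's Encrypt key and chain into the
# UniFi controller keystore. Assumed (not from the post): alias "unifi",
# store password "aircontrolenterprise", JKS keystore format.
set -eu

UNIFI_ALIAS="unifi"
UNIFI_STOREPASS="aircontrolenterprise"

# Build a PKCS12 bundle whose single entry already carries the alias the
# controller looks for. $1 = privkey.pem  $2 = fullchain.pem  $3 = out .p12
# Note: an old Java 8 keytool may not read OpenSSL 3's default PKCS12
# encryption; with OpenSSL 3 add "-legacy" to this command if so.
make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$UNIFI_ALIAS" \
        -passout "pass:$UNIFI_STOREPASS" -out "$3"
}

# Replace the "unifi" entry in the keystore with the one from the .p12.
# $1 = .p12 path   $2 = keystore path (created if it does not exist)
import_p12() {
    # Drop any existing entry first so the old self-signed key cannot
    # remain under the same alias after the import.
    if [ -f "$2" ]; then
        keytool -delete -alias "$UNIFI_ALIAS" -keystore "$2" \
            -storepass "$UNIFI_STOREPASS" >/dev/null 2>&1 || true
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$UNIFI_STOREPASS" -srcalias "$UNIFI_ALIAS" \
        -destkeystore "$2" -deststoretype JKS \
        -deststorepass "$UNIFI_STOREPASS" -destalias "$UNIFI_ALIAS"
}

# Succeeds only if the store holds a PrivateKeyEntry under the expected
# alias; a cert-only entry or a different alias is the usual cause of the
# controller silently falling back to its own self-signed certificate.
verify_keystore() {
    keytool -list -keystore "$1" -storepass "$UNIFI_STOREPASS" \
        -alias "$UNIFI_ALIAS" 2>/dev/null | grep -q "PrivateKeyEntry"
}

# Usage: import.sh privkey.pem fullchain.pem /path/to/unifi/data/keystore
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp)
    make_p12 "$1" "$2" "$tmp"
    import_p12 "$tmp" "$3"
    rm -f "$tmp"
    verify_keystore "$3" || { echo "no unifi private key entry" >&2; exit 1; }
    echo "keystore OK: restart the controller container"
fi
```

Run it against a copy of the keystore first; if verify_keystore passes but the controller still serves the self-signed certificate after a restart, the file being edited is not the one the container reads.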