Tuesday, 21 February 2017

Free SSL certificate on Unifi Controller on Windows

When you set up a Unifi Controller, the default certificate provided with the installation is not trusted, so you will get an SSL warning in your browser when you access the site.
This guide will show you how to use Let's Encrypt and PowerShell to get a free certificate for your Unifi Controller.

Note that I have both Java and my Unifi Controller placed in "C:\Program Files\". If yours are placed in different folders, you need to change the locations in the commands.

Some of the commands will require admin permissions.

#You need IIS installed for automatic Let's Encrypt Verification
Install-WindowsFeature -Name "Web-Server" -IncludeAllSubFeature -IncludeManagementTools
Import-Module WebAdministration

#Install ACMESharp from Powershell Gallery

Install-PackageProvider -Name NuGet -Force
Install-Module -Name ACMESharp -Force -AllowClobber
Import-Module ACMESharp

The easiest way to automatically prove ownership of your domain is to let the ACMESharp module modify the default website on Microsoft's Internet Information Services (IIS). It is also possible to prove ownership using DNS, but I use IIS in the example below.

#Prove ownership of the domain to Let's Encrypt
$CertDomain = 'domain.example.com'
New-ACMERegistration -Contacts mailto:email@example.com -AcceptTos
New-ACMEIdentifier -Dns $CertDomain -Alias dns1
Complete-ACMEChallenge -IdentifierRef dns1 -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'Default Web Site' }
Submit-ACMEChallenge -IdentifierRef dns1 -ChallengeType http-01

#Wait for status to be valid

Update-ACMEIdentifier -IdentifierRef dns1 -ChallengeType http-01

You can run Update-ACMEIdentifier as many times as you need; you need it to return valid instead of pending. If it starts returning invalid, something has gone wrong, and you need to start over with a new IdentifierRef and ChallengeType name.
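The polling described above, as an added PowerShell example that is not part of the original guide: it re-runs Update-ACMEIdentifier until the http-01 challenge is valid and stops with an error when it becomes invalid. It assumes the identifier alias dns1 from the commands above, that ACMESharp is already imported, and that the object Update-ACMEIdentifier returns exposes a Challenges collection whose entries carry Type and Status (as ACMESharp does).

```powershell
# Added example, not from the original guide.
# Assumes: ACMESharp is imported and the identifier alias 'dns1' was created above.
function Wait-AcmeChallengeValid {
    param(
        [string]$IdentifierRef = 'dns1',
        [string]$ChallengeType = 'http-01',
        [int]$MaxAttempts = 20,      # 20 x 15 s = 5 minutes before giving up
        [int]$DelaySeconds = 15
    )

    for ($i = 1; $i -le $MaxAttempts; $i++) {
        # Ask Let's Encrypt for the current state of the challenge
        $id = Update-ACMEIdentifier -IdentifierRef $IdentifierRef -ChallengeType $ChallengeType
        $challenge = $id.Challenges | Where-Object { $_.Type -eq $ChallengeType }
        $status = $challenge.Status

        Write-Host ("Attempt {0}/{1}: {2} challenge status is '{3}'" -f $i, $MaxAttempts, $ChallengeType, $status)

        switch ($status) {
            'valid'   { return $true }
            # 'invalid' is final: the same identifier cannot be retried, so stop here
            'invalid' { throw "Challenge for '$IdentifierRef' is invalid; start over with a new IdentifierRef." }
            default   { Start-Sleep -Seconds $DelaySeconds }   # still 'pending'
        }
    }

    throw "Challenge for '$IdentifierRef' still pending after $MaxAttempts attempts."
}

# Usage: blocks until the challenge is valid, then the certificate request below can proceed
Wait-AcmeChallengeValid -IdentifierRef 'dns1' -ChallengeType 'http-01'
```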

#Request the new certificate
$CertAlias = "Cert" + (get-date -f MMddyyyyHHmmss)
New-ACMECertificate -IdentifierRef dns1 -Generate -Alias $CertAlias
Submit-ACMECertificate -CertificateRef $CertAlias
Update-ACMECertificate -CertificateRef $CertAlias

According to various forum posts, you need to use the password "aircontrolenterprise" for the new keystore to work with the Unifi Controller. I have not tested whether this is true as of writing this guide.

#Export certificate for UniFi Keystore
Get-ACMECertificate -CertificateRef $CertAlias -ExportPkcs12 "C:\Program Files\Ubiquiti UniFi\data\$CertAlias.pfx" -CertificatePassword "aircontrolenterprise"

#Stopping service
Get-Service "*UniFi*" | Stop-Service

#Backup the original keystore
Rename-Item "C:\Program Files\Ubiquiti UniFi\data\keystore" keystore.backup

#Create the New keystore
& 'C:\Program Files\Java\jre1.8.0_121\bin\keytool.exe' -importkeystore -srcstoretype pkcs12 -srcalias "1" -srckeystore "C:\Program Files\Ubiquiti UniFi\data\$CertAlias.pfx" -keystore "C:\Program Files\Ubiquiti UniFi\data\keystore" -destalias unifi -srcstorepass aircontrolenterprise -deststorepass aircontrolenterprise

#Starting service
Get-Service "*UniFi*" | Start-Service

#Stop IIS website as you don't need it anymore
Set-ItemProperty "IIS:\Sites\Default Web Site" serverAutoStart False
Get-Website "Default Web Site" | Stop-Website
