The following was lifted from here:
https://www.naschenweng.info/2017/01/06/securing-ubiquiti-unifi-cloud-key-encrypt-automatic-dns-01-challenge/
I’m reposting it so i have easy access to it. This is not my work, nor did I have anything to do with it.
curl https://get.acme.sh | sh
Exit the terminal and re-open it again. We will also enable auto-upgrade for acme.sh (the –accountemail will be used for Let’s Encrypt email notifications when certs are renewed):
acme.sh --upgrade --auto-upgrade --accountemail "[email protected]"
OR
acme.sh --register-account -m [email protected]
Cloud Key Gen 1 / Linux Only
To automate the certificate installation, create the file /root/.acme.sh/cloudkey-renew-hook.sh – no adjustments are needed:
nano /root/.acme.sh/cloudkey-renew-hook.sh
#!/bin/bash
# Renew-hook for ACME / Let's encrypt
echo "** Configuring new Let's Encrypt certs"
cd /etc/ssl/private
rm -f /etc/ssl/private/cert.tar /etc/ssl/private/unifi.keystore.jks /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/fullchain.pem
openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey /etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 -name unifi -password pass:aircontrolenterprise
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
rm -f /etc/ssl/private/cloudkey.p12
tar -cvf cert.tar *
chown root:ssl-cert /etc/ssl/private/*
chmod 640 /etc/ssl/private/*
echo "** Testing Nginx and restarting"
/usr/sbin/nginx -t
/etc/init.d/nginx restart ; /etc/init.d/unifi restart
DNS API Instructions
https://github.com/acmesh-official/acme.sh/wiki/dnsapi
Use something similar to the 2 lines below to export your Key and Email / Secret according to your DNS provider and the instructions above.
export CF_Key="YOUR-CLOUDFLARE-API-KEY"
export CF_Email="YOUR-CLOUDFLARE-EMAIL"
Use the following commands to issue your certificate according to your device type.
Cloud Key Gen 1 / Linux
acme.sh --force --issue --dns dns_cf -d unifi.naschenweng.info --pre-hook "touch /etc/ssl/private/cert.tar; tar -zcvf /root/.acme.sh/CloudKeySSL_`date +%Y-%m-%d_%H.%M.%S`.tgz /etc/ssl/private/*" --fullchainpath /etc/ssl/private/cloudkey.crt --keypath /etc/ssl/private/cloudkey.key --reloadcmd "sh /root/.acme.sh/cloudkey-renew-hook.sh"
Cloud Key Gen 2
acme.sh --force --issue --dns dns_cf -d unifi.home.jamesridgway.co.uk --pre-hook "tar -zcvf /root/.acme.sh/CloudKeySSL_`date +%Y-%m-%d_%H.%M.%S`.tgz /data/unifi-core/config/unifi-core.*" --fullchainpath /data/unifi-core/config/unifi-core.crt --keypath /data/unifi-core/config/unifi-core.key --reloadcmd "systemctl restart unifi-core.service"Since the Let’s Encrypt certificate needs to be renewed every 3 months, you need to configure the auto-renew via a cronjob through crontab -e and append the following to the end of the crontab:
Cloud Key Gen 1 / Linux Install
# minute hour dayofmonth month dayofweek commandto run 0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh/" >> /var/log/letsencrypt.log
Cloud Key Gen 2
# minute hour dayofmonth month dayofweek commandto run
0 0 * * * /root/.acme.sh/acme.sh --renew -d unifi.home.jamesridgway.co.uk --pre-hook "tar -zcvf /root/.acme.sh/CloudKeySSL_`date +%Y-%m-%d_%H.%M.%S`.tgz /data/unifi-core/config/unifi-core.*" --fullchainpath /data/unifi-core/config/unifi-core.crt --keypath /data/unifi-core/config/unifi-core.key --reloadcmd "systemctl restart unifi-core.service"