In order to get a valid SSL certificate for the UniFi Controller you need to have Nginx proxy to the local controller and trust the UniFi Controller’s certificate.

Most of this came from the solution in this post: Re: Lets Encrypt and UniFi controller. But it was missing a few things so I figured I’d write a post so I don’t have to remember it later and hopefully help someone else.

First I set up a 1 GB Ubuntu 16.04 droplet (you need 1 GB for the controller) at Digital Ocean. If you haven’t heard of Digital Ocean, check them out: they are fast, inexpensive and easy to set up. They also have fantastic support and awesome tutorials.

Note: replace your.controller.com with your fully qualified domain name in all the examples below.

SSH into the machine and update it:

Then install the UniFi Controller (version 5):

Install letsencrypt:

Install NGINX:

Configure the firewall:

Note: We don’t need to open the ports for the controller because we are going to proxy to the controller locally. See the set-inform details below.

Verify firewall and turn it on:

Extract and convert the UniFi key:

Create a folder for the converted key:

Create the file for the Let’s Encrypt challenge:

letsencryptauth.conf:

Verify you have a working Nginx install by visiting http://your.controller.com.

Generate the certificate:

Create a configuration file for your controller:

controller.conf:

I’ve put the code for the Let’s Encrypt renewal between the ‘#EDIT’ and ‘#EDIT2’ comments.
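The following controller.conf is an added example, not the post’s own file. It assumes the controller’s web UI listens on https://127.0.0.1:8443 and its inform listener on http://127.0.0.1:8080 (the UniFi defaults), that the controller certificate extracted earlier was saved as /etc/nginx/ssl/unifi.crt, that the Let’s Encrypt webroot is /var/www/letsencrypt, and that the value of proxy_ssl_name is a placeholder to be replaced with the name in that certificate. The first server block on its own, without the 443 block, is also what the temporary letsencryptauth.conf needs before the certificate exists; the ‘#EDIT’ location in it is the part the renewal keeps relying on.

```nginx
# Added example of controller.conf; not the post's own file. Assumptions:
# the controller's web UI listens on https://127.0.0.1:8443 (UniFi default),
# the inform listener on http://127.0.0.1:8080, the controller certificate
# extracted earlier is saved as /etc/nginx/ssl/unifi.crt, and the Let's
# Encrypt webroot is /var/www/letsencrypt. Replace your.controller.com.

server {
    listen 80;
    server_name your.controller.com;

    #EDIT
    # HTTP-01 challenge files stay on plain HTTP so renewals keep working
    # after everything else is redirected to HTTPS.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }
    #EDIT2

    # Assumption: devices are pointed at http://your.controller.com/inform,
    # so inform traffic reaches the controller through this proxy and
    # port 8080 can stay closed on the firewall.
    location /inform {
        proxy_pass http://127.0.0.1:8080/inform;
        proxy_set_header Host $host;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name your.controller.com;

    ssl_certificate     /etc/letsencrypt/live/your.controller.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.controller.com/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass https://127.0.0.1:8443;

        # Verify the controller's self-signed certificate against the copy
        # extracted from its keystore instead of proxying to it blindly.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/unifi.crt;
        # Placeholder: must match the CN or SAN in unifi.crt; check it with
        # "openssl x509 -noout -subject -in /etc/nginx/ssl/unifi.crt".
        proxy_ssl_name unifi;
        proxy_ssl_session_reuse on;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # The controller UI uses WebSockets for live updates.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}
```

With the HTTP-only block in place, the certificate for this layout is requested with the webroot method (for example `letsencrypt certonly --webroot -w /var/www/letsencrypt -d your.controller.com`, assuming that webroot path), and only then does the 443 block become valid, since nginx refuses to start when the referenced certificate files are missing. The proxy_ssl_verify pair is what makes Nginx actually check the controller’s certificate rather than just encrypt to whatever answers on 8443.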

Enable the configuration:

Test your configuration:

Reload Nginx:

Your controller should now have a valid SSL certificate. But we aren’t done yet.


Once you have configured your controller, you will need to SSH into your gateway and access points and change the inform URL:

Once the device has been adopted, run the command again to save:

If you don’t want to change this then you need to make sure you open port 8080 on the firewall:

Let’s Encrypt renewal

To automate the renewal of the certificate, add a cron job. To edit your cron jobs:

If it’s your first time running this command it will prompt you for the editor to use. I would choose nano (usually the default) as it’s the easiest for beginners. Paste this at the bottom:

This will run the command letsencrypt renew every Monday at 2:30 AM and then append the output to le-renew.log.
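One caveat worth building into that job: Nginx loads the certificate into memory at start-up, so a renewed certificate on disk is not served until Nginx is reloaded. The wrapper below is an added example, not something from the post; it runs the renewal, tests the Nginx configuration and reloads only when both succeed. It assumes the script is installed as /usr/local/sbin/le-renew.sh, that letsencrypt is on PATH and that Nginx is managed by systemd; the commands are variables so the script can be exercised with stand-ins.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed paths: letsencrypt on
# PATH, log file /var/log/le-renew.log, nginx managed by systemd.
# Cron entry (crontab -e), every Monday at 02:30 like the post's schedule:
#   30 2 * * 1 /usr/local/sbin/le-renew.sh >> /var/log/le-renew.log 2>&1

# Commands are variables so the script can be dry-run with stand-ins.
RENEW_CMD="${RENEW_CMD:-letsencrypt renew}"
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"
NGINX_RELOAD_CMD="${NGINX_RELOAD_CMD:-systemctl reload nginx}"

# Renew, then reload nginx only if renewal succeeded and the config still
# parses. nginx keeps the certificate it loaded at start in memory, so
# without the reload it would keep serving the old one after renewal.
# Returns 0 on success, 1 if renewal failed, 2 if the nginx config test failed.
le_renew() {
    echo "$(date -u +%FT%TZ) starting renewal"
    if ! $RENEW_CMD; then
        echo "renewal failed; nginx left untouched"
        return 1
    fi
    if ! $NGINX_TEST_CMD; then
        echo "nginx config test failed; not reloading"
        return 2
    fi
    $NGINX_RELOAD_CMD
    echo "nginx reloaded with the renewed certificate"
}

# Run only when executed as the installed script, not when sourced.
case "$0" in
    *le-renew.sh) le_renew ;;
esac
```

Appending both stdout and stderr to le-renew.log, as the cron line above does, keeps the failure messages from the renewal client in the same file you would check when the certificate unexpectedly expires.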

This is my first how to article so if you see an error or have suggestions, let me know in the comments.

Here are some helpful links, if what is going on isn’t clear:
Understanding Nginx Server and Location Block Selection Algorithms
How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04
Getting Started – Let’s Encrypt
How To Configure Nginx with SSL as a Reverse Proxy for Jenkins
crontab guru example