Using LetsEncrypt with Ubiquiti Unifi Video server

I spent a lot of time scratching my head trying to get Let's Encrypt, or more accurately certbot, working with the Ubiquiti UniFi Video server, and in particular auto-renewing the certificate. Let's Encrypt certificates are only valid for 90 days, so renewal comes round every couple of months and really needs to be automated.

I found two posts on the Ubiquiti forum that were very useful:

Install certbot

You first need to install certbot on its own, not tied to a web server: on the certbot website pick your OS and choose "None of the above" for the web server, since UniFi Video serves HTTPS itself and certbot's Apache/nginx plugins do not apply. On Ubuntu it's likely to be something like this (run as root or with sudo):

$ add-apt-repository ppa:certbot/certbot
$ apt-get update
$ apt-get install certbot

Issue first LetsEncrypt certificate

You need to ensure that you have a FQDN that resolves (from a public DNS server) to your server, and that TCP port 80 on that address is reachable from the internet and not already in use: certbot's standalone mode starts its own temporary web server on port 80 to answer the Let's Encrypt HTTP-01 challenge. I'm going to use cctv.example.com.

Right, let’s issue the certificate

$ certbot certonly --standalone

You'll now need to enter the domain name and an email address, agree to the terms of service, and choose whether or not to receive emails from the EFF.

All going well, you should see something like

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cctv.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cctv.example.com/privkey.pem
   Your cert will expire on 2018-07-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You now have a private key (privkey.pem) and the certificate chain signed by Let's Encrypt (fullchain.pem) for your domain in the /etc/letsencrypt/live/cctv.example.com directory. Note that the files under live/ are symlinks into /etc/letsencrypt/archive/ which certbot repoints on every renewal, so always read from the live/ path. Unfortunately they are in the wrong format for UniFi Video server, which expects DER files.

Reformat and move the keys

We now need to convert the PEM files to DER and place them in the UniFi Video certificates directory:

  • fullchain.pem >> ufv-server.cert.der
  • privkey.pem >> ufv-server.key.der

PEM is just base64-encoded DER wrapped in BEGIN/END markers, so this is mostly a change of encoding, with the private key written out as an unencrypted PKCS#8 structure. One caveat: a DER file holds a single certificate, and openssl x509 only takes the first certificate in fullchain.pem, so the Let's Encrypt intermediate is not carried across. Most browsers cope with that (they fetch or already have the intermediate), but stricter TLS clients may complain about an incomplete chain.

Create a certificates directory for Unifi Video

$ mkdir -p /usr/lib/unifi-video/data/certificates

Reformat the keys, make the unifi-video user the owner of them, and make sure the (now unencrypted) private key is not world-readable:

$ openssl pkcs8 -topk8 -nocrypt -in /etc/letsencrypt/live/cctv.example.com/privkey.pem -outform DER -out /usr/lib/unifi-video/data/certificates/ufv-server.key.der
$ openssl x509 -outform der -in /etc/letsencrypt/live/cctv.example.com/fullchain.pem -out /usr/lib/unifi-video/data/certificates/ufv-server.cert.der
$ chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
$ chmod 600 /usr/lib/unifi-video/data/certificates/ufv-server.key.der

Stop/Configure/Start the Unifi Video service

We now need to

  • Stop the Unifi Video service
  • Delete the self signed certificates
  • Enable custom certificates
  • Start the Unifi Video service

Stop the UniFi Video service and delete the self-signed certificates

$ service unifi-video stop
$ rm /usr/lib/unifi-video/data/ufv-truststore
$ rm /usr/lib/unifi-video/data/keystore
$ rm /usr/lib/unifi-video/conf/evostream/server.*

Enable custom certificates

$ nano /usr/lib/unifi-video/data/system.properties
and add the line...
ufv.custom.certs.enable=true

Start the UniFi Video service again with

$ service unifi-video start

Congratulations, UniFi Video server is now running on a Let's Encrypt TLS certificate, which is valid for 90 days.


All you need to do now is create a script to renew the cert and run it once a day from cron. Running it daily is fine: certbot only actually renews when the certificate is within 30 days of expiry and does nothing otherwise. If the certificate is renewed, you need to reconvert it and restart the UniFi Video service so it picks up the new files.

Here's my version. Note that if the certificate is renewed, it will briefly take the UniFi Video server offline when it restarts the service.

#!/usr/bin/env bash
# Daily renewal job for the UniFi Video certificate: re-run certbot and, only
# if a new certificate was actually issued, convert it to DER and restart UFV.
set -eu
certFQDN=cctv.example.com
certDir=/usr/lib/unifi-video/data/certificates
flagDir=/home/tempcert_$certFQDN

rm -rf "$flagDir"
mkdir -p "$flagDir"

# --deploy-hook only fires when a certificate is actually issued or renewed
# (--post-hook also fires after a failed attempt, which would cause a
# needless reconversion and restart).
certbot certonly --standalone --quiet --non-interactive -d "$certFQDN" \
    --deploy-hook "touch $flagDir/newcert"

if [ -f "$flagDir/newcert" ]
then
        # Cert was renewed, so convert it straight into the UFV certificates directory
        openssl pkcs8 -topk8 -nocrypt -in "/etc/letsencrypt/live/$certFQDN/privkey.pem" -outform DER -out "$certDir/ufv-server.key.der"
        openssl x509 -outform der -in "/etc/letsencrypt/live/$certFQDN/fullchain.pem" -out "$certDir/ufv-server.cert.der"
        chown -R unifi-video:unifi-video "$certDir"
        chmod 600 "$certDir/ufv-server.key.der"
        # UFV only reads the certificate files at startup, so a restart is required
        service unifi-video restart
fi

rm -rf "$flagDir"
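Before restarting the service it is worth checking that the two DER files actually belong together and hold the certificate you expect: a key that does not match the certificate only shows up as a failed TLS handshake after the restart, with the server already down. The script below is an added example, not the author's renewal script or anything from Ubiquiti. It wraps the conversion from the steps above in a function, verifies that the public key inside ufv-server.cert.der matches ufv-server.key.der, and reads back the subject CN. The function names (ufv_convert, ufv_verify, ufv_cert_cn, ufv_demo) are my own, and the demo runs against a throwaway self-signed key and certificate it generates itself in place of certbot's live/ files; with real certbot output you would point ufv_convert at /etc/letsencrypt/live/cctv.example.com/ and the UFV certificates directory.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Ubiquiti): convert
# certbot's PEM output into the DER files UniFi Video expects, then verify
# the pair before the service is restarted. Function names are my own.
set -eu

# Convert fullchain.pem + privkey.pem into ufv-server.cert.der and
# ufv-server.key.der inside the directory given as $3.
# Note: openssl x509 emits only the first (leaf) certificate from the chain
# file, so the DER certificate carries no intermediates.
ufv_convert() {
    local fullchain="$1" privkey="$2" outdir="$3"
    mkdir -p "$outdir"
    openssl x509 -in "$fullchain" -outform DER -out "$outdir/ufv-server.cert.der"
    # umask so the unencrypted private key is never world-readable, even briefly
    ( umask 077 && openssl pkcs8 -topk8 -nocrypt -in "$privkey" -outform DER \
          -out "$outdir/ufv-server.key.der" )
    chmod 600 "$outdir/ufv-server.key.der"
}

# Succeeds only if the public key embedded in ufv-server.cert.der is the same
# as the public half of ufv-server.key.der, i.e. the two files belong together.
ufv_verify() {
    local dir="$1" certpub keypub
    certpub=$(openssl x509 -in "$dir/ufv-server.cert.der" -inform DER -noout -pubkey)
    keypub=$(openssl pkey -in "$dir/ufv-server.key.der" -inform DER -pubout)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Print the subject CN of the installed DER certificate, to catch converting
# the wrong file. RFC2253 formatting keeps the output stable across versions.
ufv_cert_cn() {
    openssl x509 -in "$1/ufv-server.cert.der" -inform DER -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Demo on a constructed self-signed pair standing in for certbot's live/ files.
ufv_demo() {
    local tmp
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cctv.example.com" \
        -keyout "$tmp/privkey.pem" -out "$tmp/fullchain.pem" >/dev/null 2>&1
    ufv_convert "$tmp/fullchain.pem" "$tmp/privkey.pem" "$tmp/certs"
    if ufv_verify "$tmp/certs"; then
        echo "OK: key matches certificate for CN=$(ufv_cert_cn "$tmp/certs")"
    else
        echo "MISMATCH: refusing to restart unifi-video" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
}

ufv_demo
```

In a renewal job you would call ufv_convert after certbot has run, then gate the `service unifi-video restart` on ufv_verify succeeding, so a bad conversion leaves the previously working certificate in place rather than taking the server down. The job itself can be dropped into /etc/cron.daily/ or run from a crontab entry such as `0 3 * * * /usr/local/sbin/ufv-renew.sh` (a hypothetical path; use wherever you keep the script).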

About the Author: John

7 Comments

  1. Great stuff!

    One error – you’ve left “cctv.[censored].co.nz ” in there, I edited it to “-d $certFQDN”

    Thanks 🙂

  2. Could you please elaborate a little more on how to automate it?
    You have a script, but how to deploy it correctly?

    Thanks in advance!

  3. I think there are a few issues with this:
    1) The correct location for the certs (per your links) is: /usr/lib/unifi-video/data/certificates (you are switching between /usr/lib and /var/lib throughout your examples).
    2) In the reformat and move keys section, you are outputting the keys to /usr/lib…..(which is correct), but you are changing the ownership on /var/lib…(which is not correct)
    3) In your “automate all the things” section, you are NOT using the same path as your manual steps. i.e. your automation is putting the files at /var/lib (which is not correct) instead of /usr/lib. (and is again setting the owner of /var/lib instead of /usr/lib)

    The example from their forums that you used as an example is from Dec 2017, but in May 2018 they changed the paths. You referenced 2 links on the unifi site but one of the links uses out of date paths (which has been reproduced here)
