I found two posts on the Ubiquiti forum that were very useful:
You first need to install certbot for use without a specific webserver (it will run in standalone mode). Go to the certbot website for your specific OS, but for Ubuntu it's likely to be something like this.
$ add-apt-repository ppa:certbot/certbot
$ apt-get update
$ apt-get install certbot
Issue first LetsEncrypt certificate
You need to ensure that you have a FQDN that resolves (from a public DNS server) to your server, and that port 80 on that server is reachable from the internet, because certbot's standalone mode listens there to answer the validation challenge. I'm going to use cctv.example.com.
Right, let’s issue the certificate
$ certbot certonly --standalone
You'll now need to enter the domain name and an email address, agree to the terms of service, and choose whether or not to receive emails from the EFF.
All going well, you should see something like
- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-07-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
You now have the private key and the Let's Encrypt-signed certificate chain for your domain sitting in the /etc/letsencrypt/live/cctv.example.com directory. Unfortunately they are in the wrong format for the Unifi Video server.
Reformat and move the keys
We now need to convert the pem files to der and place them in the Unifi Video certificates directory.
- fullchain.pem >> ufv-server.cert.der
- privkey.pem >> ufv-server.key.der
This is basically just converting them from base64 (PEM) encoding to binary (DER); the private key is also written out in PKCS#8 form, which is what the openssl pkcs8 command below does.
Create a certificates directory for Unifi Video
$ mkdir -p /var/lib/unifi-video/certificates
Reformat the keys and make the unifi-video user owner of them
$ openssl pkcs8 -topk8 -nocrypt -in /etc/letsencrypt/live/cctv.example.com/privkey.pem -outform DER -out /var/lib/unifi-video/certificates/ufv-server.key.der
$ openssl x509 -outform der -in /etc/letsencrypt/live/cctv.example.com/fullchain.pem -out /var/lib/unifi-video/certificates/ufv-server.cert.der
$ chown -R unifi-video:unifi-video /var/lib/unifi-video/certificates
Stop/Configure/Start the Unifi Video service
We now need to
- Stop the Unifi Video service
- Delete the self signed certificates
- Enable custom certificates
- Start the Unifi Video service
Stop the Unifi Video service and delete the self signed certificates
$ service unifi-video stop
$ rm /var/lib/unifi-video/ufv-truststore
$ rm /var/lib/unifi-video/keystore
$ rm /var/lib/unifi-video/conf/evostream/server.*
Enable custom certificates
$ nano /var/lib/unifi-video/system.properties
and add the line...
Start the Unifi Video service again with
$ service unifi-video start
Congratulations, Unifi Video server is now running on a LetsEncrypt SSL certificate until it expires in 3 months.
All you need to do now is create a script to renew the certs and run it once a day from cron. If the certificate is renewed, you need to reprocess it and restart the Unifi Video service.
Here’s my version. Note that if the certificate is renewed, it will briefly take the Unifi Video server offline when it restarts the service.
#!/bin/bash
# Daily renewal check: re-issue the certificate when due, convert it to DER
# and restart Unifi Video only if a new certificate was actually issued.
certFQDN=cctv.example.com
tempDir="/home/tempcert_$certFQDN"
certDir=/var/lib/unifi-video/certificates
rm -rf "$tempDir"
mkdir -p "$tempDir"
# When the certificate is not yet due, certbot takes no action, so the marker file only appears after a real issuance attempt
certbot certonly --standalone --quiet --non-interactive -d "$certFQDN" --post-hook "touch $tempDir/newcert"
if [ -f "$tempDir/newcert" ]; then
  # Cert was renewed, so convert it to DER and install it
  openssl pkcs8 -topk8 -nocrypt -in "/etc/letsencrypt/live/$certFQDN/privkey.pem" -outform DER -out "$certDir/ufv-server.key.der"
  openssl x509 -outform der -in "/etc/letsencrypt/live/$certFQDN/fullchain.pem" -out "$certDir/ufv-server.cert.der"
  chown -R unifi-video:unifi-video "$certDir"
  service unifi-video restart
fi
rm -rf "$tempDir"
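As an added example (not from the original post, nor Ubiquiti's or certbot's code), here is a bash check to run after the conversion steps above, or from the same daily cron job: it confirms that the DER private key and certificate in the Unifi Video certificates directory belong together and that the certificate is not about to expire, which is the first thing to look at when the renewal script has been silently failing. The directory and file names are the ones used above; the 14-day warning window is an assumed default.

```shell
#!/bin/bash
# Post-install / post-renewal check for the DER files Unifi Video loads.
# Assumed defaults: the directory and file names from the steps above,
# and a 14-day expiry warning window.
# Usage: check_ufv_certs /var/lib/unifi-video/certificates [min_days]
check_ufv_certs() {
  local dir="$1" min_days="${2:-14}"
  local cert="$dir/ufv-server.cert.der" key="$dir/ufv-server.key.der"
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "missing $cert or $key" >&2
    return 2
  fi
  # The cert DER holds only the leaf certificate (openssl x509 converts the
  # first certificate found in fullchain.pem). Compare the public key inside
  # it with the public key derived from the PKCS#8 private key: if they
  # differ the pair cannot be used for TLS at all.
  local cert_pub key_pub
  cert_pub=$(openssl x509 -inform DER -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -inform DER -in "$key" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2
    return 1
  fi
  # -checkend fails when the certificate expires within the window; with a
  # daily renewal cron that means renewal has not been happening.
  if ! openssl x509 -inform DER -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate expires within $min_days days" >&2
    return 1
  fi
  # Healthy: print who the certificate is for and when it expires
  openssl x509 -inform DER -in "$cert" -noout -subject -enddate
}

if [ $# -gt 0 ]; then
  check_ufv_certs "$@"
fi
```

Run it as root (the key file is only readable by the unifi-video user after the chown) and alert on any non-zero exit status.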