Using LetsEncrypt with Ubiquiti Unifi Video server

I’ve spent a lot of time scratching my head trying to get LetsEncrypt, or more accurately certbot, working with Ubiquiti UniFi Video server, especially auto-renewing the certificate every month or so.

I found two posts on the Ubiquiti forum that were very useful:

Install certbot

You first need to install certbot for use with an unspecified webserver. Go to the certbot website for your specific OS, but for Ubuntu it’s likely to be something like this:

$ add-apt-repository ppa:certbot/certbot
$ apt-get update
$ apt-get install certbot

Issue first LetsEncrypt certificate

You need to ensure that you have a FQDN that resolves (from a public DNS server) to your server. I’m going to use

Right, let’s issue the certificate

$ certbot certonly --standalone

You’ll now need to enter the domain name, an email address and probably agree (or not agree) to receive emails from EFF.

All going well, you should see something like

- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-07-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:
Donating to EFF:

You now have the private key and the LetsEncrypt-signed certificate chain for your domain sitting in the /etc/letsencrypt/live/ directory. Unfortunately they are in the wrong format for Unifi Video server.

Reformat and move the keys

We now need to convert the PEM files to DER and place them in the Unifi Video certificates directory.

  • fullchain.pem >> ufv-server.cert.der
  • privkey.pem >> ufv-server.key.der

PEM is just base64-encoded DER, so this is basically converting them from base64 text to binary.

Create a certificates directory for Unifi Video

$ mkdir /usr/lib/unifi-video/data/certificates

Reformat the keys and make the unifi-video user the owner of them

$ openssl pkcs8 -topk8 -nocrypt -in /etc/letsencrypt/live/ -outform DER -out /usr/lib/unifi-video/data/certificates/ufv-server.key.der
$ openssl x509 -outform der -in /etc/letsencrypt/live/ -out /usr/lib/unifi-video/data/certificates/ufv-server.cert.der
$ chown -R unifi-video:unifi-video /var/lib/unifi-video/certificates
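As an added check that is not part of the original post: the script below does the same two openssl conversions and then verifies the result before it is installed, confirming that the DER key and DER certificate belong together and that the certificate is not about to expire. It assumes openssl is on the PATH and takes a source directory (certbot's live directory for the domain, holding privkey.pem and fullchain.pem) and a destination directory as arguments; the output file names are the ones used above. One caveat it reports: openssl x509 reads only the first certificate in fullchain.pem, so the intermediate certificates are not carried into ufv-server.cert.der.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes openssl is on PATH.
# Usage: convert_and_verify /etc/letsencrypt/live/<fqdn> /var/lib/unifi-video/certificates

# Number of certificates in a PEM bundle (fullchain.pem holds leaf + intermediates).
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

convert_and_verify() {
    src="$1"
    dst="$2"
    mkdir -p "$dst"

    # Same conversions as in the post: PEM (base64 text) -> DER (binary).
    openssl pkcs8 -topk8 -nocrypt -in "$src/privkey.pem" -outform DER \
        -out "$dst/ufv-server.key.der" || return 1
    openssl x509 -in "$src/fullchain.pem" -outform DER \
        -out "$dst/ufv-server.cert.der" || return 1

    # Check 1: the DER private key and the DER certificate carry the same public key.
    key_pub=$(openssl pkey -inform DER -in "$dst/ufv-server.key.der" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -inform DER -in "$dst/ufv-server.cert.der" -noout -pubkey 2>/dev/null) || return 1
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # Check 2: the certificate is valid for at least another 30 days (2592000 s).
    openssl x509 -inform DER -in "$dst/ufv-server.cert.der" -noout -checkend 2592000 >/dev/null || {
        echo "certificate expires within 30 days" >&2
        return 1
    }

    # Caveat: 'openssl x509' converts only the FIRST certificate in fullchain.pem,
    # so any intermediates are not in ufv-server.cert.der. Report how many were dropped.
    n=$(pem_cert_count "$src/fullchain.pem")
    echo "converted leaf certificate; $((n - 1)) chain certificate(s) not included"
    return 0
}
```

Run it with the two directories as arguments after certbot has issued or renewed the certificate; a non-zero exit means the DER files should not be installed.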

Stop/Configure/Start the Unifi Video service

We now need to

  • Stop the Unifi Video service
  • Delete the self signed certificates
  • Enable custom certificates
  • Start the Unifi Video service

Stop the Unifi Video service and delete the self signed certificates

$ service unifi-video stop
$ rm /var/lib/unifi-video/ufv-truststore
$ rm /var/lib/unifi-video/keystore
$ rm /var/lib/unifi-video/conf/evostream/server.*

Enable custom certificates

$ nano /var/lib/unifi-video/
and add the line...

Restart the unifi video service with

$ service unifi-video start

Congratulations, Unifi Video server is now running on a LetsEncrypt SSL certificate until it expires in 3 months.

All you need to do now is create a script to renew the certs and run it once a day from cron. If the certificate is renewed, you need to reprocess it and restart the Unifi Video service.

Here’s my version. Note that if the certificate is renewed, it will briefly take the Unifi Video server offline when it restarts the service.

#!/usr/bin/env bash

# Set this to the FQDN the certificate was issued for (placeholder value, not a real host).
certFQDN="your.fqdn.example"

rm -rf "/home/tempcert_$certFQDN"
mkdir "/home/tempcert_$certFQDN"

# The post-hook only runs when certbot actually attempts a renewal, so the marker
# file tells us whether there is a new certificate to process.
certbot certonly --standalone --quiet --non-interactive -d "$certFQDN" --post-hook "touch /home/tempcert_$certFQDN/newcert"

if [ -f "/home/tempcert_$certFQDN/newcert" ]; then
    # Cert was renewed, so convert it to DER straight into the Unifi Video certificates directory
    openssl pkcs8 -topk8 -nocrypt -in "/etc/letsencrypt/live/$certFQDN/privkey.pem" -outform DER -out /var/lib/unifi-video/certificates/ufv-server.key.der
    openssl x509 -outform der -in "/etc/letsencrypt/live/$certFQDN/fullchain.pem" -out /var/lib/unifi-video/certificates/ufv-server.cert.der
    chown -R unifi-video:unifi-video /var/lib/unifi-video/certificates
    # Restarting briefly takes the server offline
    service unifi-video restart
fi

rm -rf "/home/tempcert_$certFQDN"
