I found two posts on the Ubiquiti forum that were very useful:
You first need to install certbot for use with an unspecified webserver. Go to the certbot website for your specific OS, but for Ubuntu it’s likely to be something like this.
$ add-apt-repository ppa:certbot/certbot $ apt-get update $ apt-get install certbot
Issue first LetsEncrypt certificate
You need to ensure that you have a FQDN that resolves (from a public DNS server) to your server. I’m going to use cctv.example.com
Right, let’s issue the certificate
$ certbot certonly --standalone
You’ll now need to enter the domain name, an email address and probably agree (or not agree) to receive emails from EFF.
All going well, you should see something like
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/cctv.example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/cctv.example.com/privkey.pem Your cert will expire on 2018-07-30. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
You now have private and public keys for your domain, signed by LetsEncrypt sitting in the /etc/letsencrypt/live/cctv.example.com directory. Unfortunately they are in the wrong format for Unifi Video server.
Reformat and move the keys
We now need to convert the pem files to der and place them in the Unifi Video certificates directory.
- fullchain.pem >> ufv-server.cert.der
- privkey.pem >> ufv-server.key.der
This is basically just converting them from base64 encoding to binary.
Create a certificates directory for Unifi Video
Reformat the keys and make the unifi-video user owner of them
$ openssl pkcs8 -topk8 -nocrypt -in /etc/letsencrypt/live/cctv.example.com/privkey.pem -outform DER -out /usr/lib/unifi-video/data/certificates/ufv-server.key.der $ openssl x509 -outform der -in /etc/letsencrypt/live/cctv.example.com/fullchain.pem -out /usr/lib/unifi-video/data/certificates/ufv-server.cert.der $ chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates
Stop/Configure/Start the Unifi Video service
We now need to
- Stop the Unifi Video service
- Delete the self signed certificates
- Enable custom certificates
- Start the Unifi Video service
Stop the Unifi VIdeo service and delete the self signed certificates
$ service unifi-video stop $ rm /usr/lib/unifi-video/data/ufv-truststore $ rm /usr/lib/unifi-video/data/keystore $ rm /usr/lib/unifi-video/conf/evostream/server.*
Enable custom ceritificates
$ nano /usr/lib/unifi-video/data/system.properties and add the line... ufv.custom.certs.enable=true
Restart the unifi video service with
$ service unifi-video start
Congratulations, Unifi Video server is now running on a LetsEncrypt SSL certificate until it expires in 3 months.
All you need to do now is create a script to renew the certs and run it once a day from cron. If the certificate is renewed, you need to reprocess it and restart the Unifi Video service.
Here’s my version. Note that if the certificate is renewed, it will briefly take the Unifi Video server offline when it restarts the service.
#!/usr/bin/env bash certFQDN=cctv.example.com rm /home/tempcert_$certFQDN -rf mkdir /home/tempcert_$certFQDN certbot certonly --standalone --quiet --non-interactive -d $certFQDN --post-hook "touch /home/tempcert_$certFQDN/newcert" if [ -f "/home/tempcert_$certFQDN/newcert" ] then #Cert was renewed, so process it openssl pkcs8 -topk8 -nocrypt -in /etc/letsencrypt/live/$certFQDN/privkey.pem -outform DER -out ufv-server.key.der openssl x509 -outform der -in /etc/letsencrypt/live/$certFQDN/fullchain.pem -out ufv-server.cert.der mv ufv-server* /usr/lib/unifi-video/data/certificates chown -R unifi-video:unifi-video /usr/lib/unifi-video/data/certificates #service unifi-video restart fi rm /home/tempcert_$certFQDN -rf