Use a Let’s Encrypt certificate with Unifi Controller and Unifi Video on Microsoft Windows
I do not mind Linux, but if I am completely honest Windows is more my thing. It is just more comfortable. So generally when there is a Windows option I go for it, instead of spinning up a Linux VM. Usually this pays off in setup time, but occasionally has the pain where I later have to figure out how to do something that is well documented/scripted/supported in Linux.
Having recently setup a Unifi network and video system at my house, the self-signed certificates the services use started to grate on me after a while. Chrome will not save credentials for self-signed sites, and Unifi Video does not work properly in FireFox, so last night I got fed up and decided to figure out how to install letsencrypt certificates to both services. The following steps are how it is done.
Update: If you are using Unifi Video 3.8.1+, follow this guide for the video component instead after completing steps 1-5 below.
- Backup your Unifi and Unifi Video site configurations.
- Download and extract letsencrypt-win-simple to a location on the Windows system you will be generating the certificate for.
- Edit letsencrypt.exe.config, change “PFXPassword” to some value (e.g. “aircontrolenterprise”), and optionally “RenewalDays” to the maximum allowed value of 90.
- Generate a certificate using letsencrypt-win-simple. I have IIS installed on the Windows system, so I followed this method. Any web server should do, as long as it is publicly available. If IIS is not an option for you follow the interactive method to generate a certificate manually using a different webserver. Do not forget to port forward, if you have not already.
- The certificates should be end up in “C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org”. We are interested in the pfx file that was generated by the process.
- Navigate to “C:\Users\Administrator\Ubiquiti UniFi\data\” and rename keystore to keystore.org (just in case we need roll this back).
- Navigate to “C:\ProgramData\unifi-video\data\” and do the same for keystore here.
- Use keytool to discover the alias of the pfx file letsencrypt generates using the command:
"C:\Program Files\Java\jre7\bin\keytool.exe" -list -keystore "C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\hostname-all.pfx" -storetype pkcs12
Enter the pfx password (e.g. “aircontrolenterprise”) set in step 3 when prompted. The alias is the value before the date in the first line, in this case “1”:
- Use the pfx password, alias, and path to the pfx file in the following commands:
"C:\Program Files\Java\jre7\bin\keytool.exe" -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore "C:\Users\Administrator\Ubiquiti UniFi\data\keystore" -srckeystore "C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\hostname-all.pfx" -srcstoretype PKCS12 -srcstorepass pfxpasswordfromstep3 -alias pfxaliasfromstep8 -noprompt "C:\Program Files\Java\jre7\bin\keytool.exe" -importkeystore -deststorepass ubiquiti -destkeypass ubiquiti -destkeystore "C:\ProgramData\unifi-video\data\keystore" -srckeystore "C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\hostname-all.pfx" -srcstoretype PKCS12 -srcstorepass pfxpasswordfromstep3-alias pfxaliasfromstep8 –noprompt
This will generate new keystore files for both services.
- You may need to change the alias in the keystore from “1” (whatever it is from Letsencrypt) to “airvision” for the NVR. You will know because the video service will recreate the keystore when it starts. If that is the case, or just because there is no harm in doing it. Run:
"C:\Program Files\Java\jre7\bin\keytool.exe" -changealias -keystore"C:\ProgramData\unifi-video\data\keystore" -storepass ubiquiti -alias pfxaliasfromstep8 -destalias airvision
- Update: A recent Unifi Video release introduced “cam-keystore”. If you have one of these, you will want to delete it before progressing:
- Restart the services to use the new certificates.
- Enjoy your happy https icon :):
Because the letsencrypt cert will expire every 90 days (or whatever it was set to in “RenewalDays”), this is a good candidate for scripting. Feel free to download, edit, and use the attached cmd file for this purpose.