Unifi Controller HTTPS
Planted February 8, 2023
Here’s another HTTPS certificate story. This time, a self-hosted Unifi Controller was the “invalid certificate” annoyance.
Yesterday, it began with attempting to use acme.sh from GitHub on our Ubuntu 22.04.1 LTS server which has unifi running on it. I did encounter a similar error to my last story, and I had to change my DNS servers again. That probably deserves another blog post so I don’t forget how to do it next time. So, I’m able to get the HTTPS certificate, but I encountered an error after running the following command.
```
acme.sh --deploy -d unifi.my.tld --deploy-hook unifi --debug
#output...
Could not open file or uri for loading certs of certificates from -in file from /root/.acme.sh/unifi.my.tld_ecc/unifi.my.tld.cer
807B28F96C7F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
807B28F96C7F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(/root/.acme.sh/unifi.my.tld_ecc/unifi.my.tld.cer)
Error generating pkcs12. Please re-run with --debug and report a bug
```
And Google seems to have a good answer to what’s going on here. The clues make it seem like openssl cannot generate the certificate for the Java process that Unifi runs in. I’m using OpenSSL 3.0.2 15 Mar 2022, which at this point is slightly out of date, so I attempt to build the latest from source. Eventually, after make install and running the binary, I get a linking error…

```
undefined symbol: BIO_f_zlib
```
I did get a search result for StackOverflow, which was promising, but unfortunately it was taken down for some reason…
At this point, I go back to my original Google search “unifi controller https let’s encrypt” and through a Reddit post, found this dude who has written a cute bash script for this very purpose. Another link to his website. I downloaded it and ran it and sure enough, it eventually works, even with a little error, too.
Despite the error message, Unable to load certificate, the script finishes and I go refresh my Unifi Controller Chrome tab. Sure enough, the certificate error shows up, but this time, it has unifi.my.tld in the Common Name!
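The deploy failure above boils down to the hook looking for a certificate file that is not where it expects it. Below is an added example (not the author's script, the Reddit script, or acme.sh's own unifi hook) of the two steps a safer deploy does: locate the issued files, checking both the `_ecc` and plain directory layouts acme.sh uses, and only then build the PKCS#12 and import it into the controller's Java keystore. The keystore path, alias, password and the `ca.cer` chain filename are assumed defaults, not taken from the post, and should be checked against your install.

```shell
#!/bin/sh
# Added example, not the post's script. Assumptions (not from the post):
# acme.sh stores issued files as $ACME_HOME/<domain>_ecc (ECC key) or
# $ACME_HOME/<domain> (RSA key), containing <domain>.cer, <domain>.key and
# ca.cer; the UniFi controller reads its TLS key from a Java keystore with
# the path, alias and password below (assumed defaults, verify locally).
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"
UNIFI_KEYSTORE="${UNIFI_KEYSTORE:-/var/lib/unifi/keystore}"
UNIFI_KEYSTORE_PASS="${UNIFI_KEYSTORE_PASS:-aircontrolenterprise}"
UNIFI_ALIAS="unifi"

# Print the acme.sh directory holding cert + key for a domain, preferring
# the ECC layout. Returns 1 when neither exists, which is exactly the
# "No such file or directory ... stat(...)" case openssl reported above.
acme_cert_dir() {
  domain="$1"
  for d in "$ACME_HOME/${domain}_ecc" "$ACME_HOME/$domain"; do
    if [ -f "$d/$domain.cer" ] && [ -f "$d/$domain.key" ]; then
      printf '%s\n' "$d"
      return 0
    fi
  done
  echo "no issued certificate for $domain under $ACME_HOME" >&2
  return 1
}

# Bundle cert + key + intermediate chain into PKCS#12 and replace the
# controller's keystore entry. Fails early instead of handing openssl a
# path that does not exist.
unifi_import_cert() {
  domain="$1"
  dir=$(acme_cert_dir "$domain") || return 1
  p12=$(mktemp) || return 1
  openssl pkcs12 -export \
    -in "$dir/$domain.cer" -inkey "$dir/$domain.key" -certfile "$dir/ca.cer" \
    -name "$UNIFI_ALIAS" -out "$p12" -passout "pass:$UNIFI_KEYSTORE_PASS" || return 1
  # Remove the old entry so the import does not fail on a duplicate alias.
  keytool -delete -alias "$UNIFI_ALIAS" -keystore "$UNIFI_KEYSTORE" \
    -storepass "$UNIFI_KEYSTORE_PASS" 2>/dev/null || true
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$UNIFI_KEYSTORE_PASS" \
    -destkeystore "$UNIFI_KEYSTORE" -deststorepass "$UNIFI_KEYSTORE_PASS" \
    -alias "$UNIFI_ALIAS" || return 1
  rm -f "$p12"
  echo "imported $domain into $UNIFI_KEYSTORE; restart the unifi service to pick it up"
}
```

Run as root with `unifi_import_cert unifi.my.tld` after acme.sh has issued the certificate; the resolved directory check is what turns the cryptic openssl STORE error into a one-line "no issued certificate" message.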
Next up, giving our ESXi servers real HTTPS certificates…