Do you want your UniFi controller to have a Let's Encrypt Certificate, automate it, and not have to open it up to the internet? Here's how!

To do this, I used acme.sh to get the certificate automated.

First, SSH into your UniFi controller and become root:

sudo -i

Next, install acme.sh:

curl https://get.acme.sh | sh

Now, in order to use acme.sh, you'll either need to exit and re-ssh in to your server, or open bash again. I prefer to just open bash again, so type:

bash

Next, import your DNS API keys into acme.sh. I used Cloudflare, so I used these:

export CF_Key="YOUR_API_KEY"
export CF_Email="YOUR_EMAIL"

Replace YOUR_API_KEY with your Cloudflare API key, and YOUR_EMAIL with your Cloudflare account's email. If you're using something other than Cloudflare for your DNS, you can read about other DNS integrations here.

Next, get a certificate for your UniFi controller. Note: If you're using something other than Cloudflare for your DNS, use the name as shown in the DNS integration link above.

acme.sh --issue --dns dns_cf -d unifi.yourdomain.com

Once you do that, it's highly recommended to install the certificate somewhere, rather than leaving it in /root. I put mine in /etc/unifi/ssl, although you can pick anywhere.

I created the folder:

mkdir -p /etc/unifi/ssl

Then, I made the script that UniFi needs to import the certificate. Note: Make sure you're in the /root directory, or change the acme install command (shown later) to where your script's directory is.

Next, download the script and make it so you can run it:

wget https://gist.githubusercontent.com/ThePigsMud/66efdd598a044169dc6d79868bdf9ced/raw/unificert.sh
chmod +x unificert.sh

Run this command to install the certificate and reload it:

acme.sh --install-cert -d unifi.yourdomain.com \
--key-file /etc/unifi/ssl/key.pem \
--fullchain-file /etc/unifi/ssl/fullchain.pem \
--reloadcmd "/root/unificert.sh"

Make sure you change yourdomain.com to your domain.

Once you do this, it should install your certificate and reload UniFi. If everything goes properly, you should have a valid Let's Encrypt certificate for your UniFi controller, and it should automatically renew.
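
To confirm that from the shell, the following added example (not part of the original post or the linked unificert.sh) checks the files that `acme.sh --install-cert` wrote: key permissions, key/certificate match, hostname coverage and remaining lifetime. The function name `check_unifi_cert`, its exit codes and the 14-day default are assumptions; it expects GNU `stat` and the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): verify what acme.sh installed.
# Paths follow the post; the function name and exit codes are assumptions.
# Usage: sh check_unifi_cert.sh /etc/unifi/ssl unifi.yourdomain.com [min_days]

check_unifi_cert() {
    dir=$1; host=$2; min_days=${3:-14}
    key="$dir/key.pem"; chain="$dir/fullchain.pem"

    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "cannot read key.pem or fullchain.pem in $dir" >&2; return 2
    fi

    # 1. The private key must not be readable by group or others.
    mode=$(stat -c '%a' "$key") || return 2   # GNU stat, as on Debian/Ubuntu
    case $mode in
        *00) ;;
        *) echo "key.pem has mode $mode; run: chmod 600 $key" >&2; return 3 ;;
    esac

    # 2. key.pem must be the private half of the leaf certificate
    #    (the first certificate in fullchain.pem).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "key.pem does not match the certificate in fullchain.pem" >&2; return 4
    fi

    # 3. The certificate must cover the controller's hostname.
    if ! openssl x509 -in "$chain" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "certificate does not cover $host" >&2; return 5
    fi

    # 4. Renewal must be keeping up: fail if expiry is within min_days.
    if ! openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days; check acme.sh's cron job" >&2; return 6
    fi

    echo "OK: $host key/cert pair in $dir is consistent"
}

# Run the check only when a directory and hostname are given on the command line.
if [ "$#" -ge 2 ]; then
    check_unifi_cert "$@"
fi
```

A non-zero exit code identifies the failed check (3 permissions, 4 key mismatch, 5 hostname, 6 expiry), so the script can also be run from cron or a monitoring agent.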

Credit: Thanks to this helpful post for the commands to install the certificate into UniFi.