Do you want your UniFi controller to have a Let's Encrypt Certificate, automate it, and not have to open it up to the internet? Here's how!
To do this, I used acme.sh to get the certificate automated.
First, SSH into your UniFi controller and become root:
sudo -i
Next, install acme.sh:
curl https://get.acme.sh | sh
Now, in order to use acme.sh, you'll need to either log out and SSH back in to your server, or open bash again. I prefer to just open bash again, so type:
bash
Next, import your DNS API keys into acme.sh. I used Cloudflare, so I used these:
export CF_Key="YOUR_API_KEY"
export CF_Email="YOUR_EMAIL"
Replace YOUR_API_KEY with your Cloudflare API key, and YOUR_EMAIL with your Cloudflare account's email. If you're using something other than Cloudflare for your DNS, you can read about other DNS integrations here.
Next, get a certificate for your UniFi controller. Note: If you're using something other than Cloudflare for your DNS, use the name as shown in the DNS integration link above.
acme.sh --issue --dns dns_cf -d unifi.yourdomain.com
Once you do that, it's highly recommended to install the certificate somewhere, rather than leaving it in /root. I put mine in /etc/unifi/ssl, although you can pick anywhere.
I created the folder:
mkdir -p /etc/unifi/ssl
Then, I made the script that UniFi needs to import the certificate. Note: Make sure you're in the /root directory, or change the acme install command (shown later) to where your script's directory is.
Next, download the script and make it so you can run it:
wget https://gist.githubusercontent.com/ThePigsMud/66efdd598a044169dc6d79868bdf9ced/raw/unificert.sh
chmod +x unificert.sh
Run this command to install the certificate and reload it:
acme.sh --install-cert -d unifi.yourdomain.com \
--key-file /etc/unifi/ssl/key.pem \
--fullchain-file /etc/unifi/ssl/fullchain.pem \
--reloadcmd "/root/unificert.sh"
Make sure you change yourdomain.com to your domain.
Once you do this, it should install your certificate and reload UniFi. If everything goes properly, you should have a valid Let's Encrypt certificate for your UniFi controller, and it should automatically renew.
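To confirm that the install step left a usable key and certificate on disk, here is an added example (not part of the original post, acme.sh, or the unificert.sh script). The function name check_unifi_cert and the default 14-day threshold are assumptions, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example: sanity-check the files acme.sh installed for UniFi.
# Usage: check_unifi_cert DIR HOSTNAME [MIN_DAYS]
# Returns 0 when every check passes; prints one line per failed check.
check_unifi_cert() {
    dir=$1; host=$2; min_days=${3:-14}   # 14 days is an assumed default
    key="$dir/key.pem"; chain="$dir/fullchain.pem"
    rc=0

    for f in "$key" "$chain"; do
        [ -s "$f" ] || { echo "FAIL: $f missing or empty"; return 1; }
    done

    # The private key must not be accessible to group or others.
    perms=$(ls -ln "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $key is group/world accessible ($perms)"; rc=1; }

    # The leaf certificate (first in fullchain.pem) must belong to this key.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate does not match private key"; rc=1; }

    # The certificate must cover the controller's hostname.
    openssl x509 -in "$chain" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match" ||
        { echo "FAIL: certificate is not valid for $host"; rc=1; }

    # The certificate must not expire within min_days (renewal may be failing).
    openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within $min_days days"; rc=1; }

    return $rc
}
```

After sourcing the function, call it as check_unifi_cert /etc/unifi/ssl unifi.yourdomain.com. It checks only the files on disk, not what the controller is actually serving.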

Credit: Thanks to this helpful post for the commands to install the certificate into UniFi.