Deploying Letsencrypt certificates to Unraid, Docker Apps and Unifi Cloud Key UPDATE: 2.x firmware for cloud key cert process

 
Why

I have started to migrate my current network gear, a mix of D-Link, TP-Link, Reolink and pfSense, over to Unifi. The reason is that I like the way Unifi is manageable from one web page: switch settings, network settings and firewall settings are all there. Unfortunately Unifi does not come with a built-in CA, so I now have to replace all my self-signed certs. After much investigation, trying Microsoft CA and making my own CA with OpenSSL, I landed on using Unraid and Letsencrypt. I'll update this if I add more apps to my environment.

Setting up letsencrypt in Unraid

This part is fairly easy, though it does require setting up a port forward. Head over to the App section of the Unraid UI, search for “letsencrypt” and hit the click-to-install button.

Add the settings below:

Http 8081

Https 8443

E-Mail <your E-mail>

Domain <domain you wish to use>

Sub-Domain <sub-domains you wish to use>

The rest you can leave as default. If you have more than one domain, add the variable EXTRA_DOMAINS. Unlike the top Domain and Sub-Domain fields, this one takes fully qualified domain names, comma-separated with no spaces.

Now set up a port forward on your firewall from ports 443 and 80 on its WAN interface to 8443 and 8081 on your Unraid server.

The last step is to add, in your domain's DNS, an A record for each subdomain you are using that points at your firewall's WAN interface. If you have a dynamic IP address like me, you will need a service like Google DNS to keep this record updated.

Once both are set up, restart the letsencrypt docker container and your certificates will be created for your subdomains.
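
Before moving on to the applications it is worth confirming what the container actually issued. The script below is an added example, not part of the original post or the letsencrypt container: it reads the certificate from the container's default directory used throughout this guide, lists the hostnames in its subjectAltName, checks that every hostname you configured (Domain, Sub-Domain and the EXTRA_DOMAINS list) is covered, and reports how many days are left before expiry. The function names are my own, and the date arithmetic assumes GNU date as shipped on Unraid.

```shell
#!/bin/bash
# Added example (not from the original post): inspect the certificate that the
# letsencrypt container wrote and confirm it covers the hostnames you expect.
# LE_DIR is the container's default output directory from the post; the
# function names are my own.
set -u

LE_DIR="${LE_DIR:-/mnt/user/appdata/letsencrypt/keys/letsencrypt}"

# Print the DNS names listed in the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Return 0 if every hostname given as an argument is in the certificate;
# otherwise print the missing ones to stderr and return 1.
cert_covers() {
    local cert="$1" sans host missing=0
    shift
    sans="$(cert_sans "$cert")"
    for host in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qix "$host"; then
            echo "not covered by certificate: $host" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Whole days until the certificate expires. Letsencrypt issues 90-day certs
# and renews at 30 days, so a value under 30 means renewal is not happening.
cert_days_left() {
    local end now
    end="$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
    now="$(date +%s)"
    end="$(date -d "$end" +%s)"   # GNU date
    echo $(( (end - now) / 86400 ))
}

# Usage: ./check_cert.sh nas.example.com,cloud.example.com plex.example.com
# Hostnames may be comma-separated (EXTRA_DOMAINS style) or separate arguments.
if [ $# -gt 0 ]; then
    cert="$LE_DIR/fullchain.pem"
    # word splitting of the comma list into separate hostnames is intended
    cert_covers "$cert" $(printf '%s ' "$@" | tr ',' ' ') && echo "all hostnames covered"
    echo "days left: $(cert_days_left "$cert")"
fi
```

Run it once after the container's first start and again from a User Script if you want a daily sanity check; a hostname missing from the list usually means a typo in Sub-Domain or an EXTRA_DOMAINS entry with a stray space.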

The sections below cover how to add these certs to various applications.

Adding Letsencrypt Certificates to Unraid

You will need to have followed my guide to adding a self-signed certificate to Unraid here. What we will go through here is just updating from your self-signed cert to a Letsencrypt one.

Changes to your crontab in Unraid are not saved between reboots. This is solved by installing the plugin CA User Scripts through the App section.

Once installed, head over to the Plugins section and open User Scripts. Add a new script, give it a name and hit OK.

To edit the script, mouse over the cog next to the name of the script you just added and select Edit Script. Add the line below underneath #!/bin/bash.

# Bundle the certificate and its private key into the single PEM file that Unraid's web UI loads
cat /mnt/user/appdata/letsencrypt/keys/letsencrypt/cert.pem /mnt/user/appdata/letsencrypt/keys/letsencrypt/privkey.pem > /boot/config/ssl/certs/<tower>_unraid_bundle.pem

Replace <tower> with the subdomain you are using.

Once done, select Save Changes. Next, make it run on a schedule: to the right of your script line, open the dropdown that says Schedule Disabled and change it to Custom.

A new field will appear to the right; put in the below, which makes the script run daily at 3am:

0 3 * * *

Lastly run this script and your cert will be updated.

This replaces the current cert with the Letsencrypt certificate and runs the job daily, so that when Letsencrypt renews the certificate the new one is picked up by Unraid.

You will need to restart to apply the change.

Adding Letsencrypt Certificates to Unraid Plex

I have already covered this here; I just thought it would be easier to have everything in one guide.

Adding Letsencrypt certificates to Nextcloud

This one is another User Scripts job: add the lines below to a new script and schedule it to run at 5 3 * * *.

# Copy the Letsencrypt certificate and key to the names the Nextcloud container expects
cp /mnt/user/appdata/letsencrypt/keys/letsencrypt/cert.pem /mnt/user/appdata/nextcloud/keys/cert.crt
cp /mnt/user/appdata/letsencrypt/keys/letsencrypt/privkey.pem /mnt/user/appdata/nextcloud/keys/cert.key
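
The Unraid bundle script above and the two Nextcloud copies both blindly overwrite whatever is in place. The script below is an added example, not the original post's code: it replaces both jobs with one that first checks the certificate and private key really belong together (a renewal that wrote one file but not the other would otherwise leave a cert/key mismatch), writes each destination atomically with an explicit mode, and tells you whether anything changed so you only restart the UI or the container when needed. The paths are those from the post; the function names, the modes chosen for the Nextcloud files and the <tower> argument are my own.

```shell
#!/bin/bash
# Added example, not code from the original post: a safer replacement for the
# Unraid bundle and Nextcloud copy user scripts. Paths are the post's defaults;
# function names and the Nextcloud file modes are my assumptions.
set -u

LE_DIR="${LE_DIR:-/mnt/user/appdata/letsencrypt/keys/letsencrypt}"
CHANGED=0

# 0 if the public key inside CERT matches KEY (RSA or ECDSA), 1 otherwise.
cert_key_match() {
    local a b
    a="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 1
    b="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 1
    [ -n "$a" ] && [ "$a" = "$b" ] && return 0
    return 1
}

# Concatenate the source files into DEST via a temp file and rename, with
# mode MODE. Returns 0 if DEST changed, 2 if it was already identical,
# 1 on error. A reader never sees a half-written file.
install_bundle() {
    local dest="$1" mode="$2" tmp
    shift 2
    tmp="$(mktemp "$(dirname "$dest")/.tmp.XXXXXX")" || return 1
    if ! cat "$@" > "$tmp"; then rm -f "$tmp"; return 1; fi
    # /boot on Unraid is FAT and does not store modes; a chmod failure there is harmless
    chmod "$mode" "$tmp" 2>/dev/null || true
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        return 2
    fi
    mv -f "$tmp" "$dest"
}

# Wrapper that records whether install_bundle changed anything and stops on error.
sync_file() {
    local rc=0
    install_bundle "$@" || rc=$?
    [ "$rc" -ne 1 ] || return 1
    [ "$rc" -ne 0 ] || CHANGED=1
    return 0
}

# Usage: ./deploy_certs.sh <tower>   (<tower> = the subdomain, as in the post)
deploy_all() {
    local tower="$1"
    CHANGED=0
    if ! cert_key_match "$LE_DIR/cert.pem" "$LE_DIR/privkey.pem"; then
        echo "cert.pem and privkey.pem do not belong together; refusing to deploy" >&2
        return 1
    fi
    # Unraid web UI bundle: certificate followed by private key, as in the post
    sync_file "/boot/config/ssl/certs/${tower}_unraid_bundle.pem" 600 \
        "$LE_DIR/cert.pem" "$LE_DIR/privkey.pem" || return 1
    # Nextcloud container files; 640 on the key assumes the container's user
    # shares the group, adjust to your PUID/PGID
    sync_file /mnt/user/appdata/nextcloud/keys/cert.crt 644 "$LE_DIR/cert.pem" || return 1
    sync_file /mnt/user/appdata/nextcloud/keys/cert.key 640 "$LE_DIR/privkey.pem" || return 1
    if [ "$CHANGED" -eq 1 ]; then
        echo "certificate files updated; restart the Unraid web UI and the Nextcloud container to apply"
    else
        echo "certificates unchanged, nothing to do"
    fi
}

if [ $# -gt 0 ]; then
    deploy_all "$1"
fi
```

Schedule it with the same 0 3 * * * entry as before; because unchanged files are left alone, the script is safe to run as often as you like, and the exit status lets a wrapper decide whether a restart is actually needed.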


Adding Letsencrypt certificates to Cloudkey

As I said, I am moving to Unifi, and part of this was getting a Cloud Key Gen 2+. This process is more involved than the others as the Cloud Key is not located on your Unraid server.

The first step is prepping the files the Cloud Key needs. Add the below into a user script and have it run at 10 3 * * *.

# Package the full chain and private key as PKCS12 for the Cloud Key's Java keystore (aircontrolenterprise is the controller's default keystore password)
openssl pkcs12 -export -in /mnt/user/appdata/letsencrypt/keys/letsencrypt/fullchain.pem -inkey /mnt/user/appdata/letsencrypt/keys/letsencrypt/privkey.pem -out /mnt/user/appdata/letsencrypt/keys/letsencrypt/unifi.p12 -name unifi -password pass:aircontrolenterprise
# Second copy of the private key for the Cloud Key script to pick up
cp /mnt/user/appdata/letsencrypt/keys/letsencrypt/privkey.pem /mnt/user/appdata/letsencrypt/keys/letsencrypt/privkey2.pem
# Make the staged files readable over SMB. go+u copies the owner's bits, so the private key becomes readable by anyone who can reach this share; keep the share restricted to the Cloud Key's user
chmod -R u-x,go-rwx,go+u,ugo+X /mnt/user/appdata/letsencrypt/keys/letsencrypt
chown -R nobody:users /mnt/user/appdata/letsencrypt/keys/letsencrypt
# Flush the writes to disk before the Cloud Key mounts the share
sync

You will need to create a user account on your Unraid server with read access to an SMB share of your appdata folder.

Now SSH (PuTTY) into your Cloud Key and run the command below.

mkdir /mnt/letsencrypt

Next, open nano and paste the below, replacing <user>, <password> and <ipofserver> with the values for your deployment.

#!/bin/bash
# Mount the Unraid appdata share where the user script staged the files
mount -t cifs -o username=<user>,password=<password> //<ipofserver>/appdata /mnt/letsencrypt
# Remove the old keystore and its checksum so keytool builds a fresh one
rm /etc/ssl/private/unifi.keystore.jks
rm /etc/ssl/private/unifi.keystore.jks.md5
# Import the PKCS12 bundle into the controller's Java keystore
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /etc/ssl/private/unifi.keystore.jks -srckeystore /mnt/letsencrypt/letsencrypt/keys/letsencrypt/unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
# Install the PEM pair for the Cloud Key's own web UI
cp /mnt/letsencrypt/letsencrypt/keys/letsencrypt/fullchain.pem /etc/ssl/private/cloudkey.crt
cp /mnt/letsencrypt/letsencrypt/keys/letsencrypt/privkey2.pem /etc/ssl/private/cloudkey.key
# Archive the directory; the Cloud Key restores its certificates from cert.tar on boot
tar -cvf /etc/ssl/private/cert.tar /etc/ssl/private/*
# Private key material stays readable by root and the ssl-cert group only
chown root:ssl-cert /etc/ssl/private/*
chmod 640 /etc/ssl/private/*

Now press Ctrl+X and save this file as letsencrypt.sh in /root (the crontab entry below points at /root/letsencrypt.sh). You will then need to run the command below to make it executable.

chmod +x letsencrypt.sh

The last step is to add this to your crontab: open it with the command crontab -e and add the line below.

0 4 * * * /root/letsencrypt.sh

This will then run at 4am daily; when you restart afterwards, the cert will be applied.

Update as of cloudkey firmware 2.x

As of the 2.x firmware release for the Cloud Key, the whole process is a lot simpler.

The first step is prepping the files the Cloud Key needs. Add the below into a user script and have it run at 10 3 * * *.

# Second copy of the private key for the Cloud Key script to pick up
cp /mnt/user/appdata/letsencrypt/keys/letsencrypt/privkey.pem /mnt/user/appdata/letsencrypt/keys/letsencrypt/privkey2.pem
# Make the staged files readable over SMB. go+u copies the owner's bits, so the private key becomes readable by anyone who can reach this share; keep the share restricted to the Cloud Key's user
chmod -R u-x,go-rwx,go+u,ugo+X /mnt/user/appdata/letsencrypt/keys/letsencrypt
chown -R nobody:users /mnt/user/appdata/letsencrypt/keys/letsencrypt
# Flush the writes to disk before the Cloud Key mounts the share
sync

Now SSH (PuTTY) into your Cloud Key and run the command below.

mkdir /mnt/letsencrypt

Next, open nano and paste the below, replacing <user>, <password> and <ipofserver> with the values for your deployment.

#!/bin/bash
# Mount the Unraid appdata share where the user script staged the files
mount -t cifs -o username=<user>,password=<password> //<ipofserver>/appdata /mnt/letsencrypt
# unifi-core reads its certificate and key straight from its config directory
cp /mnt/letsencrypt/letsencrypt/keys/letsencrypt/fullchain.pem /data/unifi-core/config/unifi-core.crt
cp /mnt/letsencrypt/letsencrypt/keys/letsencrypt/privkey2.pem /data/unifi-core/config/unifi-core.key

Now press Ctrl+X and save this file as letsencrypt.sh in /root (the crontab entry below points at /root/letsencrypt.sh). You will then need to run the command below to make it executable.

chmod +x letsencrypt.sh

The last step is to add this to your crontab: open it with the command crontab -e and add the line below.

0 4 * * * /root/letsencrypt.sh

This will then run at 4am daily; when you restart afterwards, the cert will be applied.
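
Both Cloud Key scripts above, the 1.x keystore version and the 2.x unifi-core version, share two weaknesses: the SMB password sits on the mount command line (visible in the process list and in root's shell history), and the 1.x script deletes the existing keystore before it knows the mount succeeded, so a failed mount leaves the controller with no certificate at all. The script below is an added example, not the original post's code, covering both firmware paths from a single file. It keeps the share credentials in a root-only file via the credentials= option of mount.cifs, mounts the share read-only, and does nothing to the installed files unless the mount worked and the staged certificate actually differs from the one already in place. Paths and the default keystore password are those from the post; the credentials file location, the function names and the firmware argument are my own.

```shell
#!/bin/bash
# Added example, not the original post's script: deploy the staged Letsencrypt
# files on the Cloud Key for either firmware generation. Paths and the default
# keystore password come from the post; CREDS, function names and the 1|2
# argument are assumptions of this example.
set -u

SHARE_HOST="${SHARE_HOST:-<ipofserver>}"   # Unraid server, as in the post
MNT=/mnt/letsencrypt
SRC="$MNT/letsencrypt/keys/letsencrypt"
CREDS=/root/.smbcredentials                 # assumed location, root-only
KS_PASS=aircontrolenterprise                # controller's default keystore password

# Write the mount.cifs credentials file so that only root can read it.
# Usage: write_cifs_credentials /root/.smbcredentials <user> <password>
write_cifs_credentials() {
    local path="$1" user="$2" pass="$3"
    ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$path" )
}

# 0 if the certificate waiting on the share differs from the installed one
# (or nothing is installed yet), 1 if identical and the work can be skipped.
cert_changed() {
    [ -f "$2" ] || return 0
    [ "$(sha256sum < "$1")" != "$(sha256sum < "$2")" ] && return 0
    return 1
}

mount_share() {
    mkdir -p "$MNT"
    mount -t cifs -o "credentials=$CREDS,ro" "//$SHARE_HOST/appdata" "$MNT"
}

# Firmware 1.x: controller keystore plus cloudkey.crt/.key and the cert.tar the
# Cloud Key restores from on boot; the same files the post installs.
deploy_gen1() {
    local d=/etc/ssl/private
    cp -a "$d/unifi.keystore.jks" "$d/unifi.keystore.jks.bak" 2>/dev/null || true
    rm -f "$d/unifi.keystore.jks" "$d/unifi.keystore.jks.md5"
    keytool -importkeystore -noprompt -deststorepass "$KS_PASS" -destkeypass "$KS_PASS" \
        -destkeystore "$d/unifi.keystore.jks" -srckeystore "$SRC/unifi.p12" \
        -srcstoretype PKCS12 -srcstorepass "$KS_PASS" -alias unifi
    cp "$SRC/fullchain.pem" "$d/cloudkey.crt"
    cp "$SRC/privkey2.pem"  "$d/cloudkey.key"
    tar -cf "$d/cert.tar" -C "$d" cloudkey.crt cloudkey.key unifi.keystore.jks
    chown root:ssl-cert "$d"/*
    chmod 640 "$d"/*
}

# Firmware 2.x: unifi-core reads the PEM pair straight from its config directory.
deploy_gen2() {
    local d=/data/unifi-core/config
    cp "$SRC/fullchain.pem" "$d/unifi-core.crt"
    cp "$SRC/privkey2.pem"  "$d/unifi-core.key"
}

# Usage: /root/letsencrypt.sh 1   (or 2 for the 2.x firmware)
main() {
    local fw="$1" installed
    case "$fw" in
        1) installed=/etc/ssl/private/cloudkey.crt ;;
        2) installed=/data/unifi-core/config/unifi-core.crt ;;
        *) echo "usage: $0 1|2" >&2; return 2 ;;
    esac
    if ! mount_share; then
        echo "mount failed, leaving the current certificate in place" >&2
        return 1
    fi
    if cert_changed "$SRC/fullchain.pem" "$installed"; then
        "deploy_gen$fw"
        echo "certificate updated; reboot (or restart the controller) to apply"
    else
        echo "certificate unchanged, nothing to do"
    fi
    umount "$MNT"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Create the credentials file once by hand (write_cifs_credentials /root/.smbcredentials <user> <password>), then point the same 0 4 * * * crontab entry at /root/letsencrypt.sh 1 or /root/letsencrypt.sh 2. Because the share is mounted read-only and unmounted again at the end, the Cloud Key never holds the Unraid share open, and a bad night (NAS down, wrong password) leaves the previous certificate untouched.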