As you may have noticed, your UDM Pro came with a self-signed certificate, which browsers don’t like much and neither do I. In this article, we are going to install Let’s Encrypt SSL certificates on it, pushed from a pfSense device by a cron job. You can replace pfSense with any other device that has crontab available.
UniFi OS doesn’t provide any built-in way to configure SSL certificates, so we have to copy them to the device and replace the stock ones ourselves. To get started, make sure you have SSH access enabled on your UDM Pro and SSH enabled on your pfSense. You will also need Let’s Encrypt certificates issued for your domain, and for this purpose we are going to use a pfSense appliance!
Before getting our hands dirty with the automation, let’s test connectivity between your pfSense and UDM Pro. SSH into your pfSense, and once inside, SSH into your UDM Pro. You will be asked to add the UniFi device to the list of known hosts; type yes and hit <Enter>. If you are daisy chaining your pfSense and UDM Pro, you have to create a firewall rule on your UDM Pro to allow SSH coming from pfSense.
Now that your pfSense and UDM Pro are acquainted, create a folder on the UDM Pro to store the certificates that pfSense’s cron job will send: run mkdir -p /root/ssl_from_pfsense. It is a good idea to back up the UDM Pro’s original certificate and key by copying them under a different name. Run cp /mnt/data/unifi-os/unifi-core/config/unifi-core.crt /mnt/data/unifi-os/unifi-core/config/unifi-core.crt.bkp and cp /mnt/data/unifi-os/unifi-core/config/unifi-core.key /mnt/data/unifi-os/unifi-core/config/unifi-core.key.bkp to back them up. Now you can exit both the pfSense and UDM Pro terminals. We are going to use the pfSense GUI for the next steps.
On your pfSense, you are going to need the cron package installed. Go to System >> Package Manager >> Available Packages, search for cron, click on the Install button and finish the process by clicking on Confirm.
Let’s create a cron job that will copy and install the new certificates on day 1 of every month at 3 am. On your pfSense, go to Services >> Cron, click on Add and fill in the new job as follows:
- Minute: 0
- Hour: 3
- Day of the month: 1
- Month of the year: *
- Day of the week: *
- User: root
- Command: ssh root@<udm_pro_ip> "rm -fv /root/ssl_from_pfsense/*"; scp /conf/acme/<certificate_name>.* root@<udm_pro_ip>:/root/ssl_from_pfsense; ssh root@<udm_pro_ip> "cd /root/ssl_from_pfsense/; cp -fv <certificate_name>.all.pem /mnt/data/unifi-os/unifi-core/config/unifi-core.crt; cp -fv <certificate_name>.key /mnt/data/unifi-os/unifi-core/config/unifi-core.key; /usr/sbin/unifi-os restart"
Make sure you replace <udm_pro_ip> with the UDM Pro’s IP address on the pfSense network, not an address on the UDM Pro’s own network, and <certificate_name> with the name your certificate has under /conf/acme on pfSense. Use plain straight quotes in the command; curly quotes pasted from a web page will break it.
Click on Save and you are done.
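The one-line command above removes the staged files and restarts UniFi OS even when the scp step has failed, and it restarts the controller every month whether or not Let’s Encrypt actually renewed anything. As an added example, not part of the original article or of pfSense, here is a small POSIX sh script that does the same deployment but only touches the live files once both copies have landed, refuses to push a certificate whose key does not match or which is about to expire, and skips the restart when the certificate is unchanged since the last run. The /conf/acme and /mnt/data paths are the ones the article uses; the STATE_DIR location, the script name, and the `run` argument are hypothetical choices of this example.

```shell
#!/bin/sh
# Added example: guarded certificate push from pfSense to a UDM Pro.
# Paths under /conf/acme and /mnt/data are from the article; STATE_DIR and
# the script's invocation are assumptions of this example.
set -u

ACME_DIR="${ACME_DIR:-/conf/acme}"
CERT_NAME="${CERT_NAME:-<certificate_name>}"     # name of the certificate in pfSense's ACME package
UDM_HOST="${UDM_HOST:-<udm_pro_ip>}"             # UDM Pro address on the pfSense network
REMOTE_STAGE="/root/ssl_from_pfsense"            # staging folder created earlier on the UDM Pro
REMOTE_CONF="/mnt/data/unifi-os/unifi-core/config"
STATE_DIR="${STATE_DIR:-/root/udm-cert-state}"   # hypothetical: copy of the last deployed cert

# check_cert_files DIR NAME -> 0 if NAME.all.pem and NAME.key exist and are non-empty
check_cert_files() {
    [ -s "$1/$2.all.pem" ] && [ -s "$1/$2.key" ]
}

# cert_changed CERT STATEFILE -> 0 if there is no record of a previous deploy
# or the certificate differs from it; a restart is only worth it on renewal.
cert_changed() {
    [ ! -f "$2" ] || ! cmp -s "$1" "$2"
}

# cert_key_match CERT KEY -> 0 if the public key in CERT equals the one derived
# from KEY (works for RSA and EC keys). Needs the openssl CLI.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

deploy_cert() {
    cert="$ACME_DIR/$CERT_NAME.all.pem"
    key="$ACME_DIR/$CERT_NAME.key"
    state="$STATE_DIR/$CERT_NAME.last.pem"

    check_cert_files "$ACME_DIR" "$CERT_NAME" || { echo "certificate files missing in $ACME_DIR" >&2; return 1; }
    cert_key_match "$cert" "$key" || { echo "certificate and key do not match, not deploying" >&2; return 1; }
    # -checkend returns non-zero if the certificate expires within the given seconds
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null || { echo "certificate expired or expiring within a day, not deploying" >&2; return 1; }
    if ! cert_changed "$cert" "$state"; then
        echo "certificate unchanged since last deploy, nothing to do"
        return 0
    fi

    # Stage both files first; the live files are replaced only if both copies
    # succeeded, and unifi-os is restarted only if both replacements succeeded.
    scp -q "$cert" "$key" "root@$UDM_HOST:$REMOTE_STAGE/" || { echo "scp to $UDM_HOST failed" >&2; return 1; }
    ssh "root@$UDM_HOST" "cd $REMOTE_STAGE \
        && cp -f $CERT_NAME.all.pem $REMOTE_CONF/unifi-core.crt \
        && cp -f $CERT_NAME.key $REMOTE_CONF/unifi-core.key \
        && /usr/sbin/unifi-os restart" || { echo "remote install failed" >&2; return 1; }

    # Remember what was deployed so the next run can skip an unnecessary restart
    mkdir -p "$STATE_DIR" && cp -f "$cert" "$state"
}

# Deploy only when invoked as: /bin/sh deploy-udm-cert.sh run
if [ "${1:-}" = "run" ]; then
    deploy_cert
fi
```

Save it on pfSense (for example as /root/deploy-udm-cert.sh, a hypothetical path) and put `/bin/sh /root/deploy-udm-cert.sh run` in the cron job's Command field instead of the one-liner; the schedule fields stay the same. Because the script exits non-zero on any failed step, the cron mail tells you exactly which step broke instead of silently leaving the UDM Pro on an old certificate.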