By - Markus Zehnle

Secure Ubiquiti UniFi Controller / CloudKey with an Let’s Encrypt certificate – The Cloudflare way

There are tons of tutorial’s out there if you’re searching for “unifi controller let’s encrypt” but none of the ones I found are suiting my needs.

My Ubnt controller runs on my raspberry pi 3 and Cloudflare is in charge of handling my DNS entries.

1. Get the Cloudflare Global API-key

Login to
Select your site then hit “Get your API key”

Scroll to “API Keys” and request the “Global API Key”

Copy your global API key and save it in your pwd-mgr or your favorite .txt file.

2. Commands on linux box

SSH into your controller:

The output of the –issue command should end with the location of your newly created cert files:

Now, integrate the newly created certs to unifi with builtin “unifi”-hook:

Let’s have a look if everything went smoothly and check the controller if there is a green “Secure” lock:

If you check the certificate it should state something like this:

WTF! The certificate is just valid for 90 days? I have to repeat all the steps above again!?
Nope! created a cronjob which is doing everything for you:

After upgrading the controller firmware make sure the cronjob is still present (crontab -l).
If not, easily install the cronjob again:

[UPDATE: 09.07.2018 22:23]
I just upgraded my Controller from 5.7.23 to 5.8.24 and the cronjob for updating the SSL cert still exists.

3 thoughts on “Secure Ubiquiti UniFi Controller / CloudKey with an Let’s Encrypt certificate – The Cloudflare way

Daniel 08-02-2019 at 14:00

Hey thanks for the article,

Everything seems to work fine though i get the following warning

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore /usr/lib/unifi/data/keystore -destkeystore /usr/lib/unifi/data/keystore -deststoretype pkcs12”.
[Fri Feb 8 04:55:00 PST 2019] Import keystore success!
[Fri Feb 8 04:55:00 PST 2019] Run reload: service unifi restart
[Fri Feb 8 04:55:44 PST 2019] Reload success!
[Fri Feb 8 04:55:44 PST 2019] Success


debian – Updating SSL Certs with PKCS12 or PEM via Bash Script – ITTone 04-05-2022 at 07:21

[…] More Clarifications The SSL auth is being done through Cloudflare using these instructions originally for Unifi. These can be used until the actual renewal.… […]


Leave a Reply

Your email address will not be published.