Using Let's Encrypt addon's generated certs with Unifi addon?

[kahuitel]

It's been several days that I'm looking into this, but I can't find out if it is possible and how to use Let's Encrypt addon's generated certs to use with :8443 WebUI access of the Unifi addon. I've read the documentation but I can't find out where to set this up.
I've been trying to add these lines in Unifi addon settinfs, but I can't get this to work :
ssl: true certfile: /ssl/fullchain.pem keyfile: /ssl/privkey.pem

Could you please give advice ?

I'm on Home Assistant supervised on Debian 11.

Thank you very much.

[sebastianlorenzen]

I'm also interested in this topic.

[baghamut]

Yes, this would be very helpful option to have

[frenck]

It will not be added, if you want to have SSL the recommendation is to terminate it using an proxy.

[ArakniD]

It is possible by altering the certificate in the keystore with keytool. You first need to prepare your certificates from lets-encrypt and create a pkcs12 file.

Let's assume you sign your certificates and have them available via scp/ssh etc.

sudo openssl pkcs12 -export -legacy -inkey /etc/letsencrypt/live/**<domain name>**/privkey.pem -in /etc/letsencrypt/live/**<domain name>**/fullchain.pem -out /etc/letsencrypt/live/**<domain name>**/unifi.p12 -name unifi -password pass:aTempPassword

scp -i <ident key> /etc/letsencrypt/live/**<domain name>**/unifi.p12 <user>@<hassio_host>:unifi.p12

On your hassio box run.

echo "*** Updating the UniFi SSL Certificates"

# Backup the keystore..
cp /usr/share/hassio/addons/data/a0d7b954_unifi/unifi/data/keystore keystore.backup

echo "*** Removing the unifi SSL certificates"

keytool -delete -alias unifi -keystore /usr/share/hassio/addons/data/a0d7b954_unifi/unifi/data/keystore -deststorepass \
aircontrolenterprise

echo "*** Addding custom SSL certificates"

keytool -importkeystore -noprompt -deststorepass aircontrolenterprise -destkeypass \
aircontrolenterprise -destkeystore /usr/share/hassio/addons/data/a0d7b954_unifi/unifi/data/keystore -srckeystore \
ubnt.p12 -srcstoretype pkcs12 -srcstorepass aTempPassword -alias unifi

FWIW the old CloudKey method is below

#Below applies the certifice to an old ubnt gateway
# Start stop the services

echo "*** Restarting the web services"
service nginx stop

rm /etc/ssl/private/cloudkey.crt
rm /etc/ssl/private/cloudkey.key
cp /root/privkey.pem /etc/ssl/private/cloudkey.key
cp /root/fullchain.pem /etc/ssl/private/cloudkey.crt

service nginx start
service unifi restart

echo "*** Complete"

For bonus points add these scripts to your renewal-hooks/deploy and automate it.

Enjoy