Definitive Guide to Hosted UniFi 2021

Update/Release notes:

*** Guide created 1/20/2021 – I will keep this up to date as packages/versions change!

This is the Definitive Guide to Hosted UniFi – NEW for 2021.  In this guide, we will set up a UniFi controller running on an Ubuntu 20.04 hosted server using Vultr (I have confirmed that all of these steps work fine on Digital Ocean as well, but Vultr will be our example in this guide), walking through some best-practice security settings such as SSH key authentication, installing UniFi, and finally setting up Let’s Encrypt.

The first thing you need for this guide is an account set up with Vultr (or Digital Ocean) – if you click on the Vultr link below, you can sign up using my referral code which gets me a few bucks for the referral – thanks!

SPECIAL OFFER!  With my Vultr link – you currently get $100.00 FREE CREDIT towards your virtual servers for signing up!  Click the Vultr logo below or use this link:  https://www.vultr.com/?ref=8473585-6G

*** NOTE:  As I said, the rest of this document will be focused on a Vultr install.  I will be keeping this guide up to date periodically as things change with the setup – check back if you ever find that something isn’t working, and comment below if you have any trouble with any of the steps!

Also – here’s a Digital Ocean referral link if that floats your boat (pun intended):  https://m.do.co/c/6de2bc2df3b8

If you’re already signed up with Vultr and/or Digital Ocean, but you still appreciate the work that went into this guide – you can always:

Part 1 – Install Vultr Virtual Server

Log into Vultr and get to the main dashboard (it should say ‘Products’).  Click the blue circled ‘+’ symbol in the upper right.  This will bring you to the new server setup page.

When you get the ‘Deploy New Instance’ screen, make sure ‘Cloud Compute’ is selected.

Next, select your location.  Pick whichever data center you want – I however, tend to choose the data center closest to my (or my client’s) geographic location.  In this case, I’m going to pick Seattle.

For Server Type, make sure ’64 bit OS’ is selected, and then click on Ubuntu and choose ‘20.04 x64’ from the drop-down.

Next, select your server size.  UniFi will run on anything in the $5.00/month size or higher.  For testing purposes, or for a production server with only a few sites, the $5.00/month tier is fine.

Next, you can select any options (Auto Backups are highly recommended for a production server).

Finally, give your server a hostname.  The hostname should be something like unifi.company.com.  For our demo, we’re going to use unifi2021.crosstalksolutions.com.  This step is NOT optional – using an FQDN as the inform address for your UniFi equipment is best practice, because it lets you migrate the controller later on without much trouble.  In addition, Let’s Encrypt is going to depend on this DNS name as well.  Startup script and SSH Keys can be left blank, as we don’t have any startup scripts, and the SSH keys will be created as part of this process.

Click ‘Deploy Now’ and you’re off to the races!  You are taken back to the server summary screen.  It will take 1-2 minutes for the server to spin up, so be patient.  Once the ‘Status’ changes from ‘Installing’ to ‘Running,’ you should wait about another 30 seconds, and then you’re good to go.  Click on the name of your server to see its detail screen.

Once the server is in a ‘Running’ state, you’ll see your IP address.  Copy or make note of that IP address – we’re going to use it to create our DNS A record in the next step.  You’ll also want to make note of or copy your default root password.  (We will change that password immediately upon logging in).  You can show the password by clicking the ‘eye’ icon, or simply copy it to your clipboard by clicking the copy icon.

Part 2 – Create DNS A Record

Since you now know your IP address, you should log into your DNS hosting provider or DNS server and create a new A record that points the hostname that you created in Step 1 to the IP address of your Vultr server. This will be needed in the future when we create the secure SSL certificate for the UniFi Controller, as well as for the Let’s Encrypt SSL certificate.

Part 3 – Log into your new server

At this point, you should have your Vultr username (root) and password from the server details.  Copy the password to your clipboard and then open up PuTTY.

Enter in the IP address or hostname of your server and then click ‘Open.’

PuTTY will open up a terminal window and first ask you if you want to accept the new host (click ‘YES’).  Then you will be given a login prompt.  Use the information from the Vultr server properties:

User:  root
Password:  (the password from the Vultr server properties – you can do SHIFT+INS or right-click to paste it in)

The very first thing that you should do is change your root password.

passwd root

You will be asked to enter your root password twice – make sure it is a STRONG password.  We will be disabling root access to this box later in this guide, but you will still need to know the root password in order to run sudo commands.

Part 4 – Create New User

Most Linux machines in the world have root as the default user.  The first line of defense is to create a separate login account with the same privileges and then disable root.

Start by creating a new user – for simplicity, for this exercise, our username will be ‘unifiadmin‘:

adduser unifiadmin

This command will have you set a password for the new user, and you can also optionally enter in some additional information such as their real name and contact info.

Next give root (sudo group) privileges to the newly created user:

usermod -aG sudo unifiadmin

This new user will now be able to use the ‘sudo’ command to run commands as root.

At this point, we have created our new user, but we haven’t yet disabled root – we will do that in a moment.  First, we will enable private key authentication as a second line of defense.

Part 5 – Create Public/Private Key Pair

Let’s now create our public and private key pair.  The public key lives on the server, and the private key will be used to unlock access from any device that needs it.

ssh-keygen

When asked where to put the file, take the default.  You can choose whether or not to enter in a passphrase – having a passphrase means that you need both the private key and passphrase to gain access.  It provides an additional layer of security.

Once your keys have been created, you will find them in /home/root/.ssh – there should be id_rsa (private key) and id_rsa.pub (public key) files in that directory.

Next, we need to copy that key to the newly created user’s account:

ssh-copy-id unifiadmin@[server IP]

Choose ‘yes’ when asked if you want to continue, and enter unifiadmin’s password when prompted.

This command will copy the public key to the unifiadmin user’s ~/.ssh directory as an authorized_keys file.  You can now use the private key to authenticate with this server as user unifiadmin.

Part 6 – Secure SSH Settings

The next step is to modify the SSH settings to disable both root login and password authentication.  Start by editing the SSH configuration file:

nano -w /etc/ssh/sshd_config

Now scroll down until you find the line that says:

PermitRootLogin yes

And change ‘yes’ to ‘no’:

PermitRootLogin no

This disables root user login.  Next scroll down further and find:

PasswordAuthentication yes

And again change ‘yes’ to ‘no’:

PasswordAuthentication no

This disables password based authentication.  (Private key authentication should already be enabled by default – you can verify this by ensuring that PubkeyAuthentication is set to ‘yes’ in the SSH config file).

Press CTRL+X followed by ‘Y’ and ‘Enter’ to save and exit.

*** NOTE:  This next command commits these changes.  If you lose connectivity because you made any mistakes, you should just destroy the Vultr server and start over.  ALSO – keep this original PuTTY session open as you go through the next few steps…even after we restart SSH, this session will still be connected, so if you can’t connect in with the private key, you still have the opportunity to make changes.

Restart SSH with:

sudo systemctl reload sshd

Part 7 – Download Private Key File

Now we need to download our private key file.  Start by showing the contents of the id_rsa file:

cat ~/.ssh/id_rsa

Select the entire contents of the file with your mouse and press CTRL+INS to copy the text to your clipboard.

Next, open up a text editor such as Notepad and paste the entire block of text into a blank file.  Save this file in a secure location.

Once saved, you can delete the id_rsa file from the server (though, you should probably test connectivity first if this is your first time making these changes):

rm ~/.ssh/id_rsa

Part 8 – Convert Private Key to PuTTY format

Before you can use your private key with PuTTY, you need to convert it to .PPK format.  To do this, we’ll use another free program from the creators of PuTTY called PuTTYgen (you can download it from the same link as PuTTY above).

First, run PuTTYgen and click the ‘Load’ button.  Browse to the private key file that you saved in step 7.  When browsing for your private key, change the file type you are searching for from ‘PuTTY Private Key Files (*.ppk)’ to ‘All Files (*.*).’

Open your private key file, and you should receive a notice that the private key was successfully imported.  Click OK to get off of this notification.

Now, click the ‘Save private key’ button and save your private key as a .ppk file (I usually just use the same directory that I used to save the original private key).  You can now close PuTTYgen.

Part 9 – Log in as New User

Start a new PuTTY session – you can do this from the existing window by clicking the PuTTY icon in the upper left-hand corner and choosing ‘New Session.’

In the PuTTY window, enter the hostname of the server in the Host Name field.

Then, in the left-hand menu, expand the ‘SSH’ section underneath ‘Connection.’  Then click on ‘Auth.’  Here you will see a place to browse to your PuTTY .PPK private key file.  Click ‘Browse…’ and find the .PPK file we created in step 8.

Once you have the file loaded, click back on ‘Session’ at the top of the left-hand menu.

If you want to SAVE these connection details, you should now enter a friendly name into the ‘Saved Sessions’ box and click the ‘Save’ button.

Now click ‘Open,’ and you should get a ‘Login as:’ prompt.  Enter in the name of the user that you created in Part 4 (in our case, it was unifiadmin) and you should now connect to the server.  If you have a passphrase on your private key pair, you will also be prompted for that passphrase.

Part 10 – Change SSH port

Now that we can log in with our secure key, let’s take our SSH security even further by changing the default SSH port from 22 to something non-standard.

Edit the SSH config file again with:

sudo nano -w /etc/ssh/sshd_config

Find the line that says:

Port 22

And change it to:

Port [different port number]

You can use any port number for your SSH connection, but I typically use port 2222 when I change to something non-standard.  CTRL+X followed by ‘Y’ and ‘Enter’ to save and exit Nano.

Restart SSH again with:

sudo systemctl reload sshd

Next, let’s start a new PuTTY session using all of the same settings from Part 9, but this time also change the port to whichever port you changed SSH to.  In our case, it was port 2222.  If you previously saved your PuTTY session, you should save it again with the new port number.
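The Part 6 and Part 10 edits can also be applied with a small script instead of by hand in nano, which makes them repeatable and lets you verify the result before reloading sshd. The following is an added example, not part of the original guide. It takes the config file path as an argument, so you can try it on a copy first; it handles the case one commenter ran into, where the ‘Port 22’ line is commented out by default (‘#Port 22’) and is ignored by sshd until the leading ‘#’ is removed; and the apply_live function only reloads sshd if ‘sshd -t’ accepts the new file. The sample sshd_config lines at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the Part 6 / Part 10
# sshd_config settings with sed and verify them, instead of hand-editing in nano.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY ..." line, or a commented-out "#KEY ..." line, as
# "KEY VALUE"; appends the line when KEY is not present at all. The commented
# case matters: Ubuntu 20.04 ships "#Port 22", and sshd ignores a commented line.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# harden_sshd_config FILE PORT: the settings the guide changes or checks
harden_sshd_config() {
  local cfg="$1" port="$2"
  set_sshd_option "$cfg" PermitRootLogin no
  set_sshd_option "$cfg" PasswordAuthentication no
  set_sshd_option "$cfg" PubkeyAuthentication yes
  set_sshd_option "$cfg" Port "$port"
}

# get_sshd_option FILE KEY: print the effective (uncommented) value of KEY
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# apply_live PORT: run as root on the real server. Keeps a dated backup and
# reloads sshd only if "sshd -t" validates the new file. Keep your existing
# PuTTY session open while doing this, as the guide says. Not run by the demo.
apply_live() {
  cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
  harden_sshd_config /etc/ssh/sshd_config "$1"
  sshd -t && systemctl reload sshd
}

# Demo on a constructed sample that mirrors the Ubuntu 20.04 defaults.
demo_file=$(mktemp)
printf '%s\n' '#Port 22' '#PermitRootLogin prohibit-password' \
  'PasswordAuthentication yes' '#PubkeyAuthentication yes' > "$demo_file"
harden_sshd_config "$demo_file" 2222
echo "Port=$(get_sshd_option "$demo_file" Port)" \
  "PermitRootLogin=$(get_sshd_option "$demo_file" PermitRootLogin)" \
  "PasswordAuthentication=$(get_sshd_option "$demo_file" PasswordAuthentication)"
rm -f "$demo_file"
```

Running it as root with ‘apply_live 2222’ after sourcing the functions does the real edit; if ‘sshd -t’ reports an error, sshd is not reloaded and the backup copy is still there to restore from.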

Part 11 – Enable UFW Firewall

At this point, we have now secured our SSH connection pretty well.  Now, let’s secure our server even more by using some firewall rules to lock everything down.

Ubuntu ships with the UFW firewall, but it is not enabled by default.  First, we are going to add all of the firewall rules that we need to connect to UniFi, and then we will turn it on.

First, let’s allow our new SSH port and lock it down so that connections to this port are only allowed from our IP address:

sudo ufw allow from [IP address] to any port [SSH port number]

In this example, if your IP address is 1.2.3.4, and your SSH port is 2222, the command should be:

sudo ufw allow from 1.2.3.4 to any port 2222

Let’s also add a rule for Cockpit – which is an optional server monitoring GUI (don’t add this rule if you don’t plan on running Cockpit – it is optional…more info on Cockpit in Part 16 below):

sudo ufw allow from 1.2.3.4 to any port 9090

Once again, substitute 1.2.3.4 with your own IP address.

Next, let’s open up access to the UniFi GUI.  Important note here – you don’t actually HAVE to open up this port to the outside world if you are instead using Ubiquiti’s Single Sign On (SSO) account to access your UniFi Controller through https://unifi.ubnt.com.  BUT – you will have to use this port at least once to enable cloud access in UniFi.  You can either wait to do your firewall rules until after cloud access has been enabled, or you can disable this rule afterwards.

sudo ufw allow from 1.2.3.4 to any port 8443

Next, there are a couple of ports that we need open to the whole wide world.  These are the STUN port and the UniFi inform port:

sudo ufw allow 3478/udp
sudo ufw allow 8080

Note that the STUN port running on 3478 is UDP.

If you are going to be using a guest portal with UniFi, you will also want to open these ports:

sudo ufw allow 8880
sudo ufw allow 8843

We’re also going to need to open up ports 80 and 443 for Let’s Encrypt.  If anyone browses directly to those services, they will get a connection refused response.

sudo ufw allow 80
sudo ufw allow 443

At this point, we will now turn on our UFW firewall and take a look at the rules that we created.

sudo ufw enable

When prompted whether or not to proceed, choose yes.

Let’s take a look at our rules:

sudo ufw status

You should see something similar to this (note that I did not add the ports for guest portal access in my example):

The firewall is now running, and if you test your PuTTY connection again, you should still be able to connect.  But – if you test connecting in on the standard SSH port 22, you will not be able to connect.

Part 12 – Update Server

Now that access to the server is secured, let’s run our system updates.

sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y

It’s possible that no updates will be needed, but if you are asked whether or not to proceed on any of these steps, just answer Y.

Once the updates are done, let’s give the server a reboot:

sudo reboot

The server should only take about 2 minutes to reboot, and then you can reconnect.

Part 13 – Configure Time Zone

Set up your Time Zone by running:

sudo dpkg-reconfigure tzdata

A pink bordered window will appear – select your geographic area (use America for United States) and then select your city/time zone from the list.  You can press TAB, arrow keys, and SPACE to move around these screens and make selections.

Once your time zone has been selected, press OK, and you’re done with Part 13.

Part 14 – Install NTP

Next we will install NTP (Network Time Protocol).  Run the following commands:

sudo apt update && sudo apt install ntp -y

Once installed, make sure the NTP service has started by running:

service ntp status

You should see that NTP is ‘active (running)’ in green text.  If you type:

date

Your local time should show correctly.

Part 15 – Set Up a Swap File

Setting up a swap file is completely optional – I have had some folks tell me that it isn’t necessary, and others tell me that performance is much improved when a swapfile is configured.  The truth probably lies somewhere in the middle, but I tend to set up a swapfile anyway – I have never noticed a decrease in performance by setting this up, so what’s the harm?

Run the following commands to create and use a swap file.

sudo fallocate -l 4G /swapfile

The ‘fallocate’ command creates a file of a specific size – in this case we’re creating a 4GB file called ‘swapfile.’

sudo chmod 600 /swapfile

Sets permissions on the swap file that we just created.

sudo mkswap /swapfile

Formats the /swapfile for use as a swap file.

sudo swapon /swapfile

Tells the server to start using that file as swap space.

Finally, we need to make sure that the swap file turns on every time we reboot the server.  Run the following command to add the swap file information to the /etc/fstab file:

sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'

To verify that the command worked, type:

cat /etc/fstab

and look for a line (at the bottom of the file) that says:

/swapfile none swap sw 0 0

If that line exists in the /etc/fstab file, you’re all good.
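One thing to watch with the fstab step is that ‘echo … >> /etc/fstab’ appends another copy of the line every time it is run, so re-running the guide (or a provisioning script built from it) leaves duplicate swap entries. The following is an added example, not part of the original guide: a re-runnable version of Part 15 that only adds the fstab line when no active /swapfile entry exists, and whose setup_swapfile function skips each step that has already been done. The fstab contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): an idempotent version of Part 15.
set -eu

SWAP_LINE='/swapfile none swap sw 0 0'

# count_swap_entries FSTAB: number of uncommented /swapfile lines (0 or 1 expected)
count_swap_entries() {
  grep -Ec '^[[:space:]]*/swapfile[[:space:]]' "$1" || true
}

# ensure_fstab_entry FSTAB: append SWAP_LINE only if no active entry is present
ensure_fstab_entry() {
  if [ "$(count_swap_entries "$1")" -eq 0 ]; then
    printf '%s\n' "$SWAP_LINE" >> "$1"
  fi
}

# setup_swapfile [SIZE]: the guide's four commands plus the fstab line, each
# skipped when already done. Run as root on the server; not run by the demo.
setup_swapfile() {
  local size="${1:-4G}"
  [ -f /swapfile ] || fallocate -l "$size" /swapfile
  chmod 600 /swapfile
  # blkid reports TYPE=swap once mkswap has formatted the file
  blkid -p -o value -s TYPE /swapfile 2>/dev/null | grep -qx swap || mkswap /swapfile
  # swapon --show lists active swap devices; only activate if not already listed
  swapon --show=NAME --noheadings | grep -qx /swapfile || swapon /swapfile
  ensure_fstab_entry /etc/fstab
  swapon --show   # verification: /swapfile should appear with TYPE "file"
}

# Demo on a constructed fstab: a commented-out entry does not count as active,
# and calling ensure_fstab_entry twice still yields exactly one entry.
demo_fstab=$(mktemp)
printf '%s\n' 'UUID=0000-CONSTRUCTED / ext4 defaults 0 1' \
  '#/swapfile none swap sw 0 0' > "$demo_fstab"
ensure_fstab_entry "$demo_fstab"
ensure_fstab_entry "$demo_fstab"
echo "active /swapfile entries: $(count_swap_entries "$demo_fstab")"
rm -f "$demo_fstab"
```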

Part 16 – Install Misc. Programs

Now, we’re going to install two misc. programs to improve our installation.  Both are recommended, but completely optional.

The first is Cockpit – Cockpit is a system monitoring software for viewing CPU/RAM/Disk space.  You can read more about Cockpit here:  https://cockpit-project.org/

Install Cockpit by running:

sudo apt install cockpit -y

Once installed, you should be able to browse to https://[server IP or FQDN]:9090.  Log in with the credentials you created in Part 4.

Next, we’ll install haveged.  Haveged is an entropy daemon (random number generator) for Linux, and it has historically helped to speed up UniFi’s start-up.

sudo apt install haveged -y

Once finished, we’re all done with the optional programs.

Part 17 – Set up autoremove

As you run updates to your server, older versions of the Linux kernel are no longer needed, and they can potentially fill up your boot volume.  To prevent this from happening, we can run:

sudo apt autoremove -y

(Go ahead and run this now.)  This clears out older versions that are no longer necessary, but the command should also be scheduled to run on a regular basis.  To do this, run:

sudo sh -c 'echo "sudo apt autoremove -y" >> /etc/cron.monthly/autoremove'

This creates a new file called ‘autoremove’ in the /etc/cron.monthly directory which will automatically run once a month – but in order to run, this file must be made executable:

sudo chmod +x /etc/cron.monthly/autoremove

Now we’re good to go.

Part 18 – Install OpenJDK-8 (Java)

Install OpenJDK-8

sudo apt update && sudo apt install openjdk-8-jdk -y

That’s it.

Part 19 – Install UniFi

Finally, we’re going to install UniFi.  There are a few different ways to download and install UniFi, but for me, the easiest way to install and maintain the UniFi package is to use apt, so that is what we will do in our example.

First, we need to add an apt source for UniFi.  To do this, run the following commands:

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg

These commands set up the apt repository for UniFi and install its trusted GPG key.  Now let’s install UniFi:

sudo apt update && sudo apt install unifi -y

You should now have installed the latest stable version of UniFi, which is version 6.0.43 as of the writing of this article.

Part 20 – UniFi Setup Wizard

Next, we need to go through the UniFi Setup Wizard.

Open a browser and connect to https://[server IP or FQDN]:8443.  Note that this URL should ONLY be available to the WAN IP that you set up in Part 11.

Your browser will show a warning that the site may be unsafe.  This is because we have not yet installed our secure SSL certificate.  Click through the warning.

For Step 1 of the UniFi Setup Wizard, set the name of your controller, and select the box to agree to the terms of service.  If you need to restore a UniFi backup file, this is where you can select that option.  Click ‘Next’ to move to Step 2.

For Step 2 – this is where you can sign in with your Ubiquiti SSO (Single Sign-on) account.  Alternatively, if you would like to run your UniFi Controller locally without connecting out to the UniFi.UI.com cloud services, you can click ‘Switch to Advanced Setup’ to disable remote access and create local authentication credentials.  For the purposes of this documentation, we are going to assume that you are using your Ubiquiti SSO account for authentication.  Once you have entered your credentials, click ‘Next’ to get to Step 3.

The next step allows you to choose whether you would like the UniFi Controller to automatically optimize your network.  It is OK to leave this on – you can always change your settings later.  I also recommend enabling ‘Auto Backup’ – but keep in mind that the Auto Backups write to the local hosted machine.  You will still need to download these backups in order to save a copy in case the server crashes.  Click ‘Next’ to move onto Step 4.

There should be no devices detected in Step 4 since this is a hosted controller – this step is typically used for local controllers where there already may be devices pending adoption on the LAN.

Step 5 allows you to add a wireless network.  For our purposes however, we are going to click ‘Skip’ since this post does not deal with actual UniFi setup (see one of my many YouTube videos for that).  However, if you would like to create your first wireless SSID and password, you can do so here.

Step 6 allows you to verify your previous settings (click ‘Back’ if you want to change anything), and also allows you to set up your time zone which it pulls from the server.  Since we set up the server time zone in Part 13, it should be set correctly already.  Click ‘Finish’ to complete the setup.

You will see a screen that is ‘Configuring the UniFi Network Controller’ and then you will be dropped into the UniFi dashboard.

But we’re not done yet!!

Part 21 – Set Up Let’s Encrypt

We’re going to set up Let’s Encrypt for secure HTTPS communication with the server (and to get rid of those pesky security screens when we browse to UniFi).  We’re going to use Certbot to set up Let’s Encrypt – this will help to automate the entire process.

Install Certbot and Apache connector:

sudo apt update && sudo apt install certbot python3-certbot-apache -y

Now Certbot is installed, so the next step is to generate our SSL certificate.

sudo certbot --apache -d unifi2021.crosstalksolutions.com

Substitute your own FQDN instead of unifi2021.crosstalksolutions.com.  When prompted, enter in an email address for use with the SSL cert.  Then press A to Agree when prompted followed by Y or N to share your email address with the Electronic Frontier Foundation (I said N).  Next you will be asked if you want to redirect all HTTP traffic to HTTPS – choose option 2.  Your Let’s Encrypt certificate has now been installed.

Next, we need to import that SSL certificate into UniFi – or in other words, we have to tell UniFi to use the Let’s Encrypt certificate.

A developer named Steve Jenkins created a really great script that automates the rest of the process, making it super easy.  So, thanks to Steve, and let’s download his script and modify a few settings.

sudo wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh -O /usr/local/bin/unifi_ssl_import.sh

sudo chmod +x /usr/local/bin/unifi_ssl_import.sh

Next, edit the /usr/local/bin/unifi_ssl_import.sh file that we just downloaded:

sudo nano -w /usr/local/bin/unifi_ssl_import.sh

Find the line that says ‘UNIFI_HOSTNAME’ and change it to your own FQDN:

UNIFI_HOSTNAME=unifi2021.crosstalksolutions.com

Next, since we are on an Ubuntu Vultr server instead of a RedHat-based distribution (which the script was written for), we need to comment out the RedHat lines and uncomment the Debian/Ubuntu lines:

# Uncomment following three lines for Fedora/RedHat/CentOS
#UNIFI_DIR=/opt/UniFi
#JAVA_DIR=${UNIFI_DIR}
#KEYSTORE=${UNIFI_DIR}/data/keystore

# Uncomment following three lines for Debian/Ubuntu
UNIFI_DIR=/var/lib/unifi
JAVA_DIR=/usr/lib/unifi
KEYSTORE=${UNIFI_DIR}/keystore

Next, enable Let’s Encrypt mode (change LE_MODE=no to LE_MODE=yes):

LE_MODE=yes
LE_LIVE_DIR=/etc/letsencrypt/live

Save and exit nano by doing CTRL+X followed by Y.

Finally, run the script!

sudo /usr/local/bin/unifi_ssl_import.sh

If you now close your browser and then re-open it to https://[your UniFi FQDN]:8443, you should no longer get the security warnings – a valid HTTPS certificate is now installed.

This is excellent – BUT – every time certbot automatically renews your Let’s Encrypt certificate, it has to be re-imported into UniFi.  So we need to run this same command on a regular basis.  To do so, we’re going to create a small script and put it into the /etc/cron.daily folder.

sudo nano -w /etc/cron.daily/unifi_ssl_import

Add these lines to the file:

#!/bin/bash
/usr/local/bin/unifi_ssl_import.sh

CTRL+X followed by Y to save and exit.

Now we need to set the ownership and permissions on the file so that it is owned by root and executable.

sudo chown root:root /etc/cron.daily/unifi_ssl_import

sudo chmod +x /etc/cron.daily/unifi_ssl_import

Let’s test this certificate further by running it against an SSL Server Test from SSLLabs.com.  Open the following URL in your browser:

https://www.ssllabs.com/ssltest/analyze.html?d=unifi2021.crosstalksolutions.com&latest

Substitute your own FQDN for mine.  This test takes a couple of minutes to run, but when complete, it should verify that everything is A-OK.

Finally, when it comes to Let’s Encrypt certificate renewals, Certbot handles this automatically.  You can verify this by checking out the cron file that Certbot created in /etc/cron.d:

cat /etc/cron.d/certbot

This will give you some info about the renewal process and let you know that it will try to renew the cert twice daily, which is really overkill since the certificate is good for 90 days.

If you want to test the certificate renewal process to make sure everything will renew properly, run the following command:

sudo certbot renew --dry-run

This will simulate the renewal process and you should see a ‘Congratulations all renewals succeeded’ message when complete assuming everything went OK.
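The daily cron job above re-runs the import script whether or not the certificate changed. Certbot also supports deploy hooks: any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ is run after a successful renewal, with the renewed names passed in the RENEWED_DOMAINS environment variable (space separated) and the certificate directory in RENEWED_LINEAGE. The following is an added example, not part of the original guide or of Steve Jenkins’ script: a hook that runs the import only when the controller’s own certificate was renewed, plus a check_served_cert function that shows what the controller is actually serving on 8443 (issuer and validity dates), which is a quicker local version of the SSL Labs check above. UNIFI_HOSTNAME defaults to the guide’s example FQDN and IMPORT_SCRIPT to the path the guide downloads the script to; both are assumptions you would change for your own server.

```shell
#!/bin/sh
# Added example (not from the original guide): a certbot deploy hook that
# imports the renewed certificate into UniFi only when the controller's own
# certificate was renewed. Install as an executable file in
# /etc/letsencrypt/renewal-hooks/deploy/ (for example, "unifi").
set -eu

# Assumed values: override via the environment or edit for your server.
UNIFI_HOSTNAME="${UNIFI_HOSTNAME:-unifi2021.crosstalksolutions.com}"
IMPORT_SCRIPT="${IMPORT_SCRIPT:-/usr/local/bin/unifi_ssl_import.sh}"

# renewed_domains_contain HOST DOMAINS: true if HOST is one of the
# space-separated names in DOMAINS (the format certbot uses for RENEWED_DOMAINS)
renewed_domains_contain() {
  local host="$1" d
  for d in $2; do
    [ "$d" = "$host" ] && return 0
  done
  return 1
}

# run_hook: the entry point certbot calls. Returns 0 when there is nothing to
# do; otherwise returns the import script's exit status so a failed import
# shows up in certbot's log.
run_hook() {
  local domains="${RENEWED_DOMAINS:-}"
  if ! renewed_domains_contain "$UNIFI_HOSTNAME" "$domains"; then
    echo "deploy hook: renewal for '$domains' does not include $UNIFI_HOSTNAME, skipping" >&2
    return 0
  fi
  echo "deploy hook: $UNIFI_HOSTNAME renewed, importing into UniFi" >&2
  "$IMPORT_SCRIPT"
}

# check_served_cert HOST [PORT]: print issuer, subject and validity dates of
# the certificate the controller presents on PORT. Needs network access, so
# it is not run here; use it after the import to confirm the Let's Encrypt
# certificate (not the self-signed one) is what clients see.
check_served_cert() {
  local host="$1" port="${2:-8443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -subject -dates
}

# certbot invokes the hook with no arguments. Run by hand (RENEWED_DOMAINS
# unset) it simply logs that there was nothing to import.
run_hook
```

With the hook in place, ‘sudo certbot renew’ triggers the import at the moment a new certificate lands, rather than up to a day later, and the daily cron entry becomes unnecessary.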

Part 22 – Buy Chris a Beer!

Conclusion

Well, that’s it – the Definitive Guide to Hosted UniFi.  If you have any questions, comments, updates, or suggestions on how this process can be made even more definitive, put those in the comments below.  A ton of work went into the creation of this document – please subscribe to the Crosstalk Solutions YouTube page, and use our referral links for Vultr and/or Digital Ocean if you appreciate the effort!  Also, we do full network deployment projects for businesses if you are interested in those services – be sure to click ‘Contact’ above to get in touch with us – thanks!

-Chris

Did you enjoy this guide?  We would love to hear your feedback – if you have any suggestions for improvements, corrections, or any other suggestions, post a comment below!

Comments 86

    1. You just run the command
      sudo apt upgrade -y

      The updates are in the repository. Aside from that if you want to see what will be updating you can run
      sudo apt update
      run that before you upgrade to see what all will get upgraded.

  1. What about making a revised and complete install of the UDM Pro, lan, IoT, NoT and firewall rules. That would be awesome to see with the new interface!

  2. I think an extension to this guide would be how to update to Ubuntu 20.04 if you used the old guide which recommended Ubuntu 16.04. I am assuming that those previous users just need to update from 16.04 to 18.04 to 20.04 on Digital Ocean or Vultr.

    That would save a few hours of Googling lol

    1. I came here hoping for the same. I built my controller on the previous guide, and I am NOT a frequent user of Linux. I can figure most things out, but I’d love to have a streamlined guide on the upgrade process to avoid screwing it up.

  3. I have heard there is a way to put either Apache or Nginx to reverse proxy Cockpit with a Let’s Encrypt Certificate? Are you familiar with such a procedure?

    1. Using info here: https://ryan.lovelett.me/posts/letsencrypt-cockpit/

      I created the file: /etc/letsencrypt/renewal-hooks/post/001-restart-cockpit.sh

      With the provided contents, replacing ‘$FQDN’ with my FQDN for the instance and removing the ‘chown’ statement:

      ——————————————————————————–
      #!/usr/bin/env bash

      echo "SSL certificates renewed"

      cp /etc/letsencrypt/live/$FQDN/fullchain.pem /etc/cockpit/ws-certs.d/$FQDN.crt
      cp /etc/letsencrypt/live/$FQDN/privkey.pem /etc/cockpit/ws-certs.d/$FQDN.key

      echo "Restarting Cockpit"
      systemctl restart cockpit
      ——————————————————————————–

      Then ran the script (after chmod +x /etc/letsencrypt/renewal-hooks/post/001-restart-cockpit.sh) as root and Cockpit now uses my LetsEncrypt certificate

  4. Thanks for the guide, Chris!

    On Part 21 – Set Up Let’s Encrypt, I propose some improvements:

    You use a separate cronfile that calls /usr/local/bin/unifi_ssl_import.sh (Steve’s script)
    But most of the times, Steve’s script will do nothing (but maybe causing log entries), as it figures out the LE certificate is not changed/renewed.

    I simply place a symbolic link to Steve’s script in the letsencrypt renewal-hook dir , as stated in https://certbot.eff.org/docs/using.html?highlight=hook#pre-and-post-validation-hooks


    ln -s /usr/local/bin/unifi_ssl_import.sh /etc/letsencrypt/renewal-hooks/deploy/01-unifi_ssl_import

    This way a renewal of LE certificates will instantly be worked through (by the script) to Unifi.
    Even in the event a manual / forced renewal is done.

    Greetz,

    Bart Koppers

  5. Hello Chris,

    Long time fan/follower here. I just wanted to stop by and say thank you very much for your hard work and dedication to the community. I know that putting this together took a lot of time and effort. I was able to successfully follow your instructions without running into a single issue. I used your referral link. I hope that little bit helps.

    Thanks again Sir, you Rock!

  6. Hi Chris! Great post! I really appreciated it. One question I have, is there a simple way to use the Let’s Encrypt cert for cockpit as well? Thanks.

  7. This is why you are the top on YouTube for Unifi video !

    One question, you showed going thru the Unifi and at the end of the process – no devices were found. Which is normal since there were no devices . But if this is going to be a setup for a remote site – how do you add the devices that site has and will be using.

    Sorry if I am confused about this.

    1. I would suggest you set up a controller on site with the equipment you wish to use ( At least the router – ie USG or Gateway 4 Pro). Then migrate your site to your cloud site. All devices added to the network after that will be recognised as pending adoption.

      Maybe Chris can assist with how we adopt the UDM-Pro to our cloud site? I was able to adopt all switches and access points but not the UDM-Pro itself. Thanks a million though!

    1. Hi Chris, thank you so much for this. It is indeed a definitive guide. Everything worked perfectly as you said. I had some trouble initially but that was due to some unnoticed error on my part. I had to reinstall the server more than once before I was able to get it.
      I had never configured a server before. It gave me so much joy when it finally worked.

      I really wanted to buy you a beer because I’m so grateful for the help. It’s quite unfortunate that I can’t because PayPal doesn’t work in my country. I don’t know any other way to show my gratitude.

      I’m posting this so that you know that your post was very helpful to me and I’m really grateful you put out this great content for people like me.

      Thank you very much and God bless you.

      1. Ike, that’s awesome. There’s nothing quite like the feeling of configuring your first server. I got you covered on the beer. Just make sure to pay it forward.

        Chris, thanks for all the great content over the years. Enjoy a couple of beers!

  8. Worked like a charm and easy to follow! You are a great teacher and I enjoy your tutorials and instructions. Since I set this up officially for non-profits (our church and my wilderness ministry for folks in recovery) I can’t “officially” give you a beer. However, a donation is headed your way and what you use it for… well… what I don’t hear, I don’t know! Thanks so much!

  9. Hey, just a little tip… on the part where you change the port number from the default of Port 22 to something unique, you may want to add the little detail of uncommenting the line. It’s commented by default and I somehow missed that. I did figure it out fairly quickly but folks that are new to editing in the console could miss it.

  10. Assessment failed: Unable to connect to the server:

    I’m getting the above message when I test the cert, any suggestion on what may be the issue? My controller seems to be working fine though.

  11. Awesome tutorial! What’s the best way to set up the firewall when I don’t have a static IP address? Starlink isn’t able to issue them until IPv6 comes around. For now, I’ve skipped the firewall rule that only allows access from my WAN IP. This is a home network.

    1. Look into dynamic DNS (DDNS) and it should provide for a dynamically assigned IP address to your host name. So you use a host name in the FW rules. The host name maps to your IP address. When using DDNS, your IP changes and the DDNS service updates that change to your hostname. Voila!

  12. Hello Chris,

    Thanks for the tutorial, it’s easy to follow, especially for someone like me who has never done this ever. I did not get any error messages in the process. However, when I use my public IP the site does not resolve. I think it has to do with the DNS, because I did not do step 2: when it says “you should log into your DNS hosting provider or DNS server and create a new A record that points the hostname that you created in Step 1”, I’m not sure who the DNS provider is. How do I create a DNS record, or who do I create the DNS record with, I should say? Also, am I supposed to purchase a domain with another vendor like GoDaddy? Or is the droplet the domain itself? Can I use a public DNS server, and if so can I add a record to that?
    I can ping the public IP for the droplet so I know it is online, but I’m stuck in trying to access the controller online via https://FQDN:8443 or https://Public IP:8443.
    Thanks.

      1. Hi Manuel. To solve the problem you need to buy a domain and add an “A record” (search on Google) to the DNS records at your domain administrator (usually on the portal where you buy the domain) so that the domain you bought points to the IP address your server has. That is how an FQDN is established. When you type the domain into a browser, it redirects you to your server’s IP. Hope that makes sense.

  13. That is a great guide! I really like how it is clear for all the linux configuration and unifi.

    For me, the only hard part is to understand the domain and SSL part. Would you kindly provide more details? For example, how could I set up an A record on a Google domain I own?

    Or moreover, maybe use unifi.mydomain.ca. I was reading the google documentation and felt even more confused lol!

    Thank you very much 🙂

    1. That’s the same thing I had issues with, and I’m actually still doing some research on getting my FQDN to resolve. If you find out please post the solution, I’ll do the same. Thanks

  14. Thanks for the great guide. This is my first time setting up a cloud server. I am using a Mac and using Terminal to ssh with. All goes well until I get to the reboot after enabling the firewall. After that I can’t get back in. It either times out, or I get the message that says “Unable to connect”. Any thoughts or guidance would be helpful. Thanks.

    1. Marcel,
      Same thing was happening to me. I realized that when it says to load “your IP” on the firewall policies, it is not the cloud server or controller IP but the actual WAN IP at your location. So for instance in my case it was my Comcast IP. If you are on DHCP like me you can go to whatsmyip.com and it will tell you what your current address is. Hope this helps.

  15. Hi and thanks for the information, just a quick question. Why would you create your own UniFi server when Ubiquiti already provides one for us?

    Thanks,
    Chet

  16. Hi Chris,

    Excellent instructions, especially if I’m able to follow them! 🙂

    Unfortunately I appear to have fallen at the final hurdle installing the certificate. When running the script I receive the following message:

    Starting UniFi Controller SSL Import…
    Running in Let’s Encrypt Mode…
    Inspecting current SSL certificate…
    Updated SSL certificate available. Proceeding with import…
    Missing one or more required files. Check your settings.

    Any ideas where I’ve gone wrong? As far as I’m aware I’ve edited the script as per your guide. I’ll use the controller without the cert for now but it would be nice just to dot the ‘i’ and cross the ‘t’.

    Cheers

      1. Got it working!!! I ended up running the following and then redoing “Part 21 – Set Up Let’s Encrypt”

        sudo apt-get remove certbot
        sudo apt-get autoremove
        sudo apt-get clean
        sudo reboot

        sudo apt update
        sudo apt upgrade -y
        sudo apt dist-upgrade -y
        sudo reboot

        “Part 21 – Set Up Let’s Encrypt”

  17. The last thing I like to do is run this command:-

    sudo apt-mark hold unifi

    This allows you to install upgrades to the rest of your packages, while not upgrading unifi to the latest version.

    If you want to upgrade unifi later, just run:-
    sudo apt-mark unhold unifi

    or – download the specific controller version and use dpkg to install it.

  18. Anyone using the guest portal with SSL? I am getting an error “Cannot Verify Server Identity The identity of “IP of my server” cannot be verified by the Wi-Fi. Review the certificate details to continue.” Then the details show my domain name issued by R3 Not Trusted Expires 7/17/21

  19. Hey,

    Informing and adoption is working fine from LAN.

    With “set-inform http://unifi.XXXXX.com:8080/inform”
    Public DNS set unifi.XXXXX.com with my WAN IP.
    I’ve made a NAT rule to my UniFi server in my router on port 8080.

    Got:
    Mon Apr 26 20:11:37 2021 user.err : mcad[2241]: ace_reporter.reporter_fail(): Server Reject (http://unifi.XXXXX.com:8080/inform)
    Mon Apr 26 20:11:37 2021 user.err : mcad[2241]: ace_reporter.reporter_fail(): initial contact failed #5, url=http://unifi.XXXXX.com:8080/inform, rc=5

    ufw rules set properly

    Any idea?

  20. Hi Chris,

    Just to let you know, I used your Vultr signup referral link, it’s only giving $10 credit, not the $100.
    Thanks

  21. I got an error after installing the UniFi software; when I check the status I receive failed instead of active.

  22. Hi, help!

    unifi.service – unifi
    Loaded: loaded (/lib/systemd/system/unifi.service; enabled; vendor preset:>
    Active: failed (Result: start-limit-hit) since Fri 2021-09-24 16:27:10 -04>
    Process: 1796 ExecStart=/usr/lib/unifi/bin/unifi.init start (code=exited, s>
    Process: 1929 ExecStop=/usr/lib/unifi/bin/unifi.init stop (code=exited, sta>

    Warning: some journal files were not opened due to insufficient permissions.

  23. Vultr has not been a positive experience. The credit expires in 30 days and the actual costs are much higher than advertised. At very best they are misleading; practically speaking it’s a fraud. AWS is much cheaper and provides a world class platform.

  24. Hi
    I followed numerous tutorials but always got stuck on a step here or there. Today 12/10/21 I followed your tutorial with Vultr.

    I was impressed, everything went well until step 19. It can’t find “unifi” — E: Unable to locate package unifi

    Any ideas how I can proceed from here?

    unifiadmin@unifi:~$ sudo apt update && sudo apt install unifi -y
    Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
    Get:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
    Get:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease [101 kB]
    Get:4 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
    Fetched 328 kB in 0s (673 kB/s)
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    All packages are up to date.
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    E: Unable to locate package unifi

    unifiadmin@unifi:~$ sudo apt install unifi -y

    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    E: Unable to locate package unifi
    unifiadmin@unifi:~$

  25. Hey Chris,
    Thanks for doing this video. It was very informative. I have set up like shown on the video, but I have 12 sites on my server. I have the smallest server like you set up. I’ve been having issues with the server, what appears to be, rebooting. If I add another site or start setting up devices or adding devices to a site I lose connection. My guess is that it may be because I have only a 1 core server. Can you give me an idea as to how large of a server I would need for 12 sites? Is it the core size that is my limitation? If you have any info in this regard, thanks in advance.

  26. Hey Chris,
    Your video was great as usual and the blog post helped tremendously. The only problem I have is that on the second and subsequent times trying to log in to Cockpit I got a connection failed error and I have no clue as to why! I have tried rebooting the server instance on Vultr to no avail. Any ideas on how to at least diagnose the error would be appreciated. Thanks!

  27. I followed the steps, the main site comes up without an SSL error, however when I access https:/:8443 -> I get an error.
    It’s just showing the UniFi cert

  28. Hello Chris, I have been a follower of your YouTube channel for a few years. I have used your links to purchase Ubiquiti products as well. I am following this blog and can’t get past step 8. I have copied the file from PuTTY to a .txt file successfully, but when I use the most current version of PuTTY Key Generator and try to load the .txt file, I get an error message of “Couldn’t load private key (not a recognised key file format)”. Would you have any suggestions for me?

    1. Hi, I just had the same issue. Not sure if anyone answered this yet, but here is my solution:

      Open PuttyGen
      Load the key as you did the first time
      Open menu option “key”
      Open “Parameters for saving key files …”
      Now change PPK file version from 3 to 2
      Click OK
      Save Private key

      It should work now.

  29. Hi Chris,

    First I wanted to thank you for this guide and the nice advice about hosting (Vultr). However I am not sure your referral code is still valid…

    I have found out that Vultr provides their own firewall which can be configured before server deployment – maybe it will be nice to describe it as optional feature so you can set all rules before deploying the appliance for additional security?

  30. If I wanted to use CentOS instead of Ubuntu, what are the repositories and UniFi download that I would use?

    I can only see a Debian download for the Unifi software.

  31. Hi,

    If I would like to install an older version of the UniFi controller (6.0.43) on Ubuntu 20.04, what would be the command for it?

    thank you

  32. Hey Chris,

    In the UFW steps for port 80 and 443, you indicate that browsing to the site on those ports will return a “connection refused” response. However, while browsing to the base site on 80 or 443, I am getting the Apache2 Ubuntu default page. How do I stop this from happening?

  33. For anyone having problems (1/2022) connecting or changing the SSH port after editing and reloading, run the command sudo ufw allow 2222/tcp

  34. Hey Chris. Awesome video, as always. Any trick to using a dynamic DNS from https://www.dynu.com? I don’t have a static IP and I’m curious if the firewall will cause issues. I just inserted the ipv4 address that I have on my dynu.com dashboard as my ip for the firewall settings — perhaps that’s all that I need? I have my edgerouter providing updates to dynu of my ip through the config tree stuff. Thanks!!
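For the dynamic-IP question raised in comments 11, 14 (the reply about using your WAN IP, not the server IP) and 34, here is an added example; it is not part of Chris’s guide or of any comment above. ufw rules take an address or CIDR rather than a hostname, so the script resolves the DDNS name on a schedule, adds a rule for the new address first and only then deletes the rule for the old one, and leaves the rules untouched when DNS lookup fails. The hostname, port and state-file path are placeholders, and it assumes ufw and getent are present on the server.

```shell
#!/bin/sh
# Added example for the DDNS question in comments 11, 14 and 34; it is not
# part of the guide or of any comment. Assumes ufw is the firewall and
# getent is available; the hostname, port and state file path are placeholders.
set -eu

# Resolve a hostname to its first IPv4 address.
# RESOLVE_OVERRIDE lets the logic be exercised offline without DNS.
resolve_ipv4() {
    if [ -n "${RESOLVE_OVERRIDE:-}" ]; then
        printf '%s\n' "$RESOLVE_OVERRIDE"
        return 0
    fi
    getent ahostsv4 "$1" | awk 'NR==1 { print $1 }'
}

# Refresh the ufw allow rule for hostname $1 on TCP port $2, remembering the
# last address in state file $3. No-op while the address is unchanged. On a
# change the new allow rule is added BEFORE the stale one is deleted, so the
# admin is never locked out between the two commands. UFW can be pointed at a
# wrapper (for example a logging shell function) for a dry run.
ddns_refresh_rule() {
    host=$1; port=$2; state=$3; ufw=${UFW:-ufw}
    new=$(resolve_ipv4 "$host")
    if [ -z "$new" ]; then
        # A failed lookup must not remove the only rule that lets you in.
        echo "ddns_refresh_rule: could not resolve $host, leaving rules untouched" >&2
        return 1
    fi
    old=$(cat "$state" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 0
    fi
    "$ufw" allow from "$new" to any port "$port" proto tcp
    if [ -n "$old" ]; then
        "$ufw" delete allow from "$old" to any port "$port" proto tcp
    fi
    printf '%s\n' "$new" > "$state"
}

# Typical use from root's crontab every five minutes, assuming this file is
# saved as /usr/local/sbin/ddns-ufw.sh and home.example.invalid is your DDNS name:
#   */5 * * * * /usr/local/sbin/ddns-ufw.sh
# Uncomment the next line for that unattended run:
# ddns_refresh_rule home.example.invalid 8443 /var/lib/ddns-ufw/last-ip
```

The state file only ever holds the last address that was actually allowed, so a crash between the two ufw calls leaves you with both rules (recoverable) rather than none.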

  35. I have a problem with renewing the cert on my domain. ./unifi_ssl_import.sh

    Starting UniFi Controller SSL Import…

    Running in Let’s Encrypt Mode…

    Inspecting current SSL certificate…

    Certificate is unchanged, no update is necessary.

    But in the browser I have an insecure connection. How can I solve this? Thx

  36. Hi Chris,

    Thank you for taking the time to share this amazing guide, it was really easy to follow all the way through to the end despite having no experience in Linux based systems.

    I am however encountering an issue when running sudo certbot renew --dry-run; it presents the following error:

    Attempting to renew cert (unificloud.techsonsite.com.au) from /etc/letsencrypt/renewal/unificloud.techsonsite.com.au.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/unificloud.techsonsite.com.au/fullchain.pem (failure)

    I have done some research and it appears that it may be caused by NGINX utilizing the same port or any other service listening on port 80 and therefore conflicting.
    I have therefore tried to stop / uninstall NGINX however this does not make any difference and the error keeps persisting.

    Would you know what the reason could be by chance?

    Thank you kindly

  37. Hi Chris!
    I followed your amazing guide (great job!) but I’m stuck on part 20.
    I get connection refused when trying to reach port 8443 on my server IP.
    UFW rule is added so I don’t get what I’m doing wrong…

  38. Hi Chris,

    Does your guide also work with Ubuntu 22.04 LTS?
    I didn’t try it yet, that’s why I’m asking.

    Or should I keep it on 20.04 LTS?

    Thanks.

    Gr,
    Amar.

  39. Pretty good guide… Thanks Chris!

    Some things to note:
    -It seems that UFW comes enabled already on Vultr instances with Ubuntu 20.04 and as such port 2222 (or whichever one is used) will need to be added to the rule list prior to actually changing the SSH port if you disconnect from your PuTTY session prior to updating the firewall rules

    -I found it odd that instructions were only given for updating (copying) the let’s encrypt cert for Unifi but not also for Cockpit.

  40. If you’re on a Mac, the program Termius can be used instead of Putty. Adding a private key can be done with Preferences > Keychain > +New Key. The key can be pasted into the key field.

    On changing the Port to 2222. I’m a novice and I don’t know why, but when I was trying to change the port to 2222 I couldn’t login using it.

    After about an hour, I figured out that the firewall is ALREADY enabled and that Port 2222 needs to be allowed in the firewall before it can work.

    This is different than the instructions here, which tell you to change the port first but not until the next step to allow the port in the firewall.
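Comments 9, 33, 39 and 40 between them describe the two ways the SSH port change goes wrong: the Port line in sshd_config is commented out by default, and ufw is already enabled on the Vultr image, so opening the new port has to come before the change. The script below is an added example (not Chris’s guide and not any commenter’s code) that does the steps in lock-out-safe order and refuses to reload sshd if the edited file fails a syntax check. It assumes ufw, a systemd-managed ssh service and the stock /etc/ssh/sshd_config path; 2222 is a placeholder port.

```shell
#!/bin/sh
# Added example for comments 9, 33, 39 and 40 above; it is not part of the
# guide or any comment. Assumes ufw is the active firewall, sshd reads
# /etc/ssh/sshd_config and is reloaded via systemd; port 2222 is a placeholder.
set -eu

# Set the Port directive in an sshd_config-style file. The stock file ships
# with "#Port 22" (comment 9), so the directive must be uncommented, not just
# renumbered; an existing (commented or not) line is rewritten in place,
# otherwise a new line is appended.
set_sshd_port() {
    cfg=$1; port=$2
    if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -i -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Report the port sshd would actually use for a file: the last active (not
# commented) Port line wins, and 22 is the default when none is active.
effective_sshd_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{ print $2 }' || true)
    printf '%s\n' "${p:-22}"
}

# The lock-out-safe order from comments 39 and 40: open the new port in ufw
# first (the Vultr image already has ufw enabled), then edit, syntax-check
# and reload sshd, and only close port 22 after a second session on the new
# port has succeeded. Keep the current session open throughout.
change_ssh_port() {
    new=$1; cfg=${2:-/etc/ssh/sshd_config}; ufw=${UFW:-ufw}
    "$ufw" allow "$new/tcp"                 # 1. firewall first
    set_sshd_port "$cfg" "$new"             # 2. edit the config
    sshd -t -f "$cfg"                       # 3. refuse to reload a broken file
    systemctl reload ssh                    # 4. apply without dropping this session
    echo "sshd now listens on $(effective_sshd_port "$cfg"); test a NEW login on port $new,"
    echo "then run: $ufw delete allow 22/tcp"
}

# Run as root, for example:  change_ssh_port 2222
```

Deleting the port 22 rule is deliberately left as a manual step, since that is the one action that should only happen once a fresh session on the new port has been confirmed to work.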

  41. On the Swapfile creation:

    When I went to create the swapfile following the instructions I got this error:

    “fallocate: fallocate failed: Text file busy ubuntu”

    From what I can gather there already is a swapfile running on the server by default.
    So you have to turn it off to follow the instructions here. This site gave me this command to turn it off

    swapoff -a

    (https://askubuntu.com/questions/920595/fallocate-fallocate-failed-text-file-busy-in-ubuntu-17-04)

    The rest of the instructions worked fine.

  42. @Chris Sherwood – Yet another AWESOME guide! Thanks for everything that you and your team do in helping the world do technology right!

    Just ran through this guide for the third time this year to get yet another client spun up in a Focal-based self-hosted environment and yet again, it worked like a charm!

    One question that I still have not been able to sort out – How to setup automatic back-ups to a dedicated direct-attached storage device? Ubiquiti has been less than helpful and my Google-Fu hasn’t been able to find anything that remotely looks like it will work all the time every time. I’m getting tired of manually pulling back-ups every time I make a configuration change and manually pulling maintenance back-ups every 30-days…

  43. On step 19 (install UniFi) I’ve run into this problem (see below). Can anyone help?

    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
    unifi : Depends: mongodb-server (>= 2.4.10) but it is not installable or
    mongodb-10gen (>= 2.4.14) but it is not installable or
    mongodb-org-server (>= 2.6.0) but it is not installable
    Depends: mongodb-server (< 1:4.0.0) but it is not installable or
    mongodb-10gen (< 4.0.0) but it is not installable or
    mongodb-org-server (< 4.0.0) but it is not installable
    E: Unable to correct problems, you have held broken packages.

    1. It’s because you installed Ubuntu v22.04.

      MongoDB doesn’t have a candidate/release package yet for v22.04. There’s a whole bunch of workarounds you need to do in order to force the packages to install. MongoDB has other dependencies like libssl1.1 (deprecated, since libssl is at v3 now). Some more info here and workarounds if you want to stick with 22.04: https://askubuntu.com/questions/1403619/mongodb-install-fails-on-ubuntu-22-04-depends-on-libssl1-1-but-it-is-not-insta

      I ended up wiping my server and installing v20.04. Didn’t want to deal with forcing packages in a workaround state.

    2. Quick update: if you start the server on a 20.04, do all the steps that Chris outlined above, you can then update to 22.04 without any issues. Just tested this myself and this works.

    3. After the error: “E: Unable to correct problems, you have held broken packages.”
      You just need to run:
      sudo apt install --fix-missing

      Then you can re-run the command:
      sudo apt update && sudo apt install unifi -y

  44. I did this and it worked without issue, great guide!!

    Was looking for your guide to self hosting UNMS (UISP), did I miss it??
