Definitive Guide to Hosted UniFi 2021

Update/Release notes:

*** Guide created 1/20/2021 – I will keep this up to date as packages/versions change!

This is the Definitive Guide to Hosted UniFi – NEW for 2021.  In this guide, we will set up a UniFi controller running on an Ubuntu 20.04 hosted server using Vultr (I have confirmed that all of these steps work fine on Digital Ocean as well, but Vultr will be our example in this guide), going through some best practice security settings such as enabling secure certificate authentication, installing UniFi, and finally setting up Let’s Encrypt.

The first thing you need for this guide is an account set up with Vultr (or Digital Ocean) – if you click on the Vultr link below, you can sign up using my referral code which gets me a few bucks for the referral – thanks!

SPECIAL OFFER!  With my Vultr link – you currently get $100.00 FREE CREDIT towards your virtual servers for signing up!  Click the Vultr logo below or use this link:  https://www.vultr.com/?ref=8473585-6G

*** NOTE:  As I said, the rest of this document will be focused on a Vultr install.  I will be keeping this guide up to date periodically as things change with the setup – check back if you ever find that something isn’t working, and comment below if you have any trouble with any of the steps!

Also – here’s a Digital Ocean referral link if that floats your boat (pun intended):  https://m.do.co/c/6de2bc2df3b8

If you’re already signed up with Vultr and/or Digital Ocean, but you still appreciate the work that went into this guide – you can always:

Part 1 – Install Vultr Virtual Server

Log into Vultr and get to the main dashboard (it should say ‘Products’).  Click the blue circled ‘+’ symbol in the upper right.  This will bring you to the new server setup page.

When you get the ‘Deploy New Instance’ screen, make sure ‘Cloud Compute’ is selected.

Next, select your location.  Pick whichever data center you want – I however, tend to choose the data center closest to my (or my client’s) geographic location.  In this case, I’m going to pick Seattle.

For Server Type, make sure ’64 bit OS’ is selected, and then click on Ubuntu and choose ‘20.04 x64’ from the drop-down.

 

Next, select your server size.  UniFi will run on anything in the $5.00/month size or higher.  For testing purposes, or for a production server with only a few sites, the $5.00/month tier is fine.

Next, you can select any options (Auto Backups are highly recommended for a production server).

Finally, give your server a hostname.  Hostname should be something like unifi.company.com.  For our demo, we’re going to use unifi2021.crosstalksolutions.com.  This step is NOT optional – using an FQDN to inform your UniFi equipment is best practice to ensure that you can migrate later on down the road without much issue.  In addition, Let’s Encrypt is going to depend on this DNS name as well.  Startup script and SSH Keys can be left blank as we don’t have any startup scripts, and SSH keys will be created as part of this process.

 

Click ‘Deploy Now’ and you’re off to the races!  You are taken back to the server summary screen.  It will take 1-2 minutes for the server to spin up, so be patient.  Once the ‘Status’ changes from ‘Installing’ to ‘Running,’ you should wait about another 30 seconds, and then you’re good to go.  Click on the name of your server to see its detail screen.

Once the server is in a ‘Running’ state, you’ll see your IP address.  Copy or make note of that IP address – we’re going to use it to create our DNS A record in the next step.  You’ll also want to make note of or copy your default root password.  (We will change that password immediately upon logging in).  You can show the password by clicking the ‘eye’ icon, or simply copy it to your clipboard by clicking the copy icon.

Part 2 – Create DNS A Record

Since you now know your IP address, you should log into your DNS hosting provider or DNS server and create a new A record that points the hostname that you created in Step 1 to the IP address of your Vultr server. This will be needed in the future when we create the secure SSL certificate for the UniFi Controller, as well as for the Let’s Encrypt SSL certificate.

Part 3 – Log into your new server

At this point, you should have your Vultr username (root) and password from the server details.  Copy the password to your clipboard and then open up PuTTY.

Enter in the IP address or hostname of your server and then click ‘Open.’

PuTTY will open up a terminal window and first ask you if you want to accept the new host (click ‘YES’).  Then you will be given a login prompt.  Use the information from the Vultr server properties:

User:  root
Password:  (the password from the Vultr server properties – you can do SHIFT+INS or right-click to paste it in)

The very first thing that you should do is change your root password.

passwd root

You will be asked to enter your root password twice – make sure it is a STRONG password.  We will be disabling root access to this box later in this guide, but you will still need to know the root password in order to run sudo commands.

Part 4 – Create New User

Most Linux machines in the world have root as the default user.  The first line of defense is to create a separate login account with the same privileges and then disable root.

Start by creating a new user – for simplicity, for this exercise, our username will be ‘unifiadmin‘:

adduser unifiadmin

This command will have you set a password for the new user, and you can also optionally enter in some additional information such as their real name and contact info.

Next give root (sudo group) privileges to the newly created user:

usermod -aG sudo unifiadmin

This new user will now be able to use the ‘sudo’ command to run commands as root.

At this point, we have created our new user, but we haven’t yet disabled root – we will do that in a moment.  First, we will enable private key authentication as a second line of defense.

Part 5 – Create Public/Private Key Pair

Let’s now create our public and private key pair.  The public key lives on the server, and the private key will be used to unlock access from any device that needs it.

ssh-keygen

When asked where to put the file, take the default.  You can choose whether or not to enter in a passphrase – having a passphrase means that you need both the private key and passphrase to gain access.  It provides an additional layer of security.

Once your keys have been created, you will find them in /home/root/.ssh – there should be id_rsa (private key) and id_rsa.pub (public key) files in that directory.

Next, we need to copy that key to the newly created user’s account:

ssh-copy-id [email protected][server IP]

Choose ‘yes’ when asked if you want to continue, and enter unifiadmin’s password when prompted.

This command will copy the public key to the unifiadmin user’s ~/.ssh directory as an authorized_keys file.  You can now use the private key to authenticate with this server as user unifiadmin.

Part 6 – Secure SSH Settings

The next step is to modify the SSH settings so that we will both disable root user access and password authentication.  Start by editing the SSH configuration file:

nano -w /etc/ssh/sshd_config

Now scroll down until you find the line that says:

PermitRootLogin yes

And change ‘yes’ to ‘no’:

PermitRootLogin no

This disables root user login.  Next scroll down further and find:

PasswordAuthentication yes

And again change ‘yes’ to ‘no’:

PasswordAuthentication no

This disables password based authentication.  (Private key authentication should already be enabled by default – you can verify this by ensuring that PubkeyAuthentication is set to ‘yes’ in the SSH config file).

Press CTRL+X followed by ‘Y’ and ‘Enter’ to save and exit.

*** NOTE:  This next command commits these changes.  If you lose connectivity because you made any mistakes, you should just destroy the Vultr server and start over.  ALSO – keep this original PuTTY session open as you go through the next few steps…even after we restart SSH, this session will still be connected, so if you can’t connect in with the private key, you still have the opportunity to make changes.

Restart SSH with:

sudo systemctl reload sshd

Part 7 – Download Private Key File

Now we need to download our private key file.  Start by showing the contents of the id_rsa file:

cat ~/.ssh/id_rsa

Select the entire contents of the file with your mouse and press CTRL+INS to copy the text to your clipboard.

Next, open up a text editor such as Notepad and paste the entire block of text into a blank file.  Save this file in a secure location.

Once saved, you can delete the id_rsa file from the server (though, you should probably test connectivity first if this is your first time making these changes):

rm ~/.ssh/id_rsa

Part 8 – Convert Private Key to PuTTY format

Before  you can use your private key with  PuTTY, you need to convert it to .PPK format.  To do this, we’ll use another free program from the creators of PuTTY called PuTTYgen (you can download it from the same link as PuTTY above).

First, run PuTTYgen and click the ‘Load’ button.  Browse to the private key file that you saved in step 7.  When browsing for your private key, change the file type you are searching for from ‘PuTTY Private Key Files (*.ppk)’ to ‘All Files (*.*).’

Open your private key file, and you should receive a notice that the private key was successfully imported.  Click OK to get off of this notification.

Now, click the ‘Save private key’ button and save your private key as a .ppk file (I usually just use the same directory that I used to save the original private key).  You can now close PuTTYgen.

Crosstalk PBX Servers

Part 9 – Log in as New User

Start a new PuTTY session – you can do this from the existing window by clicking the PuTTY icon in the upper left-hand corner and choosing ‘New Session.’

In the PuTTY window, enter the hostname of the server in the Host Name field.

Then, in the left-hand menu, expand the ‘SSH’ section underneath ‘Connection.’  Then click on ‘Auth.’  Here you will see a place to browse to your PuTTY .PPK private key file.  Click ‘Browse…’ and find the .PPK file we created in step 8.

Once you have the file loaded, click back on ‘Session’ at the top of the left-hand menu.

If you want to SAVE these connection details, you should now enter in a friendly name into the ‘Saved Sessions’ box and click the ‘Save.’ button.

Now click ‘Open,’ and you should get a ‘Login as:’ prompt.  Enter in the name of the user that you created in Part 4 (in our case, it was unifiadmin) and you should now connect to the server.  If you have a passphrase on your private key pair, you will also be prompted for that passphrase.

Part 10 – Change SSH port

Now that we can log in with our secure key, let’s take our SSH security even further by changing the default SSH port from 22 to something non-standard.

Edit the SSH config file again with:

sudo nano -w /etc/ssh/sshd_config

Find the line that says:

Port 22

And change it to:

Port [different port number]

You can use any port number for your SSH connection, but I typically use port 2222 when I change to something non-standard.  CTRL+X followed by ‘Y’ and ‘Enter’ to save and exit Nano.

Restart SSH again with:

sudo systemctl reload sshd

Next, let’s start a new PuTTY session using all of the same settings from Part 9, but this time also change the port to whichever port you changed SSH to.  In our case, it was port 2222.  If you previously saved your PuTTY session, you should save it again with the new port number.

Part 11 – Enable UFW Firewall

At this point, we have now secured our SSH connection pretty well.  Now, let’s secure our server even more by using some firewall rules to lock everything down.

Ubuntu uses the UFW firewall, however it is not enabled by default.  First, we are going to add all of the firewall rules that we need to connect to UniFi, and then we will turn it on.

First, let’s allow our new SSH port and lock it down so that connections to this port are only allowed from our IP address:

sudo ufw allow from [IP address] to any port [SSH port number]

In this example, if your IP address is 1.2.3.4, and your SSH port is 2222, the command should be:

sudo ufw allow from 1.2.3.4 to any port 2222

Let’s also add a rule for Cockpit – which is an optional server monitoring GUI (don’t add this rule if you don’t plan on running Cockpit – it is optional…more info on Cockpit in Part 16 below):

sudo ufw allow from 1.2.3.4 to any port 9090

Once again, substitute 1.2.3.4 with your own IP address.

Next, let’s open up access to the UniFi GUI.  Important note here – you don’t actually HAVE to open up this port to the outside world if you are instead using Ubiquiti’s Single Sign On (SSO) account to access your UniFi Controller through https://unifi.ubnt.com.  BUT – you will have to use this port at least once to enable cloud access in UniFi.  You can either wait to do your firewall rules until after cloud access has been enabled, or you can disable this rule afterwards.

sudo ufw allow from 1.2.3.4 to any port 8443

Next, there are a couple of ports that we need open to the whole wide world.  These are the STUN port and the UniFi inform port:

sudo ufw allow 3478/udp
sudo ufw allow 8080

Note that the STUN port running on 3478 is UDP.

If you are going to be using a guest portal with UniFi, you will also want to open these ports:

sudo ufw allow 8880
sudo ufw allow 8843

We’re also going to need to open up ports 80 and 443 for Let’s Encrypt.  If anyone browses directly to those services, they will get a connection refused response.

sudo ufw allow 80
sudo ufw allow 443

At this point, we will now turn on our UFW firewall and take a look at the rules that we created.

sudo ufw enable

When prompted whether or not to proceed, choose yes.

Let’s take a look at our rules:

sudo ufw status

You should see something similar to this (note that I did not add the ports for guest portal access in my example):

The firewall is now running, and if you test your PuTTY connection again, you should still be able to connect.  But – if you test connecting in on the standard SSH port 22, you will not be able to connect.

Part 12 – Update Server

Now that access to the server is secured, let’s run our system updates.

sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y

It’s possible that no updates will be needed, but if you are asked whether or not to proceed on any of these steps, just answer Y.

Once the updates are done, let’s give the server a reboot:

sudo reboot

The server should only take about 2 minutes to reboot, and then you can reconnect.

Part 13 – Configure Time Zone

Set up your Time Zone by running:

sudo dpkg-reconfigure tzdata

A pink bordered window will appear – select your geographic area (use America for United States) and then select your city/time zone from the list.  You can press TAB, arrow keys, and SPACE to move around these screens and make selections.

Once your time zone has been selected, press OK, and you’re done with Step 6.

Part 14 – Install NTP

Next we will install NTP (Network Time Protocol).  Run the following commands:

sudo apt update && sudo apt install ntp -y

Once installed, make sure the NTP service has started by running:

service ntp status

You should see that NTP is ‘active (running)’ in green text.  If you type:

date

Your local time should show correctly.

Part 15 – Set Up a Swap File

Setting up a swap file is completely optional – I have had some folks tell me that it isn’t necessary, and others tell me that performance is much improved when a swapfile is configured.  The truth probably lies somewhere in the middle, but I tend to set up a swapfile anyway – I have never noticed a decrease in performance by setting this up, so what’s the harm?

Run the following commands to create and use a swap file.

sudo fallocate -l 4G /swapfile

The ‘fallocate’ command creates a file of a specific size – in this case we’re creating a 4GB file called ‘swapfile.’

sudo chmod 600 /swapfile

Sets permissions on the swap file that we just created.

sudo mkswap /swapfile

Formats the /swapfile for use as a swap file.

sudo swapon /swapfile

Tells the server to use that directory as a swap file.

Finally, we need to make sure that the swap file turns on every time we reboot the server.  Run the following command to add the swap file information to the /etc/fstab file:

sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'

To verify that the command worked, type:

cat /etc/fstab

and look for a line (at the bottom of the file) that says:

/swapfile none swap sw 0 0

If that line exists in the /etc/fstab file, you’re all good.

Part 16 – Install Misc. Programs

Now, we’re going to install two misc. programs to improve our installation.  All of these are recommended, but completely optional.

The first is Cockpit – Cockpit is a system monitoring software for viewing CPU/RAM/Disk space.  You can read more about Cockpit here:  https://cockpit-project.org/

Install Cockpit by running:

sudo apt install cockpit -y

Once installed, you should be able to browse to https://[server IP or FQDN]:9090.  Log in with the credentials you created in Part 4.

Next, we’ll install haveged.  Haveged is an unpredictable random number generator for Linux.  This program has historically helped to speed up launching UniFi.

sudo apt install haveged -y

Once finished, we’re all done with the optional programs.

Part 17 – Set up autoremove

As you run updates to your server, older versions of the Linux kernel are no longer needed, and they can potentially fill up your boot volume.  To prevent this from happening, we can run:

sudo apt autoremove -y

(Go ahead and run this now).  This clears out older versions that are no longer necessary, but this command should also be scheduled to run on a regular basis.  To do this,

sudo sh -c 'echo "sudo apt autoremove -y" >> /etc/cron.monthly/autoremove'

This creates a new file called ‘autoremove’ in the /etc/cron.monthly directory which will automatically run once a month – but in order to run, this file must be made executable:

sudo chmod +x /etc/cron.monthly/autoremove

Now we’re good to go.

Part 18 – Install OpenJDK-8 (Java)

Install OpenJDK-8

sudo apt update && sudo apt install openjdk-8-jdk -y

That’s it.

Part 19 – Install UniFi

Finally, we’re going to install UniFi.  There are a few different ways to download and install UniFi, but for me, the easiest way to install and maintain the UniFi package is to use apt, so that is what we will do in our example.

First, we need to add an apt source for UniFi.  To do this, run the following commands:

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg

These commands set up the apt repository for UniFi and installs the trusted GPG key.  Now let’s install UniFi:

sudo apt update && sudo apt install unifi -y

You should now have installed the latest stable version of UniFi, which is version 6.0.43 as of the writing of this article.

Part 20 – UniFi Setup Wizard

Next, we need to go through the UniFi Setup Wizard.

Open a browser and connect to https://[server IP or FQDN]:8443.  Note that this URL should ONLY be available to the WAN IP that you set up in Part 11.

You will be prompted with a warning screen that is warning you the site may be unsafe.  This is because we have not yet installed our secure SSL certificate.  Click through the warning.

For Step 1 of the UniFi Setup Wizard, set the name of your controller, and select the box to agree to the terms of service.  If you need to restore a UniFi backup file, this is where you can select that option.  Click ‘Next’ to move to Step 2.

For Step 2 – this is where you can sign in with your Ubiquiti SSO (Single Sign-on) account.  Alternatively, if you would like to run your UniFi Controller locally without connecting out to the UniFi.UI.com cloud services, you can click ‘Switch to Advanced Setup’ to disable remote access and create local authentication credentials.  For the purposes of this documentation, we are going to assume that you are using your Ubiquiti SSO account for authentication.  Once you have entered your credentials, click ‘Next’ to get to Step 3.

The next step allows you to choose whether you would like the UniFi Controller to automatically optimize your network.  It is OK to leave this on – you can always change your settings later.  I also recommend enabling ‘Auto Backup’ – but keep in mind that the Auto Backups write to the local hosted machine.  You will still need to download these backups in order to save a copy in case the server crashes.  Click ‘Next’ to move onto Step 4.

There should be no devices detected in Step 4 since this is a hosted controller – this step is typically used for local controllers where there already may be devices pending adoption on the LAN.

 

Step 5 allows you to add a wireless network.  For our purposes however, we are going to click ‘skip‘ since this post does not deal with actual UniFi setup (see one of my many YouTube videos for that).  However, if you would like to create your first wireless SSID and password, you can do so here.

Step 6 allows you to verify your previous settings (click ‘Back’ if you want to change anything), and also allows you to set up your time zone which it pulls from the server.  Since we set up the server time zone in Part 13, it should be set correctly already.  Click ‘Finish’ to complete the setup.

You will see a screen that is ‘Configuring the UniFi Network Controller’ and then you will be dropped into the UniFi dashboard.

But we’re not done yet!!

Part 21 – Set Up Let’s Encrypt

We’re going to set up Let’s Encrypt for secure HTTPS communication with the server (and to get rid of those pesky security screens when we browse to UniFi).  We’re going to use Certbot to set up Let’s Encrypt – this well help to automate the entire process.

Install Certbot and Apache connector:

sudo apt update && sudo apt install certbot python3-certbot-apache -y

Now Certbot is installed, so the next step is to generate our SSL certificate.

sudo certbot --apache -d unifi2021.crosstalksolutions.com

Substitute your own FQDN instead of unifi2021.crosstalksolutions.com.  When prompted, enter in an email address for use with the SSL cert.  Then press A to Agree when prompted followed by Y or N to share your email address with the Electronic Frontier Foundation (I said N).  Next you will be asked if you want to redirect all HTTP traffic to HTTPS – choose option 2.  Your Let’s Encrypt certificate has now been installed.

Next, we need to import that SSL certificate into UniFi – or in other words, we have to tell UniFi to use the Let’s Encrypt certificate.

A developer named Steve Jenkins created a really great script that automates the rest of the process, making it super easy.  So, thanks to Steve, and let’s download his script and modify a few settings.

sudo wget https://raw.githubusercontent.com/stevejenkins/unifi-linux-utils/master/unifi_ssl_import.sh -O /usr/local/bin/unifi_ssl_import.sh

sudo chmod +x /usr/local/bin/unifi_ssl_import.sh

Next, edit the /usr/local/bin/unifi_ssl_import.sh file that we imported:

sudo nano -w /usr/local/bin/unifi_ssl_import.sh

Find the line that says ‘UNIFI_HOSTNAME’ and change it to your own FQDN:

UNIFI_HOSTNAME=unifi2021.crosstalksolutions.com

Next, since we are on a Ubuntu Vultr server instead of a flavor of RedHat (which the script was based on), we need to comment out the RedHat stuff and uncomment the Debian/Ubuntu stuff:

# Uncomment following three lines for Fedora/RedHat/CentOS
#UNIFI_DIR=/opt/UniFi
#JAVA_DIR=${UNIFI_DIR}
#KEYSTORE=${UNIFI_DIR}/data/keystore

# Uncomment following three lines for Debian/Ubuntu
UNIFI_DIR=/var/lib/unifi
JAVA_DIR=/usr/lib/unifi
KEYSTORE=${UNIFI_DIR}/keystore

Next, enable Lets Encrypt mode (change LE_MODE=no to LE_MODE=yes):

LE_MODE=yes
LE_LIVE_DIR=/etc/letsencrypt/live

Save and exit nano by doing CTRL+X followed by Y.

Finally, run the script!

sudo /usr/local/bin/unifi_ssl_import.sh

If you now close your browser and then re-open it to https://[your UniFi FQDN]:8443, you should no longer have the security warnings, and you will have a valid HTTPS certificate installed.  And no more pesky security warnings.

This is excellent – BUT – every time certbot automatically renews your Let’s Encrypt certificate, it has to be re-imported into UniFi.  So we need to run this same command on a regular basis.  To do so, we’re going to create a small script and put it into the /etc/cron.daily folder.

sudo nano -w /etc/cron.daily/unifi_ssl_import

Add these lines to the file:

#!/bin/bash
/usr/local/bin/unifi_ssl_import.sh

CTRL+X followed by Y to save and exit.

Now we need to set the permissions on the file so that it runs as root and as an executable script.

sudo chown root:root /etc/cron.daily/unifi_ssl_import

sudo chmod +x /etc/cron.daily/unifi_ssl_import

Let’s test this certificate further by running it against an SSL Server Test from SSLLabs.com.  Open the following URL in your browser:

https://www.ssllabs.com/ssltest/analyze.html?d=unifi2021.crosstalksolutions.com&latest

Substitute my FQDN for your own.  This test takes a couple of minutes to run, but when complete, it should verify that everything is A-OK.

Finally, when it comes to Let’s Encrypt certificate renewals, Certbot handles this automatically.  You can verify this by checking out the cron file that Certbot created in /etc/cron.d:

cat /etc/cron.d/certbot

This will give you some info about the renewal process and let you know that it will try to renew the cert twice daily, which is really overkill since the certificate is good for 90 days.

If you want to test the certificate renewal process to make sure everything will renew properly, run the following command:

sudo certbot renew --dry-run

This will simulate the renewal process and you should see a ‘Congratulations all renewals succeeded’ message when complete assuming everything went OK.

Part 22 – Buy Chris a Beer!

Conclusion

Well, that’s it – the Definitive Guide to Hosted UniFi.  If you have any questions, comments, updates, or suggestions on how this process can be made even more definitive, put those in the comments below.  A ton of work went into the creation of this document – please subscribe to the Crosstalk Solutions YouTube page, and use our referral links for Vultr and/or Digital Ocean if you appreciate the effort!  Also, we do full network deployment projects for businesses if you are interested in those services – be sure to click ‘Contact’ above to get in touch with us – thanks!

-Chris

Did you enjoy this guide?  We would love to hear your feedback – if you have any suggestions for improvements, corrections, or any other suggestions, post a comment below!

 

Comments 49

    1. You just run the command
      sudo apt upgrade -y

      The updates are in the repository. Aside from that if you want to see what will be updating you can run
      sudo apt update
      run that before you upgrade to see what all will get upgraded.

  1. What about making a revised and complete install of the UDM Pro, lan, IoT, NoT and firewall rules. That would be howsome to see with the new interface!

    1. Post
      Author
  2. I think an extension to this guide would be how to update to Ubuntu 20.04 if you used the old guide which recommended Ubuntu 16.04. I am assuming that those previous users just need to update from 16.04 to 18.04 to 20.04 on Digital Ocean or Vultr.

    That would save a few hours of Googling lol

    1. I came here hoping for the same. I built my controller on the previous guide, and I am NOT a frequent user of Linux. I can figure most things out, but I’d love to have a streamlined guide on the upgrade process to avoid screwing it up.

  3. I have heard there is a way to put either Apache or Nginx to reverse proxy Cockpit with a Let’s Encrypt Certificate? Are you familiar with such a procedure?

    1. Using info here: https://ryan.lovelett.me/posts/letsencrypt-cockpit/

      I created the file: /etc/letsencrypt/renewal-hooks/post/001-restart-cockpit.sh

      With the provided contents, changing ‘$FQDN’ with my FQDN for the instance and removing the ‘chown’ statement:

      ——————————————————————————–
      #!/usr/bin/env bash

      echo “SSL certificates renewed”

      cp /etc/letsencrypt/live/$FQDN/fullchain.pem /etc/cockpit/ws-certs.d/$FQDN.crt
      cp /etc/letsencrypt/live/$FQDN/privkey.pem /etc/cockpit/ws-certs.d/$FQDN.key

      echo “Restarting Cockpit”
      systemctl restart cockpit
      ——————————————————————————–

      Then ran the script (after chmod +x /etc/letsencrypt/renewal-hooks/post/001-restart-cockpit.sh) as root and Cockpit now uses my LetsEncrypt certificate

  4. Thanks for the guide, Chris!

    On Part 21 – Set Up Let’s Encrypt, I propose some improvement :

    You use a separate cronfile that calls /usr/local/bin/unifi_ssl_import.sh (Steve’s script)
    But most of the times, Steve’s script will do nothing (but maybe causing log entries), as it figures out the LE certificate is not changed/renewed.

    I simply place a symbolic link to Steve’s script in the letsencrypt renewal-hook dir , as stated in https://certbot.eff.org/docs/using.html?highlight=hook#pre-and-post-validation-hooks


    ln -s /usr/local/bin/unifi_ssl_import.sh /etc/letsencrypt/renewal-hooks/deploy/01-unifi_ssl_import

    This way a renewal of LE certificates will instantly worked through (by the script) to Unifi.
    Even in the event a manual / forced renewal is done.

    Greetz,

    Bart Koppers

    1. Post
      Author
  5. Hello Chris,

    Long time fan/follower here. I just wanted to stop by and say thank you very much for your hard work and dedication to the community. I know that putting this together took a lot of time and effort. I was able to successfully follow your instructions without running into a single issue. I used your referral link. I hope that little bit helps.

    Thanks again Sir, you Rock!

    1. Post
      Author
  6. Hi Chris! Great post! I really appreciated it. One question I have, is there a simple way to use the Let’s Encrypt cert for cockpit as well? Thanks.

  7. This is why you are the top on YouTube for Unifi video !

    One question, you showed going thru the Unifi and at the end of the process – no devices were found. Which is normal since there were no devices . But if this is going to be a setup for a remote site – how do you add the devices that site has and will be using.

    Sorry if I am confused about this.

    1. Hi Chris, thank you so much for this. It is indeed a definitive guide. Everything worked perfectly as you said. I had some trouble initially but that was due to some unnoticed error on my part. I had to reinstall the server more than once before I was able to get it.
      I had never configured a server before. It gave me so much joy when it finally worked.

      I really wanted to buy you a beer because I’m so grateful for the help. It’s quite unfortunate that I can’t because PayPal doesn’t work in my country. I don’t know any other way to show my gratitude.

      I’m posting this so that you know that your post was very helpful to me and I’m really grateful you put out this great content for people like me.

      Thank you very and God bless you.

      1. Ike, that’s awesome. There’s nothing quite like the feeling of configuring your first server. I got you covered on the beer. Just make sure to pay it forward.

        Chris, thanks for all the great content over the years. Enjoy a couple of beers!

  8. Worked like a charm and easy to follow! You are a great teacher and I enjoy your tutorials and instructions. Since I set this up officially for non-profits (our church and my wilderness ministry for folks in recovery) I can’t “officially” give you a beer. However, a donation is headed your way and what you use it for… well… what I don’t hear, I don’t know! Thanks so much!

  9. Hey, just a little tip… on the part where you change the port number from the default of Port 22 to something unique, you may want to add the little detail of uncommenting the line. It’s commented by default and I somehow missed that. I did figure it out fairly quickly but folks that are new to editing in the console could miss it.

  10. Assessment failed: Unable to connect to the server:

    I’m getting the above message when I test the cert, any suggestion on what may be the issue? My controller seems to be working fine though.

  11. Awesome tutorial! What’s the best way to set up the firewall when I don’t have a static IP address? Starlink isn’t able to issue them until IPv6 comes around. For now, I’ve skipped the firewall rule that only allows access from my WAN IP. This is a home network.

    1. look into dynamic dns (DDNS) and it should provide for a dynamically assigned IP address to your host name. So you use a host name in the FW rules. The host name maps to your IP address. When using DDNS, your IP changes and the DDNS service updates that change to your hostname. Viola!

  12. Hello Chris,

    Thanks for the tutorial, its easy to follow, specially for someone like me who has never done this ever. I did not get any error messages in the process. However, when I use my public IP the site does not resolve. I think has to do with the DNS because I did not do step 2 because when it says “you should log into your DNS hosting provider or DNS server and create a new A record that points the hostname that you created in Step 1” Im not sure who is the DNS provider. How do I create a DNS record, or who do I create the DNS record with I should say? Also, Am I supposed to purchase a domain with another vendor like Go daddy? or is the droplet the domain itself? Can I use a Public DNS Server and if so can I add a record to that?
    I can ping the Public IP for the droplet so I know is online, but I’m stuck in trying to access the controller online via https://FQDN:8443 or https://Public IP:8443.
    Thanks.

      1. Hola Manuel. Para resolver el problema debes comprar un dominio y agregar un “A record” (busca en google) a los registros DNS de tu administrador de dominio (generalmente en el portal donde compras el dominio) para que el dominio que compraste apunte a la direccion IP que tiene tu servidor. De esa forma se establece un FQDN. Cuando escribes el dominio en un navegador y este te redireccion a la ip de tu servidor. Ojala se entienda.

  13. That is a great guide! I really like how it is clear for all the linux configuration and unifi.

    For me, the only hard part is to understand the domain and SSL part. Would you kindly provide more details? For example, how could I setup a A record on a google domain I own?

    Or moreover, maybe use unifi.mydomain.ca. I was reading the google documentation and felt even more confused lol!

    Thank you very much 🙂

    1. Thats the same thing I had Issues with and actually still making some research on getting my FQDN to resolve. If you find out please post solution, ill do the same. Thanks

  14. Thanks for the great guide. This is my first time setting a cloud server. I am using a Mac and using terminal to ssh with. All goes well until I get to the reboot after enabling the firewall. After that I can’t get back in. It either times out. Or I get the message that says. Unable to connect. Any thoughts guidance would be helpful. Thanks.

    1. Marcel,
      Same thing was happening to me. I realized that when it says to load “your IP” on the Firewall policies is not the cloud server or Controller IP but the actual WAN IP at your location. So for instance in my case it was my comcast IP. If you are on DHCP like me you can go to whatsmyip.com and it will tell you what your current address is. Hope this helps.

  15. Hi and thanks for the information, just a quick question. Why would you create you own Unifi server when Ubiquiti already provide one for us?

    Thanks,
    Chet

  16. Hi Chris,

    Excellent instructions, especially if I’m able to follow them! 🙂

    Unfortunately I appear to have fallen at the final hurdle installing the certificate. When running the script I receive the following message:

    Starting UniFi Controller SSL Import…
    Running in Let’s Encrypt Mode…
    Inspecting current SSL certificate…
    Updated SSL certificate available. Proceeding with import…
    Missing one or more required files. Check your settings.

    Any ideas where I’ve gone wrong? As far as I’m aware I’ve edited the script as per your guide. I’ll use the controller without the cert for now but it would be nice just to dot the ‘i’ and cross the ‘t’.

    Cheers

      1. Got it working!!! I ended up running the following and then redoing “Part 21 – Set Up Let’s Encrypt”

        sudo apt-get remove certbot
        sudo apt-get autoremove
        sudo apt-get clean
        sudo reboot

        sudo apt update
        sudo apt upgrade -y
        sudo apt dist-upgrade -y
        sudo reboot

        “Part 21 – Set Up Let’s Encrypt”

  17. The last thing I like to do is run this command:-

    sudo apt-mark hold unifi

    This allows you to install upgrades to the rest of your packages, while not upgrading unifi to the latest version.

    If you want to upgrade unifi later, just run:-
    sudo apt-mark unhold unifi

    or – download the specific controller version and use dpkg to install it.

  18. Anyone using the guest portal with SSL? I am getting an error “Cannot Verify Server Identity The identity of “IP of my server” cannot be verified by the Wi-Fi. Review the certificate details to continue.” Then the details show my domain name issued by R3 Not Trusted Expires 7/17/21

  19. Hye,

    informing and adoption is working fine from LAN.

    With “set-inform http://unifi.XXXXX.com:8080/inform
    Public DNS set unifi.XXXXX.com with my WAN ip.
    i’va made a NAT rule to my unifi server in my Router in port 8080.

    Got:
    Mon Apr 26 20:11:37 2021 user.err : mcad[2241]: ace_reporter.reporter_fail(): Server Reject (http://unifi.XXXXX.com:8080/inform)
    Mon Apr 26 20:11:37 2021 user.err : mcad[2241]: ace_reporter.reporter_fail(): initial contact failed #5, url=http://unifi.XXXXX.com:8080/inform, rc=5

    ufw rules set properly

    any idea?

  20. Hi Chris,

    Just to let you know, I used your Vultr signup referal link, its only giving $10 credit, not the $100.
    Thanks

  21. I got an erro after installer unifi software, when i check the status i recieve failed instead of active

  22. Hi, help!

    unifi.service – unifi
    Loaded: loaded (/lib/systemd/system/unifi.service; enabled; vendor preset:>
    Active: failed (Result: start-limit-hit) since Fri 2021-09-24 16:27:10 -04>
    Process: 1796 ExecStart=/usr/lib/unifi/bin/unifi.init start (code=exited, s>
    Process: 1929 ExecStop=/usr/lib/unifi/bin/unifi.init stop (code=exited, sta>

    Warning: some journal files were not opened due to insufficient permissions.

  23. Vultr has not been a positive experience. The credit expires in 30 days and the actual costs are much higher than advertised. At very best they are misleading, practically speaking its a fraud. AWS is much cheaper and provides a world class platform.

Leave a Reply to Matus Kunik Cancel reply

Your email address will not be published. Required fields are marked *