kchristensen/ udm-le

(1.0.7) about 1 month ago

Shell

unifi

ssl

ubiquiti

letsencrypt

View on GitHub

Need help with udm-le?

Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

kchristensen

146 Stars

24 Forks

MIT License

55 Commits

2 Opened issues

Description

Let's Encrypt support for Ubiquiti UbiOS firmwares

Services available

Need anything else?

Contributors list

Readme

Let's Encrypt for Ubiquiti UbiOS firmwares

Name: udm-le
Brand: udm-le
SKU: //kchristensen/udm-le
Rating: 2.115 (146 reviews)

Overview

This should work on UbiOS based firmware versions 1.7.0 onwards. This includes:

UniFi Dream Machine
UniFi Dream Machine Pro

It does NOT support the Cloud Key Gen 2 or Gen 2 Plus as they do not ship with Docker (podman) support.

This script supports issuing LetsEncrypt certificates via DNS using Lego.

Out of the box, it has tested support for select DNS providers but with little work you could get it working with any of the supported Lego DNS Providers.

Installation

Copy the contents of this repo to your device at
```
/mnt/data/udm-le
```
.
Edit
```
udm-le.env
```
and tweak variables to meet your needs.
Run
```
/mnt/data/udm-le/udm-le.sh initial
```
. This will handle your initial certificate generation and setup a cron task at
```
/etc/cron.d/udm-le
```
to attempt certificate renewal each morning at 0300.

Persistance

On firmware updates or just reboots, the cron file (

/etc/cron.d/udm-le

) gets removed, so if you'd like for this to persist, I suggest so you install boostchicken's on-boot-script package.

This script is setup such that if it determines that on-boot-script is enabled, it will set up an additional script at

/mnt/data/on_boot.d/99-udm-le.sh

which will attempt certificate renewal shortly after a reboot (and subsequently set the cron back up again).

DNS Providers

AWS Route53

AWS Route53 DNS challenge can use configuration and authentication values easily through shared credentials and configuration files as described here. This script will check for and include these files during the initial certificate generation and subsequent renewals. Ensure that

route53

is set for

DNS_PROVIDER

udm-le.env

, create a new directory called

.secrets

/mnt/data/udm-le

and add

credentials

and

config

files as required for your authentication. See the AWS CLI Documentation for more information. Currently only the

default

profile is supported.

GCP Cloud DNS

GCP Cloud DNS can be configured by establishing a service account with the role

roles/dns.admin

and exporting a service account key for that service account. Ensure that

gcloud

is set for

DNS_PROVIDER

udm-le.env

, and

GCE_SERVICE_ACCOUNT_FILE

references the path to the service account key (e.g.

./root/.secrets/my_service_account.json

) . Create a new directory called

.secrets

/mnt/data/udm-le

and add the service account file.

Cloudflare

In your Cloudflare account settings, create an API token with the following permissions:

Zone > Zone > Read
Zone > DNS > Edit

Once you have your token generated, add the value to

udm-le.env

Azure DNS

If not done already, delegate a domain to an Azure DNS zone.

Assuming the DNS zone lives in subscription

00000000-0000-0000-0000-000000000000

and resource group

udm-le

, with help of the Azure CLI provision an identity to manage the DNS zone by running:

# login az login

create a service principal with contributor (default) permissions over the godns resource group

az ad sp create-for-rbac --name godns --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/udm-le --role contributor

The CLI will output a JSON object. Use the printed properties to initialize your configuration in udm-le.env.

Note: - The

password

value is a secret and as such you may want to omit it from udm-le.env and instead set it in a

.secrets/client-secret.txt

file - The

appId

value is what Lego calls a client id