This should work on UniFi devices running UniFi OS 2.x or later, including:
- UniFi Dream Machine
- UniFi Dream Machine Pro
- UniFi Dream Machine SE
- UniFi Dream Router
- UniFi Dream Wall
- UniFi Express
- UniFi Network Video Recorder
- UniFi Network Video Recorder Professional
This script supports issuing Let's Encrypt SSL certificates via DNS using Lego.
Out of the box, it has tested support for select DNS providers but with little work you could get it working with any of the supported Lego DNS Providers.
- Copy the contents of this repo to your device at
/data/udm-le
. - Edit
/data/udm-le/udm-le.env
and tweak variables to meet your needs. - If necessary, create and populate the
/data/udm-le/.secrets
directory with the files required by your DNS provider. - Run
/data/udm-le/udm-le.sh initial
. This will handle your initial certificate generation and setup a systemd service to start the service on boot, as well as a systemd timer to attempt certificate renewal each morning between 0300 and 0305.
# Disable udm-le from running at boot
systemctl disable udm-le
# Delete any udm-le related data
rm -rf /data/udm-le /mnt/data/udm-le
rm -f /etc/systemd/system/udm-le.*
# Delete any generated certificates, and restart services to generate new self-signed certificates
rm -f /data/unifi-core/config/*.crt /data/unifi-core/config/*.key /data/unifi-core/config/*.pem
systemctl restart unifi-core
systemctl restart freeradius
If you use Amazon Route53 as your DNS provider, set the DNS_PROVIDER
to route53
and configure variables in udm-le.env
that start with AWS_
.
If not done already, delegate a domain to an Azure DNS zone.
Assuming the DNS zone lives in subscription 00000000-0000-0000-0000-000000000000
and resource group udm-le
, with help of the Azure CLI provision an identity to manage the DNS zone by running:
# Login
az login
# Create a service principal with contributor (default) permissions over the godns resource group
az ad sp create-for-rbac --name godns --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/udm-le --role contributor
In your Cloudflare account settings, create an API token with the following permissions:
- Zone > Zone > Read
- Zone > DNS > Edit
Once you have your token generated, add the value to udm-le.env
.
If you use DigitalOcean as your DNS provider, set your DNS_PROVIDER
to digitalocean
and configure your DO_AUTH_TOKEN
. Note: Quoting your DO_AUTH_TOKEN
seems to cause issues with Lego.
If you use DuckDNS as your DNS provider, set your DNS_PROVIDER
to duckdns
and configure your DUCKDNS_TOKEN
.
If you use Gandi Live DNS (v5) as your DNS provider, set your DNS_PROVIDER
to gandiv5
and configure your GANDIV5_API_KEY
. You can obtain your API key at your account settings.
GCP Cloud DNS can be configured by establishing a service account with the role roles/dns.admin
and exporting a service account key for that service account. Ensure that gcloud
is set for DNS_PROVIDER
in udm-le.env
, and GCE_SERVICE_ACCOUNT_FILE
references the path to the service account key (e.g. ./root/.secrets/my_service_account.json
) . Create a new directory called .secrets
in /data/udm-le
and add the service account file.
The CLI will output a JSON object. Use the printed properties to initialize your configuration in udm-le.env.
Note:
- The
password
value is a secret and as such you may want to omit it from udm-le.env and instead set it in a.secrets/client-secret.txt
file - The
appId
value is what Lego calls a client id
If you use Google Domains as your DNS provider, set the DNS_PROVIDER
to googledomains
and configure GOOGLE_DOMAINS_ACCESS_TOKEN
with your access token. You can create an access token in your Google Domains dashboard under YOUR_DOMAIN > Security > ACME DNS API.
If you use Linode as your DNS provider, set your DNS_PROVIDER
to linode
and configure LINODE_TOKEN
with the value of an API token. The API token must have a scope which allows Read/Write access to "Domains". API tokens can be created in the Linode Control panel.
If you use Loopia as your DNS provider, set your DNS_PROVIDER
to loopia
and configure LOOPIA_API_USER
and LOOPIA_API_PASSWORD
. The API user must be created at the loopia customer zone with the following privileges:
- addZoneRecord
- getZoneRecords
- removeZoneRecord
- removeSubdomain
Follow these instructions from name.com support to enable api access.
At the time of writing, the first few steps our out of date and I had to click API for resellers
under the more menu which should get you to step 3.
If using Multifactor to login then you will need to read this article about how to disable multifactor for api only.
There are two values needed for the udm-le.env
file: your name.com username; your generated api token for production.
To configure the Oracle Cloud Infrastructure (OCI) DNS provider, you will need a private API signing key and your tenancy and user account OCIDs. The quickest way to get all that is to install the OCI CLI locally and use its interactive setup process.
The setup process will create a ~/.oci/config
directory in which you can find your tenancy and user account OCIDs and key fingerprint and the API signing key will be stored in ~/.oci/oci_api_key.pem
. The following CLI command will return the compartment OCID for the specified OCI DNS zone:
$ oci dns zone get --zone-name-or-id example.com | jq -r '.data."compartment-id"'
ocid1.compartment.oc1..secret
**Important: do not wrap the values of the
OCI_*
variables inudm-le.env
with quotes. The lack of quotes around the example values provided inudm-le.env
is intentional and must be maintained.
- Set the
DNS_PROVIDER
value to"oraclecloud"
- Uncomment and copy the values from each
~/.oci/config
variable to the similarly namedOCI_*
variable inudm-le.env
. - Create a new directory at
/data/udm-le/.secrets
and copy theoci_api_key.pem
file that directory.
If you use Zonomi as your DNS provider, set your DNS_PROVIDER
to zonomi
and configure your ZONOMI_API_KEY
.
The API key can be obtained in your control panel under the DNS key type.