Certificates for unifi cloudkey

Hi,

I am having a lot of trouble getting a certificate for use on my Unifi CloudKey (gen2). I used to have valid Let’s Encrypt certificates, but they expired, and for the life of me I cannot renew them (primarily, it seems, due to the deprecation of some archive called jessie-backports). This is NOT for a public domain, it’s for a local wifi domain; in other words, it is using private IP addresses which resolve to the CloudKey.

In the absence of a new means of generating keys on the CloudKey itself, is there a way to generate them on my Mac? I haven’t been able to do so using the certbot. If I can generate them on my Mac, I could export them to the CloudKey.

Thanks for your help.

Well, there's your problem--Let's Encrypt will only issue certs for public domains. However, it's entirely possible to generate certs on the cloud key itself; I've been doing it for the past 9 months or so. I'm generally following this guide:

Thank you for your response. I’ve tried to do that, but the process always fails on the DNS challenge. I use Cloudflare and put in the proper key and such, but no luck. How are you doing it?

Thanks again.

To be more clear, I receive this error:

[Wed Sep 4 14:33:11 CST 2019] Run reload cmd: sh /root/.acme.sh/cloudkey-renew-hook.sh
sh: 0: Can't open /root/.acme.sh/cloudkey-renew-hook.sh
[Wed Sep 4 14:33:11 CST 2019] Reload error for :

Hi @stlblufan

Please share your domain name.

Never mind, I finally got it to work by manually entering the commands for the cloudkey-renew-hook portion of the script.

This is your problem, not anything to do with your DNS. Obviously the file needs to be there, but you also need to make sure it's executable.

Yes, I understand that. For some reason it is not being created when I follow the rest of the script that you referenced. I also typically receive a DNS-related error when I try to create the keys, but today I manually created the keys and then ran the script, so it skipped creation because they already existed. In any event, Unifi seems to make it harder and harder to put certificates on the UCK. Thank you for your help.

If it isn't being created, it's because you aren't creating it--that page calls for you to directly create that script; there's no other process that would be doing that. You create /root/.acme.sh/cloudkey-renew-hook.sh with the contents mentioned there (being careful of line wraps), and then call it with the acme.sh command.
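A pre-flight check for the reload hook discussed above, as an added example that is not part of the thread, of acme.sh, or of the guide it references: it takes the path from the error output and reports which condition would make acme.sh's `sh /root/.acme.sh/cloudkey-renew-hook.sh` reload step fail (file missing, exec bit missing, CRLF endings or wrapped lines from pasting). The return codes and the `check_hook` name are this example's own.

```sh
#!/bin/sh
# check_hook FILE: diagnose why an acme.sh --reloadcmd hook would fail.
# Returns 0 when the hook looks runnable, otherwise a distinct non-zero code.
# Example code, not from acme.sh; the path below is the one in the error above.
HOOK_DEFAULT=/root/.acme.sh/cloudkey-renew-hook.sh

check_hook() {
    f="$1"
    # "sh: 0: Can't open FILE" in the acme.sh log means exactly this case.
    if [ ! -f "$f" ]; then
        echo "missing: $f (create it with the contents from the guide)"
        return 1
    fi
    # The thread advises making the hook executable; enforce that.
    if [ ! -x "$f" ]; then
        echo "not executable: $f (fix: chmod 700 $f)"
        return 2
    fi
    # Scripts pasted from a Mac/Windows editor often carry CRLF endings,
    # which sh treats as part of each command and fails on.
    if grep -q "$(printf '\r')" "$f"; then
        echo "CRLF line endings in $f (fix: sed -i 's/\r\$//' $f)"
        return 3
    fi
    # sh -n parses without executing, so wrapped or truncated lines show up
    # here instead of at renewal time.
    if ! sh -n "$f" 2>/dev/null; then
        echo "syntax error in $f (check for wrapped lines)"
        return 4
    fi
    echo "ok: $f"
    return 0
}

# Usage: sh hook-check.sh [/path/to/hook]; defaults to the CloudKey hook path.
[ $# -gt 0 ] && check_hook "${1:-$HOOK_DEFAULT}"
```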
