Link LetsEncrypt and my FQDN again (unifi)

I recently installed version 7.2.94 of my Unifi network controller on a Google Cloud Platform server over an existing version of the controller because it was giving problems. The Unifi controller works fine again, but only the LetsEncrypt certificate no longer works. Checking the certificate on the server indicates that the certificate is installed correctly. How can I link it back to my FQDN correctly?

Hello @markladage, welcome to the Let's Encrypt community. :slightly_smiling_face:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!


Hello @Bruce5051, thanks for the fast response. I am just an enthusiastic amateur, so I'm not sure if I will give you the correct information, but I'll give it a try.
Domain: unifi.markladage.nl
Webserver: Google Cloud Platform
OS: Ubuntu 22.04.1 LTS
Certbot: 1.21.0

I don't know how to answer the other questions.

I hope this is enough information.

Gr. Mark


I guess I am not understanding the issue fully; can you elaborate?

Here is a list of the issued certificates for crt.sh | unifi.markladage.nl, the latest being 2022-10-07.

This is what I see with Firefox

And its certificate seems fine:


Maybe I don't quite understand what happened. I also think the certificate is good, but when I want to reach my UniFi controller via https://unifi.markladage.nl:8443/ I get a privacy error.

Whatever is listening on port 8443 is using a self-signed Unifi cert. Your Apache server listening on port 443 (https) uses the Let's Encrypt cert (as Bruce showed).

I don't know how to change your Unifi for this. Maybe someone else here will, or try a Unifi forum.

echo | openssl s_client -connect unifi.markladage.nl:8443  | head

depth=0 C = US, ST = New York, L = New York, O = Ubiquiti Inc., OU = UniFi, CN = UniFi
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = US, ST = New York, L = New York, O = Ubiquiti Inc., OU = UniFi, CN = UniFi
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = New York, L = New York, O = Ubiquiti Inc., OU = UniFi, CN = UniFi
   i:C = US, ST = New York, L = New York, O = Ubiquiti Inc., OU = UniFi, CN = UniFi
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  9 09:46:21 2022 GMT; NotAfter: Jan 11 09:46:21 2025 GMT
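The openssl check above is the decisive test in this thread: it shows what a listener actually presents, independent of what certbot reports on disk. The following script is an added example (not code from the original posts, from Ubiquiti or from Let's Encrypt) that runs the same `openssl s_client` command against several ports of one host, adds SNI and OpenSSL's own hostname check (`-servername` and `-verify_hostname`, assumed available, i.e. OpenSSL 1.1.0 or newer), and parses the text output into a verdict per port. The embedded sample is a constructed copy of the 8443 output quoted above, extended with the final `Verify return code` line that `head` cut off.

```python
"""Which certificate does each listener actually serve?

Added example for this thread; not code from the original posts, from
Ubiquiti or from Let's Encrypt. It drives `openssl s_client` the way the
post above does and parses the one-line DN format OpenSSL 1.1.1+ prints
("C = US, ST = ..., CN = UniFi").
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

# CONSTRUCTED sample: the port-8443 output quoted in the thread, plus the
# closing "Verify return code" line that `head` truncated there.
SAMPLE_8443 = """\
depth=0 C = US, ST = New York, L = New York, O = Ubiquiti Inc., OU = UniFi, CN = UniFi
verify error:num=18:self-signed certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = New York, L = New York, O = Ubiquiti Inc., OU = UniFi, CN = UniFi
   i:C = US, ST = New York, L = New York, O = Ubiquiti Inc., OU = UniFi, CN = UniFi
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  9 09:46:21 2022 GMT; NotAfter: Jan 11 09:46:21 2025 GMT
---
Verify return code: 18 (self-signed certificate)
"""


def parse_dn(dn):
    """'C = US, ST = New York, CN = UniFi' -> {'C': 'US', 'ST': 'New York', 'CN': 'UniFi'}."""
    out = {}
    for item in dn.split(", "):
        if " = " in item:
            key, value = item.split(" = ", 1)
            out[key.strip()] = value.strip()
    return out


def parse_s_client(text):
    """Pull the leaf (depth 0) subject, issuer, expiry and verify code out of s_client output."""
    leaf = {"subject": {}, "issuer": {}, "not_after": None, "verify_code": None}
    in_leaf = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\d+) s:(.*)", line)
        if m:
            in_leaf = m.group(1) == "0"      # only the depth-0 entry is the served leaf
            if in_leaf:
                leaf["subject"] = parse_dn(m.group(2))
        elif in_leaf and line.startswith("i:"):
            leaf["issuer"] = parse_dn(line[2:])
        elif in_leaf and line.startswith("v:"):
            m = re.search(r"NotAfter: (.+ GMT)", line)
            if m:
                leaf["not_after"] = datetime.strptime(
                    m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        elif line.startswith("Verify return code:"):
            leaf["verify_code"] = int(line.split(":")[1].split()[0])
    return leaf


def assess(leaf, expected_host):
    """Self-signed means subject == issuer. verify_ok means OpenSSL accepted both
    the chain and the hostname (the hostname part is what -verify_hostname adds)."""
    subject, issuer = leaf["subject"], leaf["issuer"]
    return {
        "issuer_cn": issuer.get("CN"),
        "subject_cn": subject.get("CN"),
        "self_signed": bool(subject) and subject == issuer,
        "cn_matches_host": subject.get("CN", "").lower() == expected_host.lower(),
        "not_after": leaf["not_after"],
        "verify_ok": leaf["verify_code"] == 0,
    }


def check_listener(host, port, timeout=15):
    """Run openssl s_client against host:port (with SNI + hostname check) and assess it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-verify_hostname", host]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=timeout)
    # depth=/verify lines go to stderr, the chain summary to stdout; parse both.
    return assess(parse_s_client(proc.stdout + proc.stderr), host)


if __name__ == "__main__":
    # Usage: python3 check_listeners.py your.host.example [port ...]   (defaults: 443 8443)
    host = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or [443, 8443]
    for port in ports:
        result = check_listener(host, port)
        verdict = "OK" if result["verify_ok"] and result["cn_matches_host"] else "PROBLEM"
        print(f"{host}:{port} {verdict} issuer={result['issuer_cn']!r} "
              f"self_signed={result['self_signed']} expires={result['not_after']}")
```

On a host in the state described above, port 443 reports an `R3`-style Let's Encrypt issuer and `verify_ok`, while 8443 reports issuer `UniFi`, `self_signed=True` and a CN that does not match the FQDN. The `cn_matches_host` field is only a hint (modern certificates are matched on SAN, not CN); `verify_ok` is the authoritative result because OpenSSL performed the hostname check itself.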

Yep; UniFi does not have that certificate but Ubiquiti's own self-signed certificate.
Check here for Let's Encrypt on Ubiquiti's UniFi.

Replacing or renewing the existing certificate does not work. After deleting the certificate and reinstalling, I get the following error:

.....:~$ sudo certbot --apache -d unifi.markladage.nl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 34 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/unifi.markladage.nl/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 34 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/unifi.markladage.nl/fullchain.pem' does not exist or is empty\n")

I guess I have to recreate my private key, is that correct?

No, not exactly.

It looks like you deleted the certs while your Apache config still needed them. The Certbot docs explain the safe way to delete certs.

https://eff-certbot.readthedocs.io/en/stable/using.html#deleting-certificates

Once you get Apache running again (following above instructions) you can get new certs using the same method you used before.

Why did you even delete them though? Your Apache was working fine. It was your Unifi Management panel that was not configured to use the Let's Encrypt certs. Bruce provided some links for that or maybe ask on the Unifi forum. Deleting valid certs and getting fresh ones won't fix that.

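The AH00526 error above is the consequence of removing a lineage that a vhost still references. The following pre-flight check is an added example (not code from certbot, Apache or the original posts): it scans the vhost files for `SSLCertificateFile`, `SSLCertificateKeyFile` and `SSLCertificateChainFile` directives, reports any that point at a missing or empty file (the exact condition `apache2ctl configtest` rejects), and lists which certbot lineages Apache still depends on, so you know what `certbot delete` must not touch. It assumes the Debian/Ubuntu paths visible in the error output, `/etc/apache2/sites-enabled` and `/etc/letsencrypt/live/<name>/`; `demo()` builds a throwaway copy of that layout in a temp directory so the check can be exercised offline.

```python
"""Pre-flight check before `certbot delete`: which vhosts still reference a lineage?

Added example, not code from certbot, Apache or the original posts. Assumes
the Debian/Ubuntu layout seen in the error above (/etc/apache2/sites-enabled,
/etc/letsencrypt/live/<lineage>/...).
"""
import os
import re
import tempfile

# SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile <path>
DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCertificate(?:Key|Chain)?File)\s+"?([^"\s]+)"?', re.IGNORECASE)


def find_cert_references(conf_dir):
    """Every (conf file, line number, directive, path) in the vhost files of conf_dir."""
    refs = []
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):          # also skips dangling symlinks
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                m = DIRECTIVE_RE.match(line)
                if m:
                    refs.append((name, lineno, m.group(1), m.group(2)))
    return refs


def missing_cert_files(conf_dir):
    """References whose target is absent or empty: exactly what apache2ctl
    configtest reports as AH00526 'does not exist or is empty'."""
    return [ref for ref in find_cert_references(conf_dir)
            if not (os.path.isfile(ref[3]) and os.path.getsize(ref[3]) > 0)]


def lineages_in_use(conf_dir, live_dir="/etc/letsencrypt/live"):
    """Certbot lineage names Apache still depends on. Only `certbot delete` a
    name that is NOT in this set, or fix the vhost first."""
    prefix = live_dir.rstrip("/") + "/"
    names = set()
    for _, _, _, path in find_cert_references(conf_dir):
        if path.startswith(prefix):
            names.add(path[len(prefix):].split("/", 1)[0])
    return names


def demo():
    """CONSTRUCTED scenario: one directive points at a present file, one at a
    lineage that was deleted out from under Apache."""
    tmp = tempfile.mkdtemp()
    present = os.path.join(tmp, "fullchain.pem")
    with open(present, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nplaceholder, not a real cert\n-----END CERTIFICATE-----\n")
    conf_dir = os.path.join(tmp, "sites-enabled")
    os.mkdir(conf_dir)
    with open(os.path.join(conf_dir, "000-default-le-ssl.conf"), "w") as fh:
        fh.write("<VirtualHost *:443>\n"
                 "    ServerName deleted.example\n"
                 f"    SSLCertificateFile {present}\n"
                 "    SSLCertificateKeyFile /etc/letsencrypt/live/deleted.example/privkey.pem\n"
                 "</VirtualHost>\n")
    return missing_cert_files(conf_dir), lineages_in_use(conf_dir)


if __name__ == "__main__":
    import sys
    conf_dir = sys.argv[1] if len(sys.argv) > 1 else "/etc/apache2/sites-enabled"
    for name, lineno, directive, path in missing_cert_files(conf_dir):
        print(f"{name}:{lineno}: {directive} -> {path} (missing or empty)")
    print("lineages still referenced by Apache:", sorted(lineages_in_use(conf_dir)))
```

Run it before deleting anything; if the lineage you intend to remove appears in the referenced set, edit or disable that vhost first (or just keep the certificate, as the post above recommends), then run `apache2ctl configtest` to confirm Apache still loads.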

Well, as I said before, I am an enthusiastic amateur who sometimes does things that are not convenient, but through trial and error I hope to understand things. :grinning:

I followed the steps mentioned by @Bruce5051 but keep getting the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 34 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/unifi.markladage.nl/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 34 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/unifi.markladage.nl/fullchain.pem' does not exist or is empty\n")

How do I get the fullchain.pem?

I've restored a snapshot of my disk, but still my UniFi Controller is not linked to the certificate, although it says everything is OK.

Output of the SSL import script:
Starting UniFi Controller SSL Import...
Running in Let's Encrypt Mode...
Inspecting current SSL certificate...
Certificate is unchanged, no update is necessary.

PS: checking certificates:
Found the following certs:
Certificate Name: unifi.markladage.nl
Serial Number: 3f75df3cc82e2e1fd4ab8290da25ea78620
Key Type: RSA
Domains: unifi.markladage.nl
Expiry Date: 2023-01-05 07:17:57+00:00 (VALID: 63 days)
Certificate Path: /etc/letsencrypt/live/unifi.markladage.nl/fullchain.pem
Private Key Path: /etc/letsencrypt/live/unifi.markladage.nl/privkey.pem

Yes, you are back to what I described in post #6. Your Apache server is working correctly with your Let's Encrypt cert issued Oct 7. But your Unifi controller on port 8443 is using a self-signed Unifi cert.

You should ask how to configure that panel on a Unifi forum. We cannot be experts on every application that uses certs.


Where is this output coming from?


OK I understand. As far as I can see, the UniFi Controller is also configured correctly, see the output of the import script, and the certificate is also correct. I will discuss this topic further on the UniFi forums, thanks for all the help.


This comes from an import script for the Unifi controller and is part of the solution @Bruce5051 introduced.

Bruce's link mentioned at least four possible scripts. One of them is a deployment script for acme.sh, which you aren't using, but that leaves three others. Which script are you using, and where did you get it from?


It's the one from Crisstalksolutions

A link? Or even spelling the name of the place correctly? You aren't making it easy to help you. But after clicking through three other links, the actual script is here:

Looking over the script and Chris' instructions, as well as the output you posted from the script, suggests that the script is trying to import the wrong cert. A few places that stand out as possible error points:

  • When you edited the script, did you enter the correct hostname (unifi.markladage.nl)?
  • Did you comment out the lines for RedHat etc., and uncomment the lines for Debian/Ubuntu?
  • Did you set LE_MODE=yes?
  • Are the certificate files actually in /etc/letsencrypt/live/unifi.markladage.nl/?
  • Do you have a file at /etc/letsencrypt/live/unifi.markladage.nl/privkey.pem.md5?
  • What's the output of ls -l /etc/letsencrypt/live/unifi.markladage.nl/?

Sorry if I'm not clear; I'm at work right now and can't spend the time it actually needs, and besides, I don't understand it all that well. In answer to your questions:
  • The hostname is correct.
  • Yes, I commented out the correct lines.
  • Yes, I have set LE_MODE to yes.
  • All files are in the folder you mentioned.
  • Yes, the privkey.pem.md5 file is in the correct folder.
  • ls -l /etc/letsencrypt/live/unifi.markladage.nl
total 8
-rw-r--r-- 1 root root 692 May 17 2019 README
lrwxrwxrwx 1 root root 44 Oct 7 10:18 cert.pem -> ../../archive/unifi.markladage.nl/cert22.pem
lrwxrwxrwx 1 root root 45 Oct 7 10:18 chain.pem -> ../../archive/unifi.markladage.nl/chain22.pem
lrwxrwxrwx 1 root root 49 Oct 7 10:18 fullchain.pem -> ../../archive/unifi.markladage.nl/fullchain22.pem
lrwxrwxrwx 1 root root 47 Oct 7 10:18 privkey.pem -> ../../archive/unifi.markladage.nl/privkey22.pem
-rw-r--r-- 1 root root 88 Oct 8 06:25 privkey.pem.md5
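The listing above holds the clue to the "Certificate is unchanged, no update is necessary" message: `privkey.pem` resolves to the Oct 7 `privkey22.pem`, while `privkey.pem.md5` (88 bytes) was written on Oct 8, after that key. The following is an added example, not the import script itself, and rests on an assumption about how that script works, consistent with the file it keeps: it stores the output of `md5sum privkey.pem` in `privkey.pem.md5` and skips the keystore import whenever the digest of the current key still matches. Under that assumption, if the keystore import was lost (for instance by restoring a disk snapshot) but the stamp file survived, every later run is a no-op until the stamp is removed. The code reproduces that decision, shows how to force a re-import, and walks through the three states in a temp directory with constructed placeholder files.

```python
"""Why an md5 stamp makes the import script report "unchanged".

Added example for this thread, not the import script itself. ASSUMPTION about
that script: it writes `md5sum privkey.pem` output to privkey.pem.md5 and
skips the import while the digest of the current privkey.pem still matches.
"""
import hashlib
import os
import tempfile


def md5_of_file(path):
    """Hex MD5 of a file; used as a change detector here, not as a security primitive."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:            # follows the live/ -> archive/ symlink
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def key_unchanged_since_last_import(privkey_path, stamp_path=None):
    """True when the stamp exists and its recorded digest matches the current key,
    i.e. the situation in which the script prints 'no update is necessary'."""
    stamp_path = stamp_path or privkey_path + ".md5"
    if not os.path.exists(stamp_path):
        return False                        # no stamp: the script will import
    with open(stamp_path) as fh:
        fields = fh.read().split()          # md5sum format: '<hex>  <path>'
    return bool(fields) and fields[0].lower() == md5_of_file(privkey_path)


def force_reimport(privkey_path, stamp_path=None):
    """Remove the stamp so the next script run imports the current key and cert
    again. Returns True if a stamp was removed."""
    stamp_path = stamp_path or privkey_path + ".md5"
    if os.path.exists(stamp_path):
        os.remove(stamp_path)
        return True
    return False


def demo():
    """CONSTRUCTED walk-through in a temp dir: stamp matches, key rotated, stamp removed."""
    tmp = tempfile.mkdtemp()
    key = os.path.join(tmp, "privkey.pem")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nplaceholder, not a real key\n-----END PRIVATE KEY-----\n")
    with open(key + ".md5", "w") as fh:     # what `md5sum privkey.pem > privkey.pem.md5` writes
        fh.write(f"{md5_of_file(key)}  {key}\n")
    unchanged_before = key_unchanged_since_last_import(key)
    with open(key, "w") as fh:              # simulate a certbot renewal writing a new key
        fh.write("-----BEGIN PRIVATE KEY-----\nplaceholder, renewed key\n-----END PRIVATE KEY-----\n")
    unchanged_after = key_unchanged_since_last_import(key)
    removed = force_reimport(key)
    return unchanged_before, unchanged_after, removed, os.path.exists(key + ".md5")


if __name__ == "__main__":
    import sys
    key = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/live/<your-hostname>/privkey.pem"
    print("would the script skip the import?", key_unchanged_since_last_import(key))
```

If the check returns True on a controller that still presents the Ubiquiti certificate on 8443, remove the stamp (or run `force_reimport`), rerun the import script, and then confirm with the `openssl s_client` command quoted earlier in the thread that port 8443 now shows a Let's Encrypt issuer rather than `CN = UniFi`.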