Skip to main content

One of the most asked questions about the Unifi Controller is how to get rid of the certificate error when you open the controller. And I totally understand, it’s annoying to bypass the error/warning every time you log in to your controller.

So in this article, we are going to install a Letsencrypt SSL Certificate for our Unifi Controller. I am using a Rasberry Pi to run the controller, so this article is mostly written for a Pi.

Letsencrypt and Unifi

Letsencrypt certificates are free to use but need to be renewed every 90 days. The renewing can be automated, as I will show you in this article, but it requires that your controller is accessible from the internet.

To do this you will need a custom domain name that you can use to point a subdomain to your local controller. Also, we need to open and forward a specific port in the router.

Before we continue there is one thing you should know, we can’t create a certificate for a local IP Address. You are probably running your controller locally, so if you want to open your Unifi Controller, you go to for example.

Even if we make the controller accessible from the internet, with, then, by default, you still can’t access it locally with a certificate. You can’t open, because that will require you to make a U-turn on the internet, which won’t work. Opening the controller from the local IP Address will still give a warning because the cert is issued to

Local DNS Entries

But we have a solution for this, we can create a local DNS entry. You can do this locally on your computer, by changing your host file or on your router, by creating a static DNS entry. I prefer the router because this is device independent and will work in your whole network, but you will have to check if it’s possible with your router.

Static DNS entry EdgeRouter

If you have an EdgeRouter, you can create a static DNS route by opening your router through SSH. Simply use Putty or Windows Terminal for this:

1.  # Open the SSH connection to your EdgeRouter<font></font>
2.  ssh ubnt@<font></font>
3.  <font></font>
4.  # Open configure mode<font></font>
5.  configure<font></font>
6.  <font></font>
7.  # Add the DNS route. Use the domain name we create later<font></font>
8.  # Change to the IP Address of your Unifi Controller<font></font>
9.  set system static-host-mapping host-name <> inet<font></font>
10. <font></font>
11. commit<font></font>
12. save

Change your host file

On Windows, you can easily add local DNS routes by adding them to your host file. You will need to open the host file with admin rights to save the changes:

  • Open %windir%\System32\drivers\etc
  • Open the file hosts
  • At the end of the file, add:
  • Save and close the file

Change to the IP Address of your Unifi Controller.

Setup the Port Forwarding and Domain

So to get a certificate we need a domain name. You can get a domain name for less than $10 a year, for example here at NameCheap Now we don’t want to point the whole domain to our unifi controller, so I suggest you create a subdomain and point that to your local network.

Look up your public IP Address, here at, and create an A record with the name unifi and your IP Address.

Now you need to forward and open the following ports in your router. Port 80 is needed for LetsEncrypt to authenticate the SSL Certificate.

  • Original port: 80
  • Protocol: TCP/UDP
  • Forward-to address: IP Address of your Unifi Controller
  • Forward-to port: 80

If you also want to access your Unifi Controller from the internet, you could also forward the following port number. But keep in mind that your controller is only protected with a username and password. Another, saver, option to access your Unifi Controller is to use

  • Original port: 8443
  • Protocol: TCP/UDP
  • Forward-to address: IP Address of your Unifi Controller
  • Forward-to port: 8443

If you have an EdgeRouter you can enable Auto firewall, the EdgeRouter will open the specific port in the firewall for you then:

Install SSL Certificate on Unifi Controller

With everything set, we can start with installing the certificate for our Unifi Controller.

  1. Install Certbotsudo apt-get install certbot
  2. Generate a SSL certificatesudo certbot certonly --standalone -d

    You will need to enter an email address so you can receive a notification when you need to renew (when the auto-renew fails), Accept the Terms, and Accept or Decline the last request.
  3. Download import scriptWe need to import the Letsencrypt cert into the Unifi Controller. Steve Jenkins has created an import script that makes this a lot easier to do, so we are going to use this script.

    Download the script with the following cmd:

    sudo wget -O /usr/local/bin/

    We place it in /usr/local/bin as recommend by Steve.
  4. Make the script executableBy default, you can’t execute the script. Give it the correct permissions with the following cmd:

    sudo chmod +x /usr/local/bin/
  5. Edit the variables in the scriptNext, we need to edit some of the configuration variables in the script. Open the script with

    sudo nano -w /usr/local/bin/

    Add your domain

    Comment the three lines for Fedora/RedHat/Centos by placing a # for it:
    # Uncomment following three lines for Fedora/RedHat/CentOS

    Uncomment the three lines for Debian/Ubuntu
    # Uncomment following three lines for Debian/Ubuntu

    Set the Let’s Encrypt mode to true:
    If you only enable the line, by removing the #, you will get a loop ==Yes when running the script. So set it to true. Will still get some warning about missing [[:, but the doesn’t matter.

    Save and close the file
    Ctrl + X
  6. Run the import scriptWe can now import our new SSL cert into the Unifi Controller. Run the following cmd:

    sudo /usr/local/bin/

    If you get a loop with == yes, press ctrl + c and change LE_MODE to true (see step 5)
  7. Check the new CertificateThe script will restart the Unifi Controller. Give it a couple of minutes to start.
    If you open your controller you should now have a certificate and no errors or warnings anymore.

8. Creating the update scriptCerbot will renew the certificate every 3 months. So we will have to import the certificate as well every 3 months.

Create a new file
sudo nano -w /etc/cron.daily/unifi_ssl_import

And add the following content into it

Press Ctrl +X followed by Y and Enter to save and close the file.

Give the file the correct permissions so it can be executed:
sudo chown root:root /etc/cron.daily/unifi_ssl_import
sudo chmod +x /etc/cron.daily/unifi_ssl_import

That’s all, you should now be set with a nice SSL certificate for you Unifi Controller and the annoying warning should be gone. If you have any questions, just drop a comment below.

You probably also want to take care of your Unifi Controller backup. By default it’s stored on the controller self, but you can simply upload a copy of the backup to Dropbox for example. You can read all about it in this article.