UniFi - SSL Certificate Error


Overview


This article explains what to do if an SSL Certificate Error is shown when attempting to open the UniFi controller page.


Table of Contents


  1. What does this error look like?
  2. Cause: Missing a Valid SSL Certificate
  3. Cause: Adopting UniFi for the First Time
  4. Related Articles

 What does this error look like?




Missing a Valid SSL Certificate



UniFi relies on HTTPS for extra security. This means that the browser will check for valid certificates when making a secure connection to the web server. Although the alert message may prove annoying, there's no risk to the connecting user. To avoid this error you must:
 
  1. Buy a signed SSL certificate from any web hosting provider (or if you decide to generate one, see a few notes on that below).
  2. Then make the following changes to the controller:
    sudo su -
    # cd <unifi_base>
    # (on Windows, <unifi_base> is "%USERPROFILE%/Ubiquiti Unifi")
    cd /usr/lib/unifi
    
    # create a new certificate (with CSR)
    java -jar lib/ace.jar new_cert <hostname> <company> <city> <state> <country>
    
    # Enter your password if prompted; the CSR is then created in /var/lib/unifi as:
    # - unifi_certificate.csr.der
    # - unifi_certificate.csr.pem
    
    # have this CSR signed by a CA; you'll get a few certificates back...
    # copy the signed certificate(s) to <unifi_base>
    
    # import the signed certificate and the other intermediate certificates
    java -jar lib/ace.jar import_cert <signed_cert> [<other_intermediate_root_certs>...]
NOTES:
  1. Notes on the X.509 Subject Alternative Name (SAN):
    • If you're using Windows to generate the certificate, make sure the alternative name is set as DNS within the certificate's properties window, and fill out the value.
    • If you're on Ubuntu / Debian and using openssl to generate a certificate, make sure to use the SAN extensions or you will be prompted that the cert is invalid, which indicates a missing X.509 Subject Alternative Name. See external documentation about Subject Alternative Name here.
  2. Once you have created the CSR it can be found in the %USERPROFILE%\Ubiquiti UniFi\data folder. On Mac find it here: /Users/username/Library/Application\ Support/UniFi/data. Not sure where to find <unifi_base>? See this article.
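
The openssl note above, as an added example (not part of the original article or Ubiquiti's tooling): it generates a key and a CSR that carries a DNS Subject Alternative Name, then confirms the extension is present before the CSR goes to a CA. The hostname unifi.example.com, the output file names and both function names are assumptions.

```shell
#!/bin/sh
# Added example; hostname and file names below are constructed placeholders.

# make_san_csr HOST OUTDIR
# Writes OUTDIR/unifi.key and OUTDIR/unifi.csr; the CSR requests DNS:HOST as SAN.
make_san_csr() {
    host=$1
    out=$2
    mkdir -p "$out" || return 1
    # A config file is used instead of -addext so older OpenSSL releases work too.
    cat > "$out/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    # umask 077 keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -config "$out/req.cnf" \
          -keyout "$out/unifi.key" -out "$out/unifi.csr" 2>/dev/null )
}

# csr_has_san CSR HOST
# Succeeds only if the CSR's SAN extension contains exactly DNS:HOST.
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | tr -d ' ' |
        grep -qxF "DNS:$2"
}

# Demo in a scratch directory.
tmp=$(mktemp -d)
if make_san_csr unifi.example.com "$tmp" &&
   csr_has_san "$tmp/unifi.csr" unifi.example.com; then
    echo "CSR carries DNS:unifi.example.com in its SAN"
else
    echo "CSR is missing the expected SAN" >&2
fi
rm -rf "$tmp"
```

The same `openssl ... -noout -text` check works on the signed certificate with `openssl x509` in place of `openssl req`, which confirms the CA kept the SAN.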

Troubleshooting


If the error "Unable to import certificate into keystore" appears when importing the signed certificate & intermediate certs, try the following steps:

1. Edit the certificate file and remove any trailing blank spaces at the end of each line of the cert.

2. Save the changes and re-import the certificate.


Adopting UniFi for the First Time



This error should not be confused with the one seen when adopting a Cloud Key for the first time. The first-time adoption error can be safely ignored as follows:

1. Click Advanced

2. Click Proceed to <your IP>

Verify whether this is your case by checking our UniFi - How to Setup your Cloud Key and UniFi Access Point (for beginners) article (step 3.5 of section 3, Configuring your Cloud Key & Access Point).


 Related Articles



UniFi - How to Setup your Cloud Key and UniFi Access Point (for beginners)