Report bugs to unifi deploy hook

[medmunds]

This is the place to report bugs in the unifi deploy hook.

If you experience a bug with --deploy-hook unifi, please report it in this issue. (Please include the --debug output to assist in diagnosing any problems.)

Thanks!

[blackjack4494]

just curious tho this might not be related purely to the unifi deploy hook (first time using acmesh, used certbot before) but i couldn't find something on that matter: does the cronjob that comes with acme is also deploying the certs?
I wrote a brief 'how-to' gist on how to freshly install, issue and deploy a cert on a unifi controller. And the answer to my question would be nice to know.
Thanks in advance (:

[medmunds]

@blackjack4494 yes, acme.sh saves your deploy-hook settings, and re-deploys with those same settings after a successful cron certificate renewal. (This applies to all deploy hooks, not just unifi.)

[SupersixEvo]

I'm just replacing an Ubuntu 16.04 VM running Unifi with a new VM running 22.04.

When trying to use the unifi hook (which worked great on 16.04), I get

[Fri 22 Jul 22:49:28 UTC 2022] Installing certificate for Unifi Controller (Java keystore)
[Fri 22 Jul 22:49:28 UTC 2022] _unifi_keystore='/usr/lib/unifi/data/keystore'
[Fri 22 Jul 22:49:28 UTC 2022] Generate import pkcs12
[Fri 22 Jul 22:49:28 UTC 2022] Import into keystore: /usr/lib/unifi/data/keystore
Importing keystore /tmp/tmp.UHja0HRWf4 to /usr/lib/unifi/data/keystore...
keytool error: java.io.IOException: keystore password was incorrect
[Fri 22 Jul 22:49:29 UTC 2022] Error importing into Unifi Java keystore.
[Fri 22 Jul 22:49:29 UTC 2022] Please re-run with --debug and report a bug.
[Fri 22 Jul 22:49:29 UTC 2022] Error deploy for domain:unifi.xxx.me.uk
[Fri 22 Jul 22:49:29 UTC 2022] Deploy error.

I can run

keytool -list -v -keystore /usr/lib/unifi/data/keystore

and see 1 existing certificate in the keystore (either providing no password or the default one in the script).

I wonder if this relates to it as it mentions Ubuntu Jammy (which is v22) but I'm unsure if I can add the -legacy parameter in the script and if, so where.

[SupersixEvo]

I realised the topkcs routine called in unifi.sh lives in the main acme.sh file, so I added -legacy to the first call in that (line 1427 on my system). That line now reads:

${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword" -name "$pfxName" -caname "$pfxCaname" -legacy

And the import now works.

[medmunds]

@SupersixEvo thanks for tracking this down.

@Neilpang this affects _toPkcs in the main acme.sh. When openssl is v3 or later, the unifi deploy script needs _toPkcs to invoke openssl with the -legacy parameter. What would be the best way to do that?

[Neilpang]

@medmunds add one more parameter to the _toPKcs() function, eg: usLegacy (or whatever), default is empty.

in the deploy hook, invoke it with value 1.

[Neilpang]

also, you should check if current openssl supports "-legacy" option first.

[cengbrecht]

${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword" -name "$pfxName" -caname "$pfxCaname" -legacy

Can confirm that this works, though my openssl does not accept -legacy directly?

[robinalden]

I had a problem with a CloudKey G2+. The deploy script seemed to think it was a Gen1, so deployment failed.

acme.sh --deploy -d unifi.MYDOMAIN.me --deploy-hook unifi --debug
[Mon Jan 30 12:35:20 GMT 2023] Lets find script dir.
[Mon Jan 30 12:35:20 GMT 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
[Mon Jan 30 12:35:20 GMT 2023] _script='/root/.acme.sh/acme.sh'
[Mon Jan 30 12:35:20 GMT 2023] _script_home='/root/.acme.sh'
[Mon Jan 30 12:35:20 GMT 2023] Using config home:/root/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.6
[Mon Jan 30 12:35:20 GMT 2023] Running cmd: deploy
[Mon Jan 30 12:35:20 GMT 2023] Using config home:/root/.acme.sh
[Mon Jan 30 12:35:20 GMT 2023] default_acme_server
[Mon Jan 30 12:35:20 GMT 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Mon Jan 30 12:35:21 GMT 2023] DOMAIN_PATH='/root/.acme.sh/unifi.MYDOMAIN.me'
[Mon Jan 30 12:35:21 GMT 2023] _deployApi='/root/.acme.sh/deploy/unifi.sh'
[Mon Jan 30 12:35:21 GMT 2023] _cdomain='unifi.MYDOMAIN.me'
[Mon Jan 30 12:35:21 GMT 2023] _ckey='/root/.acme.sh/unifi.MYDOMAIN.me/unifi.MYDOMAIN.me.key'
[Mon Jan 30 12:35:21 GMT 2023] _ccert='/root/.acme.sh/unifi.MYDOMAIN.me/unifi.MYDOMAIN.me.cer'
[Mon Jan 30 12:35:21 GMT 2023] _cca='/root/.acme.sh/unifi.MYDOMAIN.me/ca.cer'
[Mon Jan 30 12:35:21 GMT 2023] _cfullchain='/root/.acme.sh/unifi.MYDOMAIN.me/fullchain.cer'
[Mon Jan 30 12:35:21 GMT 2023] Installing certificate for Unifi Controller (Java keystore)
[Mon Jan 30 12:35:21 GMT 2023] _unifi_keystore='/usr/lib/unifi/data/keystore'
[Mon Jan 30 12:35:21 GMT 2023] Generate import pkcs12
[Mon Jan 30 12:35:21 GMT 2023] Import into keystore: /usr/lib/unifi/data/keystore
Importing keystore /tmp/tmp.zJAEBB7Qp6 to /usr/lib/unifi/data/keystore...
Warning: Overwriting existing alias unifi in destination keystore
[Mon Jan 30 12:35:24 GMT 2023] Import keystore success!
[Mon Jan 30 12:35:24 GMT 2023] Install Unifi Controller certificate success!
[Mon Jan 30 12:35:24 GMT 2023] Installing certificate for Cloud Key Gen1 (nginx admin pages)
[Mon Jan 30 12:35:24 GMT 2023] _cloudkey_certdir='/etc/ssl/private'
[Mon Jan 30 12:35:24 GMT 2023] Unsupported Cloud Key configuration: keystore not found at '/etc/ssl/private/unifi.keystore.jks'
[Mon Jan 30 12:35:24 GMT 2023] Error deploy for domain:unifi.MYDOMAIN.me
[Mon Jan 30 12:35:24 GMT 2023] Deploy error.

The script was looking for /etc/ssl/private/cloudkey.key to identify it as a G1, and that file did exist but was > 2 years old. I wonder if it used to use nginx before it upgraded itself to use Unifi OS.
I moved the whole /etc/ssl/private directory with
mv /etc/ssl/private/ /etc/ssl/private-renamed

and then the deploy ran fine.

...
[Mon Jan 30 12:51:05 GMT 2023] Installing certificate for UnifiOS
[Mon Jan 30 12:51:05 GMT 2023] _unifi_core_config='/data/unifi-core/config'
[Mon Jan 30 12:51:05 GMT 2023] Install UnifiOS certificate success!
[Mon Jan 30 12:51:05 GMT 2023] Reload services (this may take some time): service unifi restart && systemctl restart unifi-core
[Mon Jan 30 12:52:46 GMT 2023] Reload success!
[Mon Jan 30 12:52:46 GMT 2023] Success

[robhardman]

#3359 (comment)

Just to add a +1 to robinalden's comment above. My CloudKey2 was upgraded from UnifiOS 1 --> 2.x --> 3.x and I had exactly the same issue with the deploy hook until I renamed /etc/ssl/private. Perhaps there is a better way to detect the OS version?

[bhannigan]

from unifi-utilities

case "$(ubnt-device-info firmware || true)" in
1*)
# version 1
;;
2*)
# version 2
;;
3*)
# version 3
;;
*)
# version not handled
exit 1
;;
esac

[kdknigga]

Not strictly a deploy issue, but ECC certs borked unifi-core on my CloudKey Gen2 Plus running firmware v3.1.13. Blew away the ECC certs, reissued RSA certs, and redeployed to fix.

[derekschrock]

There should be a status check var. You're assuming we're (FreeBSD) using systemd. The same for the other systectl usage.

[tapayne88]

I found I had trouble deploying my certs on my UDR running Unifi OS (3.1.16).

It seems I'd fall foul of this line as for some reason I had a keystore file at /usr/lib/unifi/data/keystore. This resulted in the deploy script erroring with keytool not found.

root@UDR:~# acme.sh --deploy --domain unifi.mydomain.com --deploy-hook unifi
[Fri Nov 17 13:51:46 GMT 2023] Installing certificate for Unifi Controller (Java keystore)
[Fri Nov 17 13:51:46 GMT 2023] keytool not found
[Fri Nov 17 13:51:46 GMT 2023] Error deploy for domain:unifi.mydomain.com
[Fri Nov 17 13:51:46 GMT 2023] Deploy error.

From a bit of searching around it seems that the guest hotspot portal (which I have enabled) may use the keystore file to manage its certs rather than the Unifi OS standard in /data/unifi-core/config (source).

I ended up hacking the deploy hook to avoid running the _unifi_keystore block and found it to complete successfully. The caveat being I wasn't able to enable SSL for the guest hotspot portal, only the admin interface.

[rtfmoz2]

Trying this on a Unifi Express ... wish me luck! == will delete this comment if no issues

No keytool (line 103) on Unifi Express. Wonder what they use? Asked in the community over there, see if I get a response. https://community.ui.com/questions/Keytool-alternative-on-UniFi-Express/5154559a-b064-4f41-a183-a106b9e690dc

[rtfmoz2]

We need a check for keytool and if it does not exist use openssl.

[3VAbdAVE]

We need a check for keytool and if it does not exist use openssl.

Running a Unifi Dream Machine with the same poblem. I'm not sure openssl can create a Java keystore. You'll notice that the java binaries are also removed.

I got my response from Ubiquiti support yesterday, told me SSL isn't their problem.

Hacky fix is just to reinstall keytool: apt update && apt install openjdk-11-jre-headless -y puts it in place with a few other packages that seem harmless enough. YMMV with support on that, and likely need to re-run after an update. openjdk-17 is newer, but loads a lot more packages.

There's also a minor problem with the UDM running hotspot portal. I need to redeploy a few times to see what's going on, but I think the keystore shouldn't have the CA as well. Error in the log is that "2 certificates were found, only 1 expected." Manually creating the keystore fixes it.

[3VAbdAVE]

Once the keytool problem is sorted and the certificates correctly converted to a JKS keystore, the next problem is that the default Unifi console uses weak ciphers that aren't compatible with the default RSA certificates from letsencrypt. The system configuration needs to be updated for hotspot portal (and potentially other services to work.)

[mcdoogs]

I recently updated my CloudKey G2 to Firmware version: v3.2.12. The update wiped the existing certs, and I ran into other problems (which turned out to be with my DNS provider, not acme.sh) that prompted me to update acme.sh to v3.0.8.

After getting the certs issued and running this hook, I could see /data/unifi-core/config/unifi-core.key and unifi-core.crt update at first, but when the unifi service restarted, both files were replaced with self-signed RSA certs. I noticed that the certs getting wiped out were ECC, which seemed new with this version of acme.sh. After fiddling with some different options, issuing with -k 4096 got the certs to persist through a unifi restart.

[rtfmoz2]

We need a check for keytool and if it does not exist use openssl.

Running a Unifi Dream Machine with the same poblem. I'm not sure openssl can create a Java keystore. You'll notice that the java binaries are also removed.

I got my response from Ubiquiti support yesterday, told me SSL isn't their problem.

Hacky fix is just to reinstall keytool: apt update && apt install openjdk-11-jre-headless -y puts it in place with a few other packages that seem harmless enough. YMMV with support on that, and likely need to re-run after an update. openjdk-17 is newer, but loads a lot more packages.

There's also a minor problem with the UDM running hotspot portal. I need to redeploy a few times to see what's going on, but I think the keystore shouldn't have the CA as well. Error in the log is that "2 certificates were found, only 1 expected." Manually creating the keystore fixes it.

Openssl can create a java compatible keystore. If fact you should be using it instead of keytool these days for acme.sh. The instructions are here https://docs.oracle.com/cd/E19509-01/820-3503/ggfhb/index.html

Modern java implementations are moving away from the old proprietry keystore format to the new pkcs12 format which is the type openssl can create. Example below. The alias should be the same as the one it uses now for the current certificate and key in the keystore. You cannot use this to update a keystore, only create it. Please note a password is mandatory for it to be a java compatible keystore.

$ cat mykey.pem.txt mycertificate.pem.txt>mykeycertificate.pem.txt
$ openssl pkcs12 -export -in mykeycertificate.pem.txt -out mykeystore.pkcs12 
-name myAlias -noiter -nomaciter

[3VAbdAVE]

Openssl can create a java compatible keystore. If fact you should be using it instead of keytool these days for acme.sh. The instructions are here https://docs.oracle.com/cd/E19509-01/820-3503/ggfhb/index.html

It looks like you're correct. Every implementation of this Unifi certificate installation was converting to PKCS12 and then importing that to JKS. All the historical documents I could find from Unifi have that as the process as well. I just re-deployed, skipping the JKS import, and it handles the pkcs12 just fine.

[rtfmoz2]

Fantastic! Does that mean we have solved the problem? That would be a great outcome! Can you send me links to the historical documents? I am itching to use this on my UX. Happy to drop in a patched unifi deploy hook to test for here then I can write it up. You guys have a wiki or a pages site for this place?

[3VAbdAVE]

Potentially. Tested on a UDM (not the UDM Pro), and don't have any other devices to test with.

Welcome to take a look at my updates:
https://github.com/3VAbdAVE/acme.sh/blob/dev/deploy/unifi.sh

Here's where I am with it:
In addition to falling back to openssl, it now backs up existing cert/key/keystores, and makes a change to system.properties to support the correct cipher suites. This backup is not smart: If you don't move those backups, they'll get overwritten on next deploy.

I also had to change the logic for service restart. If unifi is running while unifi-core restarts, it throws an error:
ERROR system - Unable to read certificate from the unifi chain. There are 2 certificates, but exactly 1 is expected

This seems to break both wifiman and the hotspot portal, but I don't use wifiman. The hotspot portal now works, but you have to turn encryption off and back on after deploying a new cert for some reason. That's not a new bug though.

[medmunds]

Hey all: I no longer own a working CloudKey, so can't really provide support for the unifi deploy hook. (Also, I didn't create it—I just fixed a bug and opened this issue.)

If something's broken and you're able to fix it, please open a PR. And mention #3359 in your PR comments so it shows up here. Neilpang (the acme.sh creator/maintainer) has been really responsive about merging fixes while maintaining high project quality. (Especially considering the huge number of PRs this project gets.) But Neil also doesn't run Unifi, so the folks here that are using it will need to make sure proposed fixes work for all the versions of CloudKey and self-hosted Unifi Controller the unifi deploy hook supports.

If anyone is able to help with unifi deploy hook maintenance and wants to be on the "assignees" list for this issue, let Neilpang know. (I've removed myself as the assignee.)

Also, if the unifi deploy hook doesn't meet your needs, there are a couple of alternatives depending on your setup:

• You can run acme.sh elsewhere and deploy to your CloudKey or Unifi Controller using ssh: there's a Unifi example under Examples using SSH deploy in the acme.sh wiki.
• If you're self hosting the Unifi Controller in a container, you can map in a cert volume: see Certificate Support in jacobalberty/unifi-docker, and deploy to docker containers in the acme.sh wiki.

[petrus9]

Found a patch to unifi.sh tested on UnifiOS 4.0.7 on Cloud Gateway Ultra. Here it is. https://gist.github.com/mry/61125fba7b474c0c61cccc4100dd6e02
but this fix only works for the admin console and not the guest captive portal at domain.tld:8843/guest/s/default/#
Anyone have a fix for that?

[3VAbdAVE]

Kinda punted on this, moved @Dadeos concerns into DEPLOY environment variables. I did remove the explicit calls to systemctl. Probably safe to assume the service is running if the files/directories exist.

I just don't have any way to test it outside my UDM.

[joshuaspence]

On UnifiOS 4.0.18 with a CloudKey Gen 2 the Unifi deploy hook fails with the following error:

[Sat Sep 28 13:56:25 AEST 2024] Install Unifi Controller certificate success!
[Sat Sep 28 13:56:25 AEST 2024] Installing certificate for Cloud Key Gen1 (nginx admin pages)
[Sat Sep 28 13:56:25 AEST 2024] Unsupported Cloud Key configuration: keystore not found at '/etc/ssl/private/unifi.keystore.jks'
[Sat Sep 28 13:56:25 AEST 2024] Error deploying for domain: REDACTED
[Sat Sep 28 13:56:25 AEST 2024] Error encountered while deploying.

Commenting out https://github.com/acmesh-official/acme.sh/blob/master/deploy/unifi.sh#L186-L189 and run acme.sh did deploy the certificate correctly.

$ acme.sh --deploy --domain REDACTED --deploy-hook unifi
[Sat Sep 28 14:19:46 AEST 2024] Installing certificate for Unifi Controller (Java keystore)
[Sat Sep 28 14:19:46 AEST 2024] Previous keystore saved to /usr/lib/unifi/data/keystore_original.
Importing keystore /tmp/tmp.Wn9J9f7eBr to /usr/lib/unifi/data/keystore...
[Sat Sep 28 14:19:48 AEST 2024] Updating system configuration for cipher compatibility.
[Sat Sep 28 14:19:48 AEST 2024] Saved original system config to /usr/lib/unifi/data/system.properties_original
[Sat Sep 28 14:19:48 AEST 2024] System configuration updated.
[Sat Sep 28 14:19:48 AEST 2024] Install Unifi Controller certificate success!
[Sat Sep 28 14:19:48 AEST 2024] Installing certificate for Cloud Key Gen1 (nginx admin pages)
[Sat Sep 28 14:19:48 AEST 2024] Install Cloud Key Gen1 certificate success!
[Sat Sep 28 14:19:48 AEST 2024] Installing certificate for UnifiOS
[Sat Sep 28 14:19:49 AEST 2024] Previous certificate and key saved to /data/unifi-core/config/unifi-core_original.crt/key.
[Sat Sep 28 14:19:49 AEST 2024] Install UnifiOS certificate success!
[Sat Sep 28 14:19:49 AEST 2024] Reload services (this may take some time): systemctl stop unifi && service nginx restart && systemctl restart unifi-core
[Sat Sep 28 14:20:03 AEST 2024] Reload success!
[Sat Sep 28 14:20:03 AEST 2024] Success

[gfunkdave]

I’m getting this odd error on a Cloudkey gen1:

[Wed Nov 27 22:44:53 EST 2024] Unsupported Cloud Key configuration: keystore not found at '/etc/ssl/private/unifi.keystore.jks'.

But the file exists

root@UniFi-CloudKey:~# ls -l /etc/ssl/private total 28 -rw-r--r-- 1 root root 9216 Dec 6 2020 cert.tar -rw-r--r-- 1 root root 1444 Dec 6 2020 cloudkey.crt -rw-r--r-- 1 root root 1704 Dec 6 2020 cloudkey.key -rw-r----- 1 root ssl-cert 1704 Dec 6 2020 ssl-cert-snakeoil.key -rw-r--r-- 1 unifi ssl-cert 2717 Dec 6 2020 unifi.keystore.jks

so I’m not sure what the problem is.

[3VAbdAVE]

Per the comment above that error it's doing a comparison to the keystore that's replaced. Since they're different, you get that error, which isn't really accurate.

I don't have a cloudkey to test or check how things should be configure, but if I'm reading that comment right, then as a workaround you can create a symlink and try re-deploying:

# cp /etc/ssl/private/unifi.keystore.jks /etc/ssl/private/unifi.keystore.jks-backup

# ln -s /usr/lib/unifi/data/keystore /etc/ssl/private/unifi.keystore.jks

(If you've changed your DEPLOY_UNIFI_KEYSTORE variable in the environment or script, you want the symlink pointing to that.)

[gfunkdave]

Per the comment above that error it's doing a comparison to the keystore that's replaced. Since they're different, you get that error, which isn't really accurate.

I don't have a cloudkey to test or check how things should be configure, but if I'm reading that comment right, then as a workaround you can create a symlink and try re-deploying:

# cp /etc/ssl/private/unifi.keystore.jks /etc/ssl/private/unifi.keystore.jks-backup

# ln -s /usr/lib/unifi/data/keystore /etc/ssl/private/unifi.keystore.jks

(If you've changed your DEPLOY_UNIFI_KEYSTORE variable in the environment or script, you want the symlink pointing to that.)

Thanks, that got around the error but the Unifi service refused to start. In the end I used —install-cert instead, with the —reloadcmd as:

cd /root/.acme.sh/unifi.tld.com/ ; openssl pkcs12 -export -inkey unifi.tld.com.key -out unifi.p12 -name unifi -caname root -password pass:unifi -in fullchain.cer ; keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /etc/ssl/private/unifi.keystore.jks -srckeystore unifi.p12 -srcstoretype PKCS12 -srcstorepass unifi -alias unifi -noprompt ; service unifi restart

[3VAbdAVE]

That's basically the same command that the script runs to generate the keystore that you tried to link to. I'd just copy it into place if the symlink doesn't work, rather than generate a whole new one. Wouldn't surprise me if Ubiquiti stopped allowing symlinks or something though.

[ThiloGa]

I have a gen1 too.

That's basically the same command that the script runs to generate the keystore that you tried to link to.

Basically: yep. Your deploy-script (with default SAVED_DEPLOY_UNIFI_KEYSTORE='/usr/lib/unifi/data/keystore)

Importing keystore /tmp/tmp.KIgigeqBBT to /usr/lib/unifi/data/keystore...

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore 
-srckeystore /usr/lib/unifi/data/keystore -destkeystore /usr/lib/unifi/data/keystore -deststoretype pkcs12".
MAC verified OK

His script:

Importing keystore unifi.p12 to /etc/ssl/private/unifi.keystore.jks...
Warning: Overwriting existing alias unifi in destination keystore

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore 
-srckeystore /etc/ssl/private/unifi.keystore.jks -destkeystore /etc/ssl/private/unifi.keystore.jks -deststoretype pkcs12".

Status before using deploy-hook:

ls -la /usr/lib/unifi/data/keystore*
lrwxrwxrwx 1 root root 35 Nov 30 09:22 /usr/lib/unifi/data/keystore -> /etc/ssl/private/unifi.keystore.jks

ls -la /etc/ssl/private/unifi.keystore.jks
-rw-r--r-- 1 unifi ssl-cert 3925 Nov 30 09:09 /etc/ssl/private/unifi.keystore.jks

After deploy-hook

root@UniFi-CloudKey:/etc# ls -l /usr/lib/unifi/data/keystore*
-rw-r--r-- 1 root root 3925 Nov 30 09:42 /usr/lib/unifi/data/keystore
lrwxrwxrwx 1 root root   35 Nov 30 09:22 /usr/lib/unifi/data/keystore_original -> /etc/ssl/private/unifi.keystore.jks

So the symbolic-link is moved away

Next time starting deploy the compare fails.

After putting SAVED_DEPLOY_UNIFI_KEYSTORE='/etc/ssl/private/unifi.keystore.jks' into place
everything seems to work.

[3VAbdAVE]

I have a gen1 too.
Basically: yep. Your deploy-script (with default SAVED_DEPLOY_UNIFI_KEYSTORE='/usr/lib/unifi/data/keystore)
There's no SAVED_DEPLOY_UNIFI_KEYSTORE in the script?

Ok, so Gen1 Cloudkey still has keytool, which is good to know. It's probably not necessary to bother keeping the logic, since openssl pkcs12 works either way, but it currently seems to work.

Status before using deploy-hook:

ls -la /usr/lib/unifi/data/keystore*
lrwxrwxrwx 1 root root 35 Nov 30 09:22 /usr/lib/unifi/data/keystore -> /etc/ssl/private/unifi.keystore.jks

ls -la /etc/ssl/private/unifi.keystore.jks
-rw-r--r-- 1 unifi ssl-cert 3925 Nov 30 09:09 /etc/ssl/private/unifi.keystore.jks

Then I misread @medmunds comment, the symlink goes the other way.

After putting SAVED_DEPLOY_UNIFI_KEYSTORE='/etc/ssl/private/unifi.keystore.jks' into place everything seems to work.

I'd prefer to use symlinks to keep the filesystem clean, but just copying seems reliable. Since I don't have a Cloudkey to test, I'm not terribly comfortable doing a pull request, but I did update my own repository with an attempted fix if anyone wants to test it. It's pretty ham-fisted. Moves any existing /etc/ssl/private/unifi.keystore.jks out of the way and copies the store from DEPLOY_UNIFI_KEYSTORE.

https://github.com/3VAbdAVE/acme.sh

[etec-masterofsynapse]

Hi all,
I just tried to install a usual LE cert to a new CloudKey G2 Plus.
I used the known commands to issue and deploy a cert.
However, after all that was done, the old cert was still present.

I checked the keystore and the /data/unifi-core/config/ .crt & .key.
The keystore, when opened with the acme.sh set PW, shows the LE cert. When opened with no PW, it shows the unifi.local cert.
And the unifi-core.crt & unifi-core.key also contain the unifi.local cert still, also have the same size as the _original files in the same folder.

UnifiOS ver is 4.1.9 and Network App is on 8.6.9.

[3VAbdAVE]

I checked the keystore and the /data/unifi-core/config/ .crt & .key. The keystore, when opened with the acme.sh set PW, shows the LE cert. When opened with no PW, it shows the unifi.local cert. And the unifi-core.crt & unifi-core.key also contain the unifi.local cert still, also have the same size as the _original files in the same folder.

I've seen Unifi replace the SSL certs with the defaults if there's a problem with whatever is in place. Not always though, I think the unifi service breaks with a bad keystore while unifi-core is able to recover with the defaults. (Or maybe vice-versa). I never did find anything in the logs to prove it though.

I don't have a cloudkey, but if you run in debug mode, you can post logs, might offer some clues.

Also see above for my changes in my own repo. If you test that version successfully, I can do a pull request on it.

[etec-masterofsynapse]

I re-executed the deploy with --debug, here is the output:

acme.sh --deploy -d xx.xx.de --deploy-hook unifi --debug

[Fri Dec  6 14:20:07 CET 2024] Let's find the script directory.
[Fri Dec  6 14:20:07 CET 2024] _SCRIPT_='/root/.acme.sh/acme.sh'
[Fri Dec  6 14:20:07 CET 2024] _script='/root/.acme.sh/acme.sh'
[Fri Dec  6 14:20:07 CET 2024] _script_home='/root/.acme.sh'
[Fri Dec  6 14:20:07 CET 2024] Using config home: /root/.acme.sh
[Fri Dec  6 14:20:07 CET 2024] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.1.0
[Fri Dec  6 14:20:07 CET 2024] Running cmd: deploy
[Fri Dec  6 14:20:07 CET 2024] Using config home: /root/.acme.sh
[Fri Dec  6 14:20:07 CET 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Fri Dec  6 14:20:07 CET 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Dec  6 14:20:07 CET 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Fri Dec  6 14:20:07 CET 2024] _ACME_SERVER_PATH='directory'
[Fri Dec  6 14:20:07 CET 2024] The domain 'xx.xx.de' seems to already have an ECC cert, let's use it.
[Fri Dec  6 14:20:07 CET 2024] DOMAIN_PATH='/root/.acme.sh/xx.xx.de_ecc'
[Fri Dec  6 14:20:07 CET 2024] DOMAIN_CONF='/root/.acme.sh/xx.xx.de_ecc/xx.xx.de.conf'
[Fri Dec  6 14:20:07 CET 2024] _deployApi='/root/.acme.sh/deploy/unifi.sh'
[Fri Dec  6 14:20:07 CET 2024] _cdomain='xx.xx.de'
[Fri Dec  6 14:20:07 CET 2024] _ckey='/root/.acme.sh/xx.xx.de_ecc/xx.xx.de.key'
[Fri Dec  6 14:20:07 CET 2024] _ccert='/root/.acme.sh/xx.xx.de_ecc/xx.xx.de.cer'
[Fri Dec  6 14:20:07 CET 2024] _cca='/root/.acme.sh/xx.xx.de_ecc/ca.cer'
[Fri Dec  6 14:20:07 CET 2024] _cfullchain='/root/.acme.sh/xx.xx.de_ecc/fullchain.cer'
[Fri Dec  6 14:20:07 CET 2024] DEPLOY_UNIFI_KEYSTORE
[Fri Dec  6 14:20:07 CET 2024] DEPLOY_UNIFI_KEYPASS
[Fri Dec  6 14:20:07 CET 2024] DEPLOY_UNIFI_CLOUDKEY_CERTDIR
[Fri Dec  6 14:20:07 CET 2024] DEPLOY_UNIFI_CORE_CONFIG
[Fri Dec  6 14:20:07 CET 2024] DEPLOY_UNIFI_RELOAD
[Fri Dec  6 14:20:08 CET 2024] _unifi_keystore='/usr/lib/unifi/data/keystore'
[Fri Dec  6 14:20:08 CET 2024] Installing certificate for Unifi Controller (Java keystore)
[Fri Dec  6 14:20:08 CET 2024] Generate import pkcs12
[Fri Dec  6 14:20:08 CET 2024] _toPkcs /tmp/tmp.mwcJi5XaxZ /root/.acme.sh/xx.xx.de_ecc/xx.xx.de.key /root/.acme.sh/xx.xx.de_ecc/xx.xx.de.cer /root/.acme.sh/xx.xx.de_ecc/ca.cer aircontrolenterprise unifi root
[Fri Dec  6 14:20:08 CET 2024] Previous keystore saved to /usr/lib/unifi/data/keystore_original.
[Fri Dec  6 14:20:08 CET 2024] Import into keystore: /usr/lib/unifi/data/keystore
Importing keystore /tmp/tmp.mwcJi5XaxZ to /usr/lib/unifi/data/keystore...
[Fri Dec  6 14:20:10 CET 2024] Import keystore success!
[Fri Dec  6 14:20:10 CET 2024] Updating system configuration for cipher compatibility.
[Fri Dec  6 14:20:10 CET 2024] Saved original system config to /usr/lib/unifi/data/system.properties_original
[Fri Dec  6 14:20:10 CET 2024] System configuration updated.
[Fri Dec  6 14:20:10 CET 2024] Install Unifi Controller certificate success!
[Fri Dec  6 14:20:10 CET 2024] Installing certificate for UnifiOS
[Fri Dec  6 14:20:10 CET 2024] _unifi_core_config='/data/unifi-core/config'
[Fri Dec  6 14:20:10 CET 2024] Previous certificate and key saved to /data/unifi-core/config/unifi-core_original.crt/key.
[Fri Dec  6 14:20:10 CET 2024] Install UnifiOS certificate success!
[Fri Dec  6 14:20:10 CET 2024] Reload services (this may take some time): systemctl stop unifi && systemctl restart unifi-core
[Fri Dec  6 14:20:24 CET 2024] Reload success!
[Fri Dec  6 14:20:25 CET 2024] Success

[etec-masterofsynapse]

I swapped the unifi.sh for the one in your repo and reran the command.
Didnt change anything sadly.

[3VAbdAVE]

[Fri Dec 6 14:20:07 CET 2024] _ckey='/root/.acme.sh/xx.xx.de_ecc/xx.xx.de.key

There's your problem. Default LE certificates are ECC, unifi won't use them. Re-issue the certificate, using "-k 2048" and it'll pull a non-ecc cert.

[etec-masterofsynapse]

[Fri Dec 6 14:20:07 CET 2024] _ckey='/root/.acme.sh/xx.xx.de_ecc/xx.xx.de.key

There's your problem. Default LE certificates are ECC, unifi won't use them. Re-issue the certificate, using "-k 2048" and it'll pull a non-ecc cert.

Interesting. I reissued a cert with the option you supplied, and then deployed again, this time it worked.
Also deleted the _ecc folder to prevent the incompatible cert from being detected.

Can we put a warning in this section (https://github.com/acmesh-official/acme.sh/wiki/deployhooks#23-deploy-the-cert-on-a-unifi-controller-or-cloud-key) to inform about this ECC issue?

[adn77]

We stumbled upon file permission issues for the keystore.
The self-hosted controller is running as another user than Acme.sh is.

opnsense/plugins#4417 lists a possible solution by adding a chown to the RELOAD variable.

A cleaner way would be to have env variables containing the desired owner and do the chown in the deploy script if run as root.
Another way could be to check ownership of the keystore directory and assign the same.

Would you be open to this kind of addition? Then I would propose a PR with the required changes.

[linickx]

Gen1 Appliance here (unifi os 4.1.9), updated to acme.sh v3.1.0 , cert renew didn't work first time to fix....

1. mv /etc/ssl/private/ /etc/ssl/private-renamed
2. acme.sh --issue -k 2048 xxx
3. acme.sh --deploy --deploy-hook unifi xxx

[danb35]

I've been running into trouble lately with this deploy script on my Cloud Key Gen2+ running Unifi OS 4.1.9, Network 8.6.9. The cert/key I'm trying to deploy are 2048-bit RSA. Output of --debug is below:

root@UniFi-CloudKey-Gen2-Plus:~# acme.sh --deploy -d unifi.familybrown.org --deploy-hook unifi --debug
[Sat Dec 28 13:02:19 EST 2024] Let's find the script directory.
[Sat Dec 28 13:02:19 EST 2024] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Dec 28 13:02:19 EST 2024] _script='/root/.acme.sh/acme.sh'
[Sat Dec 28 13:02:19 EST 2024] _script_home='/root/.acme.sh'
[Sat Dec 28 13:02:19 EST 2024] Using config home: /root/.acme.sh
[Sat Dec 28 13:02:20 EST 2024] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.1.0
[Sat Dec 28 13:02:20 EST 2024] Running cmd: deploy
[Sat Dec 28 13:02:20 EST 2024] Using config home: /root/.acme.sh
[Sat Dec 28 13:02:20 EST 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 28 13:02:20 EST 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 28 13:02:20 EST 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Dec 28 13:02:20 EST 2024] _ACME_SERVER_PATH='directory'
[Sat Dec 28 13:02:20 EST 2024] DOMAIN_PATH='/root/.acme.sh/unifi.familybrown.org'
[Sat Dec 28 13:02:20 EST 2024] DOMAIN_CONF='/root/.acme.sh/unifi.familybrown.org/unifi.familybrown.org.conf'
[Sat Dec 28 13:02:20 EST 2024] _deployApi='/root/.acme.sh/deploy/unifi.sh'
[Sat Dec 28 13:02:20 EST 2024] _cdomain='unifi.familybrown.org'
[Sat Dec 28 13:02:20 EST 2024] _ckey='/root/.acme.sh/unifi.familybrown.org/unifi.familybrown.org.key'
[Sat Dec 28 13:02:20 EST 2024] _ccert='/root/.acme.sh/unifi.familybrown.org/unifi.familybrown.org.cer'
[Sat Dec 28 13:02:20 EST 2024] _cca='/root/.acme.sh/unifi.familybrown.org/ca.cer'
[Sat Dec 28 13:02:20 EST 2024] _cfullchain='/root/.acme.sh/unifi.familybrown.org/fullchain.cer'
[Sat Dec 28 13:02:20 EST 2024] DEPLOY_UNIFI_KEYSTORE
[Sat Dec 28 13:02:20 EST 2024] DEPLOY_UNIFI_KEYPASS
[Sat Dec 28 13:02:20 EST 2024] DEPLOY_UNIFI_CLOUDKEY_CERTDIR
[Sat Dec 28 13:02:20 EST 2024] DEPLOY_UNIFI_CORE_CONFIG
[Sat Dec 28 13:02:20 EST 2024] DEPLOY_UNIFI_RELOAD
[Sat Dec 28 13:02:20 EST 2024] _unifi_keystore='/usr/lib/unifi/data/keystore'
[Sat Dec 28 13:02:20 EST 2024] Installing certificate for Unifi Controller (Java keystore)
[Sat Dec 28 13:02:20 EST 2024] Generate import pkcs12
[Sat Dec 28 13:02:20 EST 2024] _toPkcs /tmp/tmp.ialMFhz4gA /root/.acme.sh/unifi.familybrown.org/unifi.familybrown.org.key /root/.acme.sh/unifi.familybrown.org/unifi.familybrown.org.cer /root/.acme.sh/unifi.familybrown.org/ca.cer aircontrolenterprise unifi root
[Sat Dec 28 13:02:20 EST 2024] Previous keystore saved to /usr/lib/unifi/data/keystore_original.
[Sat Dec 28 13:02:20 EST 2024] Import into keystore: /usr/lib/unifi/data/keystore
Importing keystore /tmp/tmp.ialMFhz4gA to /usr/lib/unifi/data/keystore...
[Sat Dec 28 13:02:22 EST 2024] Import keystore success!
[Sat Dec 28 13:02:22 EST 2024] Updating system configuration for cipher compatibility.
[Sat Dec 28 13:02:22 EST 2024] Saved original system config to /usr/lib/unifi/data/system.properties_original
[Sat Dec 28 13:02:23 EST 2024] System configuration updated.
[Sat Dec 28 13:02:23 EST 2024] Install Unifi Controller certificate success!
[Sat Dec 28 13:02:23 EST 2024] Installing certificate for Cloud Key Gen1 (nginx admin pages)
[Sat Dec 28 13:02:23 EST 2024] _cloudkey_certdir='/etc/ssl/private'
[Sat Dec 28 13:02:23 EST 2024] Unsupported Cloud Key configuration: keystore not found at '/etc/ssl/private/unifi.keystore.jks'
[Sat Dec 28 13:02:23 EST 2024] Error deploying for domain: unifi.familybrown.org
[Sat Dec 28 13:02:23 EST 2024] Error encountered while deploying.
root@UniFi-CloudKey-Gen2-Plus:~#

[3VAbdAVE]

[Sat Dec 28 13:02:23 EST 2024] Unsupported Cloud Key configuration: keystore not found at '/etc/ssl/private/unifi.keystore.jks'

There's a potential fix for this in my fork, but since I don't have a Cloud Key, I can't test it, and I don't want to pull an untested fix upstream. You're welcome to give it a shot and I can pull request if it works.

https://github.com/3VAbdAVE/acme.sh.git

[danb35]

Your branch of the deploy script worked. There were some errors reported in the output:

root@UniFi-CloudKey-Gen2-Plus:~# acme.sh --deploy -d unifi.familybrown.org --deploy-hook unifi
[Sat Dec 28 20:38:51 EST 2024] Installing certificate for Unifi Controller (Java keystore)
[Sat Dec 28 20:38:51 EST 2024] Previous keystore saved to /usr/lib/unifi/data/keystore_original.
Importing keystore /tmp/tmp.piWhQpOG8i to /usr/lib/unifi/data/keystore...
[Sat Dec 28 20:38:54 EST 2024] Updating system configuration for cipher compatibility.
[Sat Dec 28 20:38:54 EST 2024] Saved original system config to /usr/lib/unifi/data/system.properties_original
[Sat Dec 28 20:38:54 EST 2024] System configuration updated.
[Sat Dec 28 20:38:54 EST 2024] Stopping Unifi Controller for later restart.
[Sat Dec 28 20:38:56 EST 2024] Unifi Controller stopped.
[Sat Dec 28 20:38:56 EST 2024] Install Unifi Controller certificate success!
[Sat Dec 28 20:38:56 EST 2024] Installing certificate for Cloud Key Gen1 (nginx admin pages)
[Sat Dec 28 20:38:56 EST 2024] Updating /etc/ssl/private/unifi.keystore.jks
cp: cannot stat '_unifi_keystore': No such file or directory
tar: unifi.keystore.jks: Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
[Sat Dec 28 20:38:56 EST 2024] Install Cloud Key Gen1 certificate success!
[Sat Dec 28 20:38:56 EST 2024] Installing certificate for UnifiOS
[Sat Dec 28 20:38:56 EST 2024] Previous certificate and key saved to /data/unifi-core/config/unifi-core_original.crt.key.
[Sat Dec 28 20:38:56 EST 2024] Install UnifiOS certificate success!
[Sat Dec 28 20:38:56 EST 2024] Reload services (this may take some time): systemctl restart unifi && service nginx restart && systemctl restart unifi-core
[Sat Dec 28 20:40:49 EST 2024] Reload success!
[Sat Dec 28 20:40:50 EST 2024] Success

But as you see, it ultimately reported success and the cert was deployed.

[3VAbdAVE]

cp: cannot stat '_unifi_keystore': No such file or directory

This is exactly why I don't want to merge without testing. The original code tars the certificates. I'm not sure if it's for backup or because the cloudkey needs it. One of the variables wasn't referenced correctly.

My fork should be fixed now, if anyone with a CloudKey wants to test it.

[joshuaspence]

cp: cannot stat '_unifi_keystore': No such file or directory

This is exactly why I don't want to merge without testing. The original code tars the certificates. I'm not sure if it's for backup or because the cloudkey needs it. One of the variables wasn't referenced correctly.

My fork should be fixed now, if anyone with a CloudKey wants to test it.

Works for me with a Cloud Key gen 2!

[Fri Jan 10 11:47:36 AEDT 2025] Installing certificate for Unifi Controller (Java keystore)
[Fri Jan 10 11:47:36 AEDT 2025] Previous keystore saved to /usr/lib/unifi/data/keystore_original.
Importing keystore /tmp/tmp.pUnC7DYr4V to /usr/lib/unifi/data/keystore...
[Fri Jan 10 11:47:38 AEDT 2025] Updating system configuration for cipher compatibility.
[Fri Jan 10 11:47:38 AEDT 2025] Saved original system config to /usr/lib/unifi/data/system.properties_original
[Fri Jan 10 11:47:38 AEDT 2025] System configuration updated.
[Fri Jan 10 11:47:38 AEDT 2025] Stopping Unifi Controller for later restart.
[Fri Jan 10 11:47:40 AEDT 2025] Unifi Controller stopped.
[Fri Jan 10 11:47:40 AEDT 2025] Install Unifi Controller certificate success!
[Fri Jan 10 11:47:40 AEDT 2025] Installing certificate for Cloud Key Gen1 (nginx admin pages)
[Fri Jan 10 11:47:40 AEDT 2025] Updating /etc/ssl/private/unifi.keystore.jks
[Fri Jan 10 11:47:40 AEDT 2025] Install Cloud Key Gen1 certificate success!
[Fri Jan 10 11:47:40 AEDT 2025] Installing certificate for UnifiOS
[Fri Jan 10 11:47:40 AEDT 2025] Previous certificate and key saved to /data/unifi-core/config/unifi-core_original.crt.key.
[Fri Jan 10 11:47:40 AEDT 2025] Install UnifiOS certificate success!
[Fri Jan 10 11:47:40 AEDT 2025] Reload services (this may take some time): systemctl restart unifi && service nginx restart && systemctl restart unifi-core
[Fri Jan 10 11:49:23 AEDT 2025] Reload success!
[Fri Jan 10 11:49:24 AEDT 2025] Success

[rdsmith24]

Hi all, trying to get a cert on my self-hosted system running on Debian 12.

Have tried everything in this thread, last resort was the generate the key (letsencrypt) using the -k 2048 option.

My keystone is in the correct location for a standard install:

1. /var/lib/unifi/keystore
2. /usr/lib/unifi/data/keystore

Have tried editing the unifi.sh to point at both, same result every time.

Here is the debug output....
❯ ./acme.sh --deploy -d unifi.XXXXXX.net --deploy-hook unifi --debug
[Sun Jan 26 01:59:08 PM CST 2025] Let's find the script directory.
[Sun Jan 26 01:59:08 PM CST 2025] SCRIPT='./acme.sh'
[Sun Jan 26 01:59:09 PM CST 2025] _script='/home/rdsmith24/.acme.sh/acme.sh'
[Sun Jan 26 01:59:09 PM CST 2025] _script_home='/home/rdsmith24/.acme.sh'
[Sun Jan 26 01:59:09 PM CST 2025] Using default home: /home/rdsmith24/.acme.sh
[Sun Jan 26 01:59:09 PM CST 2025] Using config home: /home/rdsmith24/.acme.sh
[Sun Jan 26 01:59:09 PM CST 2025] LE_WORKING_DIR='/home/rdsmith24/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.1.0
[Sun Jan 26 01:59:09 PM CST 2025] Running cmd: deploy
[Sun Jan 26 01:59:09 PM CST 2025] Using config home: /home/rdsmith24/.acme.sh
[Sun Jan 26 01:59:09 PM CST 2025] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sun Jan 26 01:59:09 PM CST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun Jan 26 01:59:09 PM CST 2025] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sun Jan 26 01:59:09 PM CST 2025] _ACME_SERVER_PATH='directory'
[Sun Jan 26 01:59:09 PM CST 2025] DOMAIN_PATH='/home/rdsmith24/.acme.sh/unifi.XXXXXX.net'
[Sun Jan 26 01:59:09 PM CST 2025] DOMAIN_CONF='/home/rdsmith24/.acme.sh/unifi.XXXXXX.net/unifi.XXXXXX.net.conf'
[Sun Jan 26 01:59:09 PM CST 2025] _deployApi='/home/rdsmith24/.acme.sh/deploy/unifi.sh'
[Sun Jan 26 01:59:09 PM CST 2025] _cdomain='unifi.XXXXXX.net'
[Sun Jan 26 01:59:09 PM CST 2025] _ckey='/home/rdsmith24/.acme.sh/unifi.XXXXXX.net/unifi.XXXXXX.net.key'
[Sun Jan 26 01:59:09 PM CST 2025] _ccert='/home/rdsmith24/.acme.sh/unifi.XXXXXX.net/unifi.XXXXXX.net.cer'
[Sun Jan 26 01:59:09 PM CST 2025] _cca='/home/rdsmith24/.acme.sh/unifi.XXXXXX.net/ca.cer'
[Sun Jan 26 01:59:09 PM CST 2025] _cfullchain='/home/rdsmith24/.acme.sh/unifi.XXXXXX.net/fullchain.cer'
[Sun Jan 26 01:59:09 PM CST 2025] DEPLOY_UNIFI_KEYSTORE='/usr/lib/unifi/data/keystore'
[Sun Jan 26 01:59:09 PM CST 2025] DEPLOY_UNIFI_KEYPASS
[Sun Jan 26 01:59:09 PM CST 2025] DEPLOY_UNIFI_CLOUDKEY_CERTDIR
[Sun Jan 26 01:59:09 PM CST 2025] DEPLOY_UNIFI_CORE_CONFIG
[Sun Jan 26 01:59:09 PM CST 2025] DEPLOY_UNIFI_RELOAD
[Sun Jan 26 01:59:09 PM CST 2025] The specified DEPLOY_UNIFI_KEYSTORE='/usr/lib/unifi/data/keystore' is not valid, please check.
[Sun Jan 26 01:59:09 PM CST 2025] Error deploying for domain: unifi.XXXXXX.net
[Sun Jan 26 01:59:09 PM CST 2025] Error encountered while deploying.

I'm out of ideas that this point, if someone can help, please.

[3VAbdAVE]

[Sun Jan 26 01:59:09 PM CST 2025] DEPLOY_UNIFI_RELOAD [Sun Jan 26 01:59:09 PM CST 2025] The specified DEPLOY_UNIFI_KEYSTORE='/usr/lib/unifi/data/keystore' is not valid, please check. [Sun Jan 26 01:59:09 PM CST 2025]

_unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
  if [ -f "$_unifi_keystore" ]; then

... <snipped> ....

elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
    _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
    return 1
  fi

You are setting DEPLOY_UNIFI_KEYSTORE to an invalid location. It either doesn't exist, is not a file (a directory or maybe symlink?) or else you don't have permission to it.

[rdsmith24]

Thanks for the push in the right direction. I changed the permissions to 777 for the keystore and the directory and that did the trick.

The reason I hesitated do that was the impression that the script did not want one to make all those changes.

[3VAbdAVE]

The reason I hesitated do that was the impression that the script did not want one to make all those changes.

It assumes you're running the script as root, in which case the permissions shouldn't matter. 777 is bad, especially for something like a keystore. The file needs to be readable by whatever user the unifi services are running under, and writable by whatever user you're running acme.sh as.

[rdsmith24]

I tried rolling back (it's installed in a VM) and installing it as root yesterday. However there was another issue that I didn't write down when I ran the script to create the certificate.

It works for now, I will adjust the permissions.

Thanks again