Currently installs UniFi 5.6.26 with Let's Encrypt auto-renew support!
This jail uses VNET emulated/virtual network interfaces rather than sharing your main interface. This is needed for proper network discovery, though it may turn out not to be required once this jail has been tested more.
The jail mounts paths that I call unifi/data, unifi/logs, and unifi/dehydrated outside of the jail for persistent storage of the UniFi/LE files. The jail also mounts portsnap/ports and portsnap/db outside of the jail for persistent storage of BSD Ports files; useful when you're building things over multiple jails.
These persistent jail mounts are technically optional, as the installation or OS will create the directories as needed, but without them the data becomes part of the jail and is lost if the jail is destroyed, which means a complete re-configure of the UniFi Controller on the next build of the jail. If you choose not to use persistent jail mounts, remove them from unifi-jail.sh before running it.
Let's Encrypt needs a little manual setup. This has only been tested with a DNS-01 challenge through CloudFlare. However, once it is set up, with the persistent storage you will never really have to do this again.
The script defaults to generating a valid LE-issued SSL certificate with Dehydrated. If you don't want this, remove the references to dehydrated from the unifi-jail.sh script and UniFi will use a self-signed certificate. Steps marked (OPT) below are optional; they relate to the Dehydrated client setup.
- CloudFlare Account (Basic/Free works) and Global API Key
- One public domain setup in CloudFlare
- FQDN created on your internal DNS that will resolve to your UniFi Controller's IP; the FQDN must use the same domain name, but does not need a record created in CloudFlare, only on the internal DNS.
- Example: I own example.com and its DNS is handled by CloudFlare. I create a record on my internal DNS server for unifi.example.com to point to 172.16.10.2 and use that IP address for my Jail as that is part of my internal network.
- Update JAIL_PATH, JAIL_IP, and DEFAULT_GW_IP inside of unifi-jail.sh. Change JAIL_NAME if you want to.
- (OPT) Copy the files from the repo's bin directory into the unifi/dehydrated directory before you run the main jail script.
- (OPT) Place your UniFi Controller's fully qualified domain name (FQDN, i.e. unifi.example.com) into unifi/dehydrated/domains.txt.
- (OPT) Update FQDN variable in unifi/dehydrated/deploy.sh.
- (OPT) Create unifi/dehydrated/config using the bare config below, updating CF_EMAIL and CF_KEY with your CloudFlare info.
- Put unifi-jail.sh somewhere accessible on your FreeNAS system and run it.
- Management page will be available at https://[FQDN]:8443/.
unifi/dehydrated/config:

```sh
CHALLENGETYPE="dns-01"
CERTDIR="${BASEDIR}/certs"
ACCOUNTDIR="${BASEDIR}/accounts"
HOOK=/opt/letsencrypt-cloudflare-hook/hook.py
[email protected]
export CF_EMAIL='[email protected]'
export CF_KEY='KEUMY69kDTErhFHZXSrvMS'
```
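A pre-flight check for the unifi/dehydrated directory, added here as an example (not code from this repo): it verifies that the (OPT) steps above were completed and that the config file, which holds the CloudFlare Global API Key in clear text, is readable only by its owner. It assumes the directory path is passed as the first argument; the `demo` function is hypothetical and only builds a throwaway copy of the sample config to show the output.

```sh
#!/bin/sh
# Added pre-flight check for the unifi/dehydrated directory (example code, not
# part of the repo). Assumption: $1 is the host path of that directory.

fail() { echo "$1"; problems=$((problems + 1)); }

# check_dehydrated_dir DIR -> prints each problem found, returns 0 only if none
check_dehydrated_dir() {
    dir=$1; problems=0

    # domains.txt: every line must look like an FQDN (normally just one)
    if [ ! -s "$dir/domains.txt" ]; then
        fail "MISSING: $dir/domains.txt (should hold the controller FQDN)"
    elif grep -Evq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' "$dir/domains.txt"; then
        fail "BAD: $dir/domains.txt has a line that is not an FQDN"
    fi

    # config: dns-01 challenge, hook set, real CloudFlare credentials, owner-only mode
    if [ ! -f "$dir/config" ]; then
        fail "MISSING: $dir/config"
    else
        grep -q '^CHALLENGETYPE="dns-01"' "$dir/config" || fail "BAD: CHALLENGETYPE is not dns-01"
        grep -q '^HOOK=' "$dir/config" || fail "BAD: config does not set HOOK"
        grep -Eq "^export CF_EMAIL='.+'" "$dir/config" || fail "BAD: CF_EMAIL is empty"
        grep -Eq "^export CF_KEY='.+'" "$dir/config" || fail "BAD: CF_KEY is empty"
        grep -q "CF_KEY='KEUMY69kDTErhFHZXSrvMS'" "$dir/config" && fail "BAD: CF_KEY is still the sample value"
        # the file holds a Global API Key in clear text: group and others must have no access
        [ "$(ls -ld "$dir/config" | cut -c5-10)" = "------" ] || fail "WARN: run chmod 600 $dir/config"
    fi

    # deploy.sh: must be present with its FQDN variable filled in
    if [ ! -f "$dir/deploy.sh" ]; then
        fail "MISSING: $dir/deploy.sh (copy it from the repo's bin directory)"
    elif ! grep -Eq '^FQDN=.+' "$dir/deploy.sh"; then
        fail "BAD: deploy.sh does not set FQDN"
    fi
    [ "$problems" -eq 0 ]
}

# Demo on a constructed directory that mirrors the sample config in this README
demo() {
    d=$(mktemp -d)
    echo 'unifi.example.com' > "$d/domains.txt"
    printf '%s\n' 'CHALLENGETYPE="dns-01"' 'HOOK=/opt/letsencrypt-cloudflare-hook/hook.py' \
        "export CF_EMAIL='me@example.com'" "export CF_KEY='KEUMY69kDTErhFHZXSrvMS'" > "$d/config"
    check_dehydrated_dir "$d" || echo "fix the problems above before running unifi-jail.sh"
    rm -rf "$d"
}
demo
```

Run it against the host path of unifi/dehydrated before running unifi-jail.sh; a zero exit status means the Dehydrated setup is complete.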
- Disable Let's Encrypt auto-renew: run `iocage exec unifi sysrc -f /etc/periodic.conf weekly_dehydrated_enable="NO"`
- Restart the UniFi Controller: run `iocage exec unifi service unifi restart`
- Restart the entire jail: run `iocage restart unifi`
- Manually renew the Let's Encrypt certificate: run `iocage exec unifi sh /etc/dehydrated/deploy.sh`