Ubiquiti Unifi Controller on Synology with Let’s Encrypt
If you have Ubiquiti Unifi network equipment, you also need the Unifi Controller. If you already have a Synology NAS in your house, there is no need to buy the Unifi Cloud Key Gen2. Since it is best to keep the controller running 24/7, we use a Docker image to run the Unifi Controller and also assign a valid Let’s Encrypt certificate to it. In this article, I will guide you through the installation on a Synology NAS.
If you run the Synology firewall, you will need to create the following 2 rules:
- Click Create to add a Firewall Rule – select Custom under Ports
- TCP – Ports: 8080,8443,8843,8880,6789
- Click Create to add a Firewall Rule – select Custom under Ports
- UDP – Ports: 3478,10001
Before we can start, we need to make sure that your Synology supports Docker. Log in to your Synology, go to the Package Center and search in the top left corner for Docker. If it doesn’t return any results, then Docker isn’t supported for your model.
Installing Docker and Java8 on your Synology
First, we are going to install Docker. Docker allows you to run applications in containers. This way other applications on the same machine won’t be harmed.
Second, we are going to install Java8. It contains the important keytool command. This command is needed later on to convert the Let’s Encrypt certificate from .pem to a keystore.
Reboot the NAS after installing Java in order to get keytool working.
Installing the Unifi Controller
Downloading the image
After Docker is installed, click on Open. Then click on Registry on the left-hand side in the Docker app. Type “unifi” in the search field and click Search. Look for jacobalberty/unifi and double-click it. You will then be asked which tag you would like to download. Leave it at latest and click Select. It will then download the image.
Starting the image
Go to the Image tab on the left side. It may take a few minutes to download the image; you can see the progress on the right-hand side. When the download is complete, select jacobalberty/unifi and click on Launch.
After you click on Launch, the container configuration wizard will start. We need to change some settings.
- Give the container a name. I use: Unifi-Controller.
- Enable resource limitation, this way the Unifi Controller cannot use all the resources of your Synology.
- Click on Advanced Settings
- Enable auto-restart, when you restart your Synology the container will launch as well.
- Click on Volume tab
- Click on Add Folder, select docker, click Create folder, name it “unifi-controller” and press Select
- Point it to the mount path: /unifi
- Click on Network tab
- Mark “Use the same network as Docker Host”. This way we can reach the Unifi Controller on the same IP address as our Synology NAS.
- Click on Environment tab
- Change BIND_PRIV and RUNAS_UID0 to “false”
- Click Apply
The Unifi Controller will now start and is accessible on your Synology address on port 8443. So if you can open your NAS on https://yourhostname then you can find the Unifi Controller on https://yourhostname:8443.
Under Docker > Container you can see whether the controller is running. If not, you can switch it on manually.
Let’s Encrypt certificate for Unifi Controller
Assuming you already have a Let’s Encrypt certificate for your Synology running, we also want to use that certificate inside the Unifi Controller software.
If you don’t have a Let’s Encrypt certificate set up yet, you can do it by going to Control Panel > Security > Certificate > Add
- Add a new certificate
- Get a certificate from Let’s Encrypt and click next
- Fill in all the details requested and press Apply
Converting the certificate and replacing the current self-signed one
We need to use the CLI here to make it easy later on. Open an SSH session to your Synology.
Make yourself root:
Backup the current self-signed certificate from Unifi:
cd /volume1/docker/unifi-controller/data/
cp keystore keystore.bak
Now let’s find our Let’s Encrypt certificate
cd /usr/syno/etc/certificate/_archive/
ls
It will show you some folders like this: B9ho1T DEFAULT INFO kCtrkf
Locate the folder with the Let’s Encrypt certificate by doing an ls on each folder; the one that has the renew.json will be your Let’s Encrypt folder.
Let’s now build a simple script to create the certificate keystore and also renew it for Unifi. You can place the script anywhere you like. I placed it in the root of /volume1/docker. Make sure you point to the correct folder in the script on line 4!
#!/bin/bash
# Let's encrypt
echo "** Configuring new Let's Encrypt certs"
cd /usr/syno/etc/certificate/_archive/kCtrkf || exit 1
# Bundle the private key and certificate chain into a temporary PKCS12 file
openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out fullchain.p12 -name unifi -password pass:unifi
# Import the PKCS12 bundle into the Unifi keystore under the alias "unifi"
keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /volume1/docker/unifi-controller/data/keystore -srckeystore fullchain.p12 -srcstoretype PKCS12 -srcstorepass unifi -alias unifi -noprompt
# Remove the temporary bundle, it contains the private key
rm -f fullchain.p12
echo "** Restarting container"
docker restart Unifi-Controller
Make it executable:
chmod +x unifissl.sh
Run it to test:
Automate it in Synology
You can make a custom script run automatically inside your Synology:
Control Panel > Task Scheduler > Create > Scheduled task > User-defined script
- Name your task and run as root
- Select the date when your Let’s Encrypt certificate renews or the day after and Repeat every 3 months
- Point your Run Command to the correct path where the script is located.
Browse to your Unifi Controller on https://yourhostname:8443; it will now have a valid certificate. Enjoy!
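Added example, not part of the original article: a wrapper for the scheduled task that finds the Let’s Encrypt folder by its renew.json instead of a hard-coded name, and only runs the import (and the container restart) when fullchain.pem has changed. The stamp-file path, the `--run` switch and the wrapper name unifi-cert-check.sh are assumptions, and it assumes unifissl.sh has been changed to `cd "$1"` instead of the fixed folder on line 4.

```bash
#!/bin/bash
# Added example: only re-import the certificate when it has actually changed.
ARCHIVE=/usr/syno/etc/certificate/_archive        # path from the article
STAMP=/volume1/docker/unifi-controller/le.sha256  # assumed stamp-file location
IMPORT=/volume1/docker/unifissl.sh                # the article's script (assumed to cd "$1")

# Print the one archive sub-folder that holds renew.json; fail if the
# match is missing or ambiguous instead of guessing.
find_le_dir() {
    local root="$1" d found="" count=0
    for d in "$root"/*/; do
        [ -f "${d}renew.json" ] || continue
        found="${d%/}"
        count=$((count + 1))
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# SHA-256 of a file, hash only.
cert_hash() { sha256sum < "$1" | cut -d' ' -f1; }

# 0 = fullchain.pem differs from the recorded hash (import needed),
# 1 = unchanged, 2 = certificate not readable.
cert_changed() {
    local dir="$1" stamp="$2"
    [ -r "$dir/fullchain.pem" ] || return 2
    if [ -f "$stamp" ] && [ "$(cat "$stamp")" = "$(cert_hash "$dir/fullchain.pem")" ]; then
        return 1
    fi
    return 0
}

# Remember which certificate was imported last.
record_cert() { cert_hash "$1/fullchain.pem" > "$2"; }

# Scheduled-task entry point (hypothetical name): unifi-cert-check.sh --run
if [ "${1:-}" = "--run" ]; then
    dir=$(find_le_dir "$ARCHIVE") || { echo "no unique Let's Encrypt folder" >&2; exit 1; }
    if cert_changed "$dir" "$STAMP"; then
        "$IMPORT" "$dir" && record_cert "$dir" "$STAMP"
    else
        echo "** Certificate unchanged (or unreadable), nothing to do"
    fi
fi
```

Because the check is cheap, the task can run daily rather than on a guessed renewal date; the controller is only restarted on days the certificate file actually differs.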
Updating the Unifi Controller Container
Updating the Unifi Controller on the Synology is a little bit different. You can’t just download the latest version and run the installer inside the Docker container. There is no auto-update feature either, so when a new version comes out, you will need to download a new version of the Docker Unifi Image.
Before you start updating, you should always make and download a backup of your Unifi Controller. Log in to the controller, select Settings > System > Maintenance > Backup/Restore and click Download Backup.
Downloading the latest version
To update the controller you need to follow these steps:
- Open Docker on the Synology
- Click on Registry and search again for unifi
- Select jacobalberty/unifi and click Download.
- Wait until the download is completed (check the image tab or wait for the notification)
Updating the container
When the download is finished, we can start with updating, or actually replacing, the Docker image. In Docker select Container:
- Stop the Unifi Controller container by flipping the on-off switch. Wait until the status has changed to stopped
- Select the Unifi Controller container again
- Click on Action and select Reset
- Acknowledge that all the data in the container will be lost. (Settings and data are saved in the mapped folder)
- Start the container again by flipping the on-off switch
You can now log in again on your Unifi Controller.