stevejenkins / unifi-linux-utils


Helpful Linux / Unix scripts for admins of Ubiquiti (UBNT) UniFi wireless products

Home Page: https://www.stevejenkins.com/blog/tag/unifi/

License: MIT License

Shell 83.00% Python 17.00%
linux ubiquiti ubnt unifi-controller unifi-docker unifi-linux-utils

unifi-linux-utils's People

Contributors

czerasz, est-it, guerrerotook, jjlawren, kolbe, roadrunnerspeed, rogierlommers, stevejenkins

unifi-linux-utils's Issues

Holy shit

After struggling to get the built in command line tool to import my certificate, I found your script. I figured, what the hell, give it a try.

This actually works like a charm. Thanks!

OpenSSL 3 breaks PKCS12 tmp file generation

This section no longer generates a working certificate with openssl 3.x, as the password gets mangled:

if [[ -f ${SIGNED_CRT} ]]; then
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -in "${SIGNED_CRT}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}"
else
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}"
fi

Giving this issue:

Importing SSL certificate into UniFi keystore...
+ keytool -importkeystore -srckeystore /tmp/tmp.ruliTepb76 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -deststoretype pkcs12 -destkeystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -alias unifi -trustcacerts
Importing keystore /tmp/tmp.ruliTepb76 to /var/lib/unifi/keystore...
keytool error: java.io.IOException: keystore password was incorrect

The solution for openssl 3 is to add a check for openssl 3 and do this:

# Check for OpenSSL 3.x
OPENSSL_VERSION=$(openssl version -v | awk '{print $2}'| awk -F '.' '{print $1}')
if [[ "${OPENSSL_VERSION}" -ge '3' ]]; then
  OPENSSL_LEGACY_FLAG='-legacy'
else
  OPENSSL_LEGACY_FLAG=
fi

#If there is a signed crt we should include this in the export
if [[ -f ${SIGNED_CRT} ]]; then
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -in "${SIGNED_CRT}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}" \
    ${OPENSSL_LEGACY_FLAG}
else
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}" \
    ${OPENSSL_LEGACY_FLAG}
fi

Which gives this:

Exporting SSL certificate and key data into temporary PKCS12 file...
++ openssl version -v
++ awk '{print $2}'
++ awk -F . '{print $1}'
+ OPENSSL_VERSION=3
+ [[ 3 -ge 3 ]]
+ OPENSSL_LEGACY_FLAG=-legacy
+ [[ -f /etc/ssl/certs/hostname.example.com.crt ]]
+ openssl pkcs12 -export -in /etc/letsencrypt/live/hostname.com/fullchain.pem -inkey /etc/letsencrypt/live/hostname.com/privkey.pem -out /tmp/tmp.mnx3wlaSE5 -passout pass:aircontrolenterprise -name unifi -legacy
+ printf '\nRemoving previous certificate data from UniFi keystore...\n'

Removing previous certificate data from UniFi keystore...
+ keytool -delete -alias unifi -keystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise
+ printf '\nImporting SSL certificate into UniFi keystore...\n'

Importing SSL certificate into UniFi keystore...
+ keytool -importkeystore -srckeystore /tmp/tmp.mnx3wlaSE5 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -deststoretype pkcs12 -destkeystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -alias unifi -trustcacerts
Importing keystore /tmp/tmp.mnx3wlaSE5 to /var/lib/unifi/keystore...
+ printf '\nRemoving temporary files...\n'

Misleading output text

Line 163 in unifi_ssl_import.sh should be changed. This is the line now

printf "\nRestarting UniFi Controller to apply new Let's Encrypt SSL certificate...\n"

and it should be

printf "\nRestarting UniFi Controller to apply new SSL certificate...\n"

as the output gets printed, even when LE_MODE is false.

Not running on Debian

At least under Debian this won't work:
uap_list=( "192.168.0.2" "192.168.0.3" )

This is the error:
root@unifi:/etc/cron.daily# sh uap_reboot.sh
uap_reboot.sh: 20: uap_reboot.sh: Syntax error: "(" unexpected

but changing the line to
uap_list=( 192.168.0.2 192.168.0.3 )
solves the problem.

Only 2048bit cert will work

Either update the inline comment to say: "2) Assumes you already have a valid private key, signed 2048-bit certificate, ..."
Or eventually test the certificate and stop with an error if the provided cert is not 2048-bit.

I was trying with a 4096-bit cert; all was working fine, but the UniFi web UI was no longer reachable.

Thanks for the good work!
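Added example, not code from unifi-linux-utils, covering this issue and the "OpenSSL 3 breaks PKCS12" one above: pre-flight checks on the key and certificate bundle, a PKCS12 export that pins the PBE algorithms explicitly instead of passing -legacy, and a read-back of the container before keytool ever sees it. Function names are hypothetical; openssl is assumed on PATH and the paths are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example (not the repository's code). Helper names are hypothetical.

# Print the RSA modulus size of a PEM private key, e.g. 2048.
# Works with the "RSA Private-Key: (2048 bit, 2 primes)" line of OpenSSL 1.1
# and the "Private-Key: (2048 bit, 2 primes)" line of OpenSSL 3.
rsa_key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Warn when the key is not 2048 bits: the issue above reports that a 4096-bit
# certificate imported cleanly but left the controller web UI unreachable.
check_key_bits() {
    bits=$(rsa_key_bits "$1")
    if [ "$bits" != 2048 ]; then
        printf 'WARNING: key is %s bits, not 2048; the UniFi web UI may not come back\n' "${bits:-?}" >&2
        return 1
    fi
}

# Number of PEM certificates in a bundle (leaf plus intermediates). A count of
# 1 means the chain is missing, which is what the "intermediate cert" issue hit.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Confirm the private key matches the first (leaf) certificate in the bundle
# by comparing the two public keys; a mismatch here is caught before keytool.
key_matches_cert() {
    [ "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl md5)" = \
      "$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)" ]
}

# pkcs12_export KEY CERT_BUNDLE OUT PASSWORD ALIAS
# OpenSSL 3 defaults to PBES2/AES-256 with a SHA-256 MAC, which older keytool
# builds reject with "keystore password was incorrect". -legacy works around
# it but needs the legacy provider (RC2-40). Pinning PBE-SHA1-3DES, the
# pre-3.0 key algorithm, for both cert and key gives the same container on
# every OpenSSL release and keytool reads it without extra providers. The wrap
# strength is secondary here: the file is short-lived, protected by the
# controller's fixed password, and mktemp already creates it with mode 0600.
pkcs12_export() {
    openssl pkcs12 -export -in "$2" -inkey "$1" -out "$3" \
        -passout "pass:$4" -name "$5" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Read the container back before handing it to keytool: a MAC or parse failure
# here is a far clearer signal than a keytool error after the keystore was
# already emptied by "keytool -delete".
pkcs12_verify() { openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# preflight KEY CERT_BUNDLE: run every check; non-zero only on a hard failure.
preflight() {
    rc=0
    key_matches_cert "$1" "$2" || { echo 'ERROR: key does not match leaf cert' >&2; rc=1; }
    [ "$(cert_count "$2")" -ge 2 ] || echo 'WARNING: bundle has no intermediate certificate' >&2
    check_key_bits "$1" || true   # advisory only
    return $rc
}
```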

ERR_SSL_VERSION_OR_CIPHER_MISMATCH after Letsencrypt certificate

After running the unifi_ssl_import.sh and successfully updating the keystore, browsers would not accept the certificate. The error displayed in Edge is ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and you are unable to get to the web interface.

To solve this I edited the "system.properties" file located in the data directory, and added this line:
unifi.https.ciphers=TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CCM,TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

Since this is caused by adjusting the keystore this should be addressed here I think. This post might help other users and there might be a better way to tackle this issue. The only difference I could find within the keystores was the used encryption: Where Unifi has RSA 4069, the new one has SHA256withRSA.

Systemd script cannot spawn enough threads

After I used your script unifi-linux-utils/startup-scripts/unifi.service
I got the error: kernel: cgroup: fork rejected by pids controller in /system.slice/unifi.service
I added the line: TasksMax=infinity
to the unifi.service and that solved the problem.
I use it on openSUSE Leap 42.2 and I sent it only so you know.

Destination certificate type should be checked (or at least catch the error to describe how to address)

I was getting a strange error when using the current master of the ssl cert import tool.
DerInputStream.getLength(): lengthTag=109, too big.

It took a couple hours of searching to identify that the keystore in my Ubuntu instance (that has been upgraded many many times) still had the JKS format. Not sure if this really requires any code change to address as a keytool command to change the keystore from JKS to pkcs12 worked like a charm.

It could be worth looking at determining if the format of the destination keystore is JKS if that length=109 exception is thrown and doing the conversion automatically or at least suggesting verifying the keystore format in the output.
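Added example, not part of unifi-linux-utils: tell a JKS keystore from a PKCS12 one by its first bytes before running keytool -importkeystore, so the "DerInputStream.getLength(): lengthTag=109, too big" failure above gets a plain explanation instead of a stack trace. Function names are hypothetical; the migration command is the one keytool itself recommends for JKS stores, and it is only run when keytool is on PATH.

```shell
#!/usr/bin/env bash
# Added example (not the repository's code). Helper names are hypothetical.

# keystore_format FILE -> jks | jceks | pkcs12 | unknown
# JKS files start with the magic bytes 0xFEEDFEED and JCEKS with 0xCECECECE;
# a PKCS12 file is DER, so its first byte is a SEQUENCE tag (0x30).
keystore_format() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;
        cececece) echo jceks ;;
        30*)      echo pkcs12 ;;
        *)        echo unknown ;;
    esac
}

# ensure_pkcs12_keystore FILE PASSWORD
# Returns 0 when FILE is already PKCS12. For a JKS store it takes a copy and
# runs the in-place migration keytool recommends (keytool keeps its own
# FILE.old as well); assumes the key password equals the store password, as
# it does for the UniFi keystore. Returns 1 when keytool is missing or the
# file is not a keystore format we recognise, so the caller stops before
# "keytool -delete" empties a store it could not have imported into anyway.
ensure_pkcs12_keystore() {
    case "$(keystore_format "$1")" in
        pkcs12) return 0 ;;
        jks)
            if ! command -v keytool >/dev/null 2>&1; then
                printf 'keystore %s is JKS; convert it with:\n' "$1" >&2
                printf '  keytool -importkeystore -srckeystore %s -destkeystore %s -deststoretype pkcs12\n' "$1" "$1" >&2
                return 1
            fi
            cp -p "$1" "$1.jks.bak" || return 1
            keytool -importkeystore -srckeystore "$1" -destkeystore "$1" \
                -deststoretype pkcs12 -srcstorepass "$2" -deststorepass "$2"
            ;;
        *)
            printf 'keystore %s: unrecognised format, not touching it\n' "$1" >&2
            return 1
            ;;
    esac
}
```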

unifi_ssl_import.sh : remove dependency on Ubuntu's service script

unifi_ssl_import.sh depends on Ubuntu's service script, which is not available on Debian:

unifi_ssl_import.sh: line 102: service: command not found

Using the standard systemd command instead of service solves the issue.

To make unifi_ssl_import.sh work with vanilla Debian, I had to make the following changes:

Line 102 : /bin/systemctl stop "${UNIFI_SERVICE}"

Line 163 : /bin/systemctl start "${UNIFI_SERVICE}"

A better option would certainly be wrapping these lines in a variable depending on the operating system and returning the correct systemd/service command.

Syntax Error

I got the log "./uap_reboot.sh: 20: ./uap_reboot.sh: Syntax error: "(" unexpected"

I just copied all your script and only changed the IP address in the ( ), and I got the error "./uap_reboot.sh: 20: ./uap_reboot.sh: Syntax error: "(" unexpected".

I'm using Ubuntu 16.04.3

Thanks
Faiz

Force DNS to pihole IPv6?

How can you force the DNS to pihole for IPv6?

Also how can you have it so that not everything logs as coming from the USG IP in the pihole?

Wifiman breaks with unifi_ssl_import.sh

When using the "unifi_ssl_import.sh" script it seems to break the certificate required for Wifiman to work on my UXG-Pro with the error:

x509: certificate is valid for unifi.example.com, not UniFi

This error can be seen when accessing the following url:
https://lan_ip_of_uxg:8900/proxy/

Any ideas?

UniFi path changes?

I'm running UniFi Controller 5.3.8.2 on Ubuntu 14.04.5 LTS.
After updating UNIFI_HOSTNAME, UNIFI_DIR, UNIFI_SERVICE and LE_MODE, the following are included in your script's messages:

Updating certificate MD5 checksum...
cp: cannot stat ‘/var/lib/unifi/data/keystore’: No such file or directory

Removing previous certificate data from UniFi keystore...
keytool error: java.lang.Exception: Keystore file does not exist: /var/lib/unifi/data/keystore

Importing SSL certificate into UniFi keystore...
keytool error: java.io.FileNotFoundException: /var/lib/unifi/data/keystore (No such file or directory)

Error: Unable to access jarfile /var/lib/unifi/lib/ace.jar

On the system in question, keystore is at /var/lib/unifi/keystore. There is no directory /var/lib/unifi/data, and sudo find /var/lib/unifi | grep ace returns only:

/var/lib/unifi/db/ace_stat.1
/var/lib/unifi/db/ace_stat.0
/var/lib/unifi/db/ace_stat.ns
/var/lib/unifi/db/ace.ns
/var/lib/unifi/db/ace.1
/var/lib/unifi/db/ace.0

I updated the script, setting KEYSTORE to ${UNIFI_DIR}/keystore and re-ran. This time, I only see:

Starting UniFi Controller SSL Import...
Running in Let's Encrypt Mode...
Inspecting current SSL certificate...
Certificate is unchanged, no update is necessary.

After a while, I realized that though the first attempt to import failed, the script still created cert.pem.md5. After removing that file and re-running, the only error in the output is:

Error: Unable to access jarfile /var/lib/unifi/lib/ace.jar

But this time the import succeeded.

Reboot question

“reboot” seems different than using the restart command in the controller. Is there an analogous restart in terminal?

Turn Off LED script

Is there a way to use the API to turn off the LED on a UAP, if so could you create a script for this?

The UAP in my room is really bright at night and I would like a script that could disable this at nights.

Unifi installation package .deb on update script

Hey Steve,

Love your work here, it is really helping me expand my knowledge of Linux.

I used the update script, but the current download from Ubiquiti is a .deb. Your script is trying to do unzip, so the script failed on that. Any chance you would update it to handle that?

I was thinking of changing your unzip to "dpkg -x package.deb /opt/UniFi" or ar.
Cheers,
Dietmar

unifi_ssl_import.sh didn't import the intermediate cert

I tried to verify the SSL certificate via openssl (icinga/nagios) but it failed with missing certificates.

It turns out that unifi_ssl_import.sh doesn't include the intermediate cert in the bundle.

I modified the script to concatenate the $SIGNED_CERT and $CHAIN_FILE to another temporary file, and then included that. Now the SSL certificate is verifiable via openssl.

--- unifi_ssl_import.sh.dist	2023-03-29 11:24:55.970766471 +0300
+++ unifi_ssl_import.sh	2023-03-29 11:21:02.437590249 +0300
@@ -92,6 +92,7 @@
 	printf "\nImporting the following files:\n"
 	printf "Private Key: %s\n" "$PRIV_KEY"
 	printf "CA File: %s\n" "$CHAIN_FILE"
+	printf "Certificate File: %s\n" "$SIGNED_CERT"
 fi
 
 # Create temp files
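Review bot: the added `printf "Certificate File: %s\n" "$SIGNED_CERT"` reads `$SIGNED_CERT`, but the rest of the script names the variable `SIGNED_CRT` (the `if [[ -f ${SIGNED_CRT} ]]` test in the next hunk), so this line prints an empty path. Rename it to `"$SIGNED_CRT"`, and consider moving the line inside that `-f` check so the script does not announce a certificate file that was never configured.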
@@ -126,9 +127,19 @@
 
 #If there is a signed crt we should include this in the export
 if [[ -f ${SIGNED_CRT} ]]; then
+
+	# 2023-03-29 Harald
+	tmpfile="/tmp/$(mcookie)"
+	if [ -f "${tmpfile}" ] ; then
+		echo "tmpfile $tmpfile exists, exiting"
+		exit 1
+	else # create a file containing cert + intermediate cert;
+		cat "${SIGNED_CRT}" "${CHAIN_FILE}" > "${tmpfile}"
+	fi
+
+#    -in "${CHAIN_FILE}" \
     openssl pkcs12 -export \
-    -in "${CHAIN_FILE}" \
-    -in "${SIGNED_CRT}" \
+    -in "${tmpfile}" \
     -inkey "${PRIV_KEY}" \
     -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
     -name "${ALIAS}"
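Review bot: `tmpfile="/tmp/$(mcookie)"` followed by an `-f` test and a `cat >` redirect is a check-then-create race in a world-writable directory, and mcookie (util-linux) is not present on every system this script targets; use the same `mktemp` the script already uses for `P12_TEMP` (`tmpfile=$(mktemp)`), which creates the file atomically with mode 0600 and makes the exists-check and its `exit 1` branch unnecessary. Also drop the commented-out `#    -in "${CHAIN_FILE}" \` line and the dated name comment; the diff records who changed what. The substance is right: `cat "${SIGNED_CRT}" "${CHAIN_FILE}"` puts the leaf first, as `openssl pkcs12 -export -in` expects, and replaces the original's two `-in` options, of which only the last one took effect.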
@@ -156,7 +167,7 @@
 
 # Clean up temp files
 printf "\nRemoving temporary files...\n"
 -rm -f "${P12_TEMP}"
+rm -f "${P12_TEMP}" "${tmpfile}"

 # Restart the UniFi Controller to pick up the updated keystore
 printf "\nRestarting UniFi Controller to apply new Let's Encrypt SSL certificate...\n"
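Review bot: this hunk will not apply cleanly: the removed line is shown as ` -rm -f "${P12_TEMP}"` with a space before the `-`, which `patch` reads as a context line that does not exist in the original, and the blank line after the `+` line is missing its leading space; regenerate the patch with `diff -u` rather than editing the hunk by hand. On the content, `tmpfile` is only assigned inside the `if [[ -f ${SIGNED_CRT} ]]` branch of the previous hunk, so on the chain-only path `rm -f "${P12_TEMP}" "${tmpfile}"` runs with an empty second argument; initialise `tmpfile=` before that branch or guard the removal with `[[ -n ${tmpfile} ]]`. Visible in the context but unrelated to this change: the restart message still says "new Let's Encrypt SSL certificate" on the bring-your-own-certificate path this patch is fixing.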

SSL for UDM and UDM Pro

I wonder if the unifi_ssl_import.sh can support UDM and UDM Pro?

my system is

cat /etc/os-release

NAME=UbiOS
VERSION=UDM.alpinev2.v1.7.3-rc.1.ae72cc6.200612.2018
ID=ubios
VERSION_ID=v1.7.3-rc.1.2623-ae72cc6
PRETTY_NAME="UbiOS 1.7.3-rc.1.2623"
BUILD_ID=200612.2018
VARIANT=UDM.alpinev2

Permissions not set on keystore

Some installations run the controller as a dedicated user, ubnt in many cases. The script does not check for permissions and can render the controller unusable as the keystore cannot be loaded. The simple hardcoded solution was adding two variables:

UBNT_USER=ubnt
UBNT_GROUP=ubnt

And this addition before the controller is restarted.

# Fix permissions so the service account can read the keystore keytool just rewrote as root
chown "${UBNT_USER}:${UBNT_GROUP}" "${KEYSTORE}"

Storing the existing permissions during the backup process may be cleaner, but since these variables must be modified before use anyway, this method is sufficient.
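The cleaner variant mentioned above, as an added example that is not the repository's code: record the keystore's owner, group and mode before the backup and import, put them back afterwards, and check that the service account actually owns the file before the controller is restarted. Uses GNU stat (Linux); function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not the repository's code). Helper names are hypothetical.

# keystore_perms_capture FILE -> "uid:gid mode", e.g. "113:117 600"
# Numeric ids are used so the value survives even when the service account
# has no passwd entry on the host running the script.
keystore_perms_capture() { stat -c '%u:%g %a' "$1"; }

# keystore_perms_restore "uid:gid mode" FILE
# Re-applies what keystore_perms_capture recorded; keytool -importkeystore
# run as root leaves the file owned by root, which is the failure above.
keystore_perms_restore() {
    owner=${1%% *}
    mode=${1##* }
    chown "$owner" "$2" && chmod "$mode" "$2"
}

# keystore_owned_by USER FILE -> 0 when USER (name or numeric uid) owns FILE.
# Run this right before restarting the controller: a keystore the service
# user cannot read is exactly the "controller unusable" state described above.
keystore_owned_by() {
    case $1 in
        *[!0-9]*) uid=$(id -u "$1" 2>/dev/null) || return 1 ;;
        *)        uid=$1 ;;
    esac
    [ "$(stat -c %u "$2")" = "$uid" ]
}

# keystore_backup FILE
# Same keystore.orig / keystore.bak scheme as unifi_ssl_import.sh, but with
# cp -p so the backup keeps the original ownership and mode as well.
keystore_backup() {
    if [ -s "$1.orig" ]; then
        cp -p "$1" "$1.bak"
    else
        cp -p "$1" "$1.orig"
    fi
}

# Typical use around the import (not executed here):
#   perms=$(keystore_perms_capture "$KEYSTORE")
#   keystore_backup "$KEYSTORE"
#   ... keytool -delete / keytool -importkeystore ...
#   keystore_perms_restore "$perms" "$KEYSTORE"
#   keystore_owned_by "$UBNT_USER" "$KEYSTORE" || echo "keystore not owned by $UBNT_USER" >&2
```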

ssl_import

Everything appears to work, but I'm getting an error:

Importing certificate authority into UniFi keystore...
 
Unable to import the certificate into keystore

Again, I get no certificate errors when going to my unifi controller, just this script throws the error above.

I manually tried running the code from the script and get the same error.

Something like this:

~$ sudo java -jar /usr/lib/unifi/lib/ace.jar import_cert /etc/letsencrypt/live/example.com/cert.pem /etc/letsencrypt/live/example.com/chain.pem /tmp/tmp.80vtybdzmD
Unable to import the certificate into keystore

Is this step really necessary? I looked at some of the tutorials on the Unifi Forums and don't see this ace.jar file mentioned in them.

My controller version is 5.9.29.

Modify uap_reboot.sh to allow multiple IPs

For locations with multiple APs, it would be nice to allow a string of IP addresses inside the script, or possibly support importing a text file containing a list of IPs.

CHANGE PORT SSH

Hi Stevejenkins!

How to run your script with another SSH port?

Thanks

Need to add service name config option

Script assumes service name of "UniFi." Need to make this a configurable option for users who might have their service called "unifi" or anything else.

Pi-hole: Every request is listed with client "USG-Pro-4"

Hello,

first a big thank you for your scripts!
It was very easy to make the Pi-hole running as DNS in my network.

Unfortunately every request is listed with the client "USG-Pro-4".
How can I change the configuration of my USG or Pi-hole, so that the real client IPs/hostnames are listed in the Pi-hole logs?

Thank you in advance!

Best regards,

Brovning

unifi_ssl_import.sh: "unable to import the certificate into keystore"

When running unifi_ssl_import.sh, it runs through everything fine, until it tries to import the cert authority into the keystore.

Importing SSL certificate into UniFi keystore...

Importing certificate authority into UniFi keystore...

Unable to import the certificate into keystore

Removing temporary files...

Restarting UniFi Controller to apply new Let's Encrypt SSL certificate...

Done!

Even though it says it's done, the controller is inaccessible.

I'm running Unifi Controller 5.9.29 on Raspbian 9.4

Any help would be greatly appreciated, thanks!

unifi_ssl_import.sh: "==yes" loop on script execution

I am using this script to import a Let's Encrypt signed ssl cert into the Ubiquiti Unifi Controller I have hosted on a server running Ubuntu 16.04.5 LTS. When I execute the script I get an infinite loop of "==yes" printed in my terminal. Any leads on the issue? Have you seen this behavior before?

I have made only these changes to the script:
hostname changed from default to FQDN matching the Let's Encrypt cert
UNIFI_HOSTNAME=wifi.herebedragons.com

I commented out the following three lines for Fedora/RedHat/CentOS
UNIFI_DIR=/opt/UniFi
JAVA_DIR=${UNIFI_DIR}
KEYSTORE=${UNIFI_DIR}/data/keystore

I uncommented the following three lines for Debian/Ubuntu
UNIFI_DIR=/var/lib/unifi
JAVA_DIR=/usr/lib/unifi
KEYSTORE=${UNIFI_DIR}/keystore

changed LE_MODE= from "no" to "yes"
LE_MODE=yes
LE_LIVE_DIR=/etc/letsencrypt/live

Here is my kernel version:
uname -a
Linux 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Any support the community can provide would be appreciated!

Best,
Ben

question about force-dns-to-pihole

Hi Steve, and thank you for the script that made it so easy to redirect all my internal devices to use my pihole server. I was really confused trying to figure out how to implement such rules using the Unifi controller gui interface.

But I have a question, if you don't mind. At https://labzilla.io/blog/force-dns-pihole the author describes an approach that configures a pfSense firewall with 3 rules for achieving a similar purpose:

NAT Rule 1: Redirect DNS queries to PiHole
NAT Rule 2: Exempt PiHole from DNS query redirects
NAT Rule 3: Prevent clients from giving unexpected source errors

I believe the first 2 rules are precisely what you have provided in the script, but I'm unsure about the third and wonder if it is something worth adding? I'm not clear which devices would get indigestion from a so-called "unexpected source error", but I doubt the error handling and recovery logic is robust in devices that are hard-coding DNS server ip addresses.

Is this something you feel might be significant?

Just fyi: Function which updates the Cloud Key management interface as well

I use this function in a script as a Home Assistant addon, so if you use this, you might have to change a few logging lines. It also connects over SSH and I removed the functionality which I didn't need. Thanks for your work!

function unifi_renew() {

    bashio::log.info "Starting UniFi Controller SSL Import..."

    local domainWithoutWildcard=${DOMAIN:1}   # strip the leading "*" of a wildcard domain
    local domainString="${domainWithoutWildcard//[\.]/_}"
    local CERT_DIR_NAME="star${domainString}"
    local UNIFI_HOSTNAME=$(bashio::config 'unifi.hostname')
    local UNIFI_USERNAME=$(bashio::config 'unifi.username')
    export SSHPASS=$(bashio::config 'unifi.password')   # read by sshpass -e

    # CONFIGURATION OPTIONS FOR CLOUDKEY
    local UNIFI_SERVICE=unifi
    local UNIFI_DIR=/var/lib/unifi
    local JAVA_DIR=/usr/lib/unifi
    local KEYSTORE=${JAVA_DIR}/data/keystore
    local ALIAS=unifi
    local PASSWORD=aircontrolenterprise

    bashio::log.info "Running in Let's Encrypt Mode..."
    local PRIV_KEY=${CERT_DIR}/${CERT_DIR_NAME}/privkey.pem
    local CHAIN_FILE=${CERT_DIR}/${CERT_DIR_NAME}/fullchain.pem
    local PRIV_KEY_MD5=${CERT_DIR}/${CERT_DIR_NAME}/privkey.pem.md5
    local PRIV_KEY_CLOUDKEY=/etc/ssl/private/cloudkey.key
    local CHAIN_FILE_CLOUDKEY=/etc/ssl/private/cloudkey.crt

    # Check to see whether LE certificate has changed
    bashio::log.info "Inspecting current SSL certificate..."
    if md5sum -c "${PRIV_KEY_MD5}" &>/dev/null; then
        # MD5 remains unchanged, exit the script
        bashio::log.info "Certificate is unchanged, no update is necessary."
        return 0
    else
        # MD5 is different, so it's time to get busy!
        bashio::log.warning "Updated SSL certificate available. Proceeding with import..."
    fi

    # Verify required files exist
    if [[ ! -f ${PRIV_KEY} ]] || [[ ! -f ${CHAIN_FILE} ]]; then
        bashio::log.error "Missing one or more required files. Check your settings."
        return 1
    else
        # Everything looks OK to proceed
        bashio::log.info "Importing the following files:"
        bashio::log.info "Private Key: $PRIV_KEY"
        bashio::log.info "CA File: $CHAIN_FILE"

        # Read both files now; their contents are written out on the Cloud Key inside the SSH session below
        local PRIV_KEY_CONTENT=$(cat "$PRIV_KEY")
        local CHAIN_FILE_CONTENT=$(cat "$CHAIN_FILE")
    fi

    # Write a new MD5 checksum based on the updated certificate
    bashio::log.info "Updating certificate MD5 checksum..."
    md5sum "${PRIV_KEY}" > "${PRIV_KEY_MD5}"

    # Set verbose parameter (spaces around "=" are required, otherwise the test is always true)
    if [ "$DEBUG" = true ] ; then
        DEBUG_PARAM="-v"
    else
        DEBUG_PARAM=""
    fi

    # The here-document is expanded locally before it is sent: plain ${VAR} references use the
    # values above, while the escaped \${VAR} references are left for the remote shell to expand.
    bashio::log.info "Starting SSH session to Unifi CloudKey controller..."
    sshpass $DEBUG_PARAM -e ssh $DEBUG_PARAM -T -o StrictHostKeyChecking=accept-new ${UNIFI_USERNAME}@${UNIFI_HOSTNAME} <<REMOTE_SCRIPT

    # Create temp files (on the Cloud Key)
    P12_TEMP=\$(mktemp)

    # Stop the UniFi Controller
    printf "\nStopping UniFi Controller...\n"
    service "${UNIFI_SERVICE}" stop

    # Create double-safe keystore backup
    if [[ -s "${KEYSTORE}.orig" ]]; then
        printf "\nBackup of original keystore exists!\n"
        printf "\nCreating non-destructive backup as keystore.bak...\n"
        cp "${KEYSTORE}" "${KEYSTORE}.bak"
    else
        cp "${KEYSTORE}" "${KEYSTORE}.orig"
        printf "\nNo original keystore backup found.\n"
        printf "\nCreating backup as keystore.orig...\n"
    fi

    # Create double-safe certificate private key backup
    if [[ -s "${PRIV_KEY_CLOUDKEY}.orig" ]]; then
        printf "\nBackup of original certificate private key exists!\n"
        printf "\nCreating non-destructive backup as cloudkey.key.bak...\n"
        cp "${PRIV_KEY_CLOUDKEY}" "${PRIV_KEY_CLOUDKEY}.bak"
    else
        cp "${PRIV_KEY_CLOUDKEY}" "${PRIV_KEY_CLOUDKEY}.orig"
        printf "\nNo original certificate private key backup found.\n"
        printf "\nCreating backup as cloudkey.key.orig...\n"
    fi

    # Create double-safe certificate chain file backup
    if [[ -s "${CHAIN_FILE_CLOUDKEY}.orig" ]]; then
        printf "\nBackup of original certificate chain file exists!\n"
        printf "\nCreating non-destructive backup as cloudkey.crt.bak...\n"
        cp "${CHAIN_FILE_CLOUDKEY}" "${CHAIN_FILE_CLOUDKEY}.bak"
    else
        cp "${CHAIN_FILE_CLOUDKEY}" "${CHAIN_FILE_CLOUDKEY}.orig"
        printf "\nNo original certificate chain file backup found.\n"
        printf "\nCreating backup as cloudkey.crt.orig...\n"
    fi

    # Write the new key and chain to the Cloud Key's own certificate paths, then export
    # them to a PKCS12 file. The *_CLOUDKEY paths are local variables and must be expanded
    # here, not on the remote side where they are unset.
    printf "\nExporting SSL certificate and key data into temporary PKCS12 file...\n"
    printf "%s" "$PRIV_KEY_CONTENT" > "${PRIV_KEY_CLOUDKEY}"
    printf "%s" "$CHAIN_FILE_CONTENT" > "${CHAIN_FILE_CLOUDKEY}"
    openssl pkcs12 -export -in "${CHAIN_FILE_CLOUDKEY}" -inkey "${PRIV_KEY_CLOUDKEY}" -out "\${P12_TEMP}" -passout pass:"${PASSWORD}" -name "${ALIAS}"

    # Delete the previous certificate data from keystore to avoid "already exists" message
    printf "\nRemoving previous certificate data from UniFi keystore...\n"
    keytool -delete -alias "${ALIAS}" -keystore "${KEYSTORE}" -deststorepass "${PASSWORD}"

    # Import the temp PKCS12 file into the UniFi keystore
    printf "\nImporting SSL certificate into UniFi keystore...\n"
    keytool -importkeystore -srckeystore "\${P12_TEMP}" -srcstoretype PKCS12 -srcstorepass "${PASSWORD}" -destkeystore "${KEYSTORE}" -deststorepass "${PASSWORD}" -destkeypass "${PASSWORD}" -alias "${ALIAS}" -trustcacerts

    # Clean up temp files
    printf "\nRemoving temporary files...\n"
    rm -f "\${P12_TEMP}"

    # Restart the UniFi Controller to pick up the updated keystore
    printf "\nRestarting UniFi Controller to apply new Let's Encrypt SSL certificate...\n"
    service "${UNIFI_SERVICE}" start

    # Reload the UniFi CloudKey management interface to pick up the updated certificates
    printf "\nReloading the UniFi CloudKey management interface to apply the new Let's Encrypt SSL certificate...\n"
    nginx -s reload

    # That's all, folks!
    printf "\nDone!\n"
REMOTE_SCRIPT
    bashio::log.info "Certificate successfully updated on the Unifi CloudKey controller..."
    return 0
}

unifi_ssl_import: UNIFI_HOSTNAME

Steve,

In unifi_ssl_import, this must be set.
UNIFI_HOSTNAME=hostname.example.com

But ... what should I enter for an NVR that is on the local LAN (only) and has no public FQDN?

Rob

unifi_ssl_import.sh does not work for BYO cert

From the merged pull request two days ago of #28

The SIGNED_CRT value is now entirely ignored, and in turn caused the script to create a corrupted (empty?) keystore, which in turn blocked the unifi web ui from loading. The unifi service still ran, but the web ui would not load. This parameter is important for people using their own certificate.

I simply used this, but I'm sure there is a more elegant solution
cat mydomain.crt >> mydomain-chain.crt

This was the error from the server.log which led me to figure out the cause.