- Want to expose the Unifi console via a public domain like unifi.mydomain.com.
- Theoretically if unifi.ui.com goes down this proxy would continue to work.
- Also just good practice hackin'

- UCG-Ultra doing PPPoE
- Note: important not to be double NAT'd
- Enable Direct Remote Access in /console/settings; this opens up :443
- Enable SSH while we move the certs around
We need to spin up a Cloudflare Worker for dynamic DNS following willswire's guide/repo: https://github.com/willswire/unifi-ddns
Follow its configuration steps and test that the record updates correctly by restarting your system.
Create a new Origin CA Certificate in Cloudflare. Choose RSA (2048) as the key type, not ECC, and save both the certificate and the private key in PEM format.
Assuming you saved them as cert.crt and private.key, you then need to combine cert.crt with the Cloudflare Origin CA root
certificate. Simply concatenate the two certificates into one file, your cert first and the root after it, and be sure to trim any trailing newlines. The root cert is here:
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate
Your .crt file is now a chain of the two certificates. Now you need to convert the private key from PKCS#8 to
PKCS#1. Run openssl rsa -in private.key -out private-pkcs1.key -traditional (the -traditional flag exists in OpenSSL 3.0+; on
older versions omit it, since they write PKCS#1 by default).
Now we need to SSH into the UCG-Ultra and swap the new files in place of the self-signed certificate and key it is already using.
The cert and key live in /data/unifi-core/config as unifi-core.crt and unifi-core.key.
Back up the old files first: mv unifi-core.crt unifi-core.crt.bak; mv unifi-core.key unifi-core.key.bak;
Now copy over the certificate chain and key you created from Cloudflare, replacing those two files.
Assuming your router is at 10.1.1.1, from your host machine:
scp cert.crt root@10.1.1.1:/data/unifi-core/config/unifi-core.crt
scp private-pkcs1.key root@10.1.1.1:/data/unifi-core/config/unifi-core.key
Then back in the SSH terminal reload the Unifi services:
service restart unifi-core
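The whole procedure above (chain file, PKCS#1 conversion, backup, copy, restart) as one script, with the checks worth running before touching the gateway: that the chain holds exactly two certificates, that the leaf actually verifies against the root you appended, and that the converted key really belongs to the certificate. This is an added example, not code from these notes or from the unifi-ddns repo; the input names cert.crt, private.key and cloudflare-root.pem, the ./staged directory and the 10.1.1.1 address are assumptions, while the remote path and target file names are the ones the notes give. One caveat to keep in mind: an Origin CA certificate is only trusted by Cloudflare's edge, so the hostname has to be proxied through Cloudflare; anything that reaches the gateway's :443 directly will see an untrusted issuer, which is why the script ends by showing which certificate the gateway now serves.

```shell
#!/bin/sh
# Added example, not from the original notes: stage the Cloudflare Origin CA
# cert + key locally, sanity-check them, then push them to the gateway.
# File names (cert.crt, private.key, cloudflare-root.pem) and the staging
# directory are assumptions; /data/unifi-core/config and the target file
# names are the ones the notes give.
set -eu

# build_chain LEAF ROOT OUT: leaf certificate first, Cloudflare root second.
# 'NF' drops blank lines (the "trim trailing newlines" step) and sub() strips
# CRs from a root cert pasted out of a browser, so every line ends in one LF.
build_chain() {
  awk '{ sub(/\r$/, "") } NF' "$1" "$2" > "$3"
}

# count_certs FILE: number of PEM certificate blocks (a chain should have 2)
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_pair CERT KEY: succeeds only if KEY is the private key for CERT, by
# comparing the public key inside the cert with the one derived from the key.
# Works for both PKCS#8 and PKCS#1 key files.
check_pair() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# convert_key IN OUT: PKCS#8 ("BEGIN PRIVATE KEY") -> PKCS#1 ("BEGIN RSA
# PRIVATE KEY"). OpenSSL 3+ needs -traditional; 1.1.x and LibreSSL already
# write PKCS#1 and do not accept the flag.
convert_key() {
  case "$(openssl version)" in
    "OpenSSL "[3-9]*) openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null ;;
    *)                openssl rsa -in "$1" -out "$2" 2>/dev/null ;;
  esac
  chmod 600 "$2"
  grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$2"
}

# verify_chain LEAF ROOT: the cert you were issued must actually be signed by
# the root you appended (catches grabbing the ECC root for an RSA cert).
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null
}

# prepare LEAF ROOT KEY OUTDIR: the local half of the procedure, end to end
prepare() {
  leaf=$1; root=$2; key=$3; out=$4
  mkdir -p "$out"
  build_chain "$leaf" "$root" "$out/unifi-core.crt"
  [ "$(count_certs "$out/unifi-core.crt")" -eq 2 ] || { echo "chain should hold 2 certs" >&2; return 1; }
  verify_chain "$leaf" "$root" || { echo "leaf does not chain to root" >&2; return 1; }
  convert_key "$key" "$out/unifi-core.key"
  check_pair "$out/unifi-core.crt" "$out/unifi-core.key" || { echo "key does not match cert" >&2; return 1; }
  echo "staged $out/unifi-core.crt and $out/unifi-core.key"
}

# install_certs HOST OUTDIR: back up the self-signed pair on the gateway,
# copy ours in, restart unifi-core (restart command as the notes give it),
# then show which certificate the gateway is now serving on :443.
install_certs() {
  host=$1; out=$2; cfg=/data/unifi-core/config
  ssh "root@$host" "cd $cfg && cp -p unifi-core.crt unifi-core.crt.bak && cp -p unifi-core.key unifi-core.key.bak"
  scp "$out/unifi-core.crt" "root@$host:$cfg/unifi-core.crt"
  scp "$out/unifi-core.key" "root@$host:$cfg/unifi-core.key"
  ssh "root@$host" "service restart unifi-core"
  openssl s_client -connect "$host:443" </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer
}

case "${1:-}" in
  prepare) shift; prepare "$@" ;;
  install) shift; install_certs "$@" ;;
  *) echo "usage: $0 prepare cert.crt cloudflare-root.pem private.key ./staged | install 10.1.1.1 ./staged" >&2 ;;
esac
```

Run `sh stage.sh prepare cert.crt cloudflare-root.pem private.key ./staged` on your host first; if any check fails nothing is copied, so the gateway keeps its working self-signed pair. Only then run `sh stage.sh install 10.1.1.1 ./staged`. The backups use `cp -p` rather than the notes' `mv` so the originals stay in place until the new files land.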