I finally got sick of seeing a certificate error when connecting to my Ubiquiti Unifi WiFi controller.

There are a bunch of shitty howtos describing how to install a cert, and one good one. But in order to make it more copy-paste for future me when the certificate needs renewing, and because the paths are not quite the same since I run the controller in a Docker container on a Raspberry Pi, here are the commands (after copying fullchain.pem and privkey.pem into the stateful data dir):

host$ docker ps  # make note of the docker ID
host$ docker exec -ti ID_HERE bash  # options go before the container ID
docker$ openssl pkcs12 \
        -export \
        -inkey privkey.pem \
        -in fullchain.pem \
        -out cert.p12 \
        -name unifi \
        -password pass:secret
docker$ keytool \
        -importkeystore \
        -deststorepass aircontrolenterprise \
        -destkeypass aircontrolenterprise \
        -destkeystore /usr/lib/unifi/data/keystore \
        -srckeystore cert.p12 \
        -srcstorepass secret \
        -alias unifi \
        -noprompt
docker$ exit
host$ docker stop ID_HERE
host$ docker start ID_HERE
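
A check worth running before the openssl step, as an added example that is not part of the original post: it confirms that privkey.pem really belongs to the leaf certificate in fullchain.pem and that the certificate is not about to expire. The function name `preflight`, its exit codes and the 7-day default are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# fullchain.pem / privkey.pem pair before building cert.p12.
# Assumes an unencrypted private key, as the openssl command above does.
# Exit codes (chosen for this example): 0 ok, 2 unreadable file,
# 3 key does not match the certificate, 4 certificate expires too soon.
# Usage: preflight fullchain.pem privkey.pem 7
preflight() (
    cert=$1; key=$2; min_days=${3:-7}

    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; exit 2; }

    # Public key of the first (leaf) certificate in the chain file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || exit 3
    # Public key derived from the private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || exit 3

    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to the leaf certificate" >&2
        exit 3
    fi

    # -checkend fails if the certificate expires within the given seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires in less than $min_days days" >&2
        exit 4
    fi

    # Show what is about to be imported.
    openssl x509 -in "$cert" -noout -subject -enddate
)
```

Once keytool has imported the entry, cert.p12 is no longer needed and can be deleted from the data dir.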

I’m mostly happy with the Ubiquiti access points. I have an AP-AC-LR and an AP-M. My complaints are:

  • When I reported a bug about access to SSH on non-management interfaces, they responded by turning off management over IPv6 altogether.
  • Even their latest firmware doesn’t support UNII-3 channels, which have been allowed in the UK since 2017, and DFS-free since mid-2020.
  • You can’t select a fallback channel when DFS channels detect radar, so you may end up with both APs on the same channel.

I solved some of the channel mess by creating two “sites”. One is “in the US” running on UNII-3, and since it’s DFS-free there’s no risk of both APs ending up on the same channel.

This works great with everything except:

  • Google Pixelbook
  • Google Nest
  • Google Chromecast

They absolutely refuse to connect to a UNII-3 channel. Apparently because the manufacturer chose to hard-code this, non-upgradable, and not simply trust the AP. So I just live with them connecting to the other AP. My home is not that big.

Apple devices, Pixel 3 phone, Lenovo etc… etc… are all fine.