This should work on UbiOS-based firmware versions 1.7.0 onwards. This includes:
It does NOT support the Cloud Key Gen 2 or Gen 2 Plus as they do not ship with Docker (podman) support.
This script supports issuing Let's Encrypt certificates via the DNS challenge using Lego.
Edit `udm-le.env` and tweak variables to meet your needs.
Run `/mnt/data/udm-le/udm-le.sh initial`. This will handle your initial certificate generation and set up a cron task at `/etc/cron.d/udm-le` to attempt certificate renewal each morning at 0300.
On firmware updates or plain reboots, the cron file (`/etc/cron.d/udm-le`) gets removed, so if you'd like this to persist, I suggest you install boostchicken's on-boot-script package.
This script is set up such that, if it determines that on-boot-script is enabled, it will install an additional script at `/mnt/data/on_boot.d/99-udm-le.sh` which attempts certificate renewal shortly after a reboot (and subsequently sets the cron task back up again).
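As an added check (not part of the udm-le project), the following POSIX shell function verifies that the renewal pieces described above are still in place after a firmware update or reboot: the cron file, the on-boot hook, and optionally that the deployed certificate is not close to expiry. Paths default to the ones named here; that the cron file mentions `udm-le` and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own code: sanity-check the udm-le install state.
# Usage: udm_le_check [cron_file] [boot_hook] [cert_file]
udm_le_check() {
    cron_file="${1:-/etc/cron.d/udm-le}"
    boot_hook="${2:-/mnt/data/on_boot.d/99-udm-le.sh}"
    cert_file="${3:-}"   # optional PEM certificate to check for expiry
    status=0

    # 1. The cron task that attempts renewal each morning must still exist;
    #    it is removed by firmware updates and reboots. (Assumes the file
    #    references udm-le somewhere in its command line.)
    if [ -f "$cron_file" ] && grep -q 'udm-le' "$cron_file"; then
        echo "ok:   cron task present ($cron_file)"
    else
        echo "FAIL: cron task missing ($cron_file); re-run udm-le.sh initial"
        status=1
    fi

    # 2. The on-boot hook that re-creates the cron task must be present and
    #    executable, otherwise renewal will not survive the next reboot.
    if [ -x "$boot_hook" ]; then
        echo "ok:   on-boot hook present and executable ($boot_hook)"
    else
        echo "FAIL: on-boot hook missing or not executable ($boot_hook)"
        status=1
    fi

    # 3. Optionally confirm the deployed certificate has more than 30 days
    #    (2592000 seconds, an assumed threshold) of validity left.
    if [ -n "$cert_file" ]; then
        if command -v openssl >/dev/null 2>&1 && [ -r "$cert_file" ]; then
            if openssl x509 -in "$cert_file" -noout -checkend 2592000; then
                echo "ok:   certificate valid for more than 30 days"
            else
                echo "FAIL: certificate expires within 30 days"
                status=1
            fi
        else
            echo "WARN: cannot check $cert_file (openssl missing or file unreadable)"
        fi
    fi
    return "$status"
}
```

Returns 0 only when every check passes, so it can be wired into a monitoring job that alerts when a reboot has silently dropped the renewal task.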
The AWS Route53 DNS challenge can pick up configuration and authentication values from the shared credentials and configuration files described here. This script will check for and include these files during the initial certificate generation and subsequent renewals. Ensure that the DNS provider is set to `route53` in `udm-le.env`, create a new directory called `/mnt/data/udm-le` and add the config files required for your authentication. See the AWS CLI Documentation for more information. Currently only the `default` profile is supported.
If not done already, delegate a domain to an Azure DNS zone.
Assuming the DNS zone lives in subscription `00000000-0000-0000-0000-000000000000` and resource group `udm-le`, use the Azure CLI to provision an identity to manage the DNS zone by running:

```sh
# login
az login
# create a service principal with contributor (default) permissions scoped to the udm-le resource group only
az ad sp create-for-rbac --name godns --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/udm-le --role contributor
```
In your Cloudflare account settings, create an API token with the following permissions:
Once you have your token generated, add the value to
If you use DigitalOcean as your DNS provider, set your DNS provider to `digitalocean` and configure your `DO_AUTH_TOKEN`. Note: quoting your `DO_AUTH_TOKEN` seems to cause issues with Lego.
If you use DuckDNS as your DNS provider, set your DNS provider to `duckdns` and configure your
GCP Cloud DNS can be configured by creating a service account with the role `roles/dns.admin` and exporting a service account key for it. Ensure that the DNS provider is set to `gcloud` and that `GCE_SERVICE_ACCOUNT_FILE` references the path to the service account key (e.g. `./root/.secrets/my_service_account.json`). Create a new directory called `/mnt/data/udm-le` and add the service account file there.
The CLI will output a JSON object. Use the printed properties to initialize your configuration in `udm-le.env`.