UniFi Dream Machine (UDM / UDM SE) does not natively manage or renew Let’s Encrypt certificates.
When UniFi OS updates occur, tools such as certbot are frequently removed, causing certificates to expire silently.
This document describes the manual, known-good recovery process for reinstalling certbot, re-issuing a certificate using DNS-01 validation via Cloudflare, and deploying it back into UniFi OS.
This process assumes:
root access to the UDM
You may encounter one or more of the following:
certbot: command not found when attempting renewal
Connect to the UDM over SSH:
ssh root@udm.example.com
Use the hostname or IP address as needed.
Ensure apt is functional:
apt update
If this fails, resolve package repository issues before continuing.
Install certbot and the Cloudflare DNS plugin:
apt install -y certbot python3-certbot-dns-cloudflare
Verify installation:
certbot --version
Create a persistent directory for certbot configuration:
mkdir -p /persistent/certbot
Create the Cloudflare credentials file:
nano /persistent/certbot/cloudflare.ini
Add the API token:
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN
Set secure permissions:
chmod 600 /persistent/certbot/cloudflare.ini
Because renewal metadata may be lost during UniFi OS updates, re-issuing the certificate is the most reliable approach.
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /persistent/certbot/cloudflare.ini -d udm.example.com
On success, certificates are stored at:
/etc/letsencrypt/live/udm.example.com/
UniFi OS does not automatically consume certbot certificates.
Copy the files into UniFi’s expected paths:
cp /etc/letsencrypt/live/udm.example.com/fullchain.pem /data/unifi-core/config/unifi-core.crt
cp /etc/letsencrypt/live/udm.example.com/privkey.pem /data/unifi-core/config/unifi-core.key
Restart UniFi Core services:
systemctl restart unifi-core
If the UI does not recover cleanly, reboot:
reboot
From a browser, navigate to:
https://udm.example.com
Confirm:
Safari is especially strict and useful for validation.
Removed by UniFi OS updates: certbot and its Python dependencies. Survives updates: /persistent.
Recommended long-term enhancements:
/persistent/bin
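As an added example (not part of this document), the procedure above folded into a script meant to live under /persistent/bin and safe to rerun, for instance from cron: it reinstalls certbot if an update removed it, refuses to run with a world-readable token file, skips issuance while the current certificate is fresh, checks that the issued key and certificate belong together, and only copies and restarts unifi-core when the files actually changed. It assumes GNU coreutils and openssl on the UDM and an EMAIL variable for the ACME account address (the page's own command is interactive and asks for it).

```shell
#!/bin/sh
# renew-udm-cert.sh: re-issue via certbot and deploy into UniFi OS; safe to rerun (e.g. from cron).
# Assumed paths: /persistent/certbot for credentials, /data/unifi-core/config for UniFi OS.
set -eu

DOMAIN="${DOMAIN:-udm.example.com}"
CREDS="${CREDS:-/persistent/certbot/cloudflare.ini}"
LIVE="/etc/letsencrypt/live/$DOMAIN"
UNIFI_CRT="${UNIFI_CRT:-/data/unifi-core/config/unifi-core.crt}"
UNIFI_KEY="${UNIFI_KEY:-/data/unifi-core/config/unifi-core.key}"

# Reinstall certbot and the Cloudflare DNS plugin if a UniFi OS update removed them.
ensure_certbot() {
  command -v certbot >/dev/null 2>&1 && return 0
  apt update && apt install -y certbot python3-certbot-dns-cloudflare
}

# The Cloudflare token can edit DNS for the whole zone; refuse to run if others can read it.
check_creds_perms() {
  [ "$(stat -c %a "$1")" = "600" ]
}

# True when the destination is missing or differs from the freshly issued file.
needs_deploy() {
  [ ! -f "$2" ] || ! cmp -s "$1" "$2"
}

# Deploying a key that does not belong to the cert leaves the UI unreachable; compare public keys.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

main() {
  : "${EMAIL:?set EMAIL to the ACME account address}"
  ensure_certbot
  check_creds_perms "$CREDS" || { echo "refusing: $CREDS must be mode 600" >&2; exit 1; }
  # --keep-until-expiring makes this a no-op while the current certificate is still fresh.
  certbot certonly --non-interactive --agree-tos --email "$EMAIL" --keep-until-expiring \
    --dns-cloudflare --dns-cloudflare-credentials "$CREDS" -d "$DOMAIN"
  key_matches_cert "$LIVE/fullchain.pem" "$LIVE/privkey.pem"
  if needs_deploy "$LIVE/fullchain.pem" "$UNIFI_CRT" || needs_deploy "$LIVE/privkey.pem" "$UNIFI_KEY"; then
    cp "$LIVE/fullchain.pem" "$UNIFI_CRT"
    cp "$LIVE/privkey.pem" "$UNIFI_KEY"
    systemctl restart unifi-core
  else
    echo "certificate unchanged; nothing to deploy"
  fi
}
# Run the full flow only when invoked as: sh renew-udm-cert.sh run
if [ "${1:-}" = "run" ]; then main; fi
```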