Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] The title contains the plugin to which this issue belongs
Describe the bug
The Unifi controller starts successfully, but unifi doesn't have permissions to read / load the keystore as it's owned by root after deployment with 640. ~~However, after fixing permissions I am still unable to view the controller.~~
After manually fixing the unifi permissions (chown unifi keystore) on /usr/local/share/java/unifi/data/keystore and restarting the unifi service manually, I can access the controller successfully.
The acme.sh script seems to have permission errors when changing who owns the keystore, which is strange as the new keystore created by acme is owned by root.
Updated reproduction steps below
To Reproduce
Steps to reproduce the behavior:
- create an automation in acme client to reload the renewed certificate to the unifi keystore
- force the automations for the related certificate
- go to /usr/local/share/java/unifi/data/ and run ls -lsha and see owner / permissions of the keystore
- restart unifi controller plugin
- attempt to access the controller
- run:
sudo chown unifi /usr/local/share/java/unifi/data/keystore
- restart the unifi controller plugin
- successfully access the controller
Expected behavior
acme automation reloads the keystore successfully, gives unifi all required permissions, and restarts the unifi service
Screenshots

Relevant log files
from server.log
[2025-08-04T02:09:26,441+02:00] INFO system - [internal] unable to set file permission on /usr/local/share/java/unifi/data/system.properties_original: /usr/local/share/java/unifi/data/system.properties_original: Operation not permitted
[2025-08-04T02:09:26,444+02:00] INFO system - [internal] unable to set file permission on /usr/local/share/java/unifi/data/keystore: /usr/local/share/java/unifi/data/keystore: Operation not permitted
[2025-08-04T02:09:26,654+02:00] INFO startup - Initiating startup
[2025-08-04T02:09:26,946+02:00] INFO system - ======================================================================
[2025-08-04T02:09:26,947+02:00] INFO system - UniFi 9.1.120 (build atag_9.1.120_29197 - release/release) is started
[2025-08-04T02:09:26,948+02:00] INFO system - Environment: UniFi-OS[false], UniFi-Cloud[false], UniFi-MongoService[false]
[2025-08-04T02:09:26,948+02:00] INFO system - ======================================================================
x
x
x
[2025-08-04T02:09:26,957+02:00] INFO system - ubic.env: prod
[2025-08-04T02:09:26,957+02:00] INFO system - System loaded
[2025-08-04T02:09:26,996+02:00] INFO mongo - Checking if database needs to be shut down
[2025-08-04T02:09:28,092+02:00] INFO mongo - Database was not running
[2025-08-04T02:09:28,092+02:00] INFO mongo - Starting database process...
[2025-08-04T02:09:29,128+02:00] INFO mongo - Database process is started
[2025-08-04T02:09:29,139+02:00] INFO mongo - Connected to database (v6.0.23@mongodb://localhost:27117, journal enabled)
[2025-08-04T02:09:29,141+02:00] WARN startup - component[mongoRuntimeService] initialization took 2145ms
[2025-08-04T02:09:29,244+02:00] INFO db - Starting database service initialization...
[2025-08-04T02:09:29,307+02:00] INFO db - Database service initialized...
[2025-08-04T02:09:29,558+02:00] WARN system - Valid keystore is missing or invalid. Generating one ...
[2025-08-04T02:09:29,559+02:00] INFO system - Generating Certificate[UniFi]... please wait...
[2025-08-04T02:09:29,786+02:00] INFO system - Certificate generation failed
java.io.FileNotFoundException: /usr/local/share/java/unifi/data/keystore (Permission denied)
at java.base/java.io.FileOutputStream.open0(Native Method)
at java.base/java.io.FileOutputStream.open(FileOutputStream.java:293)
at java.base/java.io.FileOutputStream.(FileOutputStream.java:235)
at java.base/java.io.FileOutputStream.(FileOutputStream.java:123)
at com.ubnt.service.system.floatString.Ø00000(Unknown Source)
at com.ubnt.service.system.floatString.ôÒ0000(Unknown Source)
at com.ubnt.service.system.floatString.ÓÓ0000(Unknown Source)
at com.ubnt.service.system.floatString.(Unknown Source)
at com.ubnt.net.B.whilesuper(Unknown Source)
at com.ubnt.net.B.ÕO0000(Unknown Source)
at com.ubnt.net.B.ÓO0000(Unknown Source)
at com.ubnt.net.B.Ö00000(Unknown Source)
at com.ubnt.net.B.ö00000(Unknown Source)
at com.ubnt.net.B.null(Unknown Source)
at com.ubnt.net.S.õÔ0000(Unknown Source)
at com.ubnt.net.S.ÕÔ0000(Unknown Source)
at com.ubnt.net.S.ØÔ0000(Unknown Source)
at com.ubnt.service.ooOO.Òo0000(Unknown Source)
at com.ubnt.ace.Launcher.Ó00000(Unknown Source)
at com.ubnt.ace.Launcher.main(Unknown Source)
[2025-08-04T02:09:29,791+02:00] INFO tomcat - Adding basic REST API support during the startup
[2025-08-04T02:09:30,079+02:00] ERROR LifecycleBase - Failed to start component [Connector["https-jsse-nio-8443"]]
org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1082)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:428)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:870)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
at com.ubnt.net.S.ØÔ0000(Unknown Source)
at com.ubnt.service.ooOO.Òo0000(Unknown Source)
at com.ubnt.ace.Launcher.Ó00000(Unknown Source)
at com.ubnt.ace.Launcher.main(Unknown Source)
Caused by: java.lang.IllegalArgumentException: /usr/local/share/java/unifi/data/keystore (Permission denied)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:70)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:199)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1304)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1390)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:644)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1079)
... 10 common frames omitted
Caused by: java.io.FileNotFoundException: /usr/local/share/java/unifi/data/keystore (Permission denied)
at java.base/java.io.FileInputStream.open0(Native Method)
at java.base/java.io.FileInputStream.open(FileInputStream.java:216)
at java.base/java.io.FileInputStream.(FileInputStream.java:157)
at org.apache.catalina.startup.CatalinaBaseConfigurationSource.getResource(CatalinaBaseConfigurationSource.java:93)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:210)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:254)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:308)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 16 common frames omitted
[2025-08-04T02:09:30,083+02:00] ERROR LifecycleBase - Failed to start component [Connector["https-jsse-nio-8843"]]
org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1082)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:428)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:870)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
at com.ubnt.net.S.ØÔ0000(Unknown Source)
at com.ubnt.service.ooOO.Òo0000(Unknown Source)
at com.ubnt.ace.Launcher.Ó00000(Unknown Source)
at com.ubnt.ace.Launcher.main(Unknown Source)
Caused by: java.lang.IllegalArgumentException: /usr/local/share/java/unifi/data/keystore (Permission denied)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:70)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:199)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1304)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1390)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:644)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1079)
... 10 common frames omitted
Caused by: java.io.FileNotFoundException: /usr/local/share/java/unifi/data/keystore (Permission denied)
at java.base/java.io.FileInputStream.open0(Native Method)
at java.base/java.io.FileInputStream.open(FileInputStream.java:216)
at java.base/java.io.FileInputStream.(FileInputStream.java:157)
at org.apache.catalina.startup.CatalinaBaseConfigurationSource.getResource(CatalinaBaseConfigurationSource.java:93)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:210)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:254)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:308)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 16 common frames omitted
[2025-08-04T02:09:30,084+02:00] INFO system - Tomcat startup took 3422ms
[2025-08-04T02:09:41,013+02:00] WARN system - cannot load native lib - ubnt_webrtc_jni
[2025-08-04T02:09:46,582+02:00] INFO startup - Startup complete
[2025-08-04T02:09:56,435+02:00] WARN blebridge - unable to load local keystore for BLE bridge /usr/local/share/java/unifi/data/keystore (Permission denied)
[2025-08-04T02:10:06,435+02:00] WARN blebridge - unable to load local keystore for BLE bridge /usr/local/share/java/unifi/data/keystore (Permission denied)
from ACME log:
2025-08-04T02:09:25 acme.sh [Mon Aug 4 02:09:25 CEST 2025] Success
2025-08-04T02:09:25 acme.sh [Mon Aug 4 02:09:25 CEST 2025] Reload success!
2025-08-04T02:09:22 acme.sh [Mon Aug 4 02:09:22 CEST 2025] Reload services (this may take some time): service unifi restart
2025-08-04T02:09:22 acme.sh [Mon Aug 4 02:09:22 CEST 2025] Install Unifi Controller certificate success!
2025-08-04T02:09:22 acme.sh [Mon Aug 4 02:09:22 CEST 2025] System configuration updated.
2025-08-04T02:09:22 acme.sh [Mon Aug 4 02:09:22 CEST 2025] Saved original system config to /usr/local/share/java/unifi/data/system.properties_original
2025-08-04T02:09:22 acme.sh [Mon Aug 4 02:09:22 CEST 2025] Updating system configuration for cipher compatibility.
2025-08-04T02:09:22 acme.sh [Mon Aug 4 02:09:22 CEST 2025] Previous keystore saved to /usr/local/share/java/unifi/data/keystore_original.
2025-08-04T02:09:22 acme.sh [Mon Aug 4 02:09:22 CEST 2025] Installing certificate for Unifi Controller (Java keystore)
Additional context
The service actually starts and is listening on ports 8080 and 8443, but there's the SSL error on 8080, and a timeout on 8443
root@opnsense:/usr/local/share/java/unifi # sockstat -l | grep 8080
unifi java 69478 180 tcp46 *:8080 :
root@opnsense:/usr/local/share/java/unifi # sockstat -l | grep 8443
unifi java 69478 186 tcp46 *:8443 :
I saw this, but I don't have CrowdStrike and this only occurred after enabling the automation:
https://github.com/mimugmail/opn-repo/issues/217
Environment
Software version used and hardware type if relevant.
e.g.:
os-acme-client (installed) | 4.10
os-unifi9-maxit (installed) | 1.4
OPNsense 25.7.1_1-amd64
Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
The harddrive failed in my opnsense recently and as I was restoring stuff, I ran into this problem again. I successfully fixed the issue by running sudo chown unifi /usr/local/share/java/unifi/data/keystore and restarting the controller.
@fraenki
Potentially linked to the issue?
https://github.com/acmesh-official/acme.sh/blob/master/deploy/unifi.sh
# correct file ownership according to the directory, the keystore is placed in
The unifi plugin creates the directory owned by root, and so when it tries to redeploy, it sees root is the directory owner.
/usr/local/share/java/unifi/ seems to be owned by root, and a mix/match of folders are owned by root, too.
However, it still deploys a root-owned keystore.
Quick and dirty workaround:
/usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeUnifi.php
// $this->acme_env['DEPLOY_UNIFI_RELOAD'] = 'service unifi restart';
$this->acme_env['DEPLOY_UNIFI_RELOAD'] = 'chown unifi:wheel ' . (string)$this->config->acme_unifi_keystore . '; service unifi restart';
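As an added example (not code from the issue, the OPNsense plugin or acme.sh), the script below does two things the thread does by hand: it pulls the paths the JVM could not open out of server.log lines like the ones quoted above, and it implements the reload step the way the workaround intends, handing the keystore to the service user and only then restarting. The log excerpt is constructed to mirror the report; the service user name, keystore path and restart command are defaults taken from the report and can be overridden, so they are assumptions rather than anything the plugin guarantees.

```shell
#!/bin/sh
# Added example, not from the issue or from acme.sh's deploy/unifi.sh.
# Assumed defaults (from the report): service user "unifi", keystore
# /usr/local/share/java/unifi/data/keystore, restart via "service unifi restart".
set -u

# Constructed sample of server.log lines, shaped like those in the report.
SAMPLE_LOG='[2025-08-04T02:09:29,786+02:00] INFO system - Certificate generation failed
java.io.FileNotFoundException: /usr/local/share/java/unifi/data/keystore (Permission denied)
[2025-08-04T02:09:29,791+02:00] INFO tomcat - Adding basic REST API support during the startup
Caused by: java.io.FileNotFoundException: /usr/local/share/java/unifi/data/keystore (Permission denied)
[2025-08-04T02:09:56,435+02:00] WARN blebridge - unable to load local keystore for BLE bridge /usr/local/share/java/unifi/data/keystore (Permission denied)
[2025-08-04T02:09:41,013+02:00] WARN system - cannot load native lib - ubnt_webrtc_jni'

# Read log lines on stdin, print each distinct absolute path that was
# reported as "(Permission denied)". The path is the space-delimited,
# slash-rooted token immediately before the marker.
denied_paths() {
    sed -n 's/.* \(\/[^ ]*\) (Permission denied).*/\1/p' | sort -u
}

# Owner of a file, portable across GNU stat (Linux) and BSD stat (FreeBSD/OPNsense).
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null
}

# Return 0 when the file is owned by the expected user, 1 otherwise (diagnostic on stderr).
owned_by() {
    _file=$1; _user=$2
    _owner=$(file_owner "$_file") || { echo "cannot stat $_file" >&2; return 1; }
    [ "$_owner" = "$_user" ] && return 0
    echo "$_file is owned by $_owner, expected $_user" >&2
    return 1
}

# Chown only when needed, then re-check so a silently failed chown is caught.
ensure_owner() {
    _file=$1; _user=$2
    owned_by "$_file" "$_user" 2>/dev/null && return 0
    chown "$_user" "$_file" 2>/dev/null || return 1
    owned_by "$_file" "$_user"
}

# What a DEPLOY_UNIFI_RELOAD hook should do: fix ownership first, restart only
# if the service user will actually be able to open the keystore.
#   $1 keystore path, $2 service user, $3 restart command (all optional)
safe_reload() {
    _keystore=${1:-/usr/local/share/java/unifi/data/keystore}
    _user=${2:-unifi}
    _restart=${3:-"service unifi restart"}
    ensure_owner "$_keystore" "$_user" || {
        echo "not restarting: $_keystore is not owned by $_user" >&2
        return 1
    }
    sh -c "$_restart"
}

# Usage: triage the sample log, then (as root on the firewall) run the hook.
#   printf '%s\n' "$SAMPLE_LOG" | denied_paths
#   safe_reload            # uses the assumed defaults above
```

The ownership re-check after `chown` is deliberate: the server.log lines above show UniFi itself reporting "Operation not permitted" when it tried to fix permissions, so a hook that only runs `chown` and assumes success would still restart into a broken TLS listener. Keep the hook in a root-owned, non-world-writable location, since whatever the deploy step executes runs with the privileges of the acme client.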
There have been multiple PRs upstream. This (https://github.com/acmesh-official/acme.sh/pull/6604) is now finally released as v3.1.2 which is included in opnsense v25.7.5
I can confirm the new update does now set the permissions correctly. There's a log entry and I also checked the owner of the keystore after renewing the certificate. Closing this ticket now.