Update Unifi SSL Certificate
I found the best way to handle the certificate on a self-hosted UniFi controller was to switch to Let's Encrypt. Now, my UniFi controller is behind a firewall, so we have to enable the DNS challenge. We do this as follows:
First – Thanks to glennr.nl for his fantastic scripts!!!
Second – download his script
curl -sO https://get.glennr.nl/unifi/extra/unifi-easy-encrypt.sh
Run his script
bash unifi-easy-encrypt.sh --fqdn unifi.mydomain.com --server-ip my.unifi.ip.address --dns-challenge --email my@email.com
Replace:
– unifi.mydomain.com with the correct FQDN of your server
– my.unifi.ip.address with the IP address of your UniFi server
– my@email.com with your email address for notifications about the certificates
During the process you will be prompted to enter a TXT record into your PUBLIC DNS server (not your internal DNS server). Create the record and confirm that it is working correctly before completing the script. (If there is some error in creating the TXT record, the creation of the certificate will fail and you will have to start over again – including creating or updating the TXT record.)
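One way to confirm the TXT record before letting the script continue, as an added example that is not part of the original post or of glennr.nl's script: it asks several public resolvers for the `_acme-challenge` record (the name Let's Encrypt checks for a DNS challenge) and compares the answer with the value you were given. It assumes `dig` is installed; the resolver addresses and the file name `check-acme-txt.sh` are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post or from glennr.nl's script).
# Confirms the Let's Encrypt DNS-01 TXT record is visible on PUBLIC resolvers.
# Assumptions: `dig` is installed; resolver IPs are illustrative public resolvers.
RESOLVERS="${RESOLVERS:-1.1.1.1 8.8.8.8 9.9.9.9}"

# ACME DNS-01 validation records live at _acme-challenge.<fqdn>.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1%.}"
}

# txt_matches RESOLVER NAME EXPECTED
# Succeeds only if RESOLVER returns a TXT value at NAME equal to EXPECTED.
txt_matches() {
    [ -n "$3" ] || return 1
    answers=$(dig +short TXT "$2" "@$1" 2>/dev/null) || return 1
    while IFS= read -r line; do
        line="${line#\"}"; line="${line%\"}"   # dig prints TXT data quoted
        if [ "$line" = "$3" ]; then return 0; fi
    done <<EOF
$answers
EOF
    return 1
}

# check_challenge FQDN EXPECTED
# Prints one status line per resolver; fails if any resolver lacks the value.
check_challenge() {
    name=$(challenge_name "$1")
    missing=0
    for resolver in $RESOLVERS; do
        if txt_matches "$resolver" "$name" "$2"; then
            echo "OK       $resolver  $name"
        else
            echo "MISSING  $resolver  $name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh check-acme-txt.sh unifi.mydomain.com 'value-shown-by-the-script'
if [ "$#" -eq 2 ]; then
    check_challenge "$1" "$2"
fi
```

A MISSING line for any resolver means the record has not propagated there yet, or an old value is still being served; wait and re-run before confirming in the script.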
That’s it!!