diff --git a/deploy/unifi.sh b/deploy/unifi.sh
index 4d8c058e..9ee7114c 100644
--- a/deploy/unifi.sh
+++ b/deploy/unifi.sh
@@ -135,6 +135,15 @@ unifi_deploy() {
       cp -f "$_import_pkcs12" "$_unifi_keystore"
     fi
 
+    # correct file ownership according to the directory, the keystore is placed in
+    _unifi_keystore_dir=$(dirname "${_unifi_keystore}")
+    _unifi_keystore_dir_owner=$(ls -ld "${_unifi_keystore_dir}" | awk '{print $3}')
+    _unifi_keystore_owner=$(ls -l "${_unifi_keystore}" | awk '{print $3}')
+    if ! [ "${_unifi_keystore_owner}" = "${_unifi_keystore_dir_owner}" ] ; then
+      _debug "Changing keystore owner to ${_unifi_keystore_dir_owner}"
+      chown $_unifi_keystore_dir_owner "${_unifi_keystore}" >/dev/null 2>&1 # fail quietly if we're not running as root
+    fi
+
     # Update unifi service for certificate cipher compatibility
     if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \
       -in "$_import_pkcs12" \