Initial import

DSTROOTCAX3.txt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----

apache-le-alias.conf

@@ -0,0 +1,11 @@
+<IfModule alias_module>
+	Alias /.well-known/acme-challenge "/var/www/letsencrypt-root/.well-known/acme-challenge"
+
+	<Directory "/var/www/letsencrypt-root/.well-known/acme-challenge">
+		Options FollowSymlinks
+		AllowOverride None
+		Order allow,deny
+		Allow from all
+		#Require all granted
+	</Directory>
+</IfModule>

apache-le-proxy.conf

@@ -0,0 +1,12 @@
+# Proxy method of letsencrypt auth
+# a2enmod proxy proxy_http
+<IfModule mod_proxy.c>
+	ProxyPass "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/" retry=1
+	ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/"
+         ProxyPreserveHost On
+	<Location "/.well-known/acme-challenge/">
+          Order allow,deny
+          Allow from all
+          #Require all granted
+	</Location>
+</IfModule>

gen-cert.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# Easy letsencrypt certs using a bash script.
+# v1.2 - 12/13/2015
+# By Brielle Bruns <bruns@2mbit.com>
+# http://www.sosdg.org
+
+
+# Use like:  gen-cert.sh -d domain1.com -d domain2.com
+#
+# There are three options for authentication:
+#
+# 1) Webroot (normal)
+#	Specify -r flag with -d and -e flags.
+#	gen-cert.sh -d domain1.com -r /var/www/domain1.com
+#
+# 2) Webroot (alias)
+#	Same as #1, but also include an alias directive in apache like in:
+#	http://users.sosdg.org/~bruns/lets-encrypt/apache-le-alias.conf
+#	And:
+#	mkdir -p /var/www/letsencrypt-root/.well-known/acme-challenge
+#	gen-cert.sh -d domain1.com -d domain2.com -r /var/www/letsencrypt-root/.well-known/acme-challenge
+#
+# 3) Proxy auth
+#	This auth method uses the standalone authenticator with a mod_proxy
+# 	http://users.sosdg.org/~bruns/lets-encrypt/apache-le-proxy.conf
+#	Original proxy idea from:
+#	http://evolvedigital.co.uk/how-to-get-letsencrypt-working-with-ispconfig-3/
+
+PROXYAUTH="--standalone --standalone-supported-challenges http-01 --http-01-port 9999"
+
+while getopts "d:r:e:" opt; do
+    case $opt in
+        d) domains+=("$OPTARG");;
+	r) webroot=("$OPTARG");;
+	e) email=("$OPTARG");;
+    esac
+done
+
+if [[ ! -z ${email} ]]; then
+	email="--email ${email}"
+else
+	email=""
+fi
+
+# Webroot auth method, activated with -r
+WEBAUTH="-a webroot --webroot-path ${webroot}"
+
+if [[ -z ${webroot} ]]; then
+	AUTH=${PROXYAUTH}
+else
+	AUTH=${WEBAUTH}
+fi
+
+shift $((OPTIND -1))
+for val in "${domains[@]}"; do
+        DOMAINS="${DOMAINS} -d ${val} "
+done
+
+
+
+cd /usr/src/letsencrypt
+./letsencrypt-auto ${email} \
+        --server https://acme-v01.api.letsencrypt.org/directory \
+        --agree-tos \
+        --renew-by-default \
+        ${AUTH} \
+        ${DOMAINS} \
+         certonly

gen-unifi-cert.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
+# Modified by: Brielle Bruns <bruns@2mbit.com>
+# Last Changed: 2/2/2016
+# Changed: Fixed some errors with key export/import, removed lame
+# docker requirements
+DOMAIN="unifi.xxxx.xxxxx"
+EMAIL="email@here"
+EXTRACERT="/root/DSTROOTCAX3.txt"
+TEMPFILE=$(mktemp)
+service unifi stop
+/usr/src/letsencrypt/letsencrypt-auto \
+	--email ${EMAIL} \
+	--server https://acme-v01.api.letsencrypt.org/directory \
+        --agree-tos \
+        --renew-by-default \
+        -d ${DOMAIN} \
+	--standalone --standalone-supported-challenges tls-sni-01 \
+         certonly
+openssl pkcs12 -export  -passout pass:aircontrolenterprise \
+    -in /etc/letsencrypt/live/${DOMAIN}/cert.pem \
+    -inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem \
+    -out ${TEMPFILE} -name unifi \
+    -CAfile /etc/letsencrypt/live/${DOMAIN}/chain.pem -caname root
+keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
+	-deststorepass aircontrolenterprise
+keytool -trustcacerts -importkeystore \
+    -deststorepass aircontrolenterprise \
+    -destkeypass aircontrolenterprise \
+    -destkeystore /usr/lib/unifi/data/keystore \
+    -srckeystore ${TEMPFILE} -srcstoretype PKCS12 \
+    -srcstorepass aircontrolenterprise \
+    -alias unifi
+rm -f ${TEMPFILE}
+java -jar /usr/lib/unifi/lib/ace.jar import_cert \
+    /etc/letsencrypt/live/${DOMAIN}/cert.pem \
+    /etc/letsencrypt/live/${DOMAIN}/chain.pem \
+    ${EXTRACERT}
+service unifi start