Heavily change how unifi script works

Brie Bruns 2016-03-08 12:04:03 -07:00
parent c5923ff322
commit 452ecb27b3
1 changed files with 68 additions and 39 deletions


@ -5,55 +5,84 @@
# Last Changed: 2/27/2016 # Last Changed: 2/27/2016
# 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
# 02/27/2016: More verbose progress report # 02/27/2016: More verbose progress report
# 03/08/2016: Add renew option, reformat code, command line options
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# The main domain name of your controller while getopts "rd:e:" opt; do
DOMAIN="unifi.xxxx.xxxxx" case $opt in
r) renew="yes";;
# Your e-mail address for notifications of certificate issues d) domains+=("$OPTARG");;
EMAIL="email@here" e) email=("$OPTARG");;
esac
done
# Identrust cross-signed CA cert needed by the java keystore for import. # Identrust cross-signed CA cert needed by the java keystore for import.
# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
EXTRACERT="/root/DSTROOTCAX3.txt" EXTRACERT="/root/DSTROOTCAX3.txt"
TEMPFILE=$(mktemp) NEWCERT="--renew-by-default certonly"
RENEWCERT="-n renew"
if [[ ! -z ${email} ]]; then
email="--email ${email}"
else
email=""
fi
shift $((OPTIND -1))
for val in "${domains[@]}"; do
DOMAINS="${DOMAINS} -d ${val} "
done
if ( $renew == "yes" ) {
LEOPTIONS=${RENEWCERT}
else
LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
fi
echo "Stopping Unifi controller..."
service unifi stop
echo "Firing up standalone authenticator on TCP port 443 and requesting cert..." echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
/usr/src/letsencrypt/letsencrypt-auto \ /usr/src/letsencrypt/letsencrypt-auto \
--email ${EMAIL} \
--server https://acme-v01.api.letsencrypt.org/directory \ --server https://acme-v01.api.letsencrypt.org/directory \
--agree-tos \ --agree-tos \
--renew-by-default \
-d ${DOMAIN} \
--standalone --standalone-supported-challenges tls-sni-01 \ --standalone --standalone-supported-challenges tls-sni-01 \
certonly ${LEOPTIONS}
echo "Using openssl to prepare certificate..."
openssl pkcs12 -export -passout pass:aircontrolenterprise \
-in /etc/letsencrypt/live/${DOMAIN}/cert.pem \ if `md5sum -c /etc/letsencrypt/live/${DOMAIN}/cert.pem.md5 %>/dev/null`; then
-inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem \ echo "Cert has not changed, not updating controller."
-out ${TEMPFILE} -name unifi \ exit 0
-CAfile /etc/letsencrypt/live/${DOMAIN}/chain.pem -caname root else
echo "Removing existing certificate from Unifi protected keystore..." TEMPFILE=$(mktemp)
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \ echo "Cert has changed, updating controller..."
-deststorepass aircontrolenterprise md5sum /etc/letsencrypt/live/${DOMAIN}/cert.pem > /etc/letsencrypt/live/${DOMAIN}/cert.pem.md5
echo "Inserting certificate into Unifi keystore..." echo "Using openssl to prepare certificate..."
keytool -trustcacerts -importkeystore \ openssl pkcs12 -export -passout pass:aircontrolenterprise \
-deststorepass aircontrolenterprise \ -in /etc/letsencrypt/live/${DOMAIN}/cert.pem \
-destkeypass aircontrolenterprise \ -inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem \
-destkeystore /usr/lib/unifi/data/keystore \ -out ${TEMPFILE} -name unifi \
-srckeystore ${TEMPFILE} -srcstoretype PKCS12 \ -CAfile /etc/letsencrypt/live/${DOMAIN}/chain.pem -caname root
-srcstorepass aircontrolenterprise \ echo "Stopping Unifi controller..."
-alias unifi service unifi stop
rm -f ${TEMPFILE} echo "Removing existing certificate from Unifi protected keystore..."
echo "Importing cert into Unifi database..." keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
java -jar /usr/lib/unifi/lib/ace.jar import_cert \ -deststorepass aircontrolenterprise
/etc/letsencrypt/live/${DOMAIN}/cert.pem \ echo "Inserting certificate into Unifi keystore..."
/etc/letsencrypt/live/${DOMAIN}/chain.pem \ keytool -trustcacerts -importkeystore \
${EXTRACERT} -deststorepass aircontrolenterprise \
echo "Starting Unifi controller..." -destkeypass aircontrolenterprise \
service unifi start -destkeystore /usr/lib/unifi/data/keystore \
echo "Done!" -srckeystore ${TEMPFILE} -srcstoretype PKCS12 \
-srcstorepass aircontrolenterprise \
-alias unifi
rm -f ${TEMPFILE}
echo "Importing cert into Unifi database..."
java -jar /usr/lib/unifi/lib/ace.jar import_cert \
/etc/letsencrypt/live/${DOMAIN}/cert.pem \
/etc/letsencrypt/live/${DOMAIN}/chain.pem \
${EXTRACERT}
echo "Starting Unifi controller..."
service unifi start
echo "Done!"
fi
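Review bot: The renew branch at `if ( $renew == "yes" ) {` is not bash syntax — `( … )` runs a subshell whose command is whatever `$renew` expands to, and the `{ … else … fi` pairing will not parse — so the script fails before it ever reaches letsencrypt; the line should read `if [[ "$renew" == "yes" ]]; then`. As far as the hunk shows, `DOMAIN` is no longer assigned anywhere (the option loop now fills the `domains` array), so every `/etc/letsencrypt/live/${DOMAIN}/…` path from the md5sum check down to the `import_cert` call expands to `/etc/letsencrypt/live//…`; a line such as `DOMAIN=${domains[0]}` after the getopts loop is needed, and `[[ -n "$DOMAIN" ]] || exit 1` would cover a run with no `-d` given (the top of the file, where such defaults may live, is outside the hunk). The changed-cert test also combines a typo with misused backticks: `%>/dev/null` should be `&>/dev/null`, and the backticks execute md5sum's output instead of testing its exit status, so it should be `if md5sum -c "/etc/letsencrypt/live/${DOMAIN}/cert.pem.md5" &>/dev/null; then`. Because the `.md5` sentinel is written before the keytool and `import_cert` steps run, a failed import leaves the next run believing the new cert is already installed; writing the checksum after a successful import (or running under `set -e`) avoids that.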