From cad3656236778c4cacd071bf47441d5d5705b35e Mon Sep 17 00:00:00 2001 From: Brie Bruns Date: Sun, 10 Oct 2021 21:24:10 -0600 Subject: [PATCH] Split out import process for root certs --- isrgrootx1.pem => certs/isrgrootx1.pem | 0 .../lets-encrypt-r3.pem | 0 certs/trustid-x3-root.pem.txt | 20 ++++++ gen-unifi-cert.sh | 65 ++++++++++++++++--- 4 files changed, 76 insertions(+), 9 deletions(-) rename isrgrootx1.pem => certs/isrgrootx1.pem (100%) rename lets-encrypt-r3.pem => certs/lets-encrypt-r3.pem (100%) create mode 100644 certs/trustid-x3-root.pem.txt diff --git a/isrgrootx1.pem b/certs/isrgrootx1.pem similarity index 100% rename from isrgrootx1.pem rename to certs/isrgrootx1.pem diff --git a/lets-encrypt-r3.pem b/certs/lets-encrypt-r3.pem similarity index 100% rename from lets-encrypt-r3.pem rename to certs/lets-encrypt-r3.pem diff --git a/certs/trustid-x3-root.pem.txt b/certs/trustid-x3-root.pem.txt new file mode 100644 index 0000000..b2e43c9 --- /dev/null +++ b/certs/trustid-x3-root.pem.txt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow +PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O +rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq +OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b +xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw +7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD +aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG +SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 +ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr +AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz +R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 +JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo +Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +-----END CERTIFICATE----- diff --git a/gen-unifi-cert.sh b/gen-unifi-cert.sh index 2c36442..847f6c3 100755 --- a/gen-unifi-cert.sh +++ b/gen-unifi-cert.sh @@ -13,18 +13,23 @@ # 05/29/2018: Integrate patch from Donald Webster to cleanup and improve tests # 09/26/2018: Change from TLS to HTTP authenticator # 09/22/2021: Update root certs +# 10/10/2021: Split out import process for root certs # Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically #LEBINARY="/usr/src/letsencrypt/certbot-auto" PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +KEYSTORE=/usr/lib/unifi/data/keystore + + function usage() { echo "Usage: $0 -d [-e ] [-r] [-i]" echo " -d : The domain name to use." echo " -e : Email address to use for certificate." echo " -r: Renew domain." echo " -i: Insert only, use to force insertion of certificate." + echo " -a: use ace.jar for insert instead of keytool." } while getopts "hird:e:" opt; do @@ -117,8 +122,9 @@ else echo "Cert has changed or -i option was used, updating controller..." TEMPFILE=$(mktemp) CATEMPFILE=$(mktemp) + INTERMEDTEMPFILE=$(mktemp) - # ISRG Root X1 and LE R3 certs to inject as well + # ISRG Root X1 cat > "${CATEMPFILE}" <<'_EOF' -----BEGIN CERTIFICATE----- MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw @@ -151,33 +157,74 @@ oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- +_EOF + + # LE R3 Intermediary + cat > "${INTERMEDTEMPFILE}" <<'_EOF' +-----BEGIN CERTIFICATE----- +MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw +WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP +R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx +sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm +NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg +Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG +/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB +Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA +FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw +Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB +gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W +PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl +ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz +CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm +lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 +avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 +yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O +yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids +hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ +HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv +MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX +nLRbwHOoq7hHwg== +-----END CERTIFICATE----- _EOF md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" - echo "Using openssl to prepare certificate..." - cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}" + #echo "Using openssl to prepare certificate..." + #cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}" openssl pkcs12 -export -passout pass:aircontrolenterprise \ -in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \ -inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \ - -out "${TEMPFILE}" -name unifi \ - -CAfile "${CATEMPFILE}" -caname root - + -out "${TEMPFILE}" -name unifi + echo "Stopping Unifi controller..." service unifi stop + + echo "Importing root LE CA cert and intermediaries..." + keytool -import -trustcacerts -alias root -file "${CATEMPFILE}" \ + -storepass aircontrolenterprise -keystore "${KEYSTORE}" + + keytool -import -trustcacerts -alias intermediate1 -file "${INTERMEDTEMPFILE}" \ + -storepass aircontrolenterprise -keystore "${KEYSTORE}" + echo "Removing existing certificate from Unifi protected keystore..." keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \ -deststorepass aircontrolenterprise - echo "Inserting certificate into Unifi keystore..." - keytool -trustcacerts -importkeystore \ + echo "Importing certificate into Unifi keystore..." + keytool -importkeystore \ -deststorepass aircontrolenterprise \ -destkeypass aircontrolenterprise \ -destkeystore /usr/lib/unifi/data/keystore \ -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \ -srcstorepass aircontrolenterprise \ -alias unifi - rm -f "${TEMPFILE}" "${CATEMPFILE}" + rm -f "${TEMPFILE}" "${CATEMPFILE}" "${INTERMEDTEMPFILE}" echo "Starting Unifi controller..." service unifi start