Split out import process for root certs
parent
a49684b35f
commit
cad3656236
|
|
@ -0,0 +1,20 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
|
||||||
|
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
||||||
|
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
|
||||||
|
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
|
||||||
|
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
|
||||||
|
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
|
||||||
|
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
|
||||||
|
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
|
||||||
|
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
|
||||||
|
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
|
||||||
|
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
|
||||||
|
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
|
||||||
|
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
|
||||||
|
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
|
||||||
|
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
|
||||||
|
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
|
||||||
|
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
|
||||||
|
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
@ -13,18 +13,23 @@
|
||||||
# 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
|
# 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
|
||||||
# 09/26/2018: Change from TLS to HTTP authenticator
|
# 09/26/2018: Change from TLS to HTTP authenticator
|
||||||
# 09/22/2021: Update root certs
|
# 09/22/2021: Update root certs
|
||||||
|
# 10/10/2021: Split out import process for root certs
|
||||||
|
|
||||||
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
|
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
|
||||||
#LEBINARY="/usr/src/letsencrypt/certbot-auto"
|
#LEBINARY="/usr/src/letsencrypt/certbot-auto"
|
||||||
|
|
||||||
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
|
||||||
|
KEYSTORE=/usr/lib/unifi/data/keystore
|
||||||
|
|
||||||
|
|
||||||
function usage() {
|
function usage() {
|
||||||
echo "Usage: $0 -d <domain> [-e <email>] [-r] [-i]"
|
echo "Usage: $0 -d <domain> [-e <email>] [-r] [-i]"
|
||||||
echo " -d <domain>: The domain name to use."
|
echo " -d <domain>: The domain name to use."
|
||||||
echo " -e <email>: Email address to use for certificate."
|
echo " -e <email>: Email address to use for certificate."
|
||||||
echo " -r: Renew domain."
|
echo " -r: Renew domain."
|
||||||
echo " -i: Insert only, use to force insertion of certificate."
|
echo " -i: Insert only, use to force insertion of certificate."
|
||||||
|
echo " -a: use ace.jar for insert instead of keytool."
|
||||||
}
|
}
|
||||||
|
|
||||||
while getopts "hird:e:" opt; do
|
while getopts "hird:e:" opt; do
|
||||||
|
|
@ -117,8 +122,9 @@ else
|
||||||
echo "Cert has changed or -i option was used, updating controller..."
|
echo "Cert has changed or -i option was used, updating controller..."
|
||||||
TEMPFILE=$(mktemp)
|
TEMPFILE=$(mktemp)
|
||||||
CATEMPFILE=$(mktemp)
|
CATEMPFILE=$(mktemp)
|
||||||
|
INTERMEDTEMPFILE=$(mktemp)
|
||||||
|
|
||||||
# ISRG Root X1 and LE R3 certs to inject as well
|
# ISRG Root X1
|
||||||
cat > "${CATEMPFILE}" <<'_EOF'
|
cat > "${CATEMPFILE}" <<'_EOF'
|
||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
|
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
|
||||||
|
|
@ -151,33 +157,74 @@ oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
|
||||||
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
|
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
|
||||||
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
|
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
# LE R3 Intermediary
|
||||||
|
cat > "${INTERMEDTEMPFILE}" <<'_EOF'
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
|
||||||
|
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
||||||
|
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
|
||||||
|
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
|
||||||
|
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
|
||||||
|
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
|
||||||
|
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
|
||||||
|
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
|
||||||
|
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
|
||||||
|
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
|
||||||
|
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
|
||||||
|
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
|
||||||
|
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
|
||||||
|
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
|
||||||
|
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
|
||||||
|
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
|
||||||
|
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
|
||||||
|
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
|
||||||
|
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
|
||||||
|
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
|
||||||
|
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
|
||||||
|
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
|
||||||
|
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
|
||||||
|
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
|
||||||
|
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
|
||||||
|
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
|
||||||
|
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
|
||||||
|
nLRbwHOoq7hHwg==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
_EOF
|
_EOF
|
||||||
|
|
||||||
md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5"
|
md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5"
|
||||||
echo "Using openssl to prepare certificate..."
|
#echo "Using openssl to prepare certificate..."
|
||||||
cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}"
|
#cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}"
|
||||||
openssl pkcs12 -export -passout pass:aircontrolenterprise \
|
openssl pkcs12 -export -passout pass:aircontrolenterprise \
|
||||||
-in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \
|
-in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \
|
||||||
-inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \
|
-inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \
|
||||||
-out "${TEMPFILE}" -name unifi \
|
-out "${TEMPFILE}" -name unifi
|
||||||
-CAfile "${CATEMPFILE}" -caname root
|
|
||||||
|
|
||||||
echo "Stopping Unifi controller..."
|
echo "Stopping Unifi controller..."
|
||||||
service unifi stop
|
service unifi stop
|
||||||
|
|
||||||
|
echo "Importing root LE CA cert and intermediaries..."
|
||||||
|
keytool -import -trustcacerts -alias root -file "${CATEMPFILE}" \
|
||||||
|
-storepass aircontrolenterprise -keystore "${KEYSTORE}"
|
||||||
|
|
||||||
|
keytool -import -trustcacerts -alias intermediate1 -file "${INTERMEDTEMPFILE}" \
|
||||||
|
-storepass aircontrolenterprise -keystore "${KEYSTORE}"
|
||||||
|
|
||||||
|
|
||||||
echo "Removing existing certificate from Unifi protected keystore..."
|
echo "Removing existing certificate from Unifi protected keystore..."
|
||||||
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
|
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
|
||||||
-deststorepass aircontrolenterprise
|
-deststorepass aircontrolenterprise
|
||||||
|
|
||||||
echo "Inserting certificate into Unifi keystore..."
|
echo "Importing certificate into Unifi keystore..."
|
||||||
keytool -trustcacerts -importkeystore \
|
keytool -importkeystore \
|
||||||
-deststorepass aircontrolenterprise \
|
-deststorepass aircontrolenterprise \
|
||||||
-destkeypass aircontrolenterprise \
|
-destkeypass aircontrolenterprise \
|
||||||
-destkeystore /usr/lib/unifi/data/keystore \
|
-destkeystore /usr/lib/unifi/data/keystore \
|
||||||
-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
|
-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
|
||||||
-srcstorepass aircontrolenterprise \
|
-srcstorepass aircontrolenterprise \
|
||||||
-alias unifi
|
-alias unifi
|
||||||
rm -f "${TEMPFILE}" "${CATEMPFILE}"
|
rm -f "${TEMPFILE}" "${CATEMPFILE}" "${INTERMEDTEMPFILE}"
|
||||||
|
|
||||||
echo "Starting Unifi controller..."
|
echo "Starting Unifi controller..."
|
||||||
service unifi start
|
service unifi start
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue