Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests

master
Brie Bruns 2018-05-29 14:35:37 -06:00
parent 4628f033ae
commit e315444de9
1 changed files with 103 additions and 82 deletions


@ -2,31 +2,40 @@
# Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh # Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
# Modified by: Brielle Bruns <bruns@2mbit.com> # Modified by: Brielle Bruns <bruns@2mbit.com>
# Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts # Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
# Version: 1.5 # Version: 1.6
# Last Changed: 02/04/2018 # Last Changed: 05/29/2018
# 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
# 02/27/2016: More verbose progress report # 02/27/2016: More verbose progress report
# 03/08/2016: Add renew option, reformat code, command line options # 03/08/2016: Add renew option, reformat code, command line options
# 03/24/2016: More sanity checking, embedding cert # 03/24/2016: More sanity checking, embedding cert
# 10/23/2017: Apparently don't need the ace.jar parts, so disable them # 10/23/2017: Apparently don't need the ace.jar parts, so disable them
# 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth # 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth
# 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
#LEBINARY="/usr/src/letsencrypt/certbot-auto"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
while getopts "ird:e:" opt; do function usage() {
echo "Usage: $0 -d <domain> [-e <email>] [-r] [-i]"
echo " -d <domain>: The domain name to use."
echo " -e <email>: Email address to use for certificate."
echo " -r: Renew domain."
echo " -i: Insert only, use to force insertion of certificate."
}
while getopts "hird:e:" opt; do
case $opt in case $opt in
i) onlyinsert="yes";; i) onlyinsert="yes";;
r) renew="yes";; r) renew="yes";;
d) domains+=("$OPTARG");; d) domains+=("$OPTARG");;
e) email=("$OPTARG");; e) email="$OPTARG";;
h) usage
exit;;
esac esac
done done
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
#LEBINARY="/usr/src/letsencrypt/certbot-auto"
DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot
/usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot /usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
/usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt /usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
@ -44,11 +53,11 @@ if [[ ! -v LEBINARY ]]; then
done done
fi fi
# Command line options depending on New or Renew. # Command line options depending on New or Renew.
NEWCERT="--renew-by-default certonly" NEWCERT="--renew-by-default certonly"
RENEWCERT="-n renew" RENEWCERT="-n renew"
# Check for required binaries
if [[ ! -x ${LEBINARY} ]]; then if [[ ! -x ${LEBINARY} ]]; then
echo "Error: LetsEncrypt binary not found in ${LEBINARY} !" echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
echo "You'll need to do one of the following:" echo "You'll need to do one of the following:"
@ -58,6 +67,15 @@ if [[ ! -x ${LEBINARY} ]]; then
exit 1 exit 1
fi fi
if [[ ! -x $( which keytool ) ]]; then
echo "Error: Java keytool binary not found."
exit 1
fi
if [[ ! -x $( which openssl ) ]]; then
echo "Error: OpenSSL binary not found."
exit 1
fi
if [[ ! -z ${email} ]]; then if [[ ! -z ${email} ]]; then
email="--email ${email}" email="--email ${email}"
@ -74,28 +92,27 @@ MAINDOMAIN=${domains[0]}
if [[ -z ${MAINDOMAIN} ]]; then if [[ -z ${MAINDOMAIN} ]]; then
echo "Error: At least one -d argument is required" echo "Error: At least one -d argument is required"
usage
exit 1 exit 1
fi fi
if [[ ${renew} == "yes" ]]; then if [[ ${renew} == "yes" ]]; then
LEOPTIONS=${RENEWCERT} LEOPTIONS="${RENEWCERT}"
else else
LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}" LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
fi fi
if [[ ${onlyinsert} != "yes" ]]; then if [[ ${onlyinsert} != "yes" ]]; then
echo "Firing up standalone authenticator on TCP port 443 and requesting cert..." echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
${LEBINARY} \ ${LEBINARY} --server https://acme-v01.api.letsencrypt.org/directory \
--server https://acme-v01.api.letsencrypt.org/directory \ --agree-tos --standalone --preferred-challenges tls-sni ${LEOPTIONS}
--agree-tos \
--standalone --preferred-challenges tls-sni \
${LEOPTIONS}
fi fi
if `md5sum -c /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 &>/dev/null`; then if [[ ${onlyinsert} != "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then
echo "Cert has not changed, not updating controller." echo "Cert has not changed, not updating controller."
exit 0 exit 0
else else
echo "Cert has changed or -i option was used, updating controller..."
TEMPFILE=$(mktemp) TEMPFILE=$(mktemp)
CATEMPFILE=$(mktemp) CATEMPFILE=$(mktemp)
@ -124,20 +141,22 @@ Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE----- -----END CERTIFICATE-----
_EOF _EOF
echo "Cert has changed, updating controller..." md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5"
md5sum /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem > /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5
echo "Using openssl to prepare certificate..." echo "Using openssl to prepare certificate..."
cat /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem >> "${CATEMPFILE}" cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}"
openssl pkcs12 -export -passout pass:aircontrolenterprise \ openssl pkcs12 -export -passout pass:aircontrolenterprise \
-in /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \ -in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \
-inkey /etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem \ -inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \
-out "${TEMPFILE}" -name unifi \ -out "${TEMPFILE}" -name unifi \
-CAfile "${CATEMPFILE}" -caname root -CAfile "${CATEMPFILE}" -caname root
echo "Stopping Unifi controller..." echo "Stopping Unifi controller..."
service unifi stop service unifi stop
echo "Removing existing certificate from Unifi protected keystore..." echo "Removing existing certificate from Unifi protected keystore..."
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \ keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
-deststorepass aircontrolenterprise -deststorepass aircontrolenterprise
echo "Inserting certificate into Unifi keystore..." echo "Inserting certificate into Unifi keystore..."
keytool -trustcacerts -importkeystore \ keytool -trustcacerts -importkeystore \
-deststorepass aircontrolenterprise \ -deststorepass aircontrolenterprise \
@ -147,7 +166,9 @@ _EOF
-srcstorepass aircontrolenterprise \ -srcstorepass aircontrolenterprise \
-alias unifi -alias unifi
rm -f "${TEMPFILE}" "${CATEMPFILE}" rm -f "${TEMPFILE}" "${CATEMPFILE}"
echo "Starting Unifi controller..." echo "Starting Unifi controller..."
service unifi start service unifi start
echo "Done!" echo "Done!"
fi fi
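Review bot: The update path in the last two hunks still records the new cert as installed before it is actually in the keystore and never checks that the install succeeded: `cert.pem.md5` is written right after the here-doc, before `openssl pkcs12 -export`, `keytool -delete` and `keytool -importkeystore` run, and none of those exit statuses are examined. If the export or import fails (the commit adds presence checks for `keytool`/`openssl`, but not result checks), the `unifi` alias has already been deleted, the controller is restarted without it, and — because the `.md5` now matches — the next run prints "Cert has not changed, not updating controller." and exits 0, so the breakage persists until someone runs with `-i`. Since this script has no `set -e`, I'd abort before touching the keystore when the PKCS12 export fails, capture the import status, and only write the `.md5` on success; the `rm -f` of the PKCS12 temp file (it contains `privkey.pem`) should stay on every path. Whether `keytool -importkeystore` fails cleanly on an empty or partial PKCS12 I can't confirm from here, which is one more reason to check it rather than assume. The `-deststorepass`/`-srckeystore` arguments of the import fall between the hunks, so the fence below leaves that call untouched and only adds the checks around it.
```shell
# … unchanged: TEMPFILE/CATEMPFILE mktemp, embedded CA here-doc …
# NOTE: the md5sum line that used to be here moves below, after a successful import.
echo "Using openssl to prepare certificate..."
cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}"
if ! openssl pkcs12 -export -passout pass:aircontrolenterprise \
    -in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \
    -inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \
    -out "${TEMPFILE}" -name unifi \
    -CAfile "${CATEMPFILE}" -caname root; then
  echo "Error: openssl pkcs12 export failed; controller keystore left untouched." >&2
  rm -f "${TEMPFILE}" "${CATEMPFILE}"
  exit 1
fi
# … unchanged: service unifi stop, keytool -delete, keytool -importkeystore …
import_rc=$?
# The PKCS12 temp file holds the private key: always remove it, success or not.
rm -f "${TEMPFILE}" "${CATEMPFILE}"
if [[ ${import_rc} -eq 0 ]]; then
  # Only now record the cert as installed, so a failed import is retried next run
  # instead of being reported as "not changed".
  md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5"
else
  echo "Error: keytool import failed (exit ${import_rc}); the 'unifi' entry was deleted and not replaced." >&2
fi
# … unchanged: service unifi start, "Done!" …
```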