brielle/lets-encrypt-scripts
1
0
Fork 1
Code Issues Pull Requests Releases Wiki Activity

Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests

Browse Source
This commit is contained in:
Brie Bruns 2018-05-29 14:35:37 -06:00
parent 4628f033ae
commit e315444de9
1 changed files with 103 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

181
gen-unifi-cert.sh
View File

@ -2,67 +2,85 @@
# Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh # Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
# Modified by: Brielle Bruns <bruns@2mbit.com> # Modified by: Brielle Bruns <bruns@2mbit.com>
# Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts # Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
# Version: 1.5 # Version: 1.6
# Last Changed: 02/04/2018 # Last Changed: 05/29/2018
# 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
# 02/27/2016: More verbose progress report # 02/27/2016: More verbose progress report
# 03/08/2016: Add renew option, reformat code, command line options # 03/08/2016: Add renew option, reformat code, command line options
# 03/24/2016: More sanity checking, embedding cert # 03/24/2016: More sanity checking, embedding cert
# 10/23/2017: Apparently don't need the ace.jar parts, so disable them # 10/23/2017: Apparently don't need the ace.jar parts, so disable them
# 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth # 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth
# 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
while getopts "ird:e:" opt; do
case $opt in
i) onlyinsert="yes";;
r) renew="yes";;
d) domains+=("$OPTARG");;
e) email=("$OPTARG");;
esac
done
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically # Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
#LEBINARY="/usr/src/letsencrypt/certbot-auto" #LEBINARY="/usr/src/letsencrypt/certbot-auto"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
function usage() {
echo "Usage: $0 -d <domain> [-e <email>] [-r] [-i]"
echo " -d <domain>: The domain name to use."
echo " -e <email>: Email address to use for certificate."
echo " -r: Renew domain."
echo " -i: Insert only, use to force insertion of certificate."
}
while getopts "hird:e:" opt; do
case $opt in
i) onlyinsert="yes";;
r) renew="yes";;
d) domains+=("$OPTARG");;
e) email="$OPTARG";;
h) usage
exit;;
esac
done
DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot
/usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot /usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
/usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt /usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
/usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto /usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto
/usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto /usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto
/usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto" /usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto"
if [[ ! -v LEBINARY ]]; then if [[ ! -v LEBINARY ]]; then
for i in ${DEFAULTLEBINARY}; do for i in ${DEFAULTLEBINARY}; do
if [[ -x ${i} ]]; then if [[ -x ${i} ]]; then
LEBINARY=${i} LEBINARY=${i}
echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}" echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
break break
fi fi
done done
fi fi
# Command line options depending on New or Renew. # Command line options depending on New or Renew.
NEWCERT="--renew-by-default certonly" NEWCERT="--renew-by-default certonly"
RENEWCERT="-n renew" RENEWCERT="-n renew"
# Check for required binaries
if [[ ! -x ${LEBINARY} ]]; then if [[ ! -x ${LEBINARY} ]]; then
echo "Error: LetsEncrypt binary not found in ${LEBINARY} !" echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
echo "You'll need to do one of the following:" echo "You'll need to do one of the following:"
echo "1) Change LEBINARY variable in this script" echo "1) Change LEBINARY variable in this script"
echo "2) Install LE manually or via your package manager and do #1" echo "2) Install LE manually or via your package manager and do #1"
echo "3) Use the included get-letsencrypt.sh script to install it" echo "3) Use the included get-letsencrypt.sh script to install it"
exit 1 exit 1
fi fi
if [[ ! -x $( which keytool ) ]]; then
echo "Error: Java keytool binary not found."
exit 1
fi
if [[ ! -x $( which openssl ) ]]; then
echo "Error: OpenSSL binary not found."
exit 1
fi
if [[ ! -z ${email} ]]; then if [[ ! -z ${email} ]]; then
email="--email ${email}" email="--email ${email}"
else else
email="" email=""
fi fi
shift $((OPTIND -1)) shift $((OPTIND -1))
@ -73,35 +91,34 @@ done
MAINDOMAIN=${domains[0]} MAINDOMAIN=${domains[0]}
if [[ -z ${MAINDOMAIN} ]]; then if [[ -z ${MAINDOMAIN} ]]; then
echo "Error: At least one -d argument is required" echo "Error: At least one -d argument is required"
exit 1 usage
exit 1
fi fi
if [[ ${renew} == "yes" ]]; then if [[ ${renew} == "yes" ]]; then
LEOPTIONS=${RENEWCERT} LEOPTIONS="${RENEWCERT}"
else else
LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}" LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
fi fi
if [[ ${onlyinsert} != "yes" ]]; then if [[ ${onlyinsert} != "yes" ]]; then
echo "Firing up standalone authenticator on TCP port 443 and requesting cert..." echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
${LEBINARY} \ ${LEBINARY} --server https://acme-v01.api.letsencrypt.org/directory \
--server https://acme-v01.api.letsencrypt.org/directory \ --agree-tos --standalone --preferred-challenges tls-sni ${LEOPTIONS}
--agree-tos \
--standalone --preferred-challenges tls-sni \
${LEOPTIONS}
fi fi
if `md5sum -c /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 &>/dev/null`; then if [[ ${onlyinsert} != "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then
echo "Cert has not changed, not updating controller." echo "Cert has not changed, not updating controller."
exit 0 exit 0
else else
TEMPFILE=$(mktemp) echo "Cert has changed or -i option was used, updating controller..."
CATEMPFILE=$(mktemp) TEMPFILE=$(mktemp)
CATEMPFILE=$(mktemp)
# Identrust cross-signed CA cert needed by the java keystore for import. # Identrust cross-signed CA cert needed by the java keystore for import.
# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
cat > "${CATEMPFILE}" <<'_EOF' cat > "${CATEMPFILE}" <<'_EOF'
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
@ -124,30 +141,34 @@ Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE----- -----END CERTIFICATE-----
_EOF _EOF
echo "Cert has changed, updating controller..." md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5"
md5sum /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem > /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 echo "Using openssl to prepare certificate..."
echo "Using openssl to prepare certificate..." cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}"
cat /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem >> "${CATEMPFILE}" openssl pkcs12 -export -passout pass:aircontrolenterprise \
openssl pkcs12 -export -passout pass:aircontrolenterprise \ -in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \
-in /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \ -inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \
-inkey /etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem \ -out "${TEMPFILE}" -name unifi \
-out "${TEMPFILE}" -name unifi \ -CAfile "${CATEMPFILE}" -caname root
-CAfile "${CATEMPFILE}" -caname root
echo "Stopping Unifi controller..." echo "Stopping Unifi controller..."
service unifi stop service unifi stop
echo "Removing existing certificate from Unifi protected keystore..."
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \ echo "Removing existing certificate from Unifi protected keystore..."
-deststorepass aircontrolenterprise keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
echo "Inserting certificate into Unifi keystore..." -deststorepass aircontrolenterprise
keytool -trustcacerts -importkeystore \
-deststorepass aircontrolenterprise \ echo "Inserting certificate into Unifi keystore..."
-destkeypass aircontrolenterprise \ keytool -trustcacerts -importkeystore \
-destkeystore /usr/lib/unifi/data/keystore \ -deststorepass aircontrolenterprise \
-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \ -destkeypass aircontrolenterprise \
-srcstorepass aircontrolenterprise \ -destkeystore /usr/lib/unifi/data/keystore \
-alias unifi -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
rm -f "${TEMPFILE}" "${CATEMPFILE}" -srcstorepass aircontrolenterprise \
echo "Starting Unifi controller..." -alias unifi
service unifi start rm -f "${TEMPFILE}" "${CATEMPFILE}"
echo "Done!"
echo "Starting Unifi controller..."
service unifi start
echo "Done!"
fi fi