Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
parent
4628f033ae
commit
e315444de9
|
@ -2,67 +2,85 @@
|
||||||
# Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
|
# Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
|
||||||
# Modified by: Brielle Bruns <bruns@2mbit.com>
|
# Modified by: Brielle Bruns <bruns@2mbit.com>
|
||||||
# Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
|
# Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
|
||||||
# Version: 1.5
|
# Version: 1.6
|
||||||
# Last Changed: 02/04/2018
|
# Last Changed: 05/29/2018
|
||||||
# 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
|
# 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
|
||||||
# 02/27/2016: More verbose progress report
|
# 02/27/2016: More verbose progress report
|
||||||
# 03/08/2016: Add renew option, reformat code, command line options
|
# 03/08/2016: Add renew option, reformat code, command line options
|
||||||
# 03/24/2016: More sanity checking, embedding cert
|
# 03/24/2016: More sanity checking, embedding cert
|
||||||
# 10/23/2017: Apparently don't need the ace.jar parts, so disable them
|
# 10/23/2017: Apparently don't need the ace.jar parts, so disable them
|
||||||
# 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth
|
# 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth
|
||||||
|
# 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
|
||||||
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
||||||
|
|
||||||
while getopts "ird:e:" opt; do
|
|
||||||
case $opt in
|
|
||||||
i) onlyinsert="yes";;
|
|
||||||
r) renew="yes";;
|
|
||||||
d) domains+=("$OPTARG");;
|
|
||||||
e) email=("$OPTARG");;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
|
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
|
||||||
#LEBINARY="/usr/src/letsencrypt/certbot-auto"
|
#LEBINARY="/usr/src/letsencrypt/certbot-auto"
|
||||||
|
|
||||||
|
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
|
||||||
|
function usage() {
|
||||||
|
echo "Usage: $0 -d <domain> [-e <email>] [-r] [-i]"
|
||||||
|
echo " -d <domain>: The domain name to use."
|
||||||
|
echo " -e <email>: Email address to use for certificate."
|
||||||
|
echo " -r: Renew domain."
|
||||||
|
echo " -i: Insert only, use to force insertion of certificate."
|
||||||
|
}
|
||||||
|
|
||||||
|
while getopts "hird:e:" opt; do
|
||||||
|
case $opt in
|
||||||
|
i) onlyinsert="yes";;
|
||||||
|
r) renew="yes";;
|
||||||
|
d) domains+=("$OPTARG");;
|
||||||
|
e) email="$OPTARG";;
|
||||||
|
h) usage
|
||||||
|
exit;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot
|
DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot
|
||||||
/usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
|
/usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
|
||||||
/usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
|
/usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
|
||||||
/usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto
|
/usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto
|
||||||
/usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto
|
/usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto
|
||||||
/usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto"
|
/usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto"
|
||||||
|
|
||||||
if [[ ! -v LEBINARY ]]; then
|
if [[ ! -v LEBINARY ]]; then
|
||||||
for i in ${DEFAULTLEBINARY}; do
|
for i in ${DEFAULTLEBINARY}; do
|
||||||
if [[ -x ${i} ]]; then
|
if [[ -x ${i} ]]; then
|
||||||
LEBINARY=${i}
|
LEBINARY=${i}
|
||||||
echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
|
echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Command line options depending on New or Renew.
|
# Command line options depending on New or Renew.
|
||||||
NEWCERT="--renew-by-default certonly"
|
NEWCERT="--renew-by-default certonly"
|
||||||
RENEWCERT="-n renew"
|
RENEWCERT="-n renew"
|
||||||
|
|
||||||
|
# Check for required binaries
|
||||||
if [[ ! -x ${LEBINARY} ]]; then
|
if [[ ! -x ${LEBINARY} ]]; then
|
||||||
echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
|
echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
|
||||||
echo "You'll need to do one of the following:"
|
echo "You'll need to do one of the following:"
|
||||||
echo "1) Change LEBINARY variable in this script"
|
echo "1) Change LEBINARY variable in this script"
|
||||||
echo "2) Install LE manually or via your package manager and do #1"
|
echo "2) Install LE manually or via your package manager and do #1"
|
||||||
echo "3) Use the included get-letsencrypt.sh script to install it"
|
echo "3) Use the included get-letsencrypt.sh script to install it"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ ! -x $( which keytool ) ]]; then
|
||||||
|
echo "Error: Java keytool binary not found."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ ! -x $( which openssl ) ]]; then
|
||||||
|
echo "Error: OpenSSL binary not found."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ ! -z ${email} ]]; then
|
if [[ ! -z ${email} ]]; then
|
||||||
email="--email ${email}"
|
email="--email ${email}"
|
||||||
else
|
else
|
||||||
email=""
|
email=""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
shift $((OPTIND -1))
|
shift $((OPTIND -1))
|
||||||
|
@ -73,35 +91,34 @@ done
|
||||||
MAINDOMAIN=${domains[0]}
|
MAINDOMAIN=${domains[0]}
|
||||||
|
|
||||||
if [[ -z ${MAINDOMAIN} ]]; then
|
if [[ -z ${MAINDOMAIN} ]]; then
|
||||||
echo "Error: At least one -d argument is required"
|
echo "Error: At least one -d argument is required"
|
||||||
exit 1
|
usage
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ${renew} == "yes" ]]; then
|
if [[ ${renew} == "yes" ]]; then
|
||||||
LEOPTIONS=${RENEWCERT}
|
LEOPTIONS="${RENEWCERT}"
|
||||||
else
|
else
|
||||||
LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
|
LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ${onlyinsert} != "yes" ]]; then
|
if [[ ${onlyinsert} != "yes" ]]; then
|
||||||
echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
|
echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
|
||||||
${LEBINARY} \
|
${LEBINARY} --server https://acme-v01.api.letsencrypt.org/directory \
|
||||||
--server https://acme-v01.api.letsencrypt.org/directory \
|
--agree-tos --standalone --preferred-challenges tls-sni ${LEOPTIONS}
|
||||||
--agree-tos \
|
|
||||||
--standalone --preferred-challenges tls-sni \
|
|
||||||
${LEOPTIONS}
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if `md5sum -c /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 &>/dev/null`; then
|
if [[ ${onlyinsert} != "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then
|
||||||
echo "Cert has not changed, not updating controller."
|
echo "Cert has not changed, not updating controller."
|
||||||
exit 0
|
exit 0
|
||||||
else
|
else
|
||||||
TEMPFILE=$(mktemp)
|
echo "Cert has changed or -i option was used, updating controller..."
|
||||||
CATEMPFILE=$(mktemp)
|
TEMPFILE=$(mktemp)
|
||||||
|
CATEMPFILE=$(mktemp)
|
||||||
|
|
||||||
# Identrust cross-signed CA cert needed by the java keystore for import.
|
# Identrust cross-signed CA cert needed by the java keystore for import.
|
||||||
# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
|
# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
|
||||||
cat > "${CATEMPFILE}" <<'_EOF'
|
cat > "${CATEMPFILE}" <<'_EOF'
|
||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
|
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
|
||||||
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
||||||
|
@ -124,30 +141,34 @@ Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
_EOF
|
_EOF
|
||||||
|
|
||||||
echo "Cert has changed, updating controller..."
|
md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5"
|
||||||
md5sum /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem > /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5
|
echo "Using openssl to prepare certificate..."
|
||||||
echo "Using openssl to prepare certificate..."
|
cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}"
|
||||||
cat /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem >> "${CATEMPFILE}"
|
openssl pkcs12 -export -passout pass:aircontrolenterprise \
|
||||||
openssl pkcs12 -export -passout pass:aircontrolenterprise \
|
-in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \
|
||||||
-in /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \
|
-inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \
|
||||||
-inkey /etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem \
|
-out "${TEMPFILE}" -name unifi \
|
||||||
-out "${TEMPFILE}" -name unifi \
|
-CAfile "${CATEMPFILE}" -caname root
|
||||||
-CAfile "${CATEMPFILE}" -caname root
|
|
||||||
echo "Stopping Unifi controller..."
|
echo "Stopping Unifi controller..."
|
||||||
service unifi stop
|
service unifi stop
|
||||||
echo "Removing existing certificate from Unifi protected keystore..."
|
|
||||||
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
|
echo "Removing existing certificate from Unifi protected keystore..."
|
||||||
-deststorepass aircontrolenterprise
|
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
|
||||||
echo "Inserting certificate into Unifi keystore..."
|
-deststorepass aircontrolenterprise
|
||||||
keytool -trustcacerts -importkeystore \
|
|
||||||
-deststorepass aircontrolenterprise \
|
echo "Inserting certificate into Unifi keystore..."
|
||||||
-destkeypass aircontrolenterprise \
|
keytool -trustcacerts -importkeystore \
|
||||||
-destkeystore /usr/lib/unifi/data/keystore \
|
-deststorepass aircontrolenterprise \
|
||||||
-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
|
-destkeypass aircontrolenterprise \
|
||||||
-srcstorepass aircontrolenterprise \
|
-destkeystore /usr/lib/unifi/data/keystore \
|
||||||
-alias unifi
|
-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
|
||||||
rm -f "${TEMPFILE}" "${CATEMPFILE}"
|
-srcstorepass aircontrolenterprise \
|
||||||
echo "Starting Unifi controller..."
|
-alias unifi
|
||||||
service unifi start
|
rm -f "${TEMPFILE}" "${CATEMPFILE}"
|
||||||
echo "Done!"
|
|
||||||
|
echo "Starting Unifi controller..."
|
||||||
|
service unifi start
|
||||||
|
|
||||||
|
echo "Done!"
|
||||||
fi
|
fi
|
Loading…
Reference in New Issue