You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

156 lines
5.5KB

  1. #!/usr/bin/env bash
  2. # Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
  3. # Modified by: Brielle Bruns <bruns@2mbit.com>
  4. # Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
  5. # Version: 1.3
  6. # Last Changed: 03/21/2017
  7. # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
  8. # 02/27/2016: More verbose progress report
  9. # 03/08/2016: Add renew option, reformat code, command line options
  10. # 03/24/2016: More sanity checking, embedding cert
  11. PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  12. while getopts "ird:e:" opt; do
  13. case $opt in
  14. i) onlyinsert="yes";;
  15. r) renew="yes";;
  16. d) domains+=("$OPTARG");;
  17. e) email=("$OPTARG");;
  18. esac
  19. done
  20. # Location of LetsEncrypt binary we use or let autodetect figure it out
  21. #LEBINARY="/usr/src/letsencrypt/certbot-auto"
  22. DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot
  23. /usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
  24. /usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
  25. /usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto
  26. /usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto
  27. /usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto"
  28. if [[ ! -v LEBINARY ]]; then
  29. for i in ${DEFAULTLEBINARY}; do
  30. if [[ -x ${i} ]]; then
  31. LEBINARY=${i}
  32. echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
  33. break
  34. fi
  35. done
  36. fi
  37. # Command line options depending on New or Renew.
  38. NEWCERT="--renew-by-default certonly"
  39. RENEWCERT="-n renew"
  40. if [[ ! -x ${LEBINARY} ]]; then
  41. echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
  42. echo "You'll need to do one of the following:"
  43. echo "1) Change LEBINARY variable in this script"
  44. echo "2) Install LE manually or via your package manager and do #1"
  45. echo "3) Use the included get-letsencrypt.sh script to install it"
  46. exit 1
  47. fi
  48. if [[ ! -z ${email} ]]; then
  49. email="--email ${email}"
  50. else
  51. email=""
  52. fi
  53. shift $((OPTIND -1))
  54. for val in "${domains[@]}"; do
  55. DOMAINS="${DOMAINS} -d ${val} "
  56. done
  57. MAINDOMAIN=${domains[0]}
  58. if [[ -z ${MAINDOMAIN} ]]; then
  59. echo "Error: At least one -d argument is required"
  60. exit 1
  61. fi
  62. if [[ ${renew} == "yes" ]]; then
  63. LEOPTIONS=${RENEWCERT}
  64. else
  65. LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
  66. fi
  67. if [[ ${onlyinsert} != "yes" ]]; then
  68. echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
  69. ${LEBINARY} \
  70. --server https://acme-v01.api.letsencrypt.org/directory \
  71. --agree-tos \
  72. --standalone --standalone-supported-challenges tls-sni-01 \
  73. ${LEOPTIONS}
  74. fi
  75. if `md5sum -c /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 &>/dev/null`; then
  76. echo "Cert has not changed, not updating controller."
  77. exit 0
  78. else
  79. TEMPFILE=$(mktemp)
  80. CERTTEMPFILE=$(mktemp)
  81. # Identrust cross-signed CA cert needed by the java keystore for import.
  82. # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
  83. cat > ${CERTTEMPFILE} <<'_EOF'
  84. -----BEGIN CERTIFICATE-----
  85. MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
  86. MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
  87. DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
  88. PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
  89. Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
  90. AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
  91. rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
  92. OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
  93. xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
  94. 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
  95. aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
  96. HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
  97. SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
  98. ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
  99. AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
  100. R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
  101. JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
  102. Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
  103. -----END CERTIFICATE-----
  104. _EOF
  105. echo "Cert has changed, updating controller..."
  106. md5sum /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem > /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5
  107. echo "Using openssl to prepare certificate..."
  108. openssl pkcs12 -export -passout pass:aircontrolenterprise \
  109. -in /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \
  110. -inkey /etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem \
  111. -out ${TEMPFILE} -name unifi \
  112. -CAfile /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem -caname root
  113. echo "Stopping Unifi controller..."
  114. service unifi stop
  115. echo "Removing existing certificate from Unifi protected keystore..."
  116. keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
  117. -deststorepass aircontrolenterprise
  118. echo "Inserting certificate into Unifi keystore..."
  119. keytool -trustcacerts -importkeystore \
  120. -deststorepass aircontrolenterprise \
  121. -destkeypass aircontrolenterprise \
  122. -destkeystore /usr/lib/unifi/data/keystore \
  123. -srckeystore ${TEMPFILE} -srcstoretype PKCS12 \
  124. -srcstorepass aircontrolenterprise \
  125. -alias unifi
  126. rm -f ${TEMPFILE}
  127. echo "Importing cert into Unifi database..."
  128. java -jar /usr/lib/unifi/lib/ace.jar import_cert \
  129. /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \
  130. /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem \
  131. ${CERTTEMPFILE}
  132. rm -f ${CERTTEMPFILE}
  133. echo "Starting Unifi controller..."
  134. service unifi start
  135. echo "Done!"
  136. fi