
Initial import

master
Brielle Bruns 4 years ago
commit
3ee49ef3f3
6 changed files with 150 additions and 0 deletions
  1. +20
    -0
      DSTROOTCAX3.txt
  2. +0
    -0
      README.md
  3. +11
    -0
      apache-le-alias.conf
  4. +12
    -0
      apache-le-proxy.conf
  5. +68
    -0
      gen-cert.sh
  6. +39
    -0
      gen-unifi-cert.sh

+ 20
- 0
DSTROOTCAX3.txt View File

@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

+ 0
- 0
README.md View File


+ 11
- 0
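--- a/apache-le-alias.conf
+++ b/apache-le-alias.conf
@@ -0,0 +1,11 @@
+<IfModule alias_module>
+Alias /.well-known/acme-challenge "/var/www/letsencrypt-root/.well-known/acme-challenge"
+
+<Directory "/var/www/letsencrypt-root/.well-known/acme-challenge">
+Options FollowSymlinks
+AllowOverride None
+Order allow,deny
+Allow from all
+#Require all granted
+</Directory>
+</IfModule>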
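Review bot: `Options FollowSymlinks` on the challenge directory is broader than the ACME responder needs; any symlink that ends up under `/var/www/letsencrypt-root/.well-known/acme-challenge` would be followed and its target served, while the challenge tokens the client writes there are plain regular files, so `Options None` is sufficient. The `Order allow,deny` / `Allow from all` pair is Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat loaded these directives are rejected and the vhost fails to start, so the commented `#Require all granted` should be the live directive (or both forms guarded with `<IfVersion>` if 2.2 still has to be supported).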

+ 12
- 0
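--- a/apache-le-proxy.conf
+++ b/apache-le-proxy.conf
@@ -0,0 +1,12 @@
+# Proxy method of letsencrypt auth
+# a2enmod proxy proxy_http
+<IfModule mod_proxy.c>
+ProxyPass "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/" retry=1
+ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/"
+ProxyPreserveHost On
+<Location "/.well-known/acme-challenge/">
+Order allow,deny
+Allow from all
+#Require all granted
+</Location>
+</IfModule>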
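Review bot: `ProxyPreserveHost On` is placed at the `<IfModule>` level rather than inside the `<Location>`, so it changes the Host header for every ProxyPass in whichever server or vhost includes this file, not just the ACME challenge path; moving the line inside `<Location "/.well-known/acme-challenge/">` confines the effect to this route. As in apache-le-alias.conf, access control uses the 2.2 `Order`/`Allow` pair with `#Require all granted` commented out, which Apache 2.4 rejects unless mod_access_compat is loaded. When no standalone authenticator is listening on 127.0.0.1:9999 every request to this path is answered with a proxy error, which is expected outside a renewal run but is worth a comment next to `retry=1` so the noise in the error log is not mistaken for a fault.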

+ 68
- 0
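--- a/gen-cert.sh
+++ b/gen-cert.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# Easy letsencrypt certs using a bash script.
+# v1.2 - 12/13/2015
+# By Brielle Bruns <bruns@2mbit.com>
+# http://www.sosdg.org
+
+
+# Use like: gen-cert.sh -d domain1.com -d domain2.com
+#
+# There are three options for authentication:
+#
+# 1) Webroot (normal)
+# Specify -r flag with -d and -e flags.
+# gen-cert.sh -d domain1.com -r /var/www/domain1.com
+#
+# 2) Webroot (alias)
+# Same as #1, but also include an alias directive in apache like in:
+# http://users.sosdg.org/~bruns/lets-encrypt/apache-le-alias.conf
+# And:
+# mkdir -p /var/www/letsencrypt-root/.well-known/acme-challenge
+# gen-cert.sh -d domain1.com -d domain2.com -r /var/www/letsencrypt-root/.well-known/acme-challenge
+#
+# 3) Proxy auth
+# This auth method uses the standalone authenticator with a mod_proxy
+# http://users.sosdg.org/~bruns/lets-encrypt/apache-le-proxy.conf
+# Original proxy idea from:
+# http://evolvedigital.co.uk/how-to-get-letsencrypt-working-with-ispconfig-3/
+
+PROXYAUTH="--standalone --standalone-supported-challenges http-01 --http-01-port 9999"
+
+while getopts "d:r:e:" opt; do
+case $opt in
+d) domains+=("$OPTARG");;
+r) webroot=("$OPTARG");;
+e) email=("$OPTARG");;
+esac
+done
+
+if [[ ! -z ${email} ]]; then
+email="--email ${email}"
+else
+email=""
+fi
+
+# Webroot auth method, activated with -r
+WEBAUTH="-a webroot --webroot-path ${webroot}"
+
+if [[ -z ${webroot} ]]; then
+AUTH=${PROXYAUTH}
+else
+AUTH=${WEBAUTH}
+fi
+
+shift $((OPTIND -1))
+for val in "${domains[@]}"; do
+DOMAINS="${DOMAINS} -d ${val} "
+done
+
+
+
+cd /usr/src/letsencrypt
+./letsencrypt-auto ${email} \
+--server https://acme-v01.api.letsencrypt.org/directory \
+--agree-tos \
+--renew-by-default \
+${AUTH} \
+${DOMAINS} \
+certonly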
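Review bot: `cd /usr/src/letsencrypt` is unchecked, so when that directory is missing the next line runs `./letsencrypt-auto` from whatever the caller's working directory happens to be, executing an unrelated file if one with that name exists there; `cd /usr/src/letsencrypt || exit 1` closes that. The option lists are assembled as whitespace-joined strings (`${email}`, `${AUTH}`, `${DOMAINS}`) and rely on unquoted expansion to split them back into words, which breaks for a `-r` path containing a space, and `webroot=("$OPTARG")` / `email=("$OPTARG")` are array assignments where scalars were meant. Building the argument lists as arrays, as below, keeps every value intact and lets the script reject a missing `-d` or a non-existent webroot up front instead of handing the client a bare `--webroot-path`; the unused `shift $((OPTIND -1))` can go at the same time.

```shell
#!/bin/bash
# … unchanged: usage / auth-method header comments …

# Argument lists are arrays so that paths with spaces survive intact.
PROXYAUTH=(--standalone --standalone-supported-challenges http-01 --http-01-port 9999)

domains=()
webroot=""
email=""
while getopts "d:r:e:" opt; do
  case $opt in
    d) domains+=("$OPTARG");;
    r) webroot=$OPTARG;;
    e) email=$OPTARG;;
    *) printf 'usage: %s -d domain [-d domain ...] [-r webroot] [-e email]\n' "${0##*/}" >&2; exit 2;;
  esac
done

(( ${#domains[@]} > 0 )) || { printf 'at least one -d domain is required\n' >&2; exit 2; }

EMAILARGS=()
if [[ -n "$email" ]]; then
  EMAILARGS=(--email "$email")
fi

# Webroot auth method, activated with -r; otherwise the standalone/proxy method.
if [[ -z "$webroot" ]]; then
  AUTH=("${PROXYAUTH[@]}")
else
  [[ -d "$webroot" ]] || { printf 'webroot %s is not a directory\n' "$webroot" >&2; exit 1; }
  AUTH=(-a webroot --webroot-path "$webroot")
fi

DOMAINARGS=()
for val in "${domains[@]}"; do
  DOMAINARGS+=(-d "$val")
done

# Never run ./letsencrypt-auto relative to an arbitrary working directory.
cd /usr/src/letsencrypt || exit 1
./letsencrypt-auto "${EMAILARGS[@]}" \
  --server https://acme-v01.api.letsencrypt.org/directory \
  --agree-tos \
  --renew-by-default \
  "${AUTH[@]}" \
  "${DOMAINARGS[@]}" \
  certonly
```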

+ 39
- 0
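--- a/gen-unifi-cert.sh
+++ b/gen-unifi-cert.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
+# Modified by: Brielle Bruns <bruns@2mbit.com>
+# Last Changed: 2/2/2016
+# Changed: Fixed some errors with key export/import, removed lame
+# docker requirements
+DOMAIN="unifi.xxxx.xxxxx"
+EMAIL="email@here"
+EXTRACERT="/root/DSTROOTCAX3.txt"
+TEMPFILE=$(mktemp)
+service unifi stop
+/usr/src/letsencrypt/letsencrypt-auto \
+--email ${EMAIL} \
+--server https://acme-v01.api.letsencrypt.org/directory \
+--agree-tos \
+--renew-by-default \
+-d ${DOMAIN} \
+--standalone --standalone-supported-challenges tls-sni-01 \
+certonly
+openssl pkcs12 -export -passout pass:aircontrolenterprise \
+-in /etc/letsencrypt/live/${DOMAIN}/cert.pem \
+-inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem \
+-out ${TEMPFILE} -name unifi \
+-CAfile /etc/letsencrypt/live/${DOMAIN}/chain.pem -caname root
+keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
+-deststorepass aircontrolenterprise
+keytool -trustcacerts -importkeystore \
+-deststorepass aircontrolenterprise \
+-destkeypass aircontrolenterprise \
+-destkeystore /usr/lib/unifi/data/keystore \
+-srckeystore ${TEMPFILE} -srcstoretype PKCS12 \
+-srcstorepass aircontrolenterprise \
+-alias unifi
+rm -f ${TEMPFILE}
+java -jar /usr/lib/unifi/lib/ace.jar import_cert \
+/etc/letsencrypt/live/${DOMAIN}/cert.pem \
+/etc/letsencrypt/live/${DOMAIN}/chain.pem \
+${EXTRACERT}
+service unifi start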
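Review bot: Nothing stops the keystore modification when issuance fails: the script has no `set -e`, so if `letsencrypt-auto` exits non-zero the `keytool -delete` a few lines later still removes the `unifi` entry, the import then runs against stale or missing PEM files, and `service unifi start` brings the controller up with whatever is left in the keystore; the PKCS12 bundle in `$TEMPFILE`, which contains the private key, is also only removed on the happy path. Aborting on the first failure, deleting the temp file from an EXIT trap and copying the keystore before the delete (as below, which also drops the explicit `rm -f ${TEMPFILE}`) makes a failed run leave the controller stopped with a backup to restore rather than silently running on a half-updated keystore. Separately, the `tls-sni-01` challenge requested on the standalone line has since been retired by Let's Encrypt, so a current ACME server will refuse it and `http-01` (which gen-cert.sh already uses) is the replacement; the keystore password passed through `-passout`/`-deststorepass`/`-srcstorepass` is visible to other local users in the process list, though it is the controller's fixed default rather than a secret this script chooses.

```shell
#!/usr/bin/env bash
# … unchanged: provenance header comments …
set -euo pipefail
DOMAIN="unifi.xxxx.xxxxx"
EMAIL="email@here"
EXTRACERT="/root/DSTROOTCAX3.txt"
KEYSTORE="/usr/lib/unifi/data/keystore"
TEMPFILE=$(mktemp)
# The PKCS12 bundle holds the private key: remove it on every exit path, not only on success.
trap 'rm -f -- "$TEMPFILE"' EXIT
service unifi stop
# … unchanged: letsencrypt-auto certonly invocation (set -e now aborts here on failure, before the keystore is touched) …
# … unchanged: openssl pkcs12 -export … -out "$TEMPFILE" … (only the quoting of $TEMPFILE/$DOMAIN changes) …
# Keep a copy so a failed import can be rolled back by hand.
cp -p -- "$KEYSTORE" "$KEYSTORE.bak"
keytool -delete -alias unifi -keystore "$KEYSTORE" \
  -deststorepass aircontrolenterprise || true   # tolerate an absent alias
# … unchanged: keytool -importkeystore … -destkeystore "$KEYSTORE" … and the ace.jar import_cert call …
service unifi start
```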
