From 54a91de530437db1a46c896711187f4fb26e660c Mon Sep 17 00:00:00 2001
From: Brielle
Date: Thu, 24 Mar 2016 18:55:56 -0600
Subject: [PATCH] Updating gen-unifi-cert.sh
---
 README.md | 16 +++++-----
 gen-unifi-cert.sh | 74 ++++++++++++++++++++++++++++++++++++++---------
 2 files changed, 68 insertions(+), 22 deletions(-)
diff --git a/README.md b/README.md
index ffe0fd2..aac2a2f 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-Lets Encrypt Scripts
+# Lets Encrypt Scripts
 Public Git URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
@@ -6,24 +6,24 @@ By: Brielle Bruns
 These are various scripts to make LetsEncrypt easier to use.
-Main Scripts
-=============================================================
+# Files
+## Main Scripts
+
 gen-cert.sh - Main script to make it easy to generate LE certs for domain(s)
 gen-unifi-cert.sh - Script to add LE cert to a Unifi controller
-Support Files
-=============================================================
+##Support Files
+
 DSTROOTCAX3.txt - Root CA cert needed for use with the gen-unifi-cert.sh script
 apache-le-alias.conf - Use with apache for LE well-known alias config
 apache-le-proxy.conf - Use with apache for LE well-known proxy config
-How To Use
-=============================================================
+# How To Use
-gen-unifi-cert.sh
+## gen-unifi-cert.sh
 1. Do initial cert generation:
diff --git a/gen-unifi-cert.sh b/gen-unifi-cert.sh
index cea01c0..0bbe04e 100755
--- a/gen-unifi-cert.sh
+++ b/gen-unifi-cert.sh
@@ -2,28 +2,40 @@
 # Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
 # Modified by: Brielle Bruns
 # Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
-# Last Changed: 2/27/2016
+# Last Changed: 03/24/2016
 # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
 # 02/27/2016: More verbose progress report
 # 03/08/2016: Add renew option, reformat code, command line options
+# 03/24/2016: More sanity checking, embedding cert
 PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-while getopts "rd:e:" opt; do
+while getopts "ird:e:" opt; do
 case $opt in
+ i) onlyinsert="yes";;
 r) renew="yes";;
 d) domains+=("$OPTARG");;
 e) email=("$OPTARG");;
 esac
 done
-# Identrust cross-signed CA cert needed by the java keystore for import.
-# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
-EXTRACERT="/root/DSTROOTCAX3.txt"
+# Location of LetsEncrypt binary we use
+LEBINARY="/usr/src/letsencrypt/letsencrypt-auto"
+# Command line options depending on New or Renew.
 NEWCERT="--renew-by-default certonly"
 RENEWCERT="-n renew"
+if [[ ! -x ${LEBINARY} ]]; then
+ echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
+ echo "You'll need to do one of the following:"
+ echo "1) Change LEBINARY variable in this script"
+ echo "2) Install LE manually or via your package manager and do #1"
+ echo "3) Use the included get-letsencrypt.sh script to install it"
+ exit 1
+fi
+
+
 if [[ ! -z ${email} ]]; then
 email="--email ${email}"
 else
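Review bot: The diagnostics in the new `if [[ ! -x ${LEBINARY} ]]; then` block are written to stdout, so when the script runs from cron or its output is captured they are indistinguishable from the normal progress messages; route them to stderr, e.g. `echo "Error: LetsEncrypt binary not found in ${LEBINARY} !" >&2`, and likewise for the four echo lines that follow. The new `-i` option also has no usage text anywhere in the hunk; a one-line comment above the getopts loop such as `# -i: skip certificate issuance and only (re)insert the current cert into the controller` would document it (that reading is inferred from the onlyinsert guard in the next hunk, so confirm it matches the intent).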
@@ -37,25 +49,58 @@ done
 MAINDOMAIN=${domains[0]}
-if [[ $renew == "yes" ]]; then
+if [[ ! -z ${MAINDOMAIN} ]]; then
+ echo "Error: At least one -d argument is required"
+ exit 1
+fi
+
+if [[ ${renew} == "yes" ]]; then
 LEOPTIONS=${RENEWCERT}
 else
 LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
 fi
-echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
-/usr/src/letsencrypt/letsencrypt-auto \
- --server https://acme-v01.api.letsencrypt.org/directory \
- --agree-tos \
- --standalone --standalone-supported-challenges tls-sni-01 \
- ${LEOPTIONS}
-
+if [[ ${onlyinsert} != "yes" ]]; then
+ echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
+ ${LEBINARY} \
+ --server https://acme-v01.api.letsencrypt.org/directory \
+ --agree-tos \
+ --standalone --standalone-supported-challenges tls-sni-01 \
+ ${LEOPTIONS}
+fi
 if `md5sum -c /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 &>/dev/null`; then
 echo "Cert has not changed, not updating controller."
 exit 0
 else
 TEMPFILE=$(mktemp)
+ CERTTEMPFILE=$(mktemp)
+
+ # Identrust cross-signed CA cert needed by the java keystore for import.
+ # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
+ cat > ${CERTTEMPFILE} <<'_EOF'
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----
+_EOF
+
 echo "Cert has changed, updating controller..."
 md5sum /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem > /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5
 echo "Using openssl to prepare certificate..."
@@ -82,7 +127,8 @@ else
 java -jar /usr/lib/unifi/lib/ace.jar import_cert \
 /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \
 /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem \
- ${EXTRACERT}
+ ${CERTTEMPFILE}
+ rm -f ${CERTTEMPFILE}
 echo "Starting Unifi controller..."
 service unifi start
 echo "Done!"
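Review bot: The new required-domain check `if [[ ! -z ${MAINDOMAIN} ]]; then` is inverted: `! -z` is true when MAINDOMAIN is non-empty, so every valid invocation prints "At least one -d argument is required" and exits 1, while a run with no `-d` passes the check and reaches letsencrypt with an empty domain list. It should read `if [[ -z ${MAINDOMAIN} ]]; then`. Separately, the `-i` path skips issuance but still hits the unchanged-md5 early `exit 0`, so a user passing `-i` to re-push a cert whose checksum is already recorded gets "Cert has not changed, not updating controller." and nothing is inserted; if re-insertion is the purpose of `-i` (inferred from the variable name), the md5 test should also be skipped when `${onlyinsert} == "yes"`. The `else` branch that starts at `TEMPFILE=$(mktemp)` continues past the end of the hunk.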
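Review bot: `rm -f ${CERTTEMPFILE}` only runs when control reaches the end of the import branch, so any earlier failure or exit leaves the mktemp file behind; a `trap 'rm -f -- "${CERTTEMPFILE}" "${TEMPFILE}"' EXIT` registered right after the two mktemp calls (in the previous hunk) would cover every exit path. The exit status of the `java -jar ... import_cert` command is also not checked before `service unifi start`, so a failed keystore import is still reported as "Done!"; appending `|| { echo "Error: keystore import failed" >&2; exit 1; }` after the `${CERTTEMPFILE}` argument line would surface it. The enclosing `else` block begins outside the hunk.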