|
|
|
@ -2,67 +2,85 @@ |
|
|
|
# Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh |
|
|
|
# Modified by: Brielle Bruns <bruns@2mbit.com> |
|
|
|
# Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts |
|
|
|
# Version: 1.5 |
|
|
|
# Last Changed: 02/04/2018 |
|
|
|
# Version: 1.6 |
|
|
|
# Last Changed: 05/29/2018 |
|
|
|
# 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements |
|
|
|
# 02/27/2016: More verbose progress report |
|
|
|
# 03/08/2016: Add renew option, reformat code, command line options |
|
|
|
# 03/24/2016: More sanity checking, embedding cert |
|
|
|
# 10/23/2017: Apparently don't need the ace.jar parts, so disable them |
|
|
|
# 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth |
|
|
|
# 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests |
|
|
|
|
|
|
|
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically |
|
|
|
#LEBINARY="/usr/src/letsencrypt/certbot-auto" |
|
|
|
|
|
|
|
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" |
|
|
|
|
|
|
|
while getopts "ird:e:" opt; do |
|
|
|
case $opt in |
|
|
|
function usage() { |
|
|
|
echo "Usage: $0 -d <domain> [-e <email>] [-r] [-i]" |
|
|
|
echo " -d <domain>: The domain name to use." |
|
|
|
echo " -e <email>: Email address to use for certificate." |
|
|
|
echo " -r: Renew domain." |
|
|
|
echo " -i: Insert only, use to force insertion of certificate." |
|
|
|
} |
|
|
|
|
|
|
|
while getopts "hird:e:" opt; do |
|
|
|
case $opt in |
|
|
|
i) onlyinsert="yes";; |
|
|
|
r) renew="yes";; |
|
|
|
d) domains+=("$OPTARG");; |
|
|
|
e) email=("$OPTARG");; |
|
|
|
esac |
|
|
|
e) email="$OPTARG";; |
|
|
|
h) usage |
|
|
|
exit;; |
|
|
|
esac |
|
|
|
done |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically |
|
|
|
#LEBINARY="/usr/src/letsencrypt/certbot-auto" |
|
|
|
|
|
|
|
DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot |
|
|
|
/usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot |
|
|
|
/usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt |
|
|
|
/usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto |
|
|
|
/usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto |
|
|
|
/usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto" |
|
|
|
/usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot |
|
|
|
/usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt |
|
|
|
/usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto |
|
|
|
/usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto |
|
|
|
/usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto" |
|
|
|
|
|
|
|
if [[ ! -v LEBINARY ]]; then |
|
|
|
for i in ${DEFAULTLEBINARY}; do |
|
|
|
if [[ -x ${i} ]]; then |
|
|
|
LEBINARY=${i} |
|
|
|
echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}" |
|
|
|
break |
|
|
|
fi |
|
|
|
done |
|
|
|
for i in ${DEFAULTLEBINARY}; do |
|
|
|
if [[ -x ${i} ]]; then |
|
|
|
LEBINARY=${i} |
|
|
|
echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}" |
|
|
|
break |
|
|
|
fi |
|
|
|
done |
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
# Command line options depending on New or Renew. |
|
|
|
NEWCERT="--renew-by-default certonly" |
|
|
|
RENEWCERT="-n renew" |
|
|
|
|
|
|
|
# Check for required binaries |
|
|
|
if [[ ! -x ${LEBINARY} ]]; then |
|
|
|
echo "Error: LetsEncrypt binary not found in ${LEBINARY} !" |
|
|
|
echo "You'll need to do one of the following:" |
|
|
|
echo "1) Change LEBINARY variable in this script" |
|
|
|
echo "2) Install LE manually or via your package manager and do #1" |
|
|
|
echo "3) Use the included get-letsencrypt.sh script to install it" |
|
|
|
exit 1 |
|
|
|
echo "Error: LetsEncrypt binary not found in ${LEBINARY} !" |
|
|
|
echo "You'll need to do one of the following:" |
|
|
|
echo "1) Change LEBINARY variable in this script" |
|
|
|
echo "2) Install LE manually or via your package manager and do #1" |
|
|
|
echo "3) Use the included get-letsencrypt.sh script to install it" |
|
|
|
exit 1 |
|
|
|
fi |
|
|
|
|
|
|
|
if [[ ! -x $( which keytool ) ]]; then |
|
|
|
echo "Error: Java keytool binary not found." |
|
|
|
exit 1 |
|
|
|
fi |
|
|
|
|
|
|
|
if [[ ! -x $( which openssl ) ]]; then |
|
|
|
echo "Error: OpenSSL binary not found." |
|
|
|
exit 1 |
|
|
|
fi |
|
|
|
|
|
|
|
if [[ ! -z ${email} ]]; then |
|
|
|
email="--email ${email}" |
|
|
|
email="--email ${email}" |
|
|
|
else |
|
|
|
email="" |
|
|
|
email="" |
|
|
|
fi |
|
|
|
|
|
|
|
shift $((OPTIND -1)) |
|
|
|
@ -73,35 +91,34 @@ done |
|
|
|
MAINDOMAIN=${domains[0]} |
|
|
|
|
|
|
|
if [[ -z ${MAINDOMAIN} ]]; then |
|
|
|
echo "Error: At least one -d argument is required" |
|
|
|
exit 1 |
|
|
|
echo "Error: At least one -d argument is required" |
|
|
|
usage |
|
|
|
exit 1 |
|
|
|
fi |
|
|
|
|
|
|
|
if [[ ${renew} == "yes" ]]; then |
|
|
|
LEOPTIONS=${RENEWCERT} |
|
|
|
LEOPTIONS="${RENEWCERT}" |
|
|
|
else |
|
|
|
LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}" |
|
|
|
LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}" |
|
|
|
fi |
|
|
|
|
|
|
|
if [[ ${onlyinsert} != "yes" ]]; then |
|
|
|
echo "Firing up standalone authenticator on TCP port 443 and requesting cert..." |
|
|
|
${LEBINARY} \ |
|
|
|
--server https://acme-v01.api.letsencrypt.org/directory \ |
|
|
|
--agree-tos \ |
|
|
|
--standalone --preferred-challenges tls-sni \ |
|
|
|
${LEOPTIONS} |
|
|
|
fi |
|
|
|
|
|
|
|
if `md5sum -c /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 &>/dev/null`; then |
|
|
|
echo "Cert has not changed, not updating controller." |
|
|
|
exit 0 |
|
|
|
echo "Firing up standalone authenticator on TCP port 443 and requesting cert..." |
|
|
|
${LEBINARY} --server https://acme-v01.api.letsencrypt.org/directory \ |
|
|
|
--agree-tos --standalone --preferred-challenges tls-sni ${LEOPTIONS} |
|
|
|
fi |
|
|
|
|
|
|
|
if [[ ${onlyinsert} != "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then |
|
|
|
echo "Cert has not changed, not updating controller." |
|
|
|
exit 0 |
|
|
|
else |
|
|
|
TEMPFILE=$(mktemp) |
|
|
|
CATEMPFILE=$(mktemp) |
|
|
|
echo "Cert has changed or -i option was used, updating controller..." |
|
|
|
TEMPFILE=$(mktemp) |
|
|
|
CATEMPFILE=$(mktemp) |
|
|
|
|
|
|
|
# Identrust cross-signed CA cert needed by the java keystore for import. |
|
|
|
# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html |
|
|
|
cat > "${CATEMPFILE}" <<'_EOF' |
|
|
|
# Identrust cross-signed CA cert needed by the java keystore for import. |
|
|
|
# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html |
|
|
|
cat > "${CATEMPFILE}" <<'_EOF' |
|
|
|
-----BEGIN CERTIFICATE----- |
|
|
|
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ |
|
|
|
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT |
|
|
|
@ -124,30 +141,34 @@ Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ |
|
|
|
-----END CERTIFICATE----- |
|
|
|
_EOF |
|
|
|
|
|
|
|
echo "Cert has changed, updating controller..." |
|
|
|
md5sum /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem > /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 |
|
|
|
echo "Using openssl to prepare certificate..." |
|
|
|
cat /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem >> "${CATEMPFILE}" |
|
|
|
openssl pkcs12 -export -passout pass:aircontrolenterprise \ |
|
|
|
-in /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \ |
|
|
|
-inkey /etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem \ |
|
|
|
-out "${TEMPFILE}" -name unifi \ |
|
|
|
-CAfile "${CATEMPFILE}" -caname root |
|
|
|
echo "Stopping Unifi controller..." |
|
|
|
service unifi stop |
|
|
|
echo "Removing existing certificate from Unifi protected keystore..." |
|
|
|
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \ |
|
|
|
-deststorepass aircontrolenterprise |
|
|
|
echo "Inserting certificate into Unifi keystore..." |
|
|
|
keytool -trustcacerts -importkeystore \ |
|
|
|
-deststorepass aircontrolenterprise \ |
|
|
|
-destkeypass aircontrolenterprise \ |
|
|
|
-destkeystore /usr/lib/unifi/data/keystore \ |
|
|
|
-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \ |
|
|
|
-srcstorepass aircontrolenterprise \ |
|
|
|
-alias unifi |
|
|
|
rm -f "${TEMPFILE}" "${CATEMPFILE}" |
|
|
|
echo "Starting Unifi controller..." |
|
|
|
service unifi start |
|
|
|
echo "Done!" |
|
|
|
fi |
|
|
|
md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" |
|
|
|
echo "Using openssl to prepare certificate..." |
|
|
|
cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}" |
|
|
|
openssl pkcs12 -export -passout pass:aircontrolenterprise \ |
|
|
|
-in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \ |
|
|
|
-inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \ |
|
|
|
-out "${TEMPFILE}" -name unifi \ |
|
|
|
-CAfile "${CATEMPFILE}" -caname root |
|
|
|
|
|
|
|
echo "Stopping Unifi controller..." |
|
|
|
service unifi stop |
|
|
|
|
|
|
|
echo "Removing existing certificate from Unifi protected keystore..." |
|
|
|
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \ |
|
|
|
-deststorepass aircontrolenterprise |
|
|
|
|
|
|
|
echo "Inserting certificate into Unifi keystore..." |
|
|
|
keytool -trustcacerts -importkeystore \ |
|
|
|
-deststorepass aircontrolenterprise \ |
|
|
|
-destkeypass aircontrolenterprise \ |
|
|
|
-destkeystore /usr/lib/unifi/data/keystore \ |
|
|
|
-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \ |
|
|
|
-srcstorepass aircontrolenterprise \ |
|
|
|
-alias unifi |
|
|
|
rm -f "${TEMPFILE}" "${CATEMPFILE}" |
|
|
|
|
|
|
|
echo "Starting Unifi controller..." |
|
|
|
service unifi start |
|
|
|
|
|
|
|
echo "Done!" |
|
|
|
fi |
|
|
|
|
