Doesn't look like we need ace.jar anymore to import certs, so let's make the chain and import it directly using keystore

master
Brie Bruns 2017-10-23 12:16:43 -06:00
parent c439a4793c
commit e64b10fa12
1 changed files with 10 additions and 14 deletions


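--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -2,12 +2,13 @@
 # Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
 # Modified by: Brielle Bruns <bruns@2mbit.com>
 # Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
-# Version: 1.3
+# Version: 1.4
-# Last Changed: 03/21/2017
+# Last Changed: 10/23/2017
 # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
 # 02/27/2016: More verbose progress report
 # 03/08/2016: Add renew option, reformat code, command line options
 # 03/24/2016: More sanity checking, embedding cert
+# 10/23/2017: Apparently don't need the ace.jar parts, so disable them
 PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -95,11 +96,11 @@ if `md5sum -c /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 &>/dev/null`; the
 exit 0
 else
 TEMPFILE=$(mktemp)
-CERTTEMPFILE=$(mktemp)
+CATEMPFILE=$(mktemp)
 # Identrust cross-signed CA cert needed by the java keystore for import.
 # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
-cat > ${CERTTEMPFILE} <<'_EOF'
+cat > "${CATEMPFILE}" <<'_EOF'
 -----BEGIN CERTIFICATE-----
 MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
 MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
@@ -125,11 +126,12 @@ _EOF
 echo "Cert has changed, updating controller..."
 md5sum /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem > /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5
 echo "Using openssl to prepare certificate..."
+cat /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem >> "${CATEMPFILE}"
 openssl pkcs12 -export -passout pass:aircontrolenterprise \
 -in /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \
 -inkey /etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem \
--out ${TEMPFILE} -name unifi \
+-out "${TEMPFILE}" -name unifi \
--CAfile /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem -caname root
+-CAfile "${CATEMPFILE}" -caname root
 echo "Stopping Unifi controller..."
 service unifi stop
 echo "Removing existing certificate from Unifi protected keystore..."
@@ -140,16 +142,10 @@ _EOF
 -deststorepass aircontrolenterprise \
 -destkeypass aircontrolenterprise \
 -destkeystore /usr/lib/unifi/data/keystore \
--srckeystore ${TEMPFILE} -srcstoretype PKCS12 \
+-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
 -srcstorepass aircontrolenterprise \
 -alias unifi
-rm -f ${TEMPFILE}
+rm -f "${TEMPFILE}" "${CATEMPFILE}"
-echo "Importing cert into Unifi database..."
-java -jar /usr/lib/unifi/lib/ace.jar import_cert \
-/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \
-/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem \
-${CERTTEMPFILE}
-rm -f ${CERTTEMPFILE}
 echo "Starting Unifi controller..."
 service unifi start
 echo "Done!"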
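Review bot: The assembled chain in "${CATEMPFILE}" is passed to `openssl pkcs12 -export` only via `-CAfile`, which as far as I recall is consulted solely when `-chain` is also given, so the intermediate and root this commit now builds the file for may never end up in the PKCS12 (and therefore not in the keystore the controller serves). Since the whole point of dropping the ace.jar import is that the chain travels through the PKCS12, either add `-chain` or, more directly, replace the last openssl argument with `-certfile "${CATEMPFILE}" -caname root`, then confirm with `keytool -list -v` that the unifi entry carries more than one certificate. Separately, "${TEMPFILE}" holds the private key and is only removed on the success path at the end of this hunk; unless a `set -e`/trap exists outside the hunk, a failing openssl or keytool step leaves it behind, so a `trap 'rm -f -- "${TEMPFILE}" "${CATEMPFILE}"' EXIT` right after the two `mktemp` calls would cover every exit path. The hard-coded IdenTrust root is also now served as part of the chain rather than just trusted for import; that is harmless but unnecessary, and worth a comment noting it must be updated if the issuing chain changes.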