  1. #!/usr/bin/env bash
  2. # Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
  3. # Modified by: Brielle Bruns <bruns@2mbit.com>
  4. # Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
  5. # Version: 1.7
  6. # Last Changed: 09/26/2018
  7. # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
  8. # 02/27/2016: More verbose progress report
  9. # 03/08/2016: Add renew option, reformat code, command line options
  10. # 03/24/2016: More sanity checking, embedding cert
  11. # 10/23/2017: Apparently don't need the ace.jar parts, so disable them
  12. # 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth
  13. # 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
  14. # 09/26/2018: Change from TLS to HTTP authenticator
  15. # Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
  16. #LEBINARY="/usr/src/letsencrypt/certbot-auto"
  17. PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
#######################################
# Print the command-line synopsis.
# Globals:   none
# Arguments: none ($0 is the script name)
# Outputs:   usage text on stdout, one option per line
# Returns:   0
#######################################
usage() {
  printf '%s\n' \
    "Usage: $0 -d <domain> [-e <email>] [-r] [-i]" \
    " -d <domain>: The domain name to use." \
    " -e <email>: Email address to use for certificate." \
    " -r: Renew domain." \
    " -i: Insert only, use to force insertion of certificate."
}
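# Parse the command line.
# Globals written: onlyinsert ("yes" for -i), renew ("yes" for -r),
#                  domains (array, one entry per -d), email (from -e).
# All four are initialised here so values inherited from the caller's
# environment cannot silently steer the run.
onlyinsert=""
renew=""
email=""
domains=()
while getopts "hird:e:" opt; do
  case "$opt" in
    i) onlyinsert="yes" ;;
    r) renew="yes" ;;
    d) domains+=("$OPTARG") ;;
    e) email="$OPTARG" ;;
    h) usage
       exit ;;
    # getopts has already reported the unknown option / missing argument on
    # stderr; previously this case fell through and the script carried on.
    *) usage >&2
       exit 1 ;;
  esac
done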
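# Well-known install locations of the certbot/letsencrypt client, in search
# order. Kept as an array so no word-splitting of a long string is needed.
DEFAULTLEBINARY=(
  /usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot
  /usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
  /usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
  /usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto
  /usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto
  /usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto
)

# Only search when LEBINARY was not pinned at the top of the script; the
# first executable candidate wins.
if [[ ! -v LEBINARY ]]; then
  for candidate in "${DEFAULTLEBINARY[@]}"; do
    if [[ -x "${candidate}" ]]; then
      LEBINARY="${candidate}"
      echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
      break
    fi
  done
fi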
  50. # Command line options depending on New or Renew.
  51. NEWCERT="--renew-by-default certonly"
  52. RENEWCERT="-n renew"
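# Check for required binaries.
# Abort unless the resolved client is executable; an unset/empty LEBINARY
# (nothing found above) fails the -x test too. Diagnostics go to stderr so
# they are not mistaken for normal progress output.
if [[ ! -x "${LEBINARY}" ]]; then
  {
    echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
    echo "You'll need to do one of the following:"
    echo "1) Change LEBINARY variable in this script"
    echo "2) Install LE manually or via your package manager and do #1"
    echo "3) Use the included get-letsencrypt.sh script to install it"
  } >&2
  exit 1
fi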
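#######################################
# Abort if a tool needed by the import step is not on PATH.
# Arguments: $1 - command name to look up
#            $2 - human-readable name used in the error message
# Outputs:   error on stderr when missing
# Returns:   0 when present; exits 1 otherwise
#######################################
require_tool() {
  # command -v is the portable lookup; `which` is an external, non-standard tool.
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "Error: $2 binary not found." >&2
    exit 1
  fi
}
require_tool keytool "Java keytool"
require_tool openssl "OpenSSL"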
# Rewrite the address from -e into the certbot flag form ("--email <addr>");
# when no address was given the variable becomes the empty string.
email=${email:+--email ${email}}
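shift $((OPTIND - 1))

# Build the repeated "-d <domain>" arguments for certbot. DOMAINS is used
# unquoted later on purpose (it is a space-separated option string); domain
# names cannot contain whitespace, so the split is safe.
DOMAINS=""
for val in "${domains[@]}"; do
  DOMAINS="${DOMAINS} -d ${val} "
done

# The first -d names the lineage: certbot writes it to /etc/letsencrypt/live/<MAINDOMAIN>/.
MAINDOMAIN=${domains[0]:-}
if [[ -z "${MAINDOMAIN}" ]]; then
  # Error path: keep the message and the synopsis off stdout.
  echo "Error: At least one -d argument is required" >&2
  usage >&2
  exit 1
fi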
# Assemble the argument string for this run: a non-interactive renewal, or a
# fresh issuance carrying the contact email and the domain list.
case "${renew}" in
  yes) LEOPTIONS="${RENEWCERT}" ;;
  *)   LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}" ;;
esac
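# Obtain or renew the certificate unless -i asked for import only.
if [[ ${onlyinsert} != "yes" ]]; then
  echo "Firing up standalone authenticator on TCP port 80 and requesting cert..."
  # The ACME v1 directory this script originally pointed at has been retired by
  # Let's Encrypt; v2 is the production directory certbot itself defaults to.
  # LEOPTIONS is deliberately unquoted: it is a space-separated option string.
  "${LEBINARY}" --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos --standalone --preferred-challenges http ${LEOPTIONS}
fi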
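# Decide whether the controller needs a fresh import. The stored md5 is only a
# change detector ("is this the same cert.pem as last time?"), not an integrity
# control; -i bypasses it and forces the import.
if [[ ${onlyinsert} != "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then
  echo "Cert has not changed, not updating controller."
  exit 0
else
  echo "Cert has changed or -i option was used, updating controller..."
  LIVEDIR="/etc/letsencrypt/live/${MAINDOMAIN}"
  # Controller keystore; override via the environment if your install differs.
  UNIFI_KEYSTORE="${UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
  # Default password of the UniFi keystore; the controller itself opens the
  # keystore with this value, so it must match.
  KEYSTORE_PASS="aircontrolenterprise"
  TEMPFILE=$(mktemp)
  CATEMPFILE=$(mktemp)
  # TEMPFILE will hold the private key in PKCS12 form: remove both temp files
  # on every exit path (failed openssl/keytool, Ctrl-C), not just on success.
  trap 'rm -f -- "${TEMPFILE}" "${CATEMPFILE}"' EXIT

  # Identrust cross-signed CA cert needed by the java keystore for import.
  # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
  # NOTE(review): this is DST Root CA X3, which expired in September 2021 — confirm the
  # import still needs it, or whether the chain.pem appended below is sufficient on its own.
  cat > "${CATEMPFILE}" <<'_EOF'
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
_EOF

  echo "Using openssl to prepare certificate..."
  cat "${LIVEDIR}/chain.pem" >> "${CATEMPFILE}"
  # Build the PKCS12 bundle before touching the running controller, so a
  # broken input leaves the service up and the keystore untouched.
  if ! openssl pkcs12 -export -passout "pass:${KEYSTORE_PASS}" \
      -in "${LIVEDIR}/cert.pem" \
      -inkey "${LIVEDIR}/privkey.pem" \
      -out "${TEMPFILE}" -name unifi \
      -CAfile "${CATEMPFILE}" -caname root; then
    echo "Error: openssl failed to build the PKCS12 bundle; controller not modified." >&2
    exit 1
  fi

  echo "Stopping Unifi controller..."
  service unifi stop
  echo "Removing existing certificate from Unifi protected keystore..."
  # A missing "unifi" alias (e.g. first run) makes keytool return non-zero;
  # that is expected and deliberately not treated as fatal.
  keytool -delete -alias unifi -keystore "${UNIFI_KEYSTORE}" \
    -deststorepass "${KEYSTORE_PASS}"
  echo "Inserting certificate into Unifi keystore..."
  import_rc=0
  if keytool -trustcacerts -importkeystore \
      -deststorepass "${KEYSTORE_PASS}" \
      -destkeypass "${KEYSTORE_PASS}" \
      -destkeystore "${UNIFI_KEYSTORE}" \
      -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
      -srcstorepass "${KEYSTORE_PASS}" \
      -alias unifi; then
    # Record the fingerprint only after a successful import, so a failed run is
    # retried next time instead of being reported as "Cert has not changed".
    md5sum "${LIVEDIR}/cert.pem" > "${LIVEDIR}/cert.pem.md5"
  else
    echo "Error: keytool import failed; the controller is being restarted with its previous keystore contents." >&2
    import_rc=1
  fi

  echo "Starting Unifi controller..."
  service unifi start
  if (( import_rc == 0 )); then
    echo "Done!"
  fi
  exit "${import_rc}"
fi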