  1. #!/usr/bin/env bash
  2. # Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
  3. # Modified by: Brielle Bruns <bruns@2mbit.com>
  4. # Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
  5. # Version: 1.6
  6. # Last Changed: 05/29/2018
  7. # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
  8. # 02/27/2016: More verbose progress report
  9. # 03/08/2016: Add renew option, reformat code, command line options
  10. # 03/24/2016: More sanity checking, embedding cert
  11. # 10/23/2017: Apparently don't need the ace.jar parts, so disable them
  12. # 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth
  13. # 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
  14. # Location of LetsEncrypt binary we use. Leave unset if you want to let it find automatically
  15. #LEBINARY="/usr/src/letsencrypt/certbot-auto"
  16. PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
#######################################
# Print the command-line synopsis and option list to stdout.
# Globals:   $0 (read) - script name shown in the synopsis
# Arguments: none
# Outputs:   five lines of help text
# Returns:   0
#######################################
usage() {
  printf '%s\n' \
    "Usage: $0 -d <domain> [-e <email>] [-r] [-i]" \
    " -d <domain>: The domain name to use." \
    " -e <email>: Email address to use for certificate." \
    " -r: Renew domain." \
    " -i: Insert only, use to force insertion of certificate."
}
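# Parse the command line. -d may be repeated; every value is collected in the
# domains array and the first one becomes MAINDOMAIN further down.
domains=()
while getopts "hird:e:" opt; do
  case "$opt" in
    i) onlyinsert="yes";;
    r) renew="yes";;
    d) domains+=("$OPTARG");;
    e) email="$OPTARG";;
    h) usage
       exit;;
    # getopts has already reported an unknown option or a missing argument on
    # stderr; previously the loop silently carried on, so stop here instead of
    # running certbot with a half-parsed command line.
    \?) usage
        exit 1;;
  esac
done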
# Well-known install locations of certbot / letsencrypt, probed in this order
# when LEBINARY was not pinned above. Kept as one whitespace-separated string
# that is word-split by the loop below.
DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot
/usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
/usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
/usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto
/usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto
/usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto"
# Only probe when LEBINARY is unset; an explicit value (even an empty one) wins.
if [[ -z ${LEBINARY+set} ]]; then
  # shellcheck disable=SC2086 -- word-splitting the candidate list is intended
  for candidate in ${DEFAULTLEBINARY}; do
    [[ -x ${candidate} ]] || continue
    LEBINARY=${candidate}
    echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
    break
  done
fi
  49. # Command line options depending on New or Renew.
  50. NEWCERT="--renew-by-default certonly"
  51. RENEWCERT="-n renew"
  52. # Check for required binaries
  53. if [[ ! -x ${LEBINARY} ]]; then
  54. echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
  55. echo "You'll need to do one of the following:"
  56. echo "1) Change LEBINARY variable in this script"
  57. echo "2) Install LE manually or via your package manager and do #1"
  58. echo "3) Use the included get-letsencrypt.sh script to install it"
  59. exit 1
  60. fi
  61. if [[ ! -x $( which keytool ) ]]; then
  62. echo "Error: Java keytool binary not found."
  63. exit 1
  64. fi
  65. if [[ ! -x $( which openssl ) ]]; then
  66. echo "Error: OpenSSL binary not found."
  67. exit 1
  68. fi
# Turn a bare address into the certbot flag; an unset or empty -e collapses to "".
email=${email:+--email ${email}}
# Drop the parsed options so only non-option arguments remain in "$@".
shift $((OPTIND - 1))
# Build the repeated "-d <domain>" fragment for certbot. DOMAINS stays a plain
# string because it is word-split into the certbot command line later on.
for domain in "${domains[@]}"; do
  printf -v DOMAINS '%s -d %s ' "${DOMAINS}" "${domain}"
done
# The first -d value names the directory under /etc/letsencrypt/live/ used below.
MAINDOMAIN=${domains[0]}
if [[ -z ${MAINDOMAIN} ]]; then
  echo "Error: At least one -d argument is required"
  usage
  exit 1
fi
# Assemble the certbot arguments: a renew needs nothing else, a new request
# carries the contact email, the domain list and the certonly action.
case ${renew} in
  yes) LEOPTIONS="${RENEWCERT}" ;;
  *)   LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}" ;;
esac
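# Request or renew the certificate unless -i asked for insertion only.
if [[ ${onlyinsert} != "yes" ]]; then
  echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
  # NOTE(review): the acme-v01 directory and the tls-sni challenge have since been
  # retired by Let's Encrypt (the header above already records tls-sni-01 being
  # disabled); confirm this invocation still works against the current endpoint.
  # shellcheck disable=SC2086 -- LEOPTIONS is deliberately a word-split string
  if ! ${LEBINARY} --server https://acme-v01.api.letsencrypt.org/directory \
      --agree-tos --standalone --preferred-challenges tls-sni ${LEOPTIONS}; then
    # Previously a failed run fell through to the keystore update; stop here so a
    # stale or missing cert is never pushed into the controller.
    echo "Error: certificate request failed, controller left untouched." >&2
    exit 1
  fi
fi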
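# Skip the controller update when the issued cert is byte-identical to the one
# recorded at the last successful import (-i forces the update regardless).
if [[ ${onlyinsert} != "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then
  echo "Cert has not changed, not updating controller."
  exit 0
else
  echo "Cert has changed or -i option was used, updating controller..."
  LIVEDIR="/etc/letsencrypt/live/${MAINDOMAIN}"
  TEMPFILE=$(mktemp) || exit 1
  CATEMPFILE=$(mktemp) || exit 1
  # TEMPFILE will hold a PKCS12 bundle containing the private key; remove both
  # scratch files on every exit path, not only after a successful import.
  trap 'rm -f -- "${TEMPFILE}" "${CATEMPFILE}"' EXIT
  # Identrust cross-signed CA cert needed by the java keystore for import.
  # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
  # NOTE(review): this is DST Root CA X3, which reached the end of its validity
  # period in 2021; confirm keytool still needs it and that it is still the
  # right root for the chain certbot writes.
  cat > "${CATEMPFILE}" <<'_EOF'
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
_EOF
  echo "Using openssl to prepare certificate..."
  cat "${LIVEDIR}/chain.pem" >> "${CATEMPFILE}"
  # The store password is the UniFi controller's built-in default; the controller
  # expects it, so the script has no choice of its own here.
  if ! openssl pkcs12 -export -passout pass:aircontrolenterprise \
      -in "${LIVEDIR}/cert.pem" \
      -inkey "${LIVEDIR}/privkey.pem" \
      -out "${TEMPFILE}" -name unifi \
      -CAfile "${CATEMPFILE}" -caname root; then
    # Bail out before the controller is stopped and its current cert deleted.
    echo "Error: openssl pkcs12 export failed, controller left untouched." >&2
    exit 1
  fi
  echo "Stopping Unifi controller..."
  service unifi stop
  echo "Removing existing certificate from Unifi protected keystore..."
  keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
    -deststorepass aircontrolenterprise
  echo "Inserting certificate into Unifi keystore..."
  if ! keytool -trustcacerts -importkeystore \
      -deststorepass aircontrolenterprise \
      -destkeypass aircontrolenterprise \
      -destkeystore /usr/lib/unifi/data/keystore \
      -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
      -srcstorepass aircontrolenterprise \
      -alias unifi; then
    # The old alias is already gone; bring the controller back up anyway and
    # report failure so the caller knows the cert was not installed.
    echo "Error: keytool import failed, the unifi alias may now be missing from the keystore." >&2
    service unifi start
    exit 1
  fi
  # Record the installed cert's checksum only after the import succeeded;
  # writing it earlier meant a failed import was never retried on the next run.
  md5sum "${LIVEDIR}/cert.pem" > "${LIVEDIR}/cert.pem.md5"
  echo "Starting Unifi controller..."
  service unifi start
  echo "Done!"
fi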