Heavily change how unifi script works

master
Brie Bruns 2016-03-08 12:04:03 -07:00
parent c5923ff322
commit 452ecb27b3
1 changed files with 68 additions and 39 deletions


@ -5,38 +5,66 @@
# Last Changed: 2/27/2016 # Last Changed: 2/27/2016
# 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
# 02/27/2016: More verbose progress report # 02/27/2016: More verbose progress report
# 03/08/2016: Add renew option, reformat code, command line options
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# The main domain name of your controller while getopts "rd:e:" opt; do
DOMAIN="unifi.xxxx.xxxxx" case $opt in
r) renew="yes";;
# Your e-mail address for notifications of certificate issues d) domains+=("$OPTARG");;
EMAIL="email@here" e) email=("$OPTARG");;
esac
done
# Identrust cross-signed CA cert needed by the java keystore for import. # Identrust cross-signed CA cert needed by the java keystore for import.
# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
EXTRACERT="/root/DSTROOTCAX3.txt" EXTRACERT="/root/DSTROOTCAX3.txt"
TEMPFILE=$(mktemp) NEWCERT="--renew-by-default certonly"
RENEWCERT="-n renew"
if [[ ! -z ${email} ]]; then
email="--email ${email}"
else
email=""
fi
shift $((OPTIND -1))
for val in "${domains[@]}"; do
DOMAINS="${DOMAINS} -d ${val} "
done
if ( $renew == "yes" ) {
LEOPTIONS=${RENEWCERT}
else
LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
fi
echo "Stopping Unifi controller..."
service unifi stop
echo "Firing up standalone authenticator on TCP port 443 and requesting cert..." echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
/usr/src/letsencrypt/letsencrypt-auto \ /usr/src/letsencrypt/letsencrypt-auto \
--email ${EMAIL} \
--server https://acme-v01.api.letsencrypt.org/directory \ --server https://acme-v01.api.letsencrypt.org/directory \
--agree-tos \ --agree-tos \
--renew-by-default \
-d ${DOMAIN} \
--standalone --standalone-supported-challenges tls-sni-01 \ --standalone --standalone-supported-challenges tls-sni-01 \
certonly ${LEOPTIONS}
if `md5sum -c /etc/letsencrypt/live/${DOMAIN}/cert.pem.md5 %>/dev/null`; then
echo "Cert has not changed, not updating controller."
exit 0
else
TEMPFILE=$(mktemp)
echo "Cert has changed, updating controller..."
md5sum /etc/letsencrypt/live/${DOMAIN}/cert.pem > /etc/letsencrypt/live/${DOMAIN}/cert.pem.md5
echo "Using openssl to prepare certificate..." echo "Using openssl to prepare certificate..."
openssl pkcs12 -export -passout pass:aircontrolenterprise \ openssl pkcs12 -export -passout pass:aircontrolenterprise \
-in /etc/letsencrypt/live/${DOMAIN}/cert.pem \ -in /etc/letsencrypt/live/${DOMAIN}/cert.pem \
-inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem \ -inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem \
-out ${TEMPFILE} -name unifi \ -out ${TEMPFILE} -name unifi \
-CAfile /etc/letsencrypt/live/${DOMAIN}/chain.pem -caname root -CAfile /etc/letsencrypt/live/${DOMAIN}/chain.pem -caname root
echo "Stopping Unifi controller..."
service unifi stop
echo "Removing existing certificate from Unifi protected keystore..." echo "Removing existing certificate from Unifi protected keystore..."
keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \ keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
-deststorepass aircontrolenterprise -deststorepass aircontrolenterprise
@ -57,3 +85,4 @@ java -jar /usr/lib/unifi/lib/ace.jar import_cert \
echo "Starting Unifi controller..." echo "Starting Unifi controller..."
service unifi start service unifi start
echo "Done!" echo "Done!"
fi
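Review bot: `if ( $renew == "yes" ) {` on the new side is not bash syntax — `( … )` runs `$renew` as a command in a subshell and the `{` opens a group that the following `else` never closes — so the script fails to parse and the new `-r` renew mode never works; it should be `if [[ "${renew}" == "yes" ]]; then`. The rewrite also replaced `DOMAIN` with the `domains` array but every later stage (the `.md5` check, the pkcs12 `-in`/`-inkey`/`-CAfile` paths) still expands `${DOMAIN}`, which is now never assigned, so those paths collapse to `/etc/letsencrypt/live//…` and the keystore update would run against a failed export; set `DOMAIN="${domains[0]}"` after option parsing and refuse to run when no `-d` was given. Because `service unifi stop` now runs before the certificate request, the "Cert has not changed" branch exits 0 with the controller still down — it needs a `service unifi start` before `exit 0`. Separately, the md5 check has `%>/dev/null` (a stray `%` argument that makes `md5sum` always fail, so the "unchanged" branch is unreachable) and executes the substitution's output as a command via backticks; test the exit status directly instead. The change does not introduce the hard-coded keystore password or the unremoved PKCS#12 temp file holding the private key, but a `trap 'rm -f -- "${TEMPFILE}"' EXIT` would be worth adding while here.

```shell
# … unchanged: getopts loop, EXTRACERT, NEWCERT/RENEWCERT, email handling …
shift $((OPTIND - 1))
# Later stages still read ${DOMAIN}; the first -d value names the controller.
DOMAIN="${domains[0]:-}"
if [[ -z "${DOMAIN}" ]]; then
  echo "usage: $0 [-r] -d domain [-d domain ...] [-e email]" >&2
  exit 1
fi
for val in "${domains[@]}"; do
  DOMAINS="${DOMAINS} -d ${val} "
done
if [[ "${renew}" == "yes" ]]; then
  LEOPTIONS="${RENEWCERT}"
else
  LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
fi
# … unchanged: service unifi stop, letsencrypt-auto invocation …
if md5sum -c "/etc/letsencrypt/live/${DOMAIN}/cert.pem.md5" >/dev/null 2>&1; then
  echo "Cert has not changed, not updating controller."
  # The controller was stopped before the ACME request; bring it back before bailing out.
  echo "Starting Unifi controller..."
  service unifi start
  exit 0
else
  TEMPFILE=$(mktemp)
  # The PKCS#12 bundle contains the private key; never leave it behind in /tmp.
  trap 'rm -f -- "${TEMPFILE}"' EXIT
# … unchanged: md5 update, pkcs12 export, keystore update, service unifi start …
```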