
Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests

master
Brielle Bruns 10 months ago
parent
commit
e315444de9
1 changed files with 100 additions and 79 deletions
  1. 100
    79
      gen-unifi-cert.sh

+ 100
- 79
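--- a/gen-unifi-cert.sh
+++ b/gen-unifi-cert.sh
@@ -2,67 +2,85 @@
 # Modified script from here: https://github.com/FarsetLabs/letsencrypt-helper-scripts/blob/master/letsencrypt-unifi.sh
 # Modified by: Brielle Bruns <bruns@2mbit.com>
 # Download URL: https://source.sosdg.org/brielle/lets-encrypt-scripts
-# Version: 1.5
-# Last Changed: 02/04/2018
+# Version: 1.6
+# Last Changed: 05/29/2018
 # 02/02/2016: Fixed some errors with key export/import, removed lame docker requirements
 # 02/27/2016: More verbose progress report
 # 03/08/2016: Add renew option, reformat code, command line options
 # 03/24/2016: More sanity checking, embedding cert
 # 10/23/2017: Apparently don't need the ace.jar parts, so disable them
 # 02/04/2018: LE disabled tls-sni-01, so switch to just tls-sni, as certbot 0.22 and later automatically fall back to http/80 for auth
+# 05/29/2018: Integrate patch from Donald Webster <fryfrog[at]gmail.com> to cleanup and improve tests
+
+# Location of LetsEncrypt binary we use.  Leave unset if you want to let it find automatically
+#LEBINARY="/usr/src/letsencrypt/certbot-auto"
 
 PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
-while getopts "ird:e:" opt; do
-    case $opt in
+function usage() {
+  echo "Usage: $0 -d <domain> [-e <email>] [-r] [-i]"
+  echo "  -d <domain>: The domain name to use."
+  echo "  -e <email>: Email address to use for certificate."
+  echo "  -r: Renew domain."
+  echo "  -i: Insert only, use to force insertion of certificate."
+}
+
+while getopts "hird:e:" opt; do
+  case $opt in
     i) onlyinsert="yes";;
     r) renew="yes";;
     d) domains+=("$OPTARG");;
-    e) email=("$OPTARG");;
-    esac
+    e) email="$OPTARG";;
+    h) usage
+       exit;;
+  esac
 done
 
-
-
-# Location of LetsEncrypt binary we use.  Leave unset if you want to let it find automatically
-#LEBINARY="/usr/src/letsencrypt/certbot-auto"
-
 DEFAULTLEBINARY="/usr/bin/certbot /usr/bin/letsencrypt /usr/sbin/certbot
-	/usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
-	/usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
-	/usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto
-	/usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto
-	/usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto"
+  /usr/sbin/letsencrypt /usr/local/bin/certbot /usr/local/sbin/certbot
+  /usr/local/bin/letsencrypt /usr/local/sbin/letsencrypt
+  /usr/src/letsencrypt/certbot-auto /usr/src/letsencrypt/letsencrypt-auto
+  /usr/src/certbot/certbot-auto /usr/src/certbot/letsencrypt-auto
+  /usr/src/certbot-master/certbot-auto /usr/src/certbot-master/letsencrypt-auto"
 
 if [[ ! -v LEBINARY ]]; then
-	for i in ${DEFAULTLEBINARY}; do
-		if [[ -x ${i} ]]; then
-			LEBINARY=${i}
-			echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
-			break
-		fi
-	done
+  for i in ${DEFAULTLEBINARY}; do
+    if [[ -x ${i} ]]; then
+      LEBINARY=${i}
+      echo "Found LetsEncrypt/Certbot binary at ${LEBINARY}"
+      break
+    fi
+  done
 fi
-		
 
 # Command line options depending on New or Renew.
 NEWCERT="--renew-by-default certonly"
 RENEWCERT="-n renew"
 
+# Check for required binaries
 if [[ ! -x ${LEBINARY} ]]; then
-	echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
-	echo "You'll need to do one of the following:"
-	echo "1) Change LEBINARY variable in this script"
-	echo "2) Install LE manually or via your package manager and do #1"
-	echo "3) Use the included get-letsencrypt.sh script to install it"
-	exit 1
+  echo "Error: LetsEncrypt binary not found in ${LEBINARY} !"
+  echo "You'll need to do one of the following:"
+  echo "1) Change LEBINARY variable in this script"
+  echo "2) Install LE manually or via your package manager and do #1"
+  echo "3) Use the included get-letsencrypt.sh script to install it"
+  exit 1
+fi
+
+if [[ ! -x $( which keytool ) ]]; then
+  echo "Error: Java keytool binary not found."
+  exit 1
 fi
 
+if [[ ! -x $( which openssl ) ]]; then
+  echo "Error: OpenSSL binary not found."
+  exit 1
+fi
 
 if [[ ! -z ${email} ]]; then
-	email="--email ${email}"
+  email="--email ${email}"
 else
-	email=""
+  email=""
 fi
 
 shift $((OPTIND -1))
@@ -73,35 +91,34 @@ done
 MAINDOMAIN=${domains[0]}
 
 if [[ -z ${MAINDOMAIN} ]]; then
-	echo "Error: At least one -d argument is required"
-	exit 1
+  echo "Error: At least one -d argument is required"
+  usage
+  exit 1
 fi
 
 if [[ ${renew} == "yes" ]]; then
-	LEOPTIONS=${RENEWCERT}
+  LEOPTIONS="${RENEWCERT}"
 else
-	LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
+  LEOPTIONS="${email} ${DOMAINS} ${NEWCERT}"
 fi
 
 if [[ ${onlyinsert} != "yes" ]]; then
-	echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
-	${LEBINARY} \
-		--server https://acme-v01.api.letsencrypt.org/directory \
-    	--agree-tos \
-		--standalone --preferred-challenges tls-sni \
-    	${LEOPTIONS}
-fi    
-
-if `md5sum -c /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 &>/dev/null`; then
-	echo "Cert has not changed, not updating controller."
-	exit 0
+  echo "Firing up standalone authenticator on TCP port 443 and requesting cert..."
+  ${LEBINARY} --server https://acme-v01.api.letsencrypt.org/directory \
+              --agree-tos --standalone --preferred-challenges tls-sni ${LEOPTIONS}
+fi
+
+if [[ ${onlyinsert} != "yes" ]] && md5sum -c "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5" &>/dev/null; then
+  echo "Cert has not changed, not updating controller."
+  exit 0
 else
-	TEMPFILE=$(mktemp)
-	CATEMPFILE=$(mktemp)
+  echo "Cert has changed or -i option was used, updating controller..."
+  TEMPFILE=$(mktemp)
+  CATEMPFILE=$(mktemp)
 
-	# Identrust cross-signed CA cert needed by the java keystore for import.
-	# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
-	cat > "${CATEMPFILE}" <<'_EOF'
+  # Identrust cross-signed CA cert needed by the java keystore for import.
+  # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
+  cat > "${CATEMPFILE}" <<'_EOF'
 -----BEGIN CERTIFICATE-----
 MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
 MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
@@ -124,30 +141,34 @@ Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
 -----END CERTIFICATE-----
 _EOF
 
-	echo "Cert has changed, updating controller..."
-	md5sum /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem > /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5 
-	echo "Using openssl to prepare certificate..."
-	cat /etc/letsencrypt/live/${MAINDOMAIN}/chain.pem >> "${CATEMPFILE}"
-	openssl pkcs12 -export  -passout pass:aircontrolenterprise \
-    	-in /etc/letsencrypt/live/${MAINDOMAIN}/cert.pem \
-    	-inkey /etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem \
-    	-out "${TEMPFILE}" -name unifi \
-    	-CAfile "${CATEMPFILE}" -caname root
-	echo "Stopping Unifi controller..."
-	service unifi stop
-	echo "Removing existing certificate from Unifi protected keystore..."
-	keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
-		-deststorepass aircontrolenterprise
-	echo "Inserting certificate into Unifi keystore..."
-	keytool -trustcacerts -importkeystore \
-		-deststorepass aircontrolenterprise \
-		-destkeypass aircontrolenterprise \
-    	-destkeystore /usr/lib/unifi/data/keystore \
-    	-srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
-    	-srcstorepass aircontrolenterprise \
-    	-alias unifi
-	rm -f "${TEMPFILE}" "${CATEMPFILE}"
-	echo "Starting Unifi controller..."
-	service unifi start
-	echo "Done!"
-fi
+  md5sum "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" > "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem.md5"
+  echo "Using openssl to prepare certificate..."
+  cat "/etc/letsencrypt/live/${MAINDOMAIN}/chain.pem" >> "${CATEMPFILE}"
+  openssl pkcs12 -export  -passout pass:aircontrolenterprise \
+          -in "/etc/letsencrypt/live/${MAINDOMAIN}/cert.pem" \
+          -inkey "/etc/letsencrypt/live/${MAINDOMAIN}/privkey.pem" \
+          -out "${TEMPFILE}" -name unifi \
+          -CAfile "${CATEMPFILE}" -caname root
+
+  echo "Stopping Unifi controller..."
+  service unifi stop
+
+  echo "Removing existing certificate from Unifi protected keystore..."
+  keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore \
+          -deststorepass aircontrolenterprise
+
+  echo "Inserting certificate into Unifi keystore..."
+  keytool -trustcacerts -importkeystore \
+          -deststorepass aircontrolenterprise \
+          -destkeypass aircontrolenterprise \
+          -destkeystore /usr/lib/unifi/data/keystore \
+          -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
+          -srcstorepass aircontrolenterprise \
+          -alias unifi
+  rm -f "${TEMPFILE}" "${CATEMPFILE}"
+
+  echo "Starting Unifi controller..."
+  service unifi start
+
+  echo "Done!"
+fi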
