#!/bin/bash
# unifi_cert.sh — obtain (or renew) a Let's Encrypt certificate for DOMAIN with
# certbot, repackage it as PKCS12, import it into the UniFi controller's Java
# keystore and restart the unifi service. It expects elevated privileges (it
# writes under /usr/bin and /usr/lib/unifi/data and restarts a service).
# Tool output is appended to /var/log/unifi-certbot.log; only short status
# messages reach the console.
# Adjust these variables to what you require
DOMAIN="example.com"
EMAIL="example@example.com"
# These shouldn't need to be changed
# LEP: certbot's live-certificate directory; cert.pem, privkey.pem and
#      chain.pem are read from ${LEP}/${DOMAIN}
LEP="/etc/letsencrypt/live"
# UEP: UniFi data directory that holds the Java keystore the controller uses
UEP="/usr/lib/unifi/data"
# JKSP: password used for both the PKCS12 export and the keystore import.
#       NOTE(review): hard-coded; presumably the value the controller expects
#       for its keystore — confirm before changing it.
JKSP="aircontrolenterprise"
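#######################################
# Spit out messages to the console: one argument per line on stdout.
# Arguments: any number of messages
# Outputs:   each message on its own line
# Returns:   0
#######################################
bagthis() {
  # Nothing to print for an empty call (printf '%s\n' with no
  # arguments would still emit one blank line)
  (( $# )) || return 0
  # printf rather than echo: a message beginning with -n/-e would
  # otherwise be swallowed as an echo option
  printf '%s\n' "$@"
}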
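# All tool output below is appended to this log; the console only sees the
# short bagthis summaries
LOG="/var/log/unifi-certbot.log"

# Create a new header line in the log file for this run
printf '\n------- %s ------\n' "$(date)" >> "${LOG}"

# Determine if certbot exists. Note the redirect: the original wrote
# '2>&1 /dev/null', which handed /dev/null to certbot as an argument instead
# of discarding the output.
if ! certbot --version >/dev/null 2>&1; then
  echo "Certbot Not Found... Installing certbot from eff.org" >> "${LOG}"
  # NOTE(review): the download is installed as /usr/bin/certbot without any
  # verification; confirm that the eff.org certbot-auto script is still the
  # intended way to install certbot on this host.
  # Save under the name the mv below expects: the original saved the file as
  # 'certbot' and then tried to move 'certbot-auto', which did not exist.
  if ! wget -O certbot-auto https://dl.eff.org/certbot-auto >> "${LOG}" 2>&1; then
    bagthis "Unable to wget certbot-auto from eff.org" "Please check ${LOG} for more information"
    exit 1
  fi
  # In the original these two commands sat after 'exit 1' inside the wget
  # failure branch, so they could never run.
  mv certbot-auto /usr/bin/certbot >> "${LOG}" 2>&1
  chmod +x /usr/bin/certbot >> "${LOG}" 2>&1
  # Verify certbot is now working
  if ! certbot --version >> "${LOG}" 2>&1; then
    echo "Unable to run the certbot command. Exiting..." >> "${LOG}"
    bagthis "Unable to run the certbot command." "Exiting..."
    exit 1
  fi
fi

# Determine if a Let's Encrypt certificate already exists or not.
# If not, create one; if so, renew. The status is captured right away
# rather than read from $? after the 'fi'.
rv=0
if [[ ! -d "${LEP}/${DOMAIN}" ]]; then
  certbot certonly -m "${EMAIL}" -d "${DOMAIN}" --agree-tos --standalone >> "${LOG}" 2>&1 || rv=$?
else
  certbot renew >> "${LOG}" 2>&1 || rv=$?
fi
# If the certbot process fails, print an error alert to the console
if (( rv != 0 )); then
  bagthis "Error running certbot" "Please check ${LOG} for details"
  exit 1
fi

# Now we mash the Let's Encrypt x509, key, and CA into a PKCS12.
# The password reaches openssl and keytool through the environment (env:JKSP)
# instead of the command line, where 'pass:...' is visible to every local user
# via ps. The subshell umask keeps the .p12, which contains the private key,
# from being created world-readable.
export JKSP
if ! (
  umask 077
  openssl pkcs12 -export -in "${LEP}/${DOMAIN}/cert.pem" -inkey "${LEP}/${DOMAIN}/privkey.pem" \
    -out "${LEP}/${DOMAIN}/unifi.p12" -name unifi -CAfile "${LEP}/${DOMAIN}/chain.pem" \
    -caname root -passout env:JKSP
) >> "${LOG}" 2>&1; then
  # The original pointed users at a non-existent "unifi-chatbot.log"
  bagthis "Error generating PKCS12" "Please check ${LOG} for details"
  exit 1
fi

# Build the new Java KeyStore next to the live one first, so that a keytool
# failure leaves the controller's current keystore untouched (the original
# moved the live keystore away before running keytool). Any stale partial
# file from an earlier run is discarded so keytool starts from an empty store.
NEW_KS="${UEP}/keystore.new"
rm -f -- "${NEW_KS}"
if ! keytool -importkeystore -deststorepass:env JKSP -destkeypass:env JKSP \
    -destkeystore "${NEW_KS}" -srckeystore "${LEP}/${DOMAIN}/unifi.p12" \
    -srcstoretype PKCS12 -srcstorepass:env JKSP -alias unifi >> "${LOG}" 2>&1; then
  bagthis "Error creating Java Key Store" "Please check ${LOG} for details"
  exit 1
fi

# Let's backup the existing Java Keystore just in case the new one is broken.
# The backup name carries the time as well as the date so a second run on the
# same day does not overwrite the first backup.
if [[ -f "${UEP}/keystore" ]]; then
  mv -- "${UEP}/keystore" "${UEP}/keystore.$(date +%m%d%y-%H%M%S)"
fi
# Time to put the new JKS in place!
# NOTE(review): as in the original, the new keystore is owned by the user
# running this script; confirm the unifi service can read it.
mv -- "${NEW_KS}" "${UEP}/keystore"

# We got this far, so all of the above must have gone swell! Restart the unifi
# service to get the new cert in place; a failed restart is now reported
# instead of being announced as a success.
if ! service unifi restart >> "${LOG}" 2>&1; then
  bagthis "Error restarting the unifi service" "Please check ${LOG} for details"
  exit 1
fi
echo "Let's Encrypt certificate is in place and the UniFi service has been restarted"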