#!/bin/bash
# Copyright (c) 2018-2020 Allen Wild
# SPDX-License-Identifier: MIT
#
# based on https://github.com/stevejenkins/unifi-linux-utils/blob/master/unifi_ssl_import.sh
# and https://source.sosdg.org/brielle/lets-encrypt-scripts
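# Abort on the first failing command, on any unset variable, and on a
# failing stage inside a pipeline, so a half-finished import never goes
# unnoticed (the keystore is replaced below; silent partial failure is the
# worst outcome).
set -euo pipefail

# Controller install root. Overridable from the environment for layouts
# other than the Debian package default.
UNIFI_DIR=${UNIFI_DIR:-/usr/lib/unifi}
KEYSTORE=$UNIFI_DIR/data/keystore

# Root CA handed to openssl (-CAfile) and to ace.sh import_cert. The
# DST Root CA X3 line is kept only as a reference for older chains.
ROOT_CA=${ROOT_CA:-/etc/ssl/certs/ISRG_Root_X1.pem}
#ROOT_CA=/etc/ssl/certs/DST_Root_CA_X3.pem

# UniFi's well-known default keystore password (every stock install uses it,
# so it is not a secret in practice). Allow an override so a hardened install
# with a changed keystore password does not have to edit the script.
PASSWORD=${UNIFI_KEYSTORE_PASSWORD:-aircontrolenterprise}

# Bold/reset escapes for msg(), only when stdout is a terminal so that
# logs captured by cron or a pipe stay free of control characters.
if [[ -t 1 ]]; then
  BLD=$'\033[1;37m'
  NC=$'\033[0m'
else
  BLD=
  NC=
fi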
# Print a highlighted status line to stdout.
# Arguments: the message words (joined with a single space).
# Backslash escapes in the message are honoured, like `echo -e`, because
# the final "Done" message relies on a leading \n.
msg() {
  local text="${BLD}${*}${NC}"
  printf '%b\n' "$text"
}
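# Echo a command line, then run it, propagating its exit status.
# Arguments: the command and its arguments, run exactly as given.
# The echoed copy masks password-bearing arguments (openssl `pass:...`
# values and the argument following keytool's *storepass/*keypass options)
# so a non-default keystore password does not end up in terminal scrollback
# or cron mail. The command itself still receives the original arguments.
vrun() {
  local -a shown=()
  local hide_next=0 arg
  for arg in "$@"; do
    if (( hide_next )); then
      shown+=('***')
      hide_next=0
    elif [[ "$arg" == pass:* ]]; then
      shown+=('pass:***')
    else
      shown+=("$arg")
      case "$arg" in
        -storepass|-keypass|-srcstorepass|-deststorepass|-srckeypass|-destkeypass)
          hide_next=1 ;;
      esac
    fi
  done
  echo "+ ${shown[*]}"
  "$@"
}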
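# Inputs are read from the current directory in certbot layout: cert.pem
# (leaf), privkey.pem and chain.pem (intermediates). Check them, and the root
# CA, up front so a typo fails here rather than half-way through, after the
# keystore has already been touched.
for f in cert.pem privkey.pem chain.pem; do
  if [[ ! -r "$f" ]]; then
    echo "error: $f is missing or unreadable in $PWD" >&2
    exit 1
  fi
done
if [[ ! -r "$ROOT_CA" ]]; then
  echo "error: root CA $ROOT_CA is missing or unreadable" >&2
  exit 1
fi

# The PKCS12 bundle contains the private key. mktemp creates it mode 0600
# and the trap removes it on every exit path (success, set -e abort, signal).
pkcstmp=$(mktemp)
trap 'rm -f -- "$pkcstmp"' EXIT

msg "Creating temporary PKCS12 cert"
# The keystore password is passed via the environment (env:) rather than on
# the command line, so it is not visible to every local user through ps.
# NOTE(review): without -chain, -CAfile/-caname do not add intermediates to
# the bundle, so only the leaf lands in the keystore here; that is most
# likely why the ace.sh import_cert step below is still required.
export PASSWORD
vrun openssl pkcs12 -export -passout env:PASSWORD \
  -in cert.pem -inkey privkey.pem \
  -out "$pkcstmp" -name unifi \
  -CAfile "$ROOT_CA" -caname root

msg "Backing up existing keystore"
vrun cp -- "$KEYSTORE" "${KEYSTORE}.bak.$(date "+%Y%m%d%H%M%S")"

msg "Removing existing cert from Unifi keystore"
# Best effort on purpose: a fresh keystore has no 'unifi' alias to delete.
# keytool reads the password from $PASSWORD via the :env modifier.
vrun keytool -delete -alias unifi -keystore "$KEYSTORE" \
  -storepass:env PASSWORD || true

msg "Importing new cert into Unifi keystore"
vrun keytool -trustcacerts -importkeystore \
  -deststorepass:env PASSWORD -destkeypass:env PASSWORD \
  -destkeystore "$KEYSTORE" -srckeystore "$pkcstmp" \
  -srcstoretype PKCS12 -srcstorepass:env PASSWORD \
  -alias unifi

# Without this step Firefox is happy but curl and wget are not, which is the
# classic symptom of a missing intermediate; ace.sh is given the full chain.
msg "Re-importing the key using ace.jar"
certdir=$PWD
pushd "$UNIFI_DIR"
# HACK! The unifi controller v5.9.29 chokes on the totally valid
# certs 'java.lang.IllegalArgumentException: Illegal base64 character a'
# As a workaround, remove newlines and it works. Fortunately it can read
# from pipes.
# See https://community.ubnt.com/t5/UniFi-Routing-Switching/SSL-error-when-importing-SSL-certificates/td-p/2491355
# Print a readable version of the command first; vrun would only show the
# /dev/fd/N paths of the process substitutions.
echo "+ $UNIFI_DIR/bin/ace.sh import_cert" \
  "$certdir/cert.pem $certdir/chain.pem $ROOT_CA"
vrun "$UNIFI_DIR/bin/ace.sh" import_cert \
  <(tr -d '\n' <"$certdir/cert.pem") \
  <(tr -d '\n' <"$certdir/chain.pem") \
  <(tr -d '\n' <"$ROOT_CA")
msg "\nDone! You should restart the UniFi controller now"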