214 lines
8.6 KiB

  1. #!/usr/bin/env sh
  2. # Here is a script to deploy cert on a Unifi Controller or Cloud Key device.
  3. # It supports:
  4. # - self-hosted Unifi Controller
  5. # - Unifi Cloud Key (Gen1/2/2+)
  6. # - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
  7. # Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
  8. #returns 0 means success, otherwise error.
  9. # The deploy-hook automatically detects standard Unifi installations
  10. # for each of the supported environments. Most users should not need
  11. # to set any of these variables, but if you are running a self-hosted
  12. # Controller with custom locations, set these as necessary before running
  13. # the deploy hook. (Defaults shown below.)
  14. #
  15. # Settings for Unifi Controller:
  16. # Location of Java keystore or unifi.keystore.jks file:
  17. #DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
  18. # Keystore password (built into Unifi Controller, not a user-set password):
  19. #DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
  20. # Command to restart Unifi Controller:
  21. #DEPLOY_UNIFI_RELOAD="service unifi restart"
  22. #
  23. # Settings for Unifi Cloud Key Gen1 (nginx admin pages):
  24. # Directory where cloudkey.crt and cloudkey.key live:
  25. #DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
  26. # Command to restart maintenance pages and Controller
  27. # (same setting as above, default is updated when running on Cloud Key Gen1):
  28. #DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
  29. #
  30. # Settings for UnifiOS (Cloud Key Gen2):
  31. # Directory where unifi-core.crt and unifi-core.key live:
  32. #DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
  33. # Command to restart unifi-core:
  34. #DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
  35. #
  36. # At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
  37. # or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.
  38. ######## Public functions #####################
  39. #domain keyfile certfile cafile fullchain
  40. unifi_deploy() {
  41. _cdomain="$1"
  42. _ckey="$2"
  43. _ccert="$3"
  44. _cca="$4"
  45. _cfullchain="$5"
  46. _debug _cdomain "$_cdomain"
  47. _debug _ckey "$_ckey"
  48. _debug _ccert "$_ccert"
  49. _debug _cca "$_cca"
  50. _debug _cfullchain "$_cfullchain"
  51. _getdeployconf DEPLOY_UNIFI_KEYSTORE
  52. _getdeployconf DEPLOY_UNIFI_KEYPASS
  53. _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
  54. _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
  55. _getdeployconf DEPLOY_UNIFI_RELOAD
  56. _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  57. _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  58. _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  59. _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  60. _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
  61. # Space-separated list of environments detected and installed:
  62. _services_updated=""
  63. # Default reload commands accumulated as we auto-detect environments:
  64. _reload_cmd=""
  65. # Unifi Controller environment (self hosted or any Cloud Key) --
  66. # auto-detect by file /usr/lib/unifi/data/keystore:
  67. _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
  68. if [ -f "$_unifi_keystore" ]; then
  69. _info "Installing certificate for Unifi Controller (Java keystore)"
  70. _debug _unifi_keystore "$_unifi_keystore"
  71. if ! _exists keytool; then
  72. _err "keytool not found"
  73. return 1
  74. fi
  75. if [ ! -w "$_unifi_keystore" ]; then
  76. _err "The file $_unifi_keystore is not writable, please change the permission."
  77. return 1
  78. fi
  79. _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"
  80. _debug "Generate import pkcs12"
  81. _import_pkcs12="$(_mktemp)"
  82. _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
  83. # shellcheck disable=SC2181
  84. if [ "$?" != "0" ]; then
  85. _err "Error generating pkcs12. Please re-run with --debug and report a bug."
  86. return 1
  87. fi
  88. _debug "Import into keystore: $_unifi_keystore"
  89. if keytool -importkeystore \
  90. -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
  91. -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
  92. -alias unifi -noprompt; then
  93. _debug "Import keystore success!"
  94. rm "$_import_pkcs12"
  95. else
  96. _err "Error importing into Unifi Java keystore."
  97. _err "Please re-run with --debug and report a bug."
  98. rm "$_import_pkcs12"
  99. return 1
  100. fi
  101. if systemctl -q is-active unifi; then
  102. _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
  103. fi
  104. _services_updated="${_services_updated} unifi"
  105. _info "Install Unifi Controller certificate success!"
  106. elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
  107. _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
  108. return 1
  109. fi
  110. # Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
  111. # auto-detect by file /etc/ssl/private/cloudkey.key:
  112. _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
  113. if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
  114. _info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
  115. _debug _cloudkey_certdir "$_cloudkey_certdir"
  116. if [ ! -w "$_cloudkey_certdir" ]; then
  117. _err "The directory $_cloudkey_certdir is not writable; please check permissions."
  118. return 1
  119. fi
  120. # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
  121. # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
  122. # updated above), but if not, we don't know how to handle this installation:
  123. if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
  124. _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
  125. return 1
  126. fi
  127. cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
  128. cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
  129. (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
  130. if systemctl -q is-active nginx; then
  131. _reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart"
  132. fi
  133. _info "Install Cloud Key Gen1 certificate success!"
  134. _services_updated="${_services_updated} nginx"
  135. elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
  136. _err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
  137. return 1
  138. fi
  139. # UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
  140. _unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
  141. if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
  142. _info "Installing certificate for UnifiOS"
  143. _debug _unifi_core_config "$_unifi_core_config"
  144. if [ ! -w "$_unifi_core_config" ]; then
  145. _err "The directory $_unifi_core_config is not writable; please check permissions."
  146. return 1
  147. fi
  148. cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
  149. cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
  150. if systemctl -q is-active unifi-core; then
  151. _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
  152. fi
  153. _info "Install UnifiOS certificate success!"
  154. _services_updated="${_services_updated} unifi-core"
  155. elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
  156. _err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
  157. return 1
  158. fi
  159. if [ -z "$_services_updated" ]; then
  160. # None of the Unifi environments were auto-detected, so no deployment has occurred
  161. # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
  162. _err "Unable to detect Unifi environment in standard location."
  163. _err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
  164. _err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
  165. _err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
  166. return 1
  167. fi
  168. _reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
  169. if [ -z "$_reload_cmd" ]; then
  170. _err "Certificates were installed for services:${_services_updated},"
  171. _err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
  172. _err "to a command that will restart the necessary services."
  173. return 1
  174. fi
  175. _info "Reload services (this may take some time): $_reload_cmd"
  176. if eval "$_reload_cmd"; then
  177. _info "Reload success!"
  178. else
  179. _err "Reload error"
  180. return 1
  181. fi
  182. # Successful, so save all (non-default) config:
  183. _savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  184. _savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  185. _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  186. _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  187. _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
  188. return 0
  189. }