|
|
@ -1,12 +1,43 @@ |
|
|
|
#!/usr/bin/env sh |
|
|
|
|
|
|
|
#Here is a script to deploy cert to unifi server. |
|
|
|
# Here is a script to deploy cert on a Unifi Controller or Cloud Key device. |
|
|
|
# It supports: |
|
|
|
# - self-hosted Unifi Controller |
|
|
|
# - Unifi Cloud Key (Gen1/2/2+) |
|
|
|
# - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only) |
|
|
|
# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359 |
|
|
|
|
|
|
|
#returns 0 means success, otherwise error. |
|
|
|
|
|
|
|
# The deploy-hook automatically detects standard Unifi installations |
|
|
|
# for each of the supported environments. Most users should not need |
|
|
|
# to set any of these variables, but if you are running a self-hosted |
|
|
|
# Controller with custom locations, set these as necessary before running |
|
|
|
# the deploy hook. (Defaults shown below.) |
|
|
|
# |
|
|
|
# Settings for Unifi Controller: |
|
|
|
# Location of Java keystore or unifi.keystore.jks file: |
|
|
|
#DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore" |
|
|
|
# Keystore password (built into Unifi Controller, not a user-set password): |
|
|
|
#DEPLOY_UNIFI_KEYPASS="aircontrolenterprise" |
|
|
|
# Command to restart Unifi Controller: |
|
|
|
#DEPLOY_UNIFI_RELOAD="service unifi restart" |
|
|
|
# |
|
|
|
# Settings for Unifi Cloud Key Gen1 (nginx admin pages): |
|
|
|
# Directory where cloudkey.crt and cloudkey.key live: |
|
|
|
#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private" |
|
|
|
# Command to restart maintenance pages and Controller |
|
|
|
# (same setting as above, default is updated when running on Cloud Key Gen1): |
|
|
|
#DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart" |
|
|
|
# |
|
|
|
# Settings for UnifiOS (Cloud Key Gen2): |
|
|
|
# Directory where unifi-core.crt and unifi-core.key live: |
|
|
|
#DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/" |
|
|
|
# Command to restart unifi-core: |
|
|
|
#DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core" |
|
|
|
# |
|
|
|
# At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR, |
|
|
|
# or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs. |
|
|
|
|
|
|
|
######## Public functions ##################### |
|
|
|
|
|
|
@ -24,77 +55,160 @@ unifi_deploy() { |
|
|
|
_debug _cca "$_cca" |
|
|
|
_debug _cfullchain "$_cfullchain" |
|
|
|
|
|
|
|
if ! _exists keytool; then |
|
|
|
_err "keytool not found" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
_getdeployconf DEPLOY_UNIFI_KEYSTORE |
|
|
|
_getdeployconf DEPLOY_UNIFI_KEYPASS |
|
|
|
_getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR |
|
|
|
_getdeployconf DEPLOY_UNIFI_CORE_CONFIG |
|
|
|
_getdeployconf DEPLOY_UNIFI_RELOAD |
|
|
|
|
|
|
|
_debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE" |
|
|
|
_debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS" |
|
|
|
_debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" |
|
|
|
_debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG" |
|
|
|
_debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD" |
|
|
|
|
|
|
|
# Space-separated list of environments detected and installed: |
|
|
|
_services_updated="" |
|
|
|
|
|
|
|
DEFAULT_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore" |
|
|
|
_unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-$DEFAULT_UNIFI_KEYSTORE}" |
|
|
|
DEFAULT_UNIFI_KEYPASS="aircontrolenterprise" |
|
|
|
_unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-$DEFAULT_UNIFI_KEYPASS}" |
|
|
|
DEFAULT_UNIFI_RELOAD="service unifi restart" |
|
|
|
_reload="${DEPLOY_UNIFI_RELOAD:-$DEFAULT_UNIFI_RELOAD}" |
|
|
|
# Default reload commands accumulated as we auto-detect environments: |
|
|
|
_reload_cmd="" |
|
|
|
|
|
|
|
# Unifi Controller environment (self hosted or any Cloud Key) -- |
|
|
|
# auto-detect by file /usr/lib/unifi/data/keystore: |
|
|
|
_unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}" |
|
|
|
if [ -f "$_unifi_keystore" ]; then |
|
|
|
_info "Installing certificate for Unifi Controller (Java keystore)" |
|
|
|
_debug _unifi_keystore "$_unifi_keystore" |
|
|
|
if [ ! -f "$_unifi_keystore" ]; then |
|
|
|
if [ -z "$DEPLOY_UNIFI_KEYSTORE" ]; then |
|
|
|
_err "unifi keystore is not found, please define DEPLOY_UNIFI_KEYSTORE" |
|
|
|
return 1 |
|
|
|
else |
|
|
|
_err "It seems that the specified unifi keystore is not valid, please check." |
|
|
|
if ! _exists keytool; then |
|
|
|
_err "keytool not found" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
fi |
|
|
|
if [ ! -w "$_unifi_keystore" ]; then |
|
|
|
_err "The file $_unifi_keystore is not writable, please change the permission." |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
_info "Generate import pkcs12" |
|
|
|
_unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}" |
|
|
|
|
|
|
|
_debug "Generate import pkcs12" |
|
|
|
_import_pkcs12="$(_mktemp)" |
|
|
|
_toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root |
|
|
|
# shellcheck disable=SC2181 |
|
|
|
if [ "$?" != "0" ]; then |
|
|
|
_err "Oops, error creating import pkcs12, please report bug to us." |
|
|
|
_err "Error generating pkcs12. Please re-run with --debug and report a bug." |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
_info "Modify unifi keystore: $_unifi_keystore" |
|
|
|
_debug "Import into keystore: $_unifi_keystore" |
|
|
|
if keytool -importkeystore \ |
|
|
|
-deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \ |
|
|
|
-srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \ |
|
|
|
-alias unifi -noprompt; then |
|
|
|
_info "Import keystore success!" |
|
|
|
_debug "Import keystore success!" |
|
|
|
rm "$_import_pkcs12" |
|
|
|
else |
|
|
|
_err "Import unifi keystore error, please report bug to us." |
|
|
|
_err "Error importing into Unifi Java keystore." |
|
|
|
_err "Please re-run with --debug and report a bug." |
|
|
|
rm "$_import_pkcs12" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
_info "Run reload: $_reload" |
|
|
|
if eval "$_reload"; then |
|
|
|
_info "Reload success!" |
|
|
|
if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then |
|
|
|
_savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE" |
|
|
|
else |
|
|
|
_cleardomainconf DEPLOY_UNIFI_KEYSTORE |
|
|
|
if systemctl -q is-active unifi; then |
|
|
|
_reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart" |
|
|
|
fi |
|
|
|
if [ "$DEPLOY_UNIFI_KEYPASS" ]; then |
|
|
|
_savedomainconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS" |
|
|
|
else |
|
|
|
_cleardomainconf DEPLOY_UNIFI_KEYPASS |
|
|
|
_services_updated="${_services_updated} unifi" |
|
|
|
_info "Install Unifi Controller certificate success!" |
|
|
|
elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then |
|
|
|
_err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check." |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
if [ "$DEPLOY_UNIFI_RELOAD" ]; then |
|
|
|
_savedomainconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD" |
|
|
|
else |
|
|
|
_cleardomainconf DEPLOY_UNIFI_RELOAD |
|
|
|
|
|
|
|
# Cloud Key environment (non-UnifiOS -- nginx serves admin pages) -- |
|
|
|
# auto-detect by file /etc/ssl/private/cloudkey.key: |
|
|
|
_cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}" |
|
|
|
if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then |
|
|
|
_info "Installing certificate for Cloud Key Gen1 (nginx admin pages)" |
|
|
|
_debug _cloudkey_certdir "$_cloudkey_certdir" |
|
|
|
if [ ! -w "$_cloudkey_certdir" ]; then |
|
|
|
_err "The directory $_cloudkey_certdir is not writable; please check permissions." |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
return 0 |
|
|
|
# Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks. |
|
|
|
# Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was |
|
|
|
# updated above), but if not, we don't know how to handle this installation: |
|
|
|
if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then |
|
|
|
_err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt" |
|
|
|
cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key" |
|
|
|
(cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks) |
|
|
|
|
|
|
|
if systemctl -q is-active nginx; then |
|
|
|
_reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart" |
|
|
|
fi |
|
|
|
_info "Install Cloud Key Gen1 certificate success!" |
|
|
|
_services_updated="${_services_updated} nginx" |
|
|
|
elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then |
|
|
|
_err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check." |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
# UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key: |
|
|
|
_unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}" |
|
|
|
if [ -f "${_unifi_core_config}/unifi-core.key" ]; then |
|
|
|
_info "Installing certificate for UnifiOS" |
|
|
|
_debug _unifi_core_config "$_unifi_core_config" |
|
|
|
if [ ! -w "$_unifi_core_config" ]; then |
|
|
|
_err "The directory $_unifi_core_config is not writable; please check permissions." |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt" |
|
|
|
cat "$_ckey" >"${_unifi_core_config}/unifi-core.key" |
|
|
|
|
|
|
|
if systemctl -q is-active unifi-core; then |
|
|
|
_reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core" |
|
|
|
fi |
|
|
|
_info "Install UnifiOS certificate success!" |
|
|
|
_services_updated="${_services_updated} unifi-core" |
|
|
|
elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then |
|
|
|
_err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check." |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
if [ -z "$_services_updated" ]; then |
|
|
|
# None of the Unifi environments were auto-detected, so no deployment has occurred |
|
|
|
# (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set). |
|
|
|
_err "Unable to detect Unifi environment in standard location." |
|
|
|
_err "(This deploy hook must be run on the Unifi device, not a remote machine.)" |
|
|
|
_err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE," |
|
|
|
_err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate." |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
_reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}" |
|
|
|
if [ -z "$_reload_cmd" ]; then |
|
|
|
_err "Certificates were installed for services:${_services_updated}," |
|
|
|
_err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD" |
|
|
|
_err "to a command that will restart the necessary services." |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
_info "Reload services (this may take some time): $_reload_cmd" |
|
|
|
if eval "$_reload_cmd"; then |
|
|
|
_info "Reload success!" |
|
|
|
else |
|
|
|
_err "Reload error" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
return 0 |
|
|
|
|
|
|
|
# Successful, so save all (non-default) config: |
|
|
|
_savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE" |
|
|
|
_savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS" |
|
|
|
_savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" |
|
|
|
_savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG" |
|
|
|
_savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD" |
|
|
|
|
|
|
|
return 0 |
|
|
|
} |