From 03e9c612b9138a8174aaf8a3a9c81b7866fdbccf Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 20 Dec 2024 10:34:51 +0100 Subject: [PATCH 1/2] Correct file ownership according to keystore directory --- deploy/unifi.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/deploy/unifi.sh b/deploy/unifi.sh index 4d8c058e..9ee7114c 100644 --- a/deploy/unifi.sh +++ b/deploy/unifi.sh @@ -135,6 +135,15 @@ unifi_deploy() { cp -f "$_import_pkcs12" "$_unifi_keystore" fi + # correct file ownership according to the directory, the keystore is placed in + _unifi_keystore_dir=$(dirname "${_unifi_keystore}") + _unifi_keystore_dir_owner=$(ls -ld "${_unifi_keystore_dir}" | awk '{print $3}') + _unifi_keystore_owner=$(ls -l "${_unifi_keystore}" | awk '{print $3}') + if ! [ "${_unifi_keystore_owner}" = "${_unifi_keystore_dir_owner}" ] ; then + _debug "Changing keystore owner to ${_unifi_keystore_dir_owner}" + chown $_unifi_keystore_dir_owner "${_unifi_keystore}" >/dev/null 2>&1 # fail quietly if we're not running as root + fi + # Update unifi service for certificate cipher compatibility if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \ -in "$_import_pkcs12" \ From 0e1d90dd0c6eb8ce2c57a9e71ba79b41283b4b07 Mon Sep 17 00:00:00 2001 From: Alex Date: Fri, 20 Dec 2024 10:36:45 +0100 Subject: [PATCH 2/2] Properly guess system.properties location --- deploy/unifi.sh | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/deploy/unifi.sh b/deploy/unifi.sh index 9ee7114c..9ae54f2b 100644 --- a/deploy/unifi.sh +++ b/deploy/unifi.sh @@ -150,14 +150,21 @@ unifi_deploy() { -password pass:aircontrolenterprise \ -nokeys | ${ACME_OPENSSL_BIN:-openssl} x509 -text \ -noout | grep -i "signature" | grep -iq ecdsa >/dev/null 2>&1; then - cp -f /usr/lib/unifi/data/system.properties /usr/lib/unifi/data/system.properties_original - _info "Updating system configuration for cipher compatibility." - _info "Saved original system config to /usr/lib/unifi/data/system.properties_original" - sed -i '/unifi\.https\.ciphers/d' /usr/lib/unifi/data/system.properties - echo "unifi.https.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256" >>/usr/lib/unifi/data/system.properties - sed -i '/unifi\.https\.sslEnabledProtocols/d' /usr/lib/unifi/data/system.properties - echo "unifi.https.sslEnabledProtocols=TLSv1.3,TLSv1.2" >>/usr/lib/unifi/data/system.properties - _info "System configuration updated." + if [ -f "$(dirname ${DEPLOY_UNIFI_KEYSTORE})/system.properties" ] ; then + _unifi_system_properties="$(dirname ${DEPLOY_UNIFI_KEYSTORE})/system.properties" + else + _unifi_system_properties="/usr/lib/unifi/data/system.properties" + fi + if [ -f "${_unifi_system_properties}" ] ; then + cp -f "${_unifi_system_properties}" "${_unifi_system_properties}"_original + _info "Updating system configuration for cipher compatibility." + _info "Saved original system config to ${_unifi_system_properties}_original" + sed -i '/unifi\.https\.ciphers/d' "${_unifi_system_properties}" + echo "unifi.https.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256" >>"${_unifi_system_properties}" + sed -i '/unifi\.https\.sslEnabledProtocols/d' "${_unifi_system_properties}" + echo "unifi.https.sslEnabledProtocols=TLSv1.3,TLSv1.2" >>"${_unifi_system_properties}" + _info "System configuration updated." + fi fi rm "$_import_pkcs12"