
fix: unifi deploy hook also update Cloud Key nginx certs

When running on a Unifi Cloud Key device, also deploy to
/etc/ssl/private/cloudkey.{crt,key} and reload nginx. This
makes the new cert available for the Cloud Key management
app running via nginx on port 443 (as well as the port 8443
Unifi Controller app the deploy hook already supported).

Fixes #3326
pull/3327/head
medmunds 5 years ago
parent
commit
cbc3acd33a
  1. 56
      deploy/unifi.sh

56
deploy/unifi.sh

@ -4,10 +4,16 @@
#returns 0 means success, otherwise error. #returns 0 means success, otherwise error.
# Settings for Unifi Controller:
#DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore" #DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
#DEPLOY_UNIFI_KEYPASS="aircontrolenterprise" #DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
#DEPLOY_UNIFI_RELOAD="service unifi restart" #DEPLOY_UNIFI_RELOAD="service unifi restart"
# Additional settings for Unifi Cloud Key:
#DEPLOY_UNIFI_CLOUDKEY=yes
#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
#DEPLOY_UNIFI_RELOAD="service unifi restart && service nginx restart"
######## Public functions ##################### ######## Public functions #####################
#domain keyfile certfile cafile fullchain #domain keyfile certfile cafile fullchain
@ -29,11 +35,22 @@ unifi_deploy() {
return 1 return 1
fi fi
DEFAULT_DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
_cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-$DEFAULT_DEPLOY_UNIFI_CLOUDKEY_CERTDIR}"
DEFAULT_DEPLOY_UNIFI_CLOUDKEY="no"
if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
DEFAULT_DEPLOY_UNIFI_CLOUDKEY="yes"
fi
_cloudkey_deploy="${DEPLOY_UNIFI_CLOUDKEY:-$DEFAULT_DEPLOY_UNIFI_CLOUDKEY}"
DEFAULT_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore" DEFAULT_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
_unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-$DEFAULT_UNIFI_KEYSTORE}" _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-$DEFAULT_UNIFI_KEYSTORE}"
DEFAULT_UNIFI_KEYPASS="aircontrolenterprise" DEFAULT_UNIFI_KEYPASS="aircontrolenterprise"
_unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-$DEFAULT_UNIFI_KEYPASS}" _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-$DEFAULT_UNIFI_KEYPASS}"
DEFAULT_UNIFI_RELOAD="service unifi restart" DEFAULT_UNIFI_RELOAD="service unifi restart"
if [ "$_cloudkey_deploy" = "yes" ]; then
DEFAULT_UNIFI_RELOAD="service nginx restart && ${DEFAULT_UNIFI_RELOAD}"
fi
_reload="${DEPLOY_UNIFI_RELOAD:-$DEFAULT_UNIFI_RELOAD}" _reload="${DEPLOY_UNIFI_RELOAD:-$DEFAULT_UNIFI_RELOAD}"
_debug _unifi_keystore "$_unifi_keystore" _debug _unifi_keystore "$_unifi_keystore"
@ -51,6 +68,19 @@ unifi_deploy() {
return 1 return 1
fi fi
_debug _cloudkey_deploy "$_cloudkey_deploy"
_debug _cloudkey_certdir "$_cloudkey_certdir"
if [ "$_cloudkey_deploy" = "yes" ]; then
if [ ! -d "$_cloudkey_certdir" ]; then
_err "The directory $_cloudkey_certdir is missing or invalid; please define DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
return 1
fi
if [ ! -w "$_cloudkey_certdir" ]; then
_err "The directory $_cloudkey_certdir is not writable; please check permissions"
return 1
fi
fi
_info "Generate import pkcs12" _info "Generate import pkcs12"
_import_pkcs12="$(_mktemp)" _import_pkcs12="$(_mktemp)"
_toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
@ -72,9 +102,22 @@ unifi_deploy() {
return 1 return 1
fi fi
if [ "$_cloudkey_deploy" = "yes" ]; then
_info "Install Cloud Key certificate: $_cloudkey_certdir"
cp "$_cfullchain" "${_cloudkey_certdir}/cloudkey.crt"
cp "$_ckey" "${_cloudkey_certdir}/cloudkey.key"
(cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
_info "Install Cloud Key certificate success!"
fi
_info "Run reload: $_reload" _info "Run reload: $_reload"
if eval "$_reload"; then if eval "$_reload"; then
_info "Reload success!" _info "Reload success!"
else
_err "Reload error"
return 1
fi
if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
_savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE" _savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
else else
@ -90,11 +133,16 @@ unifi_deploy() {
else else
_cleardomainconf DEPLOY_UNIFI_RELOAD _cleardomainconf DEPLOY_UNIFI_RELOAD
fi fi
return 0
if [ "$DEPLOY_UNIFI_CLOUDKEY" ]; then
_savedomainconf DEPLOY_UNIFI_CLOUDKEY "$DEPLOY_UNIFI_CLOUDKEY"
else else
_err "Reload error"
return 1
_cleardomainconf DEPLOY_UNIFI_CLOUDKEY
fi
if [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
_savedomainconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
else
_cleardomainconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
fi fi
return 0
return 0
} }
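Review bot: In the `@ -72,9 +102,22` hunk neither `cp` call nor the `tar` call is checked, so a failed copy or a missing `unifi.keystore.jks` in the cert directory still logs "Install Cloud Key certificate success!" and goes on to run the reload command, possibly with a mismatched certificate and key. `cloudkey.key` and `cert.tar` both contain the private key, and where they do not already exist they are created under the caller's umask. Chaining the steps inside a subshell that sets `umask 077` and returning 1 on failure covers both points; the umask only affects newly created files, so confirm that nothing else on the device needs to read them. `unifi_deploy` begins before the hunks shown here, so the variables used below are assumed to be set as in the earlier hunks.

```shell
  if [ "$_cloudkey_deploy" = "yes" ]; then
    _info "Install Cloud Key certificate: $_cloudkey_certdir"
    # Subshell keeps the umask and the cd local to the install step.
    if ! (
      umask 077
      cp "$_cfullchain" "${_cloudkey_certdir}/cloudkey.crt" &&
        cp "$_ckey" "${_cloudkey_certdir}/cloudkey.key" &&
        cd "$_cloudkey_certdir" &&
        tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks
    ); then
      _err "Error installing Cloud Key certificate to $_cloudkey_certdir"
      return 1
    fi
    _info "Install Cloud Key certificate success!"
  fi
  # … unchanged: reload via $_reload and saving of the DEPLOY_UNIFI_* settings …
```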