#!/usr/bin/env bash
# LetsEncrypt certbot renewal (post) hook for Unifi and Unifi Video
# Place this into /etc/letsencrypt/renewal-hooks/post/ and make it executable
# Inspired by script from here: https://source.sosdg.org/brielle/lets-encrypt-scripts
# Author: Ben Klang <bklang@wirehack.net>
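# Domain whose certificate is deployed: the directory name under
# /etc/letsencrypt/live/. Edit the placeholder, or override it from the
# environment without touching the script (the default is unchanged).
MAINDOMAIN="${MAINDOMAIN:-REPLACE.ME.WITH.YOUR.DOMAIN.com}"
# Stop at the first failed command, unset variable or failed pipeline
# stage: a half-updated keystore is worse than a loud failure.
set -euo pipefail
# Pin PATH so openssl/keytool/service are resolved the same way however
# the hook is invoked.
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"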
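#######################################
# Re-import the renewed LetsEncrypt certificate into one Unifi Java keystore
# and restart the service that owns it.
# Globals:   MAINDOMAIN (read) - name of the /etc/letsencrypt/live/ directory
# Arguments: $1 - human-readable label used in progress messages
#            $2 - service name as passed to `service` ("unifi" or "unifi-video")
#            $3 - path of the service's Java keystore
#            $4 - alias the certificate is stored under in that keystore
#            $5 - password of that keystore
# Outputs:   progress messages on stdout
# Returns:   0 on success; with set -e active a failing openssl/keytool/
#            service step aborts the whole script, which can leave the
#            service stopped — check it after a failed renewal.
#######################################
update_service() {
  local label=$1
  local svc_name=$2
  local keystore_path=$3
  local keystore_alias=$4
  local keystore_password=$5
  local live_dir="/etc/letsencrypt/live/${MAINDOMAIN}"
  local p12_file ca_file
  # Declaration and assignment are split so a failing mktemp is not masked
  # by `local` and is caught by set -e.
  p12_file=$(mktemp)
  ca_file=$(mktemp)
  # The PKCS12 file carries the private key: remove both temp files even on
  # the error exits set -e produces. The paths are expanded now because the
  # locals no longer exist when the EXIT trap runs.
  trap "rm -f -- $(printf '%q ' "${p12_file}" "${ca_file}")" EXIT

  echo "Using openssl to prepare certificate..."
  # NOTE(review): the keystore password is passed on the command line here
  # and to keytool below, so it is visible to other local users via `ps`
  # while each command runs. The callers pass Unifi's stock passwords; with
  # a custom password prefer openssl's env:/file: password sources.
  openssl pkcs12 -export -passout "pass:${keystore_password}" \
    -in "${live_dir}/cert.pem" \
    -inkey "${live_dir}/privkey.pem" \
    -out "${p12_file}" -name "${keystore_alias}" \
    -CAfile "${live_dir}/chain.pem" -caname root

  # Identrust cross-signed CA cert needed by the java keystore for import.
  # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
  # NOTE(review): the IdenTrust DST Root CA X3 cross-sign expired on
  # 2021-09-30 — confirm the certificate embedded here is still a valid
  # trust anchor for the chain certbot currently issues.
  cat > "${ca_file}" <<'_EOF'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
_EOF

  echo "Stopping ${label}..."
  service "${svc_name}" stop

  echo "Removing existing certificate from ${label} protected keystore..."
  # -storepass is the documented password option for -delete (the mykey
  # deletion below already uses it). The alias is absent on a fresh
  # keystore and is re-created by the import, so a failed delete is ignored.
  keytool -delete -alias "${keystore_alias}" -keystore "${keystore_path}" \
    -storepass "${keystore_password}" || true

  echo "Inserting certificate into ${label} keystore..."
  keytool -importkeystore \
    -deststorepass "${keystore_password}" \
    -destkeypass "${keystore_password}" \
    -destkeystore "${keystore_path}" \
    -srckeystore "${p12_file}" -srcstoretype PKCS12 \
    -srcstorepass "${keystore_password}" \
    -alias "${keystore_alias}"
  # The chain import below gives no -alias, so keytool stores it as "mykey";
  # drop a stale entry of that name first (absent on first run, hence || true).
  keytool -delete -alias mykey -keystore "${keystore_path}" \
    -storepass "${keystore_password}" || true
  keytool -noprompt -importcert -trustcacerts -keystore "${keystore_path}" \
    -storepass "${keystore_password}" -file "${live_dir}/chain.pem"

  if [[ "${svc_name}" == "unifi" ]]; then
    echo "Importing cert into ${label} database..."
    java -jar "/usr/lib/${svc_name}/lib/ace.jar" import_cert \
      "${live_dir}/cert.pem" \
      "${live_dir}/chain.pem" \
      "${ca_file}"
  fi

  if [[ "${svc_name}" == "unifi-video" ]]; then
    local truststore="/usr/lib/${svc_name}/data/ufv-truststore"
    echo "Importing CA certs into ${label} database..."
    # The truststore password below is the literal stock one the original
    # used, independent of the keystore password argument. Stale entries are
    # removed first; either may be absent, so those failures are ignored.
    keytool -delete -alias mykey -keystore "${truststore}" -storepass ubiquiti || true
    keytool -delete -alias letsencrypt -keystore "${truststore}" -storepass ubiquiti || true
    keytool -importcert -trustcacerts -keystore "${truststore}" -storepass ubiquiti \
      -file "${live_dir}/chain.pem" -alias letsencrypt
  fi

  # Remove the key material before the service comes back; the EXIT trap
  # only covers the failure paths.
  rm -f -- "${ca_file}" "${p12_file}"
  echo "Starting ${label}..."
  service "${svc_name}" start
  echo "Done!"
}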
# One keystore per line: label | service | keystore path | alias | store password.
# The passwords are the stock ones shipped with each Unifi product.
while IFS='|' read -r label svc_name keystore_path keystore_alias keystore_password; do
  update_service "${label}" "${svc_name}" "${keystore_path}" "${keystore_alias}" "${keystore_password}"
done <<'_EOF'
Unifi controller|unifi|/usr/lib/unifi/data/keystore|unifi|aircontrolenterprise
Unifi NVR|unifi-video|/usr/lib/unifi-video/data/keystore|airvision|ubiquiti
_EOF