#!/usr/bin/env bash
# LetsEncrypt certbot refresh hook for Unifi and Unifi Video
# Place this into /etc/letsencrypt/renewal-hooks/post/ and make it executable
# Inspired by script from here: https://source.sosdg.org/brielle/lets-encrypt-scripts
# Author: Ben Klang <bklang@wirehack.net>
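# Directory name under /etc/letsencrypt/live/ whose cert.pem, privkey.pem and
# chain.pem are imported below. Must be edited before installing the hook.
MAINDOMAIN="REPLACE.ME.WITH.YOUR.DOMAIN.com"
# Abort on the first failing command, on any reference to an unset variable,
# and when any stage of a pipeline fails. With plain -e a mistyped variable
# name would silently expand to an empty string and be handed to keytool.
set -euo pipefail
# Explicit search path so openssl, keytool, java and service resolve the same
# way no matter what environment certbot invokes this hook with.
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"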
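#######################################
# Rebuild one service's Java keystore from the current LetsEncrypt
# certificate for ${MAINDOMAIN} and restart that service.
# Globals:   MAINDOMAIN (read) - directory name under /etc/letsencrypt/live
#            TEMPFILE, CERTTEMPFILE (written) - scratch files; removed before
#            return and, via an EXIT trap, if an earlier step aborts
# Arguments: $1 - label used in progress messages
#            $2 - service name; also the /usr/lib/<name> install directory
#            $3 - path to the service's Java keystore
#            $4 - alias the certificate is stored under in that keystore
#            $5 - keystore password (also used as the key password)
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0 on success; 1 if the certificate files are missing (checked
#            before the service is stopped). Under set -e any later failing
#            step exits the script with the service still stopped.
#######################################
update_service() {
  local label=$1
  local svc_name=$2
  local keystore_path=$3
  local keystore_alias=$4
  local keystore_password=$5
  local live_dir="/etc/letsencrypt/live/${MAINDOMAIN}"

  # Refuse to proceed (and in particular to stop the service) when the
  # renewed material is not readable, e.g. MAINDOMAIN still holds the
  # placeholder or the hook runs for a different certificate.
  if [[ ! -r "${live_dir}/cert.pem" || ! -r "${live_dir}/privkey.pem" \
        || ! -r "${live_dir}/chain.pem" ]]; then
    printf 'Missing cert.pem/privkey.pem/chain.pem under %s\n' "$live_dir" >&2
    return 1
  fi

  TEMPFILE=$(mktemp)
  CERTTEMPFILE=$(mktemp)
  # TEMPFILE will hold a PKCS12 bundle that includes the private key; make
  # sure both scratch files go away even if a later step aborts the script.
  trap 'rm -f -- "$TEMPFILE" "$CERTTEMPFILE"' EXIT

  printf '%s\n' "Using openssl to prepare certificate..."
  # NOTE(security): the password travels on the command line here and in
  # every keytool call below, so it is visible to other local users via ps
  # while these commands run.
  openssl pkcs12 -export -passout "pass:${keystore_password}" \
    -in "${live_dir}/cert.pem" \
    -inkey "${live_dir}/privkey.pem" \
    -out "$TEMPFILE" -name "$keystore_alias" \
    -CAfile "${live_dir}/chain.pem" -caname root

  # Identrust cross-signed CA cert needed by the java keystore for import.
  # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
  # NOTE(review): the DER below encodes subject "DST Root CA X3" and a
  # validity ending 2021-09-30 (notAfter 210930140115Z). After that date this
  # embedded anchor must be replaced with the root your current chain uses.
  cat > "$CERTTEMPFILE" <<'_EOF'
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
_EOF

  printf '%s\n' "Stopping ${label}..."
  service "$svc_name" stop

  printf '%s\n' "Removing existing certificate from ${label} protected keystore..."
  # A missing alias (fresh keystore) is tolerated like the other deletes
  # below; -storepass is the documented option for -delete (the original
  # passed -deststorepass here).
  keytool -delete -alias "$keystore_alias" -keystore "$keystore_path" \
    -storepass "$keystore_password" || true

  printf '%s\n' "Inserting certificate into ${label} keystore..."
  keytool -importkeystore \
    -deststorepass "$keystore_password" \
    -destkeypass "$keystore_password" \
    -destkeystore "$keystore_path" \
    -srckeystore "$TEMPFILE" -srcstoretype PKCS12 \
    -srcstorepass "$keystore_password" \
    -alias "$keystore_alias"

  # The -importcert below passes no -alias, so keytool presumably files the
  # chain under its default alias "mykey"; clear any previous copy first.
  keytool -delete -alias mykey -keystore "$keystore_path" \
    -storepass "$keystore_password" || true
  keytool -noprompt -importcert -trustcacerts -keystore "$keystore_path" \
    -storepass "$keystore_password" -file "${live_dir}/chain.pem"

  case "$svc_name" in
    unifi)
      printf '%s\n' "Importing cert into ${label} database..."
      java -jar "/usr/lib/${svc_name}/lib/ace.jar" import_cert \
        "${live_dir}/cert.pem" \
        "${live_dir}/chain.pem" \
        "$CERTTEMPFILE"
      ;;
    unifi-video)
      printf '%s\n' "Importing CA certs into ${label} database..."
      local truststore="/usr/lib/${svc_name}/data/ufv-truststore"
      # The truststore password is hard-coded as in the original and is
      # distinct from the keystore password passed in $5.
      keytool -delete -alias mykey -keystore "$truststore" \
        -storepass ubiquiti || true
      keytool -delete -alias letsencrypt -keystore "$truststore" \
        -storepass ubiquiti || true
      # NOTE(review): unlike the keystore import above this call has no
      # -noprompt; confirm it completes unattended when run from certbot.
      keytool -importcert -trustcacerts -keystore "$truststore" \
        -storepass ubiquiti -file "${live_dir}/chain.pem" -alias letsencrypt
      ;;
  esac

  rm -f -- "$CERTTEMPFILE" "$TEMPFILE"
  trap - EXIT

  printf '%s\n' "Starting ${label}..."
  service "$svc_name" start
  printf '%s\n' "Done!"
}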
# One call per service. Argument order: label, service name, keystore path,
# keystore alias, keystore password. The passwords are the ones hard-coded by
# the original script -- verify they match the keystores actually installed.
controller_args=("Unifi controller" "unifi" "/usr/lib/unifi/data/keystore" "unifi" "aircontrolenterprise")
nvr_args=("Unifi NVR" "unifi-video" "/usr/lib/unifi-video/data/keystore" "airvision" "ubiquiti")

update_service "${controller_args[@]}"
# Under set -e the NVR update is skipped when the controller update failed.
update_service "${nvr_args[@]}"