catchdave/replace_certs_protect.sh

## replace_certs_protect.sh
#!/bin/bash
# This file renews SSL certificates on a "Unifi Protect Cloud Key+ Gen 2" that have already been copied over
# from my "create_ssl_certs.sh" script.
#
# Caveat: You will need to run this again if you upgrade software. I have noticed changes to
#         file structures when Unifi updates minor versions, so no guarantee this will work above
#         OS 3.1.x.
# Prep: Add sudo perms to run this script for the user that executes this script, via visudo:
#       your_user_name ALL=NOPASSWD:/root/replace_certs_protect.sh

# Constants
TARGET=/etc/ssl/private
CORE_CONFIG=/usr/share/unifi-core/app/config/default.yaml  # Pre-3.1, this was config.yaml
PROTECT_CONFIG=/usr/share/unifi-protect/app/config/config.json
BACKUP_DIR=/root/ssl_backups
DATE=$(date '+%Y-%m-%d')

# Functions
# ============================
info() { echo "$0: [INFO] $1"; }
error() { echo "$0: [ERROR] $1"; }
error_exit() { echo "$0: [ERROR] $1"; exit 1; }
backup_config() {
    backup_file="$BACKUP_DIR/$(basename $1).$DATE"
    if [ ! -f "$backup_file" ]; then
        cp "$1" "$backup_file" || error_exit "Could not backup $1"
    else
        echo "$0: [WARN] Not saving copy of '$1' since a file already exists: $backup_file"
    fi
}
# ============================

# Verify root
if [ "$EUID" -ne 0 ]; then
  error_exit "$0: [ERROR] This script needs to run as root"
fi

# Verify new certificates were copied over before running.
if [[ ! -f /tmp/fullchain.pem || ! -f /tmp/privkey.pem ]]; then
    error_exit "No certificate files found in /tmp. Aborting."
fi

# Backup
info "Backing up old certs and config"
mkdir -p "$BACKUP_DIR"
backup_config "$TARGET/unifi-core.crt"
backup_config "$TARGET/unifi-core.key"
backup_config $CORE_CONFIG
backup_config $PROTECT_CONFIG

# Update
info "Replacing certificates"
mv /tmp/fullchain.pem "$TARGET/unifi-core.crt" || error_exit "Error replacing fullchain/unifi-core.crt"
mv /tmp/privkey.pem "$TARGET/unifi-core.key" || error_exit "Error replacing privkey/unifi-core.key"
chown root:root "$TARGET/unifi-core.crt" "$TARGET/unifi-core.key"
chmod o+r "$TARGET/unifi-core.crt" "$TARGET/unifi-core.key"  # unifi-protect user needs to access

# Modifying config to point to new certs
sed -i "s#crt: '/data/unifi-core/config/unifi-core.crt'#crt: '/etc/ssl/private/unifi-core.crt'#" $CORE_CONFIG
sed -i "s#key: '/data/unifi-core/config/unifi-core.key'#key: '/etc/ssl/private/unifi-core.key'#" $CORE_CONFIG
sed -i 's#"./data/unifi-protect.crt"#"/etc/ssl/private/unifi-core.crt"#' $PROTECT_CONFIG
sed -i 's#"./data/unifi-protect.key"#"/etc/ssl/private/unifi-core.key"#' $PROTECT_CONFIG
sed -i 's#"./data/devices.crt"#"/etc/ssl/private/unifi-core.crt"#' $PROTECT_CONFIG
sed -i 's#"./data/devices.key"#"/etc/ssl/private/unifi-core.key"#' $PROTECT_CONFIG

# Restart
info "Restarting services..."
systemctl restart unifi-core || error "Error trying to restart unifi-core"
systemctl restart unifi-protect || error "Error trying to restart unifi-protect"

info "Completed."
	#!/bin/bash
	# This file renews SSL certificates on a "Unifi Protect Cloud Key+ Gen 2" that have already been copied over
	# from my "create_ssl_certs.sh" script.
	#
	# Caveat: You will need to run this again if you upgrade software. I have noticed changes to
	# file structures when Unifi updates minor versions, so no guarantee this will work above
	# OS 3.1.x.
	# Prep: Add sudo perms to run this script for the user that executes this script, via visudo:
	# your_user_name ALL=NOPASSWD:/root/replace_certs_protect.sh

	# Constants
	TARGET=/etc/ssl/private
	CORE_CONFIG=/usr/share/unifi-core/app/config/default.yaml # Pre-3.1, this was config.yaml
	PROTECT_CONFIG=/usr/share/unifi-protect/app/config/config.json
	BACKUP_DIR=/root/ssl_backups
	DATE=$(date '+%Y-%m-%d')

	# Functions
	# ============================
	info() { echo "$0: [INFO] $1"; }
	error() { echo "$0: [ERROR] $1"; }
	error_exit() { echo "$0: [ERROR] $1"; exit 1; }
	backup_config() {
	backup_file="$BACKUP_DIR/$(basename $1).$DATE"
	if [ ! -f "$backup_file" ]; then
	cp "$1" "$backup_file" \|\| error_exit "Could not backup $1"
	else
	echo "$0: [WARN] Not saving copy of '$1' since a file already exists: $backup_file"
	fi
	}
	# ============================

	# Verify root
	if [ "$EUID" -ne 0 ]; then
	error_exit "$0: [ERROR] This script needs to run as root"
	fi

	# Verify new certificates were copied over before running.
	if [[ ! -f /tmp/fullchain.pem \|\| ! -f /tmp/privkey.pem ]]; then
	error_exit "No certificate files found in /tmp. Aborting."
	fi

	# Backup
	info "Backing up old certs and config"
	mkdir -p "$BACKUP_DIR"
	backup_config "$TARGET/unifi-core.crt"
	backup_config "$TARGET/unifi-core.key"
	backup_config $CORE_CONFIG
	backup_config $PROTECT_CONFIG

	# Update
	info "Replacing certificates"
	mv /tmp/fullchain.pem "$TARGET/unifi-core.crt" \|\| error_exit "Error replacing fullchain/unifi-core.crt"
	mv /tmp/privkey.pem "$TARGET/unifi-core.key" \|\| error_exit "Error replacing privkey/unifi-core.key"
	chown root:root "$TARGET/unifi-core.crt" "$TARGET/unifi-core.key"
	chmod o+r "$TARGET/unifi-core.crt" "$TARGET/unifi-core.key" # unifi-protect user needs to access

	# Modifying config to point to new certs
	sed -i "s#crt: '/data/unifi-core/config/unifi-core.crt'#crt: '/etc/ssl/private/unifi-core.crt'#" $CORE_CONFIG
	sed -i "s#key: '/data/unifi-core/config/unifi-core.key'#key: '/etc/ssl/private/unifi-core.key'#" $CORE_CONFIG
	sed -i 's#"./data/unifi-protect.crt"#"/etc/ssl/private/unifi-core.crt"#' $PROTECT_CONFIG
	sed -i 's#"./data/unifi-protect.key"#"/etc/ssl/private/unifi-core.key"#' $PROTECT_CONFIG
	sed -i 's#"./data/devices.crt"#"/etc/ssl/private/unifi-core.crt"#' $PROTECT_CONFIG
	sed -i 's#"./data/devices.key"#"/etc/ssl/private/unifi-core.key"#' $PROTECT_CONFIG

	# Restart
	info "Restarting services..."
	systemctl restart unifi-core \|\| error "Error trying to restart unifi-core"
	systemctl restart unifi-protect \|\| error "Error trying to restart unifi-protect"

	info "Completed."