
@gintsmurans
Last active September 8, 2023 00:37
Unifi NVR + letsencrypt certificate
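#!/bin/bash
## Unifi NVR + letsencrypt certificate
#
# One-time setup, run as root: converts the Let's Encrypt private key and
# certificate into the DER files unifi-video reads, removes the existing
# keystores (presumably so the service rebuilds them from the custom
# certificates on start - confirm), and registers the cron job that runs
# renew_certs.bash.
#
# Remember to use fullchain.pem
# Thanks: https://www.john.geek.nz/2018/05/using-letsencrypt-with-ubiquiti-unifi-video-server/
#
# Also remember adding `ufv.custom.certs.enable=true` to the `/usr/lib/unifi-video/data/system.properties` file
#
set -euo pipefail

HOSTNAME=XXX.gm.lv
SCRIPTS_PATH=/srv/scripts

live_dir="/etc/letsencrypt/live/${HOSTNAME}"
cert_dir=/usr/lib/unifi-video/data/certificates
cron_file=/etc/cron.d/custom
service_stopped=0

# Private staging directory (mktemp -d creates it with mode 0700) so a failed
# conversion never leaves a half-written key or certificate in cert_dir.
staging=$(mktemp -d)

cleanup() {
  rm -rf -- "${staging:?}"
  # If the script aborts between stop and start, do not leave the NVR down.
  if [ "$service_stopped" -eq 1 ]; then
    /etc/init.d/unifi-video start
  fi
}
trap cleanup EXIT

# Gen cert and key file supported by java.
# The key is written unencrypted (-nocrypt), so keep it unreadable for other
# local users while it is being produced.
(
  umask 077
  openssl pkcs8 -topk8 -nocrypt -in "${live_dir}/privkey.pem" \
    -outform DER -out "${staging}/ufv-server.key.der"
)
# openssl x509 reads the first certificate in the input file, so the DER
# output holds the leaf certificate of fullchain.pem.
openssl x509 -outform der -in "${live_dir}/fullchain.pem" \
  -out "${staging}/ufv-server.cert.der"

/etc/init.d/unifi-video stop
service_stopped=1

# Owner taken from the chown in renew_certs.bash; assumes the service runs as
# unifi-video - confirm. The key stays 0600, the certificate is public.
install -o unifi-video -g unifi-video -m 0600 -- \
  "${staging}/ufv-server.key.der" "${cert_dir}/ufv-server.key.der"
install -o unifi-video -g unifi-video -m 0644 -- \
  "${staging}/ufv-server.cert.der" "${cert_dir}/ufv-server.cert.der"

# Remove unifi-video certs (-f: a store that is already gone is not an error)
rm -f -- /var/lib/unifi-video/ufv-truststore
rm -f -- /var/lib/unifi-video/keystore
rm -f -- /usr/lib/unifi-video/conf/evostream/server.*

# List
# keytool -list -keystore /usr/lib/unifi-video/data/keystore -storepass ubiquiti

/etc/init.d/unifi-video start
service_stopped=0

# Add custom cron job that checks for a renewed certificate.
# NOTE: `0 0 * * *` runs once a day at 00:00; use `0 * * * *` for an hourly check.
# The path is expanded here because /etc/cron.d/custom does not define
# SCRIPTS_PATH; a literal "$SCRIPTS_PATH" in the cron line would not resolve.
# cron runs the script as root, so renew_certs.bash and SCRIPTS_PATH must be
# writable by root only.
cron_job="0 0 * * * root ${SCRIPTS_PATH}/renew_certs.bash > /dev/null"
# 2>/dev/null: the cron file may not exist yet on the first run.
if ! grep -qxF -- "$cron_job" "$cron_file" 2>/dev/null; then
  printf '# Check if certificates was not renewd\n%s\n' "$cron_job" | tee -a "$cron_file"
fi

# Add post hook to the certbot cron file. This will create a test file "/tmp/has_newcert" for which our cron job will test
# NOTE(review): /tmp is world-writable, so any local user can create this flag
# (or a symlink with that name) and make the root cron job restart the
# services. A flag inside a root-owned directory avoids that; if the path is
# changed, change it in renew_certs.bash as well.
# NOTE(review): certbot's --deploy-hook runs only after a certificate was
# actually issued, whereas --post-hook runs after every renewal attempt.
nano /etc/cron.d/certbot
# ADD --post-hook "touch /tmp/has_newcert"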
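#!/bin/bash
# renew_certs.bash - run from cron as root.
# When certbot's hook has left the flag file, convert the renewed Let's
# Encrypt key and certificate to DER for unifi-video and restart the services.
set -euo pipefail

certFQDN=XXX.gm.lv

flag=/tmp/has_newcert
live_dir="/etc/letsencrypt/live/${certFQDN}"
cert_dir=/usr/lib/unifi-video/data/certificates
service_stopped=0

# No flag at all: nothing was renewed.
if [ ! -e "$flag" ] && [ ! -L "$flag" ]; then
  exit 0
fi

# /tmp is world-writable, so the flag is untrusted input: act only on a
# regular file owned by root, never on a symlink or another user's file.
# (stat -c is the GNU coreutils form.)
if [ -L "$flag" ] || [ ! -f "$flag" ] || [ "$(stat -c '%u' -- "$flag")" != "0" ]; then
  printf 'renew_certs: ignoring untrusted flag %s\n' "$flag" >&2
  # rm unlinks the name itself; it does not follow a symlink to its target.
  rm -f -- "$flag"
  exit 1
fi

# Private staging directory (mktemp -d creates it with mode 0700) so a failed
# conversion never leaves a half-written key or certificate in cert_dir.
staging=$(mktemp -d)

cleanup() {
  rm -rf -- "${staging:?}"
  # If the script aborts between stop and start, do not leave the NVR down.
  if [ "$service_stopped" -eq 1 ]; then
    service unifi-video start
  fi
}
trap cleanup EXIT

# Cert was renewed, so process it.
# Convert before touching any service; the key is unencrypted (-nocrypt), so
# keep it unreadable for other local users while it is being produced.
(
  umask 077
  openssl pkcs8 -topk8 -nocrypt -in "${live_dir}/privkey.pem" \
    -outform DER -out "${staging}/ufv-server.key.der"
)
openssl x509 -outform der -in "${live_dir}/fullchain.pem" \
  -out "${staging}/ufv-server.cert.der"

# I am also reloading nginx, disable this, if you don't use nginx
service nginx restart || printf 'renew_certs: nginx restart failed\n' >&2

service unifi-video stop
service_stopped=1

install -o unifi-video -g unifi-video -m 0600 -- \
  "${staging}/ufv-server.key.der" "${cert_dir}/ufv-server.key.der"
install -o unifi-video -g unifi-video -m 0644 -- \
  "${staging}/ufv-server.cert.der" "${cert_dir}/ufv-server.cert.der"
# NOTE(review): presumably the same directory as cert_dir via the
# /usr/lib/unifi-video/data link - confirm on the target system.
chown -R unifi-video:unifi-video /var/lib/unifi-video/certificates

# -f: a store that is already gone is not an error.
rm -f -- /var/lib/unifi-video/ufv-truststore
rm -f -- /var/lib/unifi-video/keystore
rm -f -- /usr/lib/unifi-video/conf/evostream/server.*

service unifi-video start
service_stopped=0

# Clear the flag only after a successful run, so a failed run is retried.
rm -f -- "$flag"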