Import Let's Encrypt certificates into the UniFi Controller
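#!/usr/bin/env bash
# Import Let's Encrypt certificates into the UniFi Controller keystore.
#
# Modified from:
# https://github.com/jacobalberty/unifi-docker/blob/master/import_cert
#
# Inputs (all overridable from the environment; the defaults are the values
# the original script hard-coded, so existing deployments behave the same):
#   DATADIR            UniFi data directory that holds "keystore"
#   CERTDIR            directory with the ACME-issued PEM files
#   CERTNAME           certificate file (fullchain.pem, or cert.pem with
#                      CERT_IS_CHAIN=false)
#   CERT_PRIVATE_NAME  private key file
#   CERT_IS_CHAIN      "true" when CERTNAME already contains the intermediates;
#                      otherwise "${CERTDIR}/chain.pem" is added to the chain
#   KEYSTORE_PASS      keystore and key password; UniFi's default is the
#                      well-known value "aircontrolenterprise"
#
# Exit status: 0 on success, 1 on the first failing step (set -e / die).

set -euo pipefail

echo "Loading constants"
DATADIR="${DATADIR:-/usr/lib/unifi/data}"
CERTDIR="${CERTDIR:-/ssl}"
CERTNAME="${CERTNAME:-fullchain.pem}"
CERT_PRIVATE_NAME="${CERT_PRIVATE_NAME:-privkey.pem}"
CERT_IS_CHAIN="${CERT_IS_CHAIN:-true}"
# Exported so keytool (-storepass:env NAME) and openssl (env:NAME) read the
# password from the environment instead of argv, where `ps` would show it.
export KEYSTORE_PASS="${KEYSTORE_PASS:-aircontrolenterprise}"
readonly KEYSTORE="${DATADIR}/keystore"
readonly CERT_FILE="${CERTDIR}/${CERTNAME}"
readonly KEY_FILE="${CERTDIR}/${CERT_PRIVATE_NAME}"

# Print an error to stderr and exit non-zero (the EXIT trap still runs).
die() { printf 'import_cert: %s\n' "$*" >&2; exit 1; }

echo "Checking inputs"
command -v keytool >/dev/null || die "keytool not found in PATH"
command -v openssl >/dev/null || die "openssl not found in PATH"
[[ -d "${DATADIR}" ]] || die "data directory missing: ${DATADIR}"
[[ -r "${CERT_FILE}" ]] || die "certificate not readable: ${CERT_FILE}"
[[ -r "${KEY_FILE}" ]] || die "private key not readable: ${KEY_FILE}"
if [[ "${CERT_IS_CHAIN}" != "true" ]]; then
  [[ -r "${CERTDIR}/chain.pem" ]] || die "chain not readable: ${CERTDIR}/chain.pem"
fi
# Parse the certificate once up front so a malformed file fails here instead
# of half-way through rewriting the controller's keystore.
openssl x509 -noout -in "${CERT_FILE}" >/dev/null \
  || die "not a valid PEM certificate: ${CERT_FILE}"

echo "Checking existing keystore"
if [[ ! -e "${KEYSTORE}" ]]; then
  echo "Creating new keystore"
  keytool -genkeypair -keyalg RSA -alias unifi -keystore "${KEYSTORE}" \
    -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS -validity 1825 \
    -keysize 4096 -dname "cn=UniFi"
else
  # Keep a copy so a failure between "delete alias" and "import" below cannot
  # leave the controller without a usable keystore.
  cp -p -- "${KEYSTORE}" "${KEYSTORE}.bak"
fi

echo "Creating temporary files"
# The temporary PKCS12 store contains the private key: build everything in a
# private mktemp directory with 0600 files, and remove it on every exit path
# (success, die, or an unexpected failure under set -e).
umask 077
TEMP_SSL_PATH="$(mktemp -d)" || die "mktemp failed"
cleanup() { rm -rf -- "${TEMP_SSL_PATH:?}"; }
trap cleanup EXIT
TEMP_KEYSTORE_FILE="${TEMP_SSL_PATH}/tmp_keystore"
TEMP_CERT_FILE="${TEMP_SSL_PATH}/tmp_cert"
TEMP_CHAIN_FILE="${TEMP_SSL_PATH}/tmp_chain"

echo "Generating cross-signed certificate"
# Identrust cross-signed CA cert needed by the java keystore for import.
# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
# NOTE(review): the IdenTrust "X3" root this refers to (presumably DST Root
# CA X3) expired on 2021-09-30 and Let's Encrypt chains now terminate at
# ISRG Root X1. Verify that the embedded certificate still matches the chain
# your ACME client issues before relying on it.
cat > "${TEMP_CERT_FILE}" <<'_EOF'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
_EOF

echo "Copying certificate data to temp certificate"
# `awk 1` concatenates the PEM files while guaranteeing a newline between
# blocks, which plain `cat` does not if a file lacks a trailing newline.
if [[ "${CERT_IS_CHAIN}" == "true" ]]; then
  # Letsencrypt fullchain.pem already carries the intermediates.
  awk 1 "${TEMP_CERT_FILE}" "${CERT_FILE}" > "${TEMP_CHAIN_FILE}"
else
  # Letsencrypt cert.pem: add the intermediates from chain.pem ourselves.
  awk 1 "${TEMP_CERT_FILE}" "${CERTDIR}/chain.pem" "${CERT_FILE}" > "${TEMP_CHAIN_FILE}"
fi
# Default (no cross-signed root), kept for reference:
# awk 1 "${CERTDIR}/chain.pem" "${CERT_FILE}" > "${TEMP_CHAIN_FILE}"

echo "Exporting certificate as keystore"
# Fails if the key does not match the certificate, which is exactly when we
# must not touch the existing keystore below.
openssl pkcs12 -export -passout env:KEYSTORE_PASS \
  -in "${TEMP_CHAIN_FILE}" \
  -inkey "${KEY_FILE}" \
  -out "${TEMP_KEYSTORE_FILE}" -name unifi

echo "Deleting existing keystore alias"
# keytool -delete exits non-zero when the alias is absent (a pre-existing
# keystore without "unifi"), which would abort the script under set -e, so
# only delete when the alias is actually there.
if keytool -list -alias unifi -keystore "${KEYSTORE}" \
    -storepass:env KEYSTORE_PASS >/dev/null 2>&1; then
  keytool -delete -alias unifi -keystore "${KEYSTORE}" \
    -storepass:env KEYSTORE_PASS
fi

echo "Importing certificates to keystore"
keytool -trustcacerts -importkeystore \
  -deststorepass:env KEYSTORE_PASS \
  -destkeypass:env KEYSTORE_PASS \
  -destkeystore "${KEYSTORE}" \
  -srckeystore "${TEMP_KEYSTORE_FILE}" -srcstoretype PKCS12 \
  -srcstorepass:env KEYSTORE_PASS \
  -alias unifi

echo "Remove temporary files."
# Done by the EXIT trap (cleanup); nothing else to remove here.
# NOTE(review): the controller presumably reads the keystore only at startup,
# so a service restart is likely needed for the new certificate to be served
# -- confirm for your deployment.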