@patcable
Last active July 7, 2018 23:15
CloudKey Update Certificates
```bash
#!/bin/bash
#
# certupdate.sh: renew a TLS cert and configure unifi cloudkey using Cloudflare
# DNS verification for ACME
#
# To use this script, make sure you have lego (https://github.com/xenolf/lego)
# on the machine. You'll need to do the first run on your own so you can agree
# to TOS and such.

# CLOUDFLARE_EMAIL: Email address for your cloudflare account
export CLOUDFLARE_EMAIL=
# CLOUDFLARE_API_KEY: The API key for your account
export CLOUDFLARE_API_KEY=
# CERTNAME: The common name of the cert you want to generate
export CERTNAME=cool.house.zone
# LEGOPATH: The path to the lego binary.
export LEGOPATH=/usr/local/sbin/lego
# LEGOHOME: Directory that keys and such are stored in
export LEGOHOME=/root/.lego
##### End of configurables

# Renew cert; everything below only runs if lego exits successfully
if "$LEGOPATH" --email="$CLOUDFLARE_EMAIL" --domains="$CERTNAME" \
    --path="$LEGOHOME" --dns="cloudflare" renew; then
    # Install the files lego just wrote for $CERTNAME where nginx on the
    # CloudKey expects them (not a hard-coded domain)
    cp "$LEGOHOME/certificates/$CERTNAME.crt" /etc/ssl/private/cloudkey.crt
    cp "$LEGOHOME/certificates/$CERTNAME.key" /etc/ssl/private/cloudkey.key
    # Form into PKCS12 file for keytool; aircontrolenterprise is the password
    # the UniFi controller uses for its own keystore
    /usr/bin/openssl pkcs12 -export \
        -in "$LEGOHOME/certificates/$CERTNAME.crt" \
        -inkey "$LEGOHOME/certificates/$CERTNAME.key" \
        -out /tmp/unifi.p12 -name unifi -password pass:aircontrolenterprise
    # Remove old TLS keystore (-f so a missing file does not error)
    /bin/rm -f /etc/ssl/private/unifi.keystore.jks
    # Make new keystore
    /usr/bin/keytool -importkeystore -srckeystore /tmp/unifi.p12 \
        -srcstoretype PKCS12 -srcstorepass aircontrolenterprise \
        -destkeystore /etc/ssl/private/unifi.keystore.jks \
        -storepass aircontrolenterprise
    # Clean up and restart
    /bin/rm -f /tmp/unifi.p12
    /bin/rm -f /etc/ssl/private/cert.tar
    # recreate cert.tar from the new files
    cd /etc/ssl/private || exit 1
    tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks
    /bin/systemctl restart nginx
    /bin/systemctl restart unifi
fi
```
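A pre-flight check that belongs between the successful renew and the copies, added here as an example and not part of patcable's gist: it confirms the renewed certificate and private key actually belong together and that the certificate is not about to expire, so the script never replaces the keystore and restarts nginx and unifi with a mismatched or stale pair. The function names (cert_key_match, cert_valid_for, preflight) and the 30-day threshold in the usage comment are assumptions.

```bash
#!/bin/bash
# Added example: pre-flight checks for a freshly renewed cert/key pair.
# Function names and the day threshold are hypothetical, not from the gist.

# cert_key_match CERT KEY: succeed only if the public key embedded in CERT is
# byte-for-byte the public half of KEY (catches a stale cert beside a new key,
# or a copy of the wrong file). Returns 1 if either file cannot be parsed.
cert_key_match() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS: succeed only if CERT's notAfter lies more than
# DAYS days in the future; a "renewal" that still yields a nearly expired
# cert should not be deployed.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# preflight CERT KEY MIN_DAYS: run both checks, naming the failing one on stderr.
preflight() {
    cert_key_match "$1" "$2" \
        || { echo "preflight: $1 does not match $2" >&2; return 1; }
    cert_valid_for "$1" "$3" \
        || { echo "preflight: $1 expires within $3 days" >&2; return 1; }
}

# In certupdate.sh this would sit right after the renew succeeds, e.g.:
#   preflight "$LEGOHOME/certificates/$CERTNAME.crt" \
#             "$LEGOHOME/certificates/$CERTNAME.key" 30 || exit 1
```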