@potto007
Last active April 14, 2022 23:06
gist potto007/4782d817ed12234e81e5df2eda637cbd
Set up Free SSL with Ubiquiti UniFi Cloud Key -- follow instructions in `add_ssl_to_cloudkey.txt`
add_ssl_to_cloudkey.txt
1) Log in to the Cloud Key over ssh (every "Cloud Key ssh" step below is run there as root).
2) Cloud Key ssh: `curl https://get.acme.sh | sh`
3) Cloud Key ssh: `acme.sh --upgrade --auto-upgrade --accountemail "myemail@example.com"`
4) Cloud Key ssh: Add the `cloudkey-renew-hook.sh` file (below) to `/root/.acme.sh`
5) Create a free Cloudflare account (if you are not already a member)
6) Log in to Cloudflare
7) On Cloudflare: Create a zone for a domain you own (a cheap domain from namecheap.com or any number of alternatives will do)
8) On Cloudflare: Create an A record for your Cloud Key, e.g. unifi.CHANGE.ME -> 192.168.1.10. A private address is fine: the dns-01 challenge used in step 13 only needs Let's Encrypt to read a TXT record in the zone, it never connects to the Cloud Key.
9) On the UniFi Controller: Go to Settings; click "Controller"; change "Controller Hostname/IP" to the name entered in step 8.
10) On Cloudflare: go to Overview for your zone; click "Get your API key"
11) On Cloudflare: click "View" next to "Global API Key"; copy your API key
12) Cloud Key ssh: `export CF_Key="API-KEY" && export CF_Email="YOUR-CLOUDFLARE-EMAIL"`. acme.sh saves these two values to `/root/.acme.sh/account.conf` so that renewals can update DNS later. The Global API Key has full control over your whole Cloudflare account, so keep that file root-only (the default) and, if your acme.sh version supports it, prefer a scoped API token (`CF_Token`, limited to editing DNS in this zone) over the global key.
13) Cloud Key ssh: issue the certificate with dns-01 validation through Cloudflare, archiving the current contents of /etc/ssl/private first. Put the pre-hook in single quotes: acme.sh stores the hook command in the domain's .conf and re-runs it on every renewal, and with double quotes the date would be expanded once now, so every later archive would overwrite the same file.

acme.sh --force --issue --dns dns_cf -d unifi.CHANGE.ME --pre-hook 'touch /etc/ssl/private/cert.tar; tar -zcvf /root/.acme.sh/CloudKeySSL_$(date +%Y-%m-%d_%H.%M.%S).tgz /etc/ssl/private/*' --fullchainpath /etc/ssl/private/cloudkey.crt --keypath /etc/ssl/private/cloudkey.key --reloadcmd "sh /root/.acme.sh/cloudkey-renew-hook.sh"

--fullchainpath and --keypath tell acme.sh where to copy the full chain and the private key after every issue or renewal; --reloadcmd then runs the hook from step 4 to load them into nginx and the UniFi keystore.
14) Cloud Key ssh: Add the `expirycheck.sh` file (below) to `/root/.acme.sh` and make it executable (`chmod +x /root/.acme.sh/expirycheck.sh`), since cron will run it directly.
15) Cloud Key ssh: `crontab -e`
16) Cloud Key ssh: Change the entry's command from `"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh/" >> /var/log/letsencrypt.log` to `"/root/.acme.sh"/expirycheck.sh`
17) Cloud Key ssh: Change the time if desired (the first two fields are <minute> <hour>)
cloudkey-renew-hook.sh
#!/bin/bash
# Renew-hook for ACME / Let's Encrypt. acme.sh runs this as --reloadcmd after it has
# copied the new chain and key to /etc/ssl/private/cloudkey.crt and cloudkey.key.
# "aircontrolenterprise" is the default password of the UniFi controller keystore.
set -e
echo "** Configuring new Let's Encrypt certs"
cd /etc/ssl/private
# Remove the old bundle, the stock keystore copy and the self-signed (snakeoil) key
rm -f /etc/ssl/private/cert.tar /etc/ssl/private/unifi.keystore.jks /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/fullchain.pem
# Pack chain + key as PKCS#12 under the alias "unifi", the entry the controller reads
openssl pkcs12 -export -in /etc/ssl/private/cloudkey.crt -inkey /etc/ssl/private/cloudkey.key -out /etc/ssl/private/cloudkey.p12 -name unifi -password pass:aircontrolenterprise
# Import into the UniFi keystore. -noprompt replaces the existing "unifi" entry without
# asking, which matters because this runs unattended from cron with no terminal.
keytool -importkeystore -noprompt -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -srckeystore /etc/ssl/private/cloudkey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -alias unifi
rm -f /etc/ssl/private/cloudkey.p12
# Rebuild cert.tar from the new files and keep everything readable only by root and ssl-cert
tar -cvf cert.tar *
chown root:ssl-cert /etc/ssl/private/*
chmod 640 /etc/ssl/private/*
echo "** Testing Nginx and restarting"
# With set -e a failed config test stops the script here, so acme.sh reports the reload
# as failed instead of nginx being restarted with a broken configuration
/usr/sbin/nginx -t
/etc/init.d/nginx restart
/etc/init.d/unifi restart
expirycheck.sh
#!/bin/bash
# Only attempt to renew the Let's Encrypt cert if the cert expiry date is 20 days away or less.
# Run from root's crontab in place of the stock acme.sh --cron entry (file must be chmod +x).
# The expiry date is read from the deployed certificate itself; inferring it from a file
# modification time breaks as soon as the file is rewritten for any other reason.
certfile=/etc/ssl/private/cloudkey.crt # *** NOTE: Change to match the --fullchainpath you used
expiry=$(date -d "$(openssl x509 -in "$certfile" -noout -enddate | cut -d= -f2)" +%s)
current=$(date +%s)
days_left=$(( (expiry - current) / 86400 ))
if [ "$days_left" -gt 20 ]; then
    # Nothing to do yet; exit 0 so cron does not treat a healthy certificate as an error
    exit 0
fi
"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh/" >> /var/log/letsencrypt.log 2>&1
exit 0
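Once the hook has run, it is worth checking that what landed in /etc/ssl/private is consistent and that the Cloud Key is actually serving it, rather than trusting the restart messages. The script below is an added example and is not part of the gist or of acme.sh. It assumes openssl and GNU date are on PATH, uses the gist's paths and UniFi's default keystore password, and generates a throwaway 30-day self-signed pair as constructed sample input so it runs offline; on a real Cloud Key, point the functions at /etc/ssl/private/cloudkey.crt and cloudkey.key and compare served_cert_fingerprint with cert_fingerprint of the deployed file.

```shell
#!/bin/bash
# Post-deploy checks for the Cloud Key certificate. Added example, not part of
# the gist. Assumes openssl and GNU date on PATH. The self-signed pair created
# at the bottom is constructed sample input so the script runs offline; on the
# Cloud Key use /etc/ssl/private/cloudkey.crt and cloudkey.key instead.
set -eu

# Whole days until the certificate's notAfter, read from the cert itself
# (not from a file mtime, which only records when the file was last written).
cert_days_left() {
  local cert="$1" end_str end_epoch now_epoch
  end_str=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
  end_epoch=$(date -d "$end_str" +%s)
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeeds only if the certificate was issued for this private key, i.e. the
# public key embedded in the cert equals the public half of the key file.
cert_key_match() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of a PEM certificate, for comparing files with endpoints.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate a TLS endpoint actually presents. Compare
# with cert_fingerprint of the deployed file to confirm nginx/UniFi reloaded it.
# Needs network access, so the offline sample below does not call it.
served_cert_fingerprint() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the UniFi keystore holds an entry under the given alias (default
# "unifi"), using the gist's keystore path and UniFi's default store password.
# Needs keytool, so the offline sample below does not call it either.
keystore_has_alias() {
  local alias="${1:-unifi}" keystore="${2:-/usr/lib/unifi/data/keystore}"
  keytool -list -keystore "$keystore" -storepass aircontrolenterprise -alias "$alias" >/dev/null 2>&1
}

# Full check of a deployed cert/key pair: prints the days left on success and
# fails (non-zero) on a key mismatch or an already-expired certificate.
check_deployed() {
  local cert="$1" key="$2" days
  cert_key_match "$cert" "$key" || { echo "cert/key mismatch: $cert vs $key" >&2; return 1; }
  days=$(cert_days_left "$cert")
  [ "$days" -gt 0 ] || { echo "certificate in $cert has expired" >&2; return 1; }
  echo "$days"
}

# --- constructed sample input: a 30-day self-signed pair plus one unrelated
# --- key, in a temp dir that is removed on exit.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=unifi.CHANGE.ME" \
  -keyout "$SAMPLE_DIR/cloudkey.key" -out "$SAMPLE_DIR/cloudkey.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$SAMPLE_DIR/other.key" >/dev/null 2>&1

days=$(check_deployed "$SAMPLE_DIR/cloudkey.crt" "$SAMPLE_DIR/cloudkey.key")
echo "sample cert matches its key and is valid for $days more days"
if ! cert_key_match "$SAMPLE_DIR/cloudkey.crt" "$SAMPLE_DIR/other.key"; then
  echo "unrelated key correctly rejected"
fi
```

On the Cloud Key, `check_deployed /etc/ssl/private/cloudkey.crt /etc/ssl/private/cloudkey.key`, `keystore_has_alias`, and a comparison of `served_cert_fingerprint unifi.CHANGE.ME 8443` against `cert_fingerprint /etc/ssl/private/cloudkey.crt` together confirm the three things the hook is supposed to achieve: a matching pair on disk, an entry in the UniFi keystore, and the new certificate actually being served.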
@potto007 (Author) commented:

crontab -e

# # * * * "/root/.acme.sh"/expirycheck.sh
