@stefan-matic
Created October 18, 2023 20:39
Unifi certificate keystore replacement
#!/bin/bash
#
# This script copies our domain cert over to the gateway. We use a wildcard cert so we can have
# different names for the guest portal and main admin page if we want.
#
# Our pub ssh key is in /root/.ssh/authorized_keys on the gateway so we
# don't need a password to run it.
#
# Call this from cron once in a while to make sure your cert stays updated.
# Not too often though as it restarts the whole network container which isn't very desirable.
#
# Be sure to change the names/locations of the cert files and the IP address of the UDM-PRO as needed for your situation.
#
# Original source: https://github.com/gcarey3/copy_certs_to_udmpro/blob/main/copy_certs_to_udmpro.sh
# Updated version: https://github.com/stefan-matic/
set -euo pipefail

CERT_LOCATION="/etc/letsencrypt/live/yourdomain.com/fullchain.pem"
KEY_LOCATION="/etc/letsencrypt/live/yourdomain.com/privkey.pem"
UDM_USER="root"
UDM_IP="192.168.0.1"
UDM_CERT_LOCATION="/data/unifi-core/config"
UDM_KEYSTORE_LOCATION="/data/unifi/data"
# The keystore is built locally and contains the private key, so keep the temp files
# owner-only in a fresh directory and remove them on exit (success or failure).
# A fresh directory also stops keytool from prompting about an existing 'unifi' alias
# left behind in /tmp/keystore by a previous run, which would hang a cron job.
umask 077
WORKDIR="$(mktemp -d)"
trap 'rm -rf "${WORKDIR}"' EXIT
# First copy the full chain (*.yourdomain.com and the intermediate)
/bin/scp "${CERT_LOCATION}" "${UDM_USER}@${UDM_IP}:${UDM_CERT_LOCATION}/unifi-core.crt"
# Next copy the private key for *.yourdomain.com
/bin/scp "${KEY_LOCATION}" "${UDM_USER}@${UDM_IP}:${UDM_CERT_LOCATION}/unifi-core.key"
# Build a pkcs12 version of the cert that contains the cert, intermediate cert, and the key
# Alias must be set to 'unifi' for this to work
/bin/openssl pkcs12 -export -in "${CERT_LOCATION}" -inkey "${KEY_LOCATION}" -out "${WORKDIR}/keystore.p12" -passout pass:aircontrolenterprise -name 'unifi'
# Put the pkcs12 into keystore file needed by guest portal
# 'aircontrolenterprise' is the default password expected for the keystore
/bin/keytool -importkeystore -noprompt -destkeystore "${WORKDIR}/keystore" -srckeystore "${WORKDIR}/keystore.p12" -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -deststorepass aircontrolenterprise -alias unifi
# Copy the keystore to proper dir on UDM-PRO
/bin/scp "${WORKDIR}/keystore" "${UDM_USER}@${UDM_IP}:${UDM_KEYSTORE_LOCATION}/keystore"
# Temp files (keystore.p12 and keystore) are removed by the EXIT trap above
# Change the ownership of the file to what it should be
/bin/ssh "${UDM_USER}@${UDM_IP}" "/bin/chown unifi:unifi ${UDM_KEYSTORE_LOCATION}/keystore"
echo "Certificate replacement completed. You can restart the Unifi console"
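Pre-flight checks to run before the script above pushes anything to the gateway, added here as an example and not part of the gist: they confirm the private key belongs to the certificate, that the certificate is not about to expire, and that a PKCS#12 bundle built the same way as in the script really carries the 'unifi' alias. It generates a throwaway self-signed wildcard certificate as constructed input so it runs offline; the function names, the example.test name and the WORKDIR paths are assumptions.

```shell
#!/bin/bash
# Pre-flight checks for a cert/key pair before it is copied to the UDM-PRO
# (added example, not the gist's code). Uses a constructed self-signed wildcard
# cert; the example.test name and WORKDIR paths are assumptions for the demo.
set -eu
umask 077                      # temp files hold a private key: owner-only
WORKDIR="$(mktemp -d)"
trap 'rm -rf "${WORKDIR}"' EXIT

# Constructed sample input: self-signed *.example.test cert valid for 90 days
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=*.example.test" \
    -keyout "${WORKDIR}/privkey.pem" -out "${WORKDIR}/fullchain.pem" 2>/dev/null
}

# Succeeds only if the private key ($2) belongs to the leaf certificate ($1),
# catching a mismatched pair before the network container is restarted.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)"
  key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)"
  [ -n "${cert_pub}" ] && [ "${cert_pub}" = "${key_pub}" ]
}

# Succeeds only if the certificate ($1) stays valid for at least $2 more days
# (default 7), so a cron run does not install a cert that is already on its way out.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-7} * 86400 ))" >/dev/null
}

# Builds the PKCS#12 exactly as the gist does and verifies the bundle carries the
# 'unifi' friendly name that the keystore import expects.
p12_has_unifi_alias() {
  local info
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "${WORKDIR}/keystore.p12" \
    -passout pass:aircontrolenterprise -name 'unifi'
  info="$(openssl pkcs12 -in "${WORKDIR}/keystore.p12" -passin pass:aircontrolenterprise \
    -nokeys -info 2>&1)"
  printf '%s\n' "${info}" | grep -q 'friendlyName: unifi'
}

# Runs all three checks; the script would call this before its first scp
preflight() {
  cert_matches_key "$1" "$2" && cert_not_expiring "$1" "${3:-7}" && p12_has_unifi_alias "$1" "$2"
}
```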