Unifi Cloudkey Let's Encrypt Script
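#!/bin/bash
# Unifi Cloud Key - Let's Encrypt bootstrap.
#
# Obtains a certificate for the controller's FQDN with acme.sh (DNS-01 validation
# through CloudFlare), converts it into the files the Cloud Key consumes, installs
# them under /etc/ssl/private and restarts nginx and the UniFi controller.
# Place in /root/scripts/ and run once, as root; the companion update_cert.sh
# rebuilds the bundle after each automatic renewal.
#
# Credentials: acme.sh stores CF_Key/CF_Email in ~/.acme.sh/account.conf so the
# cron renewal can reuse them. A CloudFlare Global API Key grants full account
# access; acme.sh's dns_cf hook also accepts a scoped API token (CF_Token with
# CF_Account_ID/CF_Zone_ID), which limits the damage if that file is ever read.
set -euo pipefail

# Keystore password the UniFi controller expects. It is a published default, not a
# secret, which is why passing it on the command line is acceptable here.
readonly KS_PASS=aircontrolenterprise
readonly ACME_HOME="$HOME/.acme.sh"
readonly INSTALL_DIR=/etc/ssl/private
# Files the Cloud Key reads; Cert.tar bundles these same four.
readonly -a CERT_FILES=(cloudkey.crt cloudkey.cer cloudkey.key unifi.keystore.jks)

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Prompt for the FQDN and CloudFlare credentials.
# Globals: DOMAIN (written); CF_Key, CF_Email (exported for acme.sh's dns_cf hook)
#######################################
read_inputs() {
  local cf_key cf_email
  printf '%s\n' "Type the Fully Qualified Domain Name for your Unifi Controller followed by [ENTER]:"
  IFS= read -r DOMAIN
  # DOMAIN is spliced into filesystem paths and passed to acme.sh, so accept only a
  # plain hostname: no slashes, whitespace or leading '-'.
  [[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
    || die "invalid domain name: '$DOMAIN'"
  printf '%s\n' "Type the CloudFlare API Key to use, followed by [ENTER]:"
  IFS= read -rs cf_key   # -s: do not echo the secret back to the terminal
  printf '\n'
  [[ -n "$cf_key" ]] || die "CloudFlare API key must not be empty"
  printf '%s\n' "Type the email address for the previously entered CloudFlare API Key, followed by [ENTER]:"
  IFS= read -r cf_email
  [[ -n "$cf_email" ]] || die "CloudFlare email address must not be empty"
  export CF_Key="$cf_key"
  export CF_Email="$cf_email"
}

#######################################
# Install (or update) acme.sh into $ACME_HOME.
# NOTE(review): this runs an unverified installer fetched over HTTPS (the
# "pipe to sh" pattern). Review the script, or pin a release checkout, before
# running this on a production device.
#######################################
install_acme() {
  wget -O - https://get.acme.sh | sh
}

#######################################
# Request the certificate via DNS-01 validation against CloudFlare.
# acme.sh exits 2 (RENEW_SKIP) when a still-valid certificate for the same
# domain already exists; that is not an error here - the existing files are reused.
# NOTE: recent acme.sh releases default to ZeroSSL; add '--server letsencrypt'
# to the command below if Let's Encrypt specifically is required.
#######################################
issue_cert() {
  local rc=0
  "$ACME_HOME/acme.sh" --issue --dns dns_cf -d "$DOMAIN" || rc=$?
  case "$rc" in
    0) ;;
    2) printf 'acme.sh reports an existing valid certificate; reusing it\n' ;;
    *) die "acme.sh --issue failed with status $rc" ;;
  esac
}

#######################################
# Convert acme.sh's output into the Cloud Key formats inside $ACME_HOME/$DOMAIN:
# PKCS#12 -> Java keystore, the chain under two names, the bare key, and Cert.tar.
#######################################
build_artifacts() {
  local cert_dir="$ACME_HOME/$DOMAIN"
  [[ -f "$cert_dir/fullchain.cer" && -f "$cert_dir/$DOMAIN.key" ]] \
    || die "certificate files not found in $cert_dir"
  openssl pkcs12 -export -in "$cert_dir/fullchain.cer" -inkey "$cert_dir/$DOMAIN.key" \
    -out "$cert_dir/unifi.p12" -name unifi -password "pass:$KS_PASS"
  chmod 600 "$cert_dir/unifi.p12"   # contains the private key
  # Remove any earlier keystore: importing into an existing one with the same
  # alias makes keytool prompt interactively. -deststorepass is the documented
  # importkeystore spelling (the renewal script uses it too).
  rm -f "$cert_dir/unifi.keystore.jks"
  keytool -importkeystore -srckeystore "$cert_dir/unifi.p12" -srcstoretype PKCS12 \
    -srcstorepass "$KS_PASS" -destkeystore "$cert_dir/unifi.keystore.jks" \
    -deststorepass "$KS_PASS" -noprompt
  # Verify the keystore; -storepass avoids an interactive password prompt.
  keytool -list -v -keystore "$cert_dir/unifi.keystore.jks" -storepass "$KS_PASS"
  # Plain copies (not '>>' appends) so re-running never accumulates stale chains.
  cp -f "$cert_dir/fullchain.cer" "$cert_dir/cloudkey.crt"
  cp -f "$cert_dir/fullchain.cer" "$cert_dir/cloudkey.cer"
  cp -f "$cert_dir/$DOMAIN.key" "$cert_dir/cloudkey.key"
  # Absolute archive path plus -C: no cd dance, result does not depend on the cwd.
  tar cf "$cert_dir/Cert.tar" -C "$cert_dir" "${CERT_FILES[@]}"
}

#######################################
# Restrict the bundle to root:ssl-cert (0640) and copy it into $INSTALL_DIR,
# preserving ownership and mode (cp -p).
#######################################
install_artifacts() {
  local cert_dir="$ACME_HOME/$DOMAIN"
  local -a targets=()
  local f
  for f in "${CERT_FILES[@]}" Cert.tar; do
    targets+=("$cert_dir/$f")
  done
  chown root:ssl-cert "${targets[@]}"
  chmod 640 "${targets[@]}"
  cp -p "${targets[@]}" "$INSTALL_DIR"/
}

#######################################
# Restart nginx and the controller. Both are attempted even if the first fails.
# Returns: 1 if either restart failed, 0 otherwise.
#######################################
restart_services() {
  local failed=0
  /etc/init.d/nginx restart || failed=1
  /etc/init.d/unifi restart || failed=1
  return "$failed"
}

main() {
  (( EUID == 0 )) || die "must run as root (chown root:ssl-cert and $INSTALL_DIR need it)"
  read_inputs
  install_acme
  issue_cert
  build_artifacts
  install_artifacts
  local rc=0
  restart_services || rc=1
  # Install acme.sh's renewal cron job even if a restart failed, so the
  # certificate still gets renewed on schedule.
  "$ACME_HOME/acme.sh" installcronjob
  (( rc == 0 )) || die "a service restart failed; check the output above"
}

main "$@"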
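#!/bin/bash
# Unifi Cloud Key - certificate refresh after an acme.sh renewal.
#
# acme.sh renews the certificate on its own schedule (roughly every 60 days) but
# only writes to /root/.acme.sh/<domain>/. This script rebuilds the Cloud Key
# bundle from those files, installs it under /etc/ssl/private and restarts nginx
# and the controller. Intended to run from root's crontab: the entries below run
# acme.sh at 00:31 and this script at 00:01, so a renewal is picked up on the
# following run.
#
# Usage: update_cert.sh [domain]   (defaults to the placeholder DOMAIN below)
set -euo pipefail

# Fixed UniFi keystore password (a published default, not a secret).
readonly KS_PASS=aircontrolenterprise
readonly ACME_HOME=/root/.acme.sh
readonly INSTALL_DIR=/etc/ssl/private
readonly -a CERT_FILES=(cloudkey.crt cloudkey.cer cloudkey.key unifi.keystore.jks)
# Crontab entries this script maintains, each with a substring used to detect it.
readonly ACME_CRON_KEY='acme.sh --cron'
readonly ACME_CRON='31 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null'
readonly UPDATE_CRON_KEY='update_cert.sh'
readonly UPDATE_CRON='1 0 * * * "/root/scripts/update_cert.sh" > /dev/null'

# Substitute your domain here (or pass it as the first argument).
DOMAIN=${1:-myhost.mydomain.com}

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Append a crontab line unless an entry containing $1 is already present.
# The previous unconditional append added two more lines on every cron run.
# Arguments: $1 - substring identifying the entry; $2 - full crontab line
#######################################
ensure_cron_line() {
  local key=$1 line=$2 current
  # 'crontab -l' exits non-zero when root has no crontab yet; treat as empty.
  current=$(crontab -l 2>/dev/null || true)
  if grep -qF -- "$key" <<<"$current"; then
    return 0
  fi
  {
    if [[ -n "$current" ]]; then printf '%s\n' "$current"; fi
    printf '%s\n' "$line"
  } | crontab -
}

#######################################
# True when every bundle file is installed and the installed chain equals
# acme.sh's current fullchain.cer, i.e. nothing has been renewed since last run.
#######################################
already_installed() {
  local cert_dir="$ACME_HOME/$DOMAIN" f
  for f in "${CERT_FILES[@]}" Cert.tar; do
    [[ -f "$INSTALL_DIR/$f" ]] || return 1
  done
  cmp -s "$cert_dir/fullchain.cer" "$INSTALL_DIR/cloudkey.crt"
}

#######################################
# Rebuild the Cloud Key bundle in $ACME_HOME/$DOMAIN from acme.sh's output.
#######################################
rebuild_bundle() {
  local cert_dir="$ACME_HOME/$DOMAIN"
  # Start clean: cp/tar overwrite, but keytool prompts when importing into an
  # existing keystore, and the old version never removed cloudkey.crt while
  # appending to it, so the file grew a stale chain on every run.
  rm -f "$cert_dir"/{Cert.tar,unifi.p12,unifi.keystore.jks,cloudkey.crt,cloudkey.cer,cloudkey.key}
  openssl pkcs12 -export -in "$cert_dir/fullchain.cer" -inkey "$cert_dir/$DOMAIN.key" \
    -out "$cert_dir/unifi.p12" -name unifi -password "pass:$KS_PASS"
  chmod 600 "$cert_dir/unifi.p12"   # contains the private key
  keytool -importkeystore -srckeystore "$cert_dir/unifi.p12" -srcstoretype PKCS12 \
    -srcstorepass "$KS_PASS" -destkeystore "$cert_dir/unifi.keystore.jks" \
    -deststorepass "$KS_PASS" -noprompt
  # Plain copies (not '>>' appends) so the chain is never duplicated.
  cp -f "$cert_dir/fullchain.cer" "$cert_dir/cloudkey.crt"
  cp -f "$cert_dir/fullchain.cer" "$cert_dir/cloudkey.cer"
  cp -f "$cert_dir/$DOMAIN.key" "$cert_dir/cloudkey.key"
  # Absolute archive path plus -C: result does not depend on the cwd, no cd needed.
  tar cf "$cert_dir/Cert.tar" -C "$cert_dir" "${CERT_FILES[@]}"
}

#######################################
# Restrict the bundle to root:ssl-cert (0640) and copy it into $INSTALL_DIR,
# preserving ownership and mode (cp -p).
#######################################
install_bundle() {
  local cert_dir="$ACME_HOME/$DOMAIN"
  local -a targets=()
  local f
  for f in "${CERT_FILES[@]}" Cert.tar; do
    targets+=("$cert_dir/$f")
  done
  chown root:ssl-cert "${targets[@]}"
  chmod 640 "${targets[@]}"
  cp -p "${targets[@]}" "$INSTALL_DIR"/
}

#######################################
# Restart nginx and the controller. Both are attempted even if the first fails.
# Returns: 1 if either restart failed, 0 otherwise.
#######################################
restart_services() {
  local failed=0
  /etc/init.d/nginx restart || failed=1
  /etc/init.d/unifi restart || failed=1
  return "$failed"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  # DOMAIN is spliced into filesystem paths: accept only a plain hostname.
  [[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] \
    || die "invalid domain name: '$DOMAIN'"
  ensure_cron_line "$ACME_CRON_KEY" "$ACME_CRON"
  ensure_cron_line "$UPDATE_CRON_KEY" "$UPDATE_CRON"
  local cert_dir="$ACME_HOME/$DOMAIN"
  [[ -f "$cert_dir/fullchain.cer" && -f "$cert_dir/$DOMAIN.key" ]] \
    || die "certificate files not found in $cert_dir (is DOMAIN set correctly?)"
  # Skip the rebuild and the service restarts when nothing has been renewed;
  # the previous version restarted the controller on every daily cron run.
  if already_installed; then
    printf 'installed certificate is current; nothing to do\n'
    return 0
  fi
  rebuild_bundle
  install_bundle
  restart_services || die "a service restart failed; check the output above"
}

main "$@"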