init

.gitignore

@@ -0,0 +1,2 @@
+/data
+.idea

docker-compose.yml

@@ -0,0 +1,41 @@
+version: '3.7'
+
+x-common: &common
+#        restart: unless-stopped
+        env_file:
+            - env
+
+services:
+    mongodb:
+        << : *common
+        build: ./mongodb
+        container_name: unfi-controller-mongodb
+        networks:
+            unfi-controller.internal.docker:
+                aliases:
+                    - mongodb.unfi-controller.internal.docker
+        volumes:
+            - ./data/mongodb/db:/data/db
+    unifi-controller:
+        << : *common
+        build: ./unifi-controller
+        container_name: unfi-controller-unifi-controller
+        networks:
+            unfi-controller.internal.docker:
+                aliases:
+                    - unifi-controller.unfi-controller.internal.docker
+        volumes:
+            - ./data/unfi-controller/data:/unifi/data
+            - ./data/unfi-controller/log:/unifi/log
+            - ./data/unfi-controller/cert:/unifi/cert
+            - ./data/unfi-controller/init:/unifi/init.d
+        ports:
+            - "127.0.0.1:8080:8080"
+            - "127.0.0.1:8443:8443"
+            - "127.0.0.1:8880:8880"
+            - "127.0.0.1:8843:8843"
+            - "127.0.0.1:10001:10001/udp"
+            - "0.0.0.0:3478:3478/udp"
+
+networks:
+    unfi-controller.internal.docker:

env

@@ -0,0 +1,3 @@
+DB_URI=mongodb://mongodb.unfi-controller.internal.docker/unifi
+STATDB_URI=mongodb://mongodb.unfi-controller.internal.docker/unifi_stat
+DB_NAME=unifi

mongodb/Dockerfile

@@ -0,0 +1 @@
+FROM mongo:3.4

unifi-controller/Dockerfile

@@ -0,0 +1,92 @@
+FROM ubuntu:xenial
+
+LABEL maintainer="Jacob Alberty <jacob.alberty@foundigital.com>"
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+ENV PKGURL=https://dl.ubnt.com/unifi/5.10.17/unifi_sysvinit_all.deb
+
+ENV BASEDIR=/usr/lib/unifi \
+    DATADIR=/unifi/data \
+    LOGDIR=/unifi/log \
+    CERTDIR=/unifi/cert \
+    RUNDIR=/var/run/unifi \
+    ODATADIR=/var/lib/unifi \
+    OLOGDIR=/var/log/unifi \
+    CERTNAME=cert.pem \
+    CERT_PRIVATE_NAME=privkey.pem \
+    CERT_IS_CHAIN=false \
+    GOSU_VERSION=1.10 \
+    BIND_PRIV=true \
+    RUNAS_UID0=true \
+    UNIFI_GID=999 \
+    UNIFI_UID=999
+
+# Install gosu
+# https://github.com/tianon/gosu/blob/master/INSTALL.md
+# This should be integrated with the main run because it duplicates a lot of the steps there
+# but for now while shoehorning gosu in it is seperate
+RUN set -ex \
+    && fetchDeps=' \
+        ca-certificates \
+        wget \
+    ' \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends $fetchDeps \
+    && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
+    && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
+    && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \
+# verify the signature
+    && export GNUPGHOME="$(mktemp -d)" \
+    && for server in $(shuf -e ha.pool.sks-keyservers.net \
+                            hkp://p80.pool.sks-keyservers.net:80 \
+                            keyserver.ubuntu.com \
+                            hkp://keyserver.ubuntu.com:80 \
+                            pgp.mit.edu) ; do \
+        gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
+    done \
+    && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+    && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
+    && chmod +x /usr/local/bin/gosu \
+# verify that the binary works
+    && gosu nobody true \
+    && apt-get purge -y --auto-remove $fetchDeps \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /usr/unifi \
+     /usr/local/unifi/init.d \
+     /usr/unifi/init.d
+COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-healthcheck.sh /usr/local/bin/
+COPY docker-build.sh /usr/local/bin/
+COPY functions /usr/unifi/functions
+COPY import_cert /usr/unifi/init.d/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh \
+ && chmod +x /usr/unifi/init.d/import_cert \
+ && chmod +x /usr/local/bin/docker-healthcheck.sh \
+ && chmod +x /usr/local/bin/docker-build.sh
+
+# Push installing openjdk-8-jre first, so that the unifi package doesn't pull in openjdk-7-jre as a dependency? Else uncomment and just go with openjdk-7.
+RUN set -ex \
+ && mkdir -p /usr/share/man/man1/ \
+ && groupadd -r unifi -g $UNIFI_GID \
+ && useradd --no-log-init -r -u $UNIFI_UID -g $UNIFI_GID unifi \
+ && /usr/local/bin/docker-build.sh "${PKGURL}"
+
+VOLUME ["/unifi", "${RUNDIR}"]
+
+EXPOSE 6789/tcp 8080/tcp 8443/tcp 8880/tcp 8843/tcp 3478/udp
+
+WORKDIR /unifi
+
+HEALTHCHECK CMD /usr/local/bin/docker-healthcheck.sh || exit 1
+
+# execute controller using JSVC like original debian package does
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+
+CMD ["unifi"]
+
+# execute the conroller directly without using the service
+#ENTRYPOINT ["/usr/bin/java", "-Xmx${JVM_MAX_HEAP_SIZE}", "-jar", "/usr/lib/unifi/lib/ace.jar"]
+  # See issue #12 on github: probably want to consider how JSVC handled creating multiple processes, issuing the -stop instraction, etc. Not sure if the above ace.jar class gracefully handles TERM signals.
+#CMD ["start"]

unifi-controller/docker-build.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+# fail on error
+set -e
+
+# Retry 5 times with a wait of 10 seconds between each retry
+tryfail() {
+    for i in $(seq 1 5);
+        do [ $i -gt 1 ] && sleep 10; $* && s=0 && break || s=$?; done;
+    (exit $s)
+}
+
+# Try multiple keyservers in case of failure
+addKey() {
+    for server in $(shuf -e ha.pool.sks-keyservers.net \
+        hkp://p80.pool.sks-keyservers.net:80 \
+        keyserver.ubuntu.com \
+        hkp://keyserver.ubuntu.com:80 \
+        pgp.mit.edu) ; do \
+        if apt-key adv --keyserver "$server" --recv "$1"; then
+            exit 0
+        fi
+    done
+    return 1
+}
+
+if [ "x${1}" == "x" ]; then
+    echo please pass PKGURL as an environment variable
+    exit 0
+fi
+
+apt-get update
+apt-get install -qy --no-install-recommends \
+    apt-transport-https \
+    curl \
+    openjdk-8-jre-headless \
+    procps \
+    libcap2-bin
+tryfail apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
+echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-3.4.list
+apt-get update
+echo "deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti" > /etc/apt/sources.list.d/20ubiquiti.list
+tryfail apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv C0A52C50
+curl -L -o ./unifi.deb "${1}"
+apt -qy install mongodb-org ./unifi.deb
+rm -f ./unifi.deb
+chown -R unifi:unifi /usr/lib/unifi
+rm -rf /var/lib/apt/lists/*
+
+rm -rf ${ODATADIR} ${OLOGDIR}
+mkdir -p ${DATADIR} ${LOGDIR}
+ln -s ${DATADIR} ${BASEDIR}/data
+ln -s ${RUNDIR} ${BASEDIR}/run
+ln -s ${LOGDIR} ${BASEDIR}/logs
+rm -rf {$ODATADIR} ${OLOGDIR}
+ln -s ${DATADIR} ${ODATADIR}
+ln -s ${LOGDIR} ${OLOGDIR}
+mkdir -p /var/cert ${CERTDIR}
+ln -s ${CERTDIR} /var/cert/unifi
+
+rm -rf "${0}"

unifi-controller/docker-entrypoint.sh

@@ -0,0 +1,185 @@
+#!/usr/bin/env bash
+
+. /usr/unifi/functions
+
+if [ -x /usr/local/bin/docker-build.sh ]; then
+    /usr/local/bin/docker-build.sh "${PKGURL}"
+fi
+
+exit_handler() {
+    log "Exit signal received, shutting down"
+    java -jar ${BASEDIR}/lib/ace.jar stop
+    for i in `seq 1 10` ; do
+        [ -z "$(pgrep -f ${BASEDIR}/lib/ace.jar)" ] && break
+        # graceful shutdown
+        [ $i -gt 1 ] && [ -d ${BASEDIR}/run ] && touch ${BASEDIR}/run/server.stop || true
+        # savage shutdown
+        [ $i -gt 7 ] && pkill -f ${BASEDIR}/lib/ace.jar || true
+        sleep 1
+    done
+    # shutdown mongod
+    if [ -f ${MONGOLOCK} ]; then
+        mongo localhost:${MONGOPORT} --eval "db.getSiblingDB('admin').shutdownServer()" >/dev/null 2>&1
+    fi
+    exit ${?};
+}
+
+trap 'kill ${!}; exit_handler' SIGHUP SIGINT SIGQUIT SIGTERM
+
+[ "x${JAVA_HOME}" != "x" ] || set_java_home
+
+
+# vars similar to those found in unifi.init
+MONGOPORT=27117
+
+CODEPATH=${BASEDIR}
+DATALINK=${BASEDIR}/data
+LOGLINK=${BASEDIR}/logs
+RUNLINK=${BASEDIR}/run
+
+DIRS="${RUNDIR} ${LOGDIR} ${DATADIR} ${BASEDIR}"
+
+JVM_MAX_HEAP_SIZE=${JVM_MAX_HEAP_SIZE:-1024M}
+#JVM_INIT_HEAP_SIZE=
+
+JVM_EXTRA_OPTS=""
+
+#JAVA_ENTROPY_GATHER_DEVICE=
+#UNIFI_JVM_EXTRA_OPTS=
+#ENABLE_UNIFI=yes
+
+
+MONGOLOCK="${DATAPATH}/db/mongod.lock"
+JVM_EXTRA_OPTS="${JVM_EXTRA_OPTS} -Dunifi.datadir=${DATADIR} -Dunifi.logdir=${LOGDIR} -Dunifi.rundir=${RUNDIR}"
+PIDFILE=/var/run/unifi/unifi.pid
+
+if [ ! -z "${JVM_MAX_HEAP_SIZE}" ]; then
+  JVM_EXTRA_OPTS="${JVM_EXTRA_OPTS} -Xmx${JVM_MAX_HEAP_SIZE}"
+fi
+
+if [ ! -z "${JVM_INIT_HEAP_SIZE}" ]; then
+  JVM_EXTRA_OPTS="${JVM_EXTRA_OPTS} -Xms${JVM_INIT_HEAP_SIZE}"
+fi
+
+if [ ! -z "${JVM_MAX_THREAD_STACK_SIZE}" ]; then
+  JVM_EXTRA_OPTS="${JVM_EXTRA_OPTS} -Xss${JVM_MAX_THREAD_STACK_SIZE}"
+fi
+
+
+JVM_OPTS="${JVM_EXTRA_OPTS}
+  -Djava.awt.headless=true
+  -Dfile.encoding=UTF-8"
+
+# Cleaning /var/run/unifi/* See issue #26, Docker takes care of exlusivity in the container anyway.
+rm -f /var/run/unifi/unifi.pid
+
+run-parts /usr/local/unifi/init.d
+run-parts /usr/unifi/init.d
+
+if [ -d "/unifi/init.d" ]; then
+    run-parts "/unifi/init.d"
+fi
+
+# Used to generate simple key/value pairs, for example system.properties
+confSet () {
+  file=$1
+  key=$2
+  value=$3
+  if [ "$newfile" != true ] && grep -q "^${key} *=" "$file"; then
+    ekey=$(echo "$key" | sed -e 's/[]\/$*.^|[]/\\&/g')
+    evalue=$(echo "$value" | sed -e 's/[\/&]/\\&/g')
+    sed -i "s/^\(${ekey}\s*=\s*\).*$/\1${evalue}/" "$file"
+  else
+    echo "${key}=${value}" >> "$file"
+  fi
+}
+
+confFile="${DATADIR}/system.properties"
+if [ -e "$confFile" ]; then
+  newfile=false
+else
+  newfile=true
+fi
+
+declare -A settings
+
+h2mb() {
+  awkcmd='
+    /[0-9]$/{print $1/1024/1024;next};
+    /[mM]$/{printf "%u\n", $1;next};
+    /[kK]$/{printf "%u\n", $1/1024;next}
+    /[gG]$/{printf "%u\n", $1*1024;next}
+  '
+  echo $1 | awk "${awkcmd}"
+}
+
+if ! [[ -z "$LOTSOFDEVICES" ]]; then
+  settings["unifi.G1GC.enabled"]="true"
+  settings["unifi.xms"]="$(h2mb $JVM_INIT_HEAP_SIZE)"
+  settings["unifi.xmx"]="$(h2mb ${JVM_MAX_HEAP_SIZE:-1024M})"
+fi
+
+# Implements issue #30
+if ! [[ -z "$DB_URI" || -z "$STATDB_URI" || -z "$DB_NAME" ]]; then
+  settings["db.mongo.local"]="false"
+  settings["db.mongo.uri"]="$DB_URI"
+  settings["statdb.mongo.uri"]="$STATDB_URI"
+  settings["unifi.db.name"]="$DB_NAME"
+fi
+
+for key in "${!settings[@]}"; do
+  confSet "$confFile" "$key" "${settings[$key]}"
+done
+UNIFI_CMD="java ${JVM_OPTS} -jar ${BASEDIR}/lib/ace.jar start"
+
+# controller writes to relative path logs/server.log
+cd ${BASEDIR}
+
+CUID=$(id -u)
+
+if [[ "${@}" == "unifi" ]]; then
+    # keep attached to shell so we can wait on it
+    log 'Starting unifi controller service.'
+    for dir in "${DATADIR}" "${LOGDIR}"; do
+        if [ ! -d "${dir}" ]; then
+            if [ "${UNSAFE_IO}" == "true" ]; then
+                rm -rf "${dir}"
+            fi
+            mkdir -p "${dir}"
+        fi
+    done
+    if [ "${RUNAS_UID0}" == "true" ] || [ "${CUID}" != "0" ]; then
+        if [ "${CUID}" == 0 ]; then
+            log 'WARNING: Running UniFi in insecure (root) mode'
+        fi
+        ${UNIFI_CMD} &
+    elif [ "${RUNAS_UID0}" == "false" ]; then
+        if [ "${BIND_PRIV}" == "true" ]; then
+            if setcap 'cap_net_bind_service=+ep' "${JAVA_HOME}/jre/bin/java"; then
+                sleep 1
+            else
+                log "ERROR: setcap failed, can not continue"
+                log "ERROR: You may either launch with -e BIND_PRIV=false and only use ports >1024"
+                log "ERROR: or run this container as root with -e RUNAS_UID0=true"
+                exit 1
+            fi
+        fi
+        if [ "$(id unifi -u)" != "${UNIFI_UID}" ] || [ "$(id unifi -g)" != "${UNIFI_GID}" ]; then
+            log "INFO: Changing 'unifi' UID to '${UNIFI_UID}' and GID to '${UNIFI_GID}'"
+            usermod -o -u ${UNIFI_UID} unifi && groupmod -o -g ${UNIFI_GID} unifi
+        fi
+        # Using a loop here so I can check more directories easily later
+        for dir in ${DIRS}; do
+            if [ "$(stat -c '%u' "${dir}")" != "${UNIFI_UID}" ]; then
+                chown -R "${UNIFI_UID}:${UNIFI_GID}" "${dir}"
+            fi
+        done
+        gosu unifi:unifi ${UNIFI_CMD} &
+    fi
+    wait
+    log "WARN: unifi service process ended without being singaled? Check for errors in ${LOGDIR}." >&2
+else
+    log "Executing: ${@}"
+    exec ${@}
+fi
+exit 1

unifi-controller/docker-healthcheck.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+SYSPROPS_FILE=${DATADIR}/system.properties
+if [ -f "${SYSPROPS_FILE}" ]; then
+    SYSPROPS_PORT=`grep "^unifi.https.port=" ${SYSPROPS_FILE} | cut -d'=' -f2`
+fi
+PORT=${SYSPROPS_PORT:-8443}
+
+curl --max-time 5 -kILs --fail https://localhost:${PORT}

unifi-controller/functions

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+log() {
+    echo "$(date +"[%Y-%m-%d %T,%3N]") <docker-entrypoint> $*"
+}
+
+set_java_home() {
+    JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:/jre/bin/java::")
+    if [ ! -d "${JAVA_HOME}" ]; then
+        # For some reason readlink failed so lets just make some assumptions instead
+        # We're assuming openjdk 8 since thats what we install in Dockerfile
+        arch=`dpkg --print-architecture 2>/dev/null`
+        JAVA_HOME=/usr/lib/jvm/java-8-openjdk-${arch}
+    fi
+}
+
+instPkg() {
+    for pkg in $*; do
+        if [ $(dpkg-query -W -f='${Status}' "${pkg}" 2>/dev/null | grep -c "ok installed") -eq 0 ];
+        then
+            apt-get -qy install "${pkg}";
+        fi
+    done
+}

unifi-controller/import_cert

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+. /usr/unifi/functions
+
+if [[ ! -d "${CERTDIR}" || ! -f "${CERTDIR}/${CERTNAME}" ]]; then
+    exit 0
+fi
+
+log 'Cert directory found. Checking Certs'
+
+if `md5sum -c "${CERTDIR}/${CERTNAME}.md5" &>/dev/null`; then
+    log "Cert has not changed, not updating controller."
+    exit 0
+else
+    if [ ! -e "${DATADIR}/keystore" ]; then
+        log "WARN: Missing keystore, creating a new one"
+
+        if [ ! -d "${DATADIR}" ]; then
+            log "Missing data directory, creating..."
+            mkdir "${DATADIR}"
+        fi
+
+        keytool -genkey -keyalg RSA -alias unifi -keystore "${DATADIR}/keystore" \
+            -storepass aircontrolenterprise -keypass aircontrolenterprise -validity 1825 \
+            -keysize 4096 -dname "cn=UniFi"
+    fi
+
+    TEMPFILE=$(mktemp)
+    TMPLIST="${TEMPFILE}"
+    CERTTEMPFILE=$(mktemp)
+    TMPLIST+=" ${CERTTEMPFILE}"
+    CERTURI=$(openssl x509 -noout -ocsp_uri -in "${CERTDIR}/${CERTNAME}")
+    # Identrust cross-signed CA cert needed by the java keystore for import.
+    # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
+    cat > "${CERTTEMPFILE}" <<'_EOF'
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----
+_EOF
+
+    log "Cert has changed, updating controller..."
+    md5sum "${CERTDIR}/${CERTNAME}" > "${CERTDIR}/${CERTNAME}.md5"
+    log "Using openssl to prepare certificate..."
+    CHAIN=$(mktemp)
+    TMPLIST+=" ${CHAIN}"
+
+    if [[ "${CERTURI}" == *"letsencrypt"* && "$CERT_IS_CHAIN" == "true" ]]; then
+        awk 1 "${CERTTEMPFILE}" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"
+    elif [[ "${CERTURI}" == *"letsencrypt"* ]]; then
+        awk 1 "${CERTTEMPFILE}" "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"
+    elif [[ -f "${CERTDIR}/ca.pem" ]]; then
+        awk 1 "${CERTDIR}/ca.pem" "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"
+    else
+        awk 1 "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"
+    fi
+   openssl pkcs12 -export  -passout pass:aircontrolenterprise \
+        -in "${CHAIN}" \
+        -inkey "${CERTDIR}/${CERT_PRIVATE_NAME}" \
+        -out "${TEMPFILE}" -name unifi
+    log "Removing existing certificate from Unifi protected keystore..."
+    keytool -delete -alias unifi -keystore "${DATADIR}/keystore" \
+        -deststorepass aircontrolenterprise
+    log "Inserting certificate into Unifi keystore..."
+    keytool -trustcacerts -importkeystore \
+        -deststorepass aircontrolenterprise \
+        -destkeypass aircontrolenterprise \
+        -destkeystore "${DATADIR}/keystore" \
+        -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
+        -srcstorepass aircontrolenterprise \
+        -alias unifi
+    log "Cleaning up temp files"
+    for file in ${TMPLIST}; do
+        rm -f "${file}"
+    done
+    log "Done!"
+fi