
init

tags/1.0.0
Robin Thoni 5 years ago
commit
142afeb22d

+ 2
- 0
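--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/data
+.idea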

+ 41
- 0
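--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,41 @@
+version: '3.7'
+
+x-common: &common
+#        restart: unless-stopped
+        env_file:
+            - env
+
+services:
+    mongodb:
+        << : *common
+        build: ./mongodb
+        container_name: unfi-controller-mongodb
+        networks:
+            unfi-controller.internal.docker:
+                aliases:
+                    - mongodb.unfi-controller.internal.docker
+        volumes:
+            - ./data/mongodb/db:/data/db
+    unifi-controller:
+        << : *common
+        build: ./unifi-controller
+        container_name: unfi-controller-unifi-controller
+        networks:
+            unfi-controller.internal.docker:
+                aliases:
+                    - unifi-controller.unfi-controller.internal.docker
+        volumes:
+            - ./data/unfi-controller/data:/unifi/data
+            - ./data/unfi-controller/log:/unifi/log
+            - ./data/unfi-controller/cert:/unifi/cert
+            - ./data/unfi-controller/init:/unifi/init.d
+        ports:
+            - "127.0.0.1:8080:8080"
+            - "127.0.0.1:8443:8443"
+            - "127.0.0.1:8880:8880"
+            - "127.0.0.1:8843:8843"
+            - "127.0.0.1:10001:10001/udp"
+            - "0.0.0.0:3478:3478/udp"
+
+networks:
+    unfi-controller.internal.docker: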
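Review bot: The `mongodb` service is reachable by any container attached to `unfi-controller.internal.docker` with no authentication — the `env` file's `DB_URI`/`STATDB_URI` carry no credentials and the service defines no `command` or auth-related environment. That is acceptable while the network holds only these two services, but it deserves a comment on the service, e.g. `# no auth: reachable only via the internal network; do not publish 27017`. Note also that the `x-common` anchor makes both services load `env`, so the DB settings are injected into the mongodb container as well, where they are unused. The `unfi` spelling in the network, alias and container names is used consistently by `env` too, so correcting it needs a coordinated change across both files.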

+ 3
- 0
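--- a/env
+++ b/env
@@ -0,0 +1,3 @@
+DB_URI=mongodb://mongodb.unfi-controller.internal.docker/unifi
+STATDB_URI=mongodb://mongodb.unfi-controller.internal.docker/unifi_stat
+DB_NAME=unifi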

+ 1
- 0
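--- a/mongodb/Dockerfile
+++ b/mongodb/Dockerfile
@@ -0,0 +1 @@
+FROM mongo:3.4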
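Review bot: `FROM mongo:3.4` is a floating minor tag with no digest, so rebuilds silently pick up whatever 3.4.x the registry serves; pin a patch version and, for reproducible builds, a digest, e.g. `FROM mongo:3.4.<patch>@sha256:<digest>` (placeholders to be filled in from the registry). The 3.4 series is end-of-life upstream, and it is also what `docker-build.sh` installs from the MongoDB apt repository into the controller image, so the two should be bumped together. Since this Dockerfile is a single `FROM` line, the compose file could reference the image directly with `image:` instead of `build: ./mongodb`.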

+ 92
- 0
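--- a/unifi-controller/Dockerfile
+++ b/unifi-controller/Dockerfile
@@ -0,0 +1,92 @@
+FROM ubuntu:xenial
+
+LABEL maintainer="Jacob Alberty <jacob.alberty@foundigital.com>"
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+ENV PKGURL=https://dl.ubnt.com/unifi/5.10.17/unifi_sysvinit_all.deb
+
+ENV BASEDIR=/usr/lib/unifi \
+    DATADIR=/unifi/data \
+    LOGDIR=/unifi/log \
+    CERTDIR=/unifi/cert \
+    RUNDIR=/var/run/unifi \
+    ODATADIR=/var/lib/unifi \
+    OLOGDIR=/var/log/unifi \
+    CERTNAME=cert.pem \
+    CERT_PRIVATE_NAME=privkey.pem \
+    CERT_IS_CHAIN=false \
+    GOSU_VERSION=1.10 \
+    BIND_PRIV=true \
+    RUNAS_UID0=true \
+    UNIFI_GID=999 \
+    UNIFI_UID=999
+
+# Install gosu
+# https://github.com/tianon/gosu/blob/master/INSTALL.md
+# This should be integrated with the main run because it duplicates a lot of the steps there
+# but for now while shoehorning gosu in it is seperate
+RUN set -ex \
+    && fetchDeps=' \
+        ca-certificates \
+        wget \
+    ' \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends $fetchDeps \
+    && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
+    && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
+    && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \
+# verify the signature
+    && export GNUPGHOME="$(mktemp -d)" \
+    && for server in $(shuf -e ha.pool.sks-keyservers.net \
+                            hkp://p80.pool.sks-keyservers.net:80 \
+                            keyserver.ubuntu.com \
+                            hkp://keyserver.ubuntu.com:80 \
+                            pgp.mit.edu) ; do \
+        gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
+    done \
+    && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+    && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
+    && chmod +x /usr/local/bin/gosu \
+# verify that the binary works
+    && gosu nobody true \
+    && apt-get purge -y --auto-remove $fetchDeps \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /usr/unifi \
+     /usr/local/unifi/init.d \
+     /usr/unifi/init.d
+COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-healthcheck.sh /usr/local/bin/
+COPY docker-build.sh /usr/local/bin/
+COPY functions /usr/unifi/functions
+COPY import_cert /usr/unifi/init.d/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh \
+ && chmod +x /usr/unifi/init.d/import_cert \
+ && chmod +x /usr/local/bin/docker-healthcheck.sh \
+ && chmod +x /usr/local/bin/docker-build.sh
+
+# Push installing openjdk-8-jre first, so that the unifi package doesn't pull in openjdk-7-jre as a dependency? Else uncomment and just go with openjdk-7.
+RUN set -ex \
+ && mkdir -p /usr/share/man/man1/ \
+ && groupadd -r unifi -g $UNIFI_GID \
+ && useradd --no-log-init -r -u $UNIFI_UID -g $UNIFI_GID unifi \
+ && /usr/local/bin/docker-build.sh "${PKGURL}"
+
+VOLUME ["/unifi", "${RUNDIR}"]
+
+EXPOSE 6789/tcp 8080/tcp 8443/tcp 8880/tcp 8843/tcp 3478/udp
+
+WORKDIR /unifi
+
+HEALTHCHECK CMD /usr/local/bin/docker-healthcheck.sh || exit 1
+
+# execute controller using JSVC like original debian package does
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+
+CMD ["unifi"]
+
+# execute the conroller directly without using the service
+#ENTRYPOINT ["/usr/bin/java", "-Xmx${JVM_MAX_HEAP_SIZE}", "-jar", "/usr/lib/unifi/lib/ace.jar"]
+  # See issue #12 on github: probably want to consider how JSVC handled creating multiple processes, issuing the -stop instraction, etc. Not sure if the above ace.jar class gracefully handles TERM signals.
+#CMD ["start"]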
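Review bot: The defaults `RUNAS_UID0=true` and `BIND_PRIV=true` at lines 20-21 send the entrypoint down its root branch (`docker-entrypoint.sh` lines 151-155) and run the controller JVM as root, although every port listed in `EXPOSE` is above 1024 and needs no privilege. Changing the defaults to `RUNAS_UID0=false \` and `BIND_PRIV=false \` lets the entrypoint drop to the `unifi` user via gosu without the `setcap` step, and the compose file can still override them per deployment. `PKGURL` at line 7 is set with `ENV` and so persists into the running container even though it is only consumed at build time (the entrypoint's re-run of `docker-build.sh` is moot because that script deletes itself at the end of the build); an `ARG` would keep it out of the runtime environment. The `LABEL maintainer` appears to name the author of the file this was derived from rather than this repository's maintainer, which is worth a comment or an update.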

+ 61
- 0
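--- a/unifi-controller/docker-build.sh
+++ b/unifi-controller/docker-build.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+# fail on error
+set -e
+
+# Retry 5 times with a wait of 10 seconds between each retry
+tryfail() {
+    for i in $(seq 1 5);
+        do [ $i -gt 1 ] && sleep 10; $* && s=0 && break || s=$?; done;
+    (exit $s)
+}
+
+# Try multiple keyservers in case of failure
+addKey() {
+    for server in $(shuf -e ha.pool.sks-keyservers.net \
+        hkp://p80.pool.sks-keyservers.net:80 \
+        keyserver.ubuntu.com \
+        hkp://keyserver.ubuntu.com:80 \
+        pgp.mit.edu) ; do \
+        if apt-key adv --keyserver "$server" --recv "$1"; then
+            exit 0
+        fi
+    done
+    return 1
+}
+
+if [ "x${1}" == "x" ]; then
+    echo please pass PKGURL as an environment variable
+    exit 0
+fi
+
+apt-get update
+apt-get install -qy --no-install-recommends \
+    apt-transport-https \
+    curl \
+    openjdk-8-jre-headless \
+    procps \
+    libcap2-bin
+tryfail apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
+echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-3.4.list
+apt-get update
+echo "deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti" > /etc/apt/sources.list.d/20ubiquiti.list
+tryfail apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv C0A52C50
+curl -L -o ./unifi.deb "${1}"
+apt -qy install mongodb-org ./unifi.deb
+rm -f ./unifi.deb
+chown -R unifi:unifi /usr/lib/unifi
+rm -rf /var/lib/apt/lists/*
+
+rm -rf ${ODATADIR} ${OLOGDIR}
+mkdir -p ${DATADIR} ${LOGDIR}
+ln -s ${DATADIR} ${BASEDIR}/data
+ln -s ${RUNDIR} ${BASEDIR}/run
+ln -s ${LOGDIR} ${BASEDIR}/logs
+rm -rf {$ODATADIR} ${OLOGDIR}
+ln -s ${DATADIR} ${ODATADIR}
+ln -s ${LOGDIR} ${OLOGDIR}
+mkdir -p /var/cert ${CERTDIR}
+ln -s ${CERTDIR} /var/cert/unifi
+
+rm -rf "${0}"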
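Review bot: The controller package is fetched at line 44 with `curl -L -o ./unifi.deb "${1}"` and installed at line 45 with no integrity check — apt performs no signature verification for a local `.deb` path, so whatever the URL returns is installed as root into the image. The argument check at lines 27-30 compounds this: a missing URL prints a message (which also wrongly says "environment variable" for a positional argument) and exits 0, so the Dockerfile's `RUN` succeeds with no controller installed; that should be `exit 1`. Line 43 imports the Ubiquiti repository key by the 32-bit short id `C0A52C50`, which is collision-prone; use the full 40-hex fingerprint as line 39 already does for MongoDB. The rewrite below fails on HTTP errors and verifies an optional expected SHA-256 passed as a second argument, which the Dockerfile call would supply alongside `${PKGURL}`. Line 55 also has a typo, `{$ODATADIR}`, which expands to a literal brace-wrapped path rather than `${ODATADIR}` — harmless only because line 50 already removed that directory.
```shell
if [ "x${1}" == "x" ]; then
    echo "usage: ${0} PKGURL [PKGSHA256]" >&2
    exit 1
fi
# … unchanged: apt-get install, repository keys and sources …
curl -fsSL -o ./unifi.deb "${1}"
if [ -n "${2}" ]; then
    # refuse to install a package that does not match the expected digest
    echo "${2}  ./unifi.deb" | sha256sum -c -
fi
# … unchanged: apt install, symlinks, self-removal …
```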

+ 185
- 0
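--- a/unifi-controller/docker-entrypoint.sh
+++ b/unifi-controller/docker-entrypoint.sh
@@ -0,0 +1,185 @@
+#!/usr/bin/env bash
+
+. /usr/unifi/functions
+
+if [ -x /usr/local/bin/docker-build.sh ]; then
+    /usr/local/bin/docker-build.sh "${PKGURL}"
+fi
+
+exit_handler() {
+    log "Exit signal received, shutting down"
+    java -jar ${BASEDIR}/lib/ace.jar stop
+    for i in `seq 1 10` ; do
+        [ -z "$(pgrep -f ${BASEDIR}/lib/ace.jar)" ] && break
+        # graceful shutdown
+        [ $i -gt 1 ] && [ -d ${BASEDIR}/run ] && touch ${BASEDIR}/run/server.stop || true
+        # savage shutdown
+        [ $i -gt 7 ] && pkill -f ${BASEDIR}/lib/ace.jar || true
+        sleep 1
+    done
+    # shutdown mongod
+    if [ -f ${MONGOLOCK} ]; then
+        mongo localhost:${MONGOPORT} --eval "db.getSiblingDB('admin').shutdownServer()" >/dev/null 2>&1
+    fi
+    exit ${?};
+}
+
+trap 'kill ${!}; exit_handler' SIGHUP SIGINT SIGQUIT SIGTERM
+
+[ "x${JAVA_HOME}" != "x" ] || set_java_home
+
+
+# vars similar to those found in unifi.init
+MONGOPORT=27117
+
+CODEPATH=${BASEDIR}
+DATALINK=${BASEDIR}/data
+LOGLINK=${BASEDIR}/logs
+RUNLINK=${BASEDIR}/run
+
+DIRS="${RUNDIR} ${LOGDIR} ${DATADIR} ${BASEDIR}"
+
+JVM_MAX_HEAP_SIZE=${JVM_MAX_HEAP_SIZE:-1024M}
+#JVM_INIT_HEAP_SIZE=
+
+JVM_EXTRA_OPTS=""
+
+#JAVA_ENTROPY_GATHER_DEVICE=
+#UNIFI_JVM_EXTRA_OPTS=
+#ENABLE_UNIFI=yes
+
+
+MONGOLOCK="${DATAPATH}/db/mongod.lock"
+JVM_EXTRA_OPTS="${JVM_EXTRA_OPTS} -Dunifi.datadir=${DATADIR} -Dunifi.logdir=${LOGDIR} -Dunifi.rundir=${RUNDIR}"
+PIDFILE=/var/run/unifi/unifi.pid
+
+if [ ! -z "${JVM_MAX_HEAP_SIZE}" ]; then
+  JVM_EXTRA_OPTS="${JVM_EXTRA_OPTS} -Xmx${JVM_MAX_HEAP_SIZE}"
+fi
+
+if [ ! -z "${JVM_INIT_HEAP_SIZE}" ]; then
+  JVM_EXTRA_OPTS="${JVM_EXTRA_OPTS} -Xms${JVM_INIT_HEAP_SIZE}"
+fi
+
+if [ ! -z "${JVM_MAX_THREAD_STACK_SIZE}" ]; then
+  JVM_EXTRA_OPTS="${JVM_EXTRA_OPTS} -Xss${JVM_MAX_THREAD_STACK_SIZE}"
+fi
+
+
+JVM_OPTS="${JVM_EXTRA_OPTS}
+  -Djava.awt.headless=true
+  -Dfile.encoding=UTF-8"
+
+# Cleaning /var/run/unifi/* See issue #26, Docker takes care of exlusivity in the container anyway.
+rm -f /var/run/unifi/unifi.pid
+
+run-parts /usr/local/unifi/init.d
+run-parts /usr/unifi/init.d
+
+if [ -d "/unifi/init.d" ]; then
+    run-parts "/unifi/init.d"
+fi
+
+# Used to generate simple key/value pairs, for example system.properties
+confSet () {
+  file=$1
+  key=$2
+  value=$3
+  if [ "$newfile" != true ] && grep -q "^${key} *=" "$file"; then
+    ekey=$(echo "$key" | sed -e 's/[]\/$*.^|[]/\\&/g')
+    evalue=$(echo "$value" | sed -e 's/[\/&]/\\&/g')
+    sed -i "s/^\(${ekey}\s*=\s*\).*$/\1${evalue}/" "$file"
+  else
+    echo "${key}=${value}" >> "$file"
+  fi
+}
+
+confFile="${DATADIR}/system.properties"
+if [ -e "$confFile" ]; then
+  newfile=false
+else
+  newfile=true
+fi
+
+declare -A settings
+
+h2mb() {
+  awkcmd='
+    /[0-9]$/{print $1/1024/1024;next};
+    /[mM]$/{printf "%u\n", $1;next};
+    /[kK]$/{printf "%u\n", $1/1024;next}
+    /[gG]$/{printf "%u\n", $1*1024;next}
+  '
+  echo $1 | awk "${awkcmd}"
+}
+
+if ! [[ -z "$LOTSOFDEVICES" ]]; then
+  settings["unifi.G1GC.enabled"]="true"
+  settings["unifi.xms"]="$(h2mb $JVM_INIT_HEAP_SIZE)"
+  settings["unifi.xmx"]="$(h2mb ${JVM_MAX_HEAP_SIZE:-1024M})"
+fi
+
+# Implements issue #30
+if ! [[ -z "$DB_URI" || -z "$STATDB_URI" || -z "$DB_NAME" ]]; then
+  settings["db.mongo.local"]="false"
+  settings["db.mongo.uri"]="$DB_URI"
+  settings["statdb.mongo.uri"]="$STATDB_URI"
+  settings["unifi.db.name"]="$DB_NAME"
+fi
+
+for key in "${!settings[@]}"; do
+  confSet "$confFile" "$key" "${settings[$key]}"
+done
+UNIFI_CMD="java ${JVM_OPTS} -jar ${BASEDIR}/lib/ace.jar start"
+
+# controller writes to relative path logs/server.log
+cd ${BASEDIR}
+
+CUID=$(id -u)
+
+if [[ "${@}" == "unifi" ]]; then
+    # keep attached to shell so we can wait on it
+    log 'Starting unifi controller service.'
+    for dir in "${DATADIR}" "${LOGDIR}"; do
+        if [ ! -d "${dir}" ]; then
+            if [ "${UNSAFE_IO}" == "true" ]; then
+                rm -rf "${dir}"
+            fi
+            mkdir -p "${dir}"
+        fi
+    done
+    if [ "${RUNAS_UID0}" == "true" ] || [ "${CUID}" != "0" ]; then
+        if [ "${CUID}" == 0 ]; then
+            log 'WARNING: Running UniFi in insecure (root) mode'
+        fi
+        ${UNIFI_CMD} &
+    elif [ "${RUNAS_UID0}" == "false" ]; then
+        if [ "${BIND_PRIV}" == "true" ]; then
+            if setcap 'cap_net_bind_service=+ep' "${JAVA_HOME}/jre/bin/java"; then
+                sleep 1
+            else
+                log "ERROR: setcap failed, can not continue"
+                log "ERROR: You may either launch with -e BIND_PRIV=false and only use ports >1024"
+                log "ERROR: or run this container as root with -e RUNAS_UID0=true"
+                exit 1
+            fi
+        fi
+        if [ "$(id unifi -u)" != "${UNIFI_UID}" ] || [ "$(id unifi -g)" != "${UNIFI_GID}" ]; then
+            log "INFO: Changing 'unifi' UID to '${UNIFI_UID}' and GID to '${UNIFI_GID}'"
+            usermod -o -u ${UNIFI_UID} unifi && groupmod -o -g ${UNIFI_GID} unifi
+        fi
+        # Using a loop here so I can check more directories easily later
+        for dir in ${DIRS}; do
+            if [ "$(stat -c '%u' "${dir}")" != "${UNIFI_UID}" ]; then
+                chown -R "${UNIFI_UID}:${UNIFI_GID}" "${dir}"
+            fi
+        done
+        gosu unifi:unifi ${UNIFI_CMD} &
+    fi
+    wait
+    log "WARN: unifi service process ended without being singaled? Check for errors in ${LOGDIR}." >&2
+else
+    log "Executing: ${@}"
+    exec ${@}
+fi
+exit 1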
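Review bot: `MONGOLOCK` at line 52 is built from `${DATAPATH}`, which nothing in this commit sets — the Dockerfile defines `DATADIR` — so it resolves to `/db/mongod.lock` and the mongod shutdown in `exit_handler` (lines 21-23) can never run; the fix is `MONGOLOCK="${DATADIR}/db/mongod.lock"`. With the compose file supplying `DB_URI` the embedded mongod is not used, so this only matters for the stand-alone case, but there the database is left to be killed with the container instead of being shut down cleanly. `exit ${?}` at line 24 then reports the status of the `[ -f ]` test (or of `mongo`), not of the controller stop, which is misleading; capture the status you mean to report or use a literal. `settings["unifi.xms"]` at line 118 is also written when `JVM_INIT_HEAP_SIZE` is unset, in which case `h2mb` gets an empty line, matches none of its awk patterns, and an empty `unifi.xms=` lands in `system.properties`; guard it like the `-Xms` block at lines 60-62 does.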

+ 9
- 0
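--- a/unifi-controller/docker-healthcheck.sh
+++ b/unifi-controller/docker-healthcheck.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+SYSPROPS_FILE=${DATADIR}/system.properties
+if [ -f "${SYSPROPS_FILE}" ]; then
+    SYSPROPS_PORT=`grep "^unifi.https.port=" ${SYSPROPS_FILE} | cut -d'=' -f2`
+fi
+PORT=${SYSPROPS_PORT:-8443}
+
+curl --max-time 5 -kILs --fail https://localhost:${PORT}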
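Review bot: `curl -k` at line 9 disables certificate verification, which is deliberate here — the keystore that `import_cert` creates with `keytool -genkey` is self-signed, and the probe targets `localhost` — but without a comment it reads as an oversight; add `# -k: the controller's default keystore is self-signed and the probe hits localhost, so verification is not meaningful here`. `SYSPROPS_PORT` at line 5 is taken from `system.properties` with `grep | cut`; if the key occurs more than once the variable holds several values and the URL at line 9 breaks, so `grep -m1` (or `tail -n1`) would make it robust. The probe depends on `curl` remaining in the final image, which holds because `docker-build.sh` installs it and never purges it — worth stating in a comment so a later cleanup does not break the healthcheck.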

+ 24
- 0
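--- a/unifi-controller/functions
+++ b/unifi-controller/functions
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+log() {
+    echo "$(date +"[%Y-%m-%d %T,%3N]") <docker-entrypoint> $*"
+}
+
+set_java_home() {
+    JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:/jre/bin/java::")
+    if [ ! -d "${JAVA_HOME}" ]; then
+        # For some reason readlink failed so lets just make some assumptions instead
+        # We're assuming openjdk 8 since thats what we install in Dockerfile
+        arch=`dpkg --print-architecture 2>/dev/null`
+        JAVA_HOME=/usr/lib/jvm/java-8-openjdk-${arch}
+    fi
+}
+
+instPkg() {
+    for pkg in $*; do
+        if [ $(dpkg-query -W -f='${Status}' "${pkg}" 2>/dev/null | grep -c "ok installed") -eq 0 ];
+        then
+            apt-get -qy install "${pkg}";
+        fi
+    done
+}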
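Review bot: `instPkg` (lines 17-24) is called by no file in this commit and would run `apt-get install` at container runtime, after `docker-build.sh` has removed `/var/lib/apt/lists/*`, so a call would most likely fail until an `apt-get update` is run and would in any case mutate the container's filesystem rather than the image. If it is kept for downstream init scripts, say so above it, e.g. `# Runtime package install for /unifi/init.d scripts; needs apt-get update first — prefer adding packages in docker-build.sh`. `set_java_home` at line 8 strips `/jre/bin/java` from the resolved path, which pairs with the `${JAVA_HOME}/jre/bin/java` path the entrypoint's `setcap` uses, so a comment noting that the two must change together if the JRE layout changes would help.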

+ 95
- 0
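--- a/unifi-controller/import_cert
+++ b/unifi-controller/import_cert
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+. /usr/unifi/functions
+
+if [[ ! -d "${CERTDIR}" || ! -f "${CERTDIR}/${CERTNAME}" ]]; then
+    exit 0
+fi
+
+log 'Cert directory found. Checking Certs'
+
+if `md5sum -c "${CERTDIR}/${CERTNAME}.md5" &>/dev/null`; then
+    log "Cert has not changed, not updating controller."
+    exit 0
+else
+    if [ ! -e "${DATADIR}/keystore" ]; then
+        log "WARN: Missing keystore, creating a new one"
+
+        if [ ! -d "${DATADIR}" ]; then
+            log "Missing data directory, creating..."
+            mkdir "${DATADIR}"
+        fi
+
+        keytool -genkey -keyalg RSA -alias unifi -keystore "${DATADIR}/keystore" \
+            -storepass aircontrolenterprise -keypass aircontrolenterprise -validity 1825 \
+            -keysize 4096 -dname "cn=UniFi"
+    fi
+
+    TEMPFILE=$(mktemp)
+    TMPLIST="${TEMPFILE}"
+    CERTTEMPFILE=$(mktemp)
+    TMPLIST+=" ${CERTTEMPFILE}"
+    CERTURI=$(openssl x509 -noout -ocsp_uri -in "${CERTDIR}/${CERTNAME}")
+    # Identrust cross-signed CA cert needed by the java keystore for import.
+    # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
+    cat > "${CERTTEMPFILE}" <<'_EOF'
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----
+_EOF
+
+    log "Cert has changed, updating controller..."
+    md5sum "${CERTDIR}/${CERTNAME}" > "${CERTDIR}/${CERTNAME}.md5"
+    log "Using openssl to prepare certificate..."
+    CHAIN=$(mktemp)
+    TMPLIST+=" ${CHAIN}"
+
+    if [[ "${CERTURI}" == *"letsencrypt"* && "$CERT_IS_CHAIN" == "true" ]]; then
+        awk 1 "${CERTTEMPFILE}" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"
+    elif [[ "${CERTURI}" == *"letsencrypt"* ]]; then
+        awk 1 "${CERTTEMPFILE}" "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"
+    elif [[ -f "${CERTDIR}/ca.pem" ]]; then
+        awk 1 "${CERTDIR}/ca.pem" "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"
+    else
+        awk 1 "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"
+    fi
+   openssl pkcs12 -export  -passout pass:aircontrolenterprise \
+        -in "${CHAIN}" \
+        -inkey "${CERTDIR}/${CERT_PRIVATE_NAME}" \
+        -out "${TEMPFILE}" -name unifi
+    log "Removing existing certificate from Unifi protected keystore..."
+    keytool -delete -alias unifi -keystore "${DATADIR}/keystore" \
+        -deststorepass aircontrolenterprise
+    log "Inserting certificate into Unifi keystore..."
+    keytool -trustcacerts -importkeystore \
+        -deststorepass aircontrolenterprise \
+        -destkeypass aircontrolenterprise \
+        -destkeystore "${DATADIR}/keystore" \
+        -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \
+        -srcstorepass aircontrolenterprise \
+        -alias unifi
+    log "Cleaning up temp files"
+    for file in ${TMPLIST}; do
+        rm -f "${file}"
+    done
+    log "Done!"
+fi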
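Review bot: The test at line 13 runs `md5sum -c` inside backticks and then executes its output — empty, because it is redirected — as the command; it works only because bash falls back to the substitution's exit status when no words result, and it reads like a bug, so write `if md5sum -c "${CERTDIR}/${CERTNAME}.md5" &>/dev/null; then`. The script has no `set -e` and checks no exit codes, so a failing `openssl pkcs12` at line 75 (wrong key, missing `chain.pem`) still proceeds to `keytool -delete` at line 80 and leaves the controller with no `unifi` entry in its keystore; test the export's status before deleting the old alias. The root embedded at lines 38-57 is DST Root CA X3 — its validity field in the base64 (`...XDTIxMDkzMDE0MDExNVow`) decodes to a notAfter of 2021-09-30 — so every Let's Encrypt chain assembled at lines 66-69 is now prefixed with an expired root and the heredoc should be dropped or replaced with the current ISRG root when this is revisited. `aircontrolenterprise` is the controller's well-known default keystore password rather than a secret, but a one-line comment saying so at line 25 would save the next reader the question.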
