robin.thoni
/
docker-unifi-controller-server
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
2 Branches
Tree: 142afeb22d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '142afeb22d'
${ noResults }
docker-unifi-controller-server/unifi-controller/import_cert

import_cert 3.9KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495 
  1. #!/usr/bin/env bash

  2. 

  3. PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

  4. 

  5. . /usr/unifi/functions

  6. 

  7. if [[ ! -d "${CERTDIR}" || ! -f "${CERTDIR}/${CERTNAME}" ]]; then

  8.     exit 0

  9. fi

  10. 

  11. log 'Cert directory found. Checking Certs'

  12. 

  13. if `md5sum -c "${CERTDIR}/${CERTNAME}.md5" &>/dev/null`; then

  14.     log "Cert has not changed, not updating controller."

  15.     exit 0

  16. else

  17.     if [ ! -e "${DATADIR}/keystore" ]; then

  18.         log "WARN: Missing keystore, creating a new one"

  19. 

  20.         if [ ! -d "${DATADIR}" ]; then

  21.             log "Missing data directory, creating..."

  22.             mkdir "${DATADIR}"

  23.         fi

  24. 

  25.         keytool -genkey -keyalg RSA -alias unifi -keystore "${DATADIR}/keystore" \

  26.             -storepass aircontrolenterprise -keypass aircontrolenterprise -validity 1825 \

  27.             -keysize 4096 -dname "cn=UniFi"

  28.     fi

  29. 

  30.     TEMPFILE=$(mktemp)

  31.     TMPLIST="${TEMPFILE}"

  32.     CERTTEMPFILE=$(mktemp)

  33.     TMPLIST+=" ${CERTTEMPFILE}"

  34.     CERTURI=$(openssl x509 -noout -ocsp_uri -in "${CERTDIR}/${CERTNAME}")

  35.     # Identrust cross-signed CA cert needed by the java keystore for import.

  36.     # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html

  37.     cat > "${CERTTEMPFILE}" <<'_EOF'

  38. -----BEGIN CERTIFICATE-----

  39. MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/

  40. MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT

  41. DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow

  42. PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD

  43. Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB

  44. AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O

  45. rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq

  46. OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b

  47. xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw

  48. 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD

  49. aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV

  50. HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG

  51. SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69

  52. ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr

  53. AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz

  54. R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5

  55. JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo

  56. Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ

  57. -----END CERTIFICATE-----

  58. _EOF

  59. 

  60.     log "Cert has changed, updating controller..."

  61.     md5sum "${CERTDIR}/${CERTNAME}" > "${CERTDIR}/${CERTNAME}.md5"

  62.     log "Using openssl to prepare certificate..."

  63.     CHAIN=$(mktemp)

  64.     TMPLIST+=" ${CHAIN}"

  65. 

  66.     if [[ "${CERTURI}" == *"letsencrypt"* && "$CERT_IS_CHAIN" == "true" ]]; then

  67.         awk 1 "${CERTTEMPFILE}" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"

  68.     elif [[ "${CERTURI}" == *"letsencrypt"* ]]; then

  69.         awk 1 "${CERTTEMPFILE}" "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"

  70.     elif [[ -f "${CERTDIR}/ca.pem" ]]; then

  71.         awk 1 "${CERTDIR}/ca.pem" "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"

  72.     else

  73.         awk 1 "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${CHAIN}"

  74.     fi

  75.    openssl pkcs12 -export  -passout pass:aircontrolenterprise \

  76.         -in "${CHAIN}" \

  77.         -inkey "${CERTDIR}/${CERT_PRIVATE_NAME}" \

  78.         -out "${TEMPFILE}" -name unifi

  79.     log "Removing existing certificate from Unifi protected keystore..."

  80.     keytool -delete -alias unifi -keystore "${DATADIR}/keystore" \

  81.         -deststorepass aircontrolenterprise

  82.     log "Inserting certificate into Unifi keystore..."

  83.     keytool -trustcacerts -importkeystore \

  84.         -deststorepass aircontrolenterprise \

  85.         -destkeypass aircontrolenterprise \

  86.         -destkeystore "${DATADIR}/keystore" \

  87.         -srckeystore "${TEMPFILE}" -srcstoretype PKCS12 \

  88.         -srcstorepass aircontrolenterprise \

  89.         -alias unifi

  90.     log "Cleaning up temp files"

  91.     for file in ${TMPLIST}; do

  92.         rm -f "${file}"

  93.     done

  94.     log "Done!"

  95. fi