[mirror_acme.sh.git] / deploy / unifi.sh

#!/usr/bin/env sh

# Here is a script to deploy cert on a Unifi Controller or Cloud Key device.
# It supports:
#   - self-hosted Unifi Controller
#   - Unifi Cloud Key (Gen1/2/2+)
#   - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359

#returns 0 means success, otherwise error.

# The deploy-hook automatically detects standard Unifi installations
# for each of the supported environments. Most users should not need
# to set any of these variables, but if you are running a self-hosted
# Controller with custom locations, set these as necessary before running
# the deploy hook. (Defaults shown below.)
#
# Settings for Unifi Controller:
# Location of Java keystore or unifi.keystore.jks file:
#DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
# Keystore password (built into Unifi Controller, not a user-set password):
#DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
# Command to restart Unifi Controller:
#DEPLOY_UNIFI_RELOAD="service unifi restart"
#
# Settings for Unifi Cloud Key Gen1 (nginx admin pages):
# Directory where cloudkey.crt and cloudkey.key live:
#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
# Command to restart maintenance pages and Controller
# (same setting as above, default is updated when running on Cloud Key Gen1):
#DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
#
# Settings for UnifiOS (Cloud Key Gen2):
# Directory where unifi-core.crt and unifi-core.key live:
#DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
# Command to restart unifi-core:
#DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
#
# At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
# or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.

########  Public functions #####################

#domain keyfile certfile cafile fullchain
unifi_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  _getdeployconf DEPLOY_UNIFI_KEYSTORE
  _getdeployconf DEPLOY_UNIFI_KEYPASS
  _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
  _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
  _getdeployconf DEPLOY_UNIFI_RELOAD

  _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"

  # Space-separated list of environments detected and installed:
  _services_updated=""

  # Default reload commands accumulated as we auto-detect environments:
  _reload_cmd=""

  # Unifi Controller environment (self hosted or any Cloud Key) --
  # auto-detect by file /usr/lib/unifi/data/keystore:
  _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
  if [ -f "$_unifi_keystore" ]; then
    _info "Installing certificate for Unifi Controller (Java keystore)"
    _debug _unifi_keystore "$_unifi_keystore"
    if ! _exists keytool; then
      _err "keytool not found"
      return 1
    fi
    if [ ! -w "$_unifi_keystore" ]; then
      _err "The file $_unifi_keystore is not writable, please change the permission."
      return 1
    fi

    _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"

    _debug "Generate import pkcs12"
    _import_pkcs12="$(_mktemp)"
    _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
    # shellcheck disable=SC2181
    if [ "$?" != "0" ]; then
      _err "Error generating pkcs12. Please re-run with --debug and report a bug."
      return 1
    fi

    _debug "Import into keystore: $_unifi_keystore"
    if keytool -importkeystore \
      -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
      -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
      -alias unifi -noprompt; then
      _debug "Import keystore success!"
      rm "$_import_pkcs12"
    else
      _err "Error importing into Unifi Java keystore."
      _err "Please re-run with --debug and report a bug."
      rm "$_import_pkcs12"
      return 1
    fi

    if systemctl -q is-active unifi; then
      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
    fi
    _services_updated="${_services_updated} unifi"
    _info "Install Unifi Controller certificate success!"
  elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
    _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
    return 1
  fi

  # Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
  # auto-detect by file /etc/ssl/private/cloudkey.key:
  _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
  if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
    _info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
    _debug _cloudkey_certdir "$_cloudkey_certdir"
    if [ ! -w "$_cloudkey_certdir" ]; then
      _err "The directory $_cloudkey_certdir is not writable; please check permissions."
      return 1
    fi
    # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
    # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
    # updated above), but if not, we don't know how to handle this installation:
    if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
      _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
      return 1
    fi

    cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
    cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
    (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)

    if systemctl -q is-active nginx; then
      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart"
    fi
    _info "Install Cloud Key Gen1 certificate success!"
    _services_updated="${_services_updated} nginx"
  elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
    _err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
    return 1
  fi

  # UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
  _unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
  if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
    _info "Installing certificate for UnifiOS"
    _debug _unifi_core_config "$_unifi_core_config"
    if [ ! -w "$_unifi_core_config" ]; then
      _err "The directory $_unifi_core_config is not writable; please check permissions."
      return 1
    fi

    cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
    cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"

    if systemctl -q is-active unifi-core; then
      _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
    fi
    _info "Install UnifiOS certificate success!"
    _services_updated="${_services_updated} unifi-core"
  elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
    _err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
    return 1
  fi

  if [ -z "$_services_updated" ]; then
    # None of the Unifi environments were auto-detected, so no deployment has occurred
    # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
    _err "Unable to detect Unifi environment in standard location."
    _err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
    _err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
    _err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
    return 1
  fi

  _reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
  if [ -z "$_reload_cmd" ]; then
    _err "Certificates were installed for services:${_services_updated},"
    _err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
    _err "to a command that will restart the necessary services."
    return 1
  fi
  _info "Reload services (this may take some time): $_reload_cmd"
  if eval "$_reload_cmd"; then
    _info "Reload success!"
  else
    _err "Reload error"
    return 1
  fi

  # Successful, so save all (non-default) config:
  _savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  _savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"

  return 0
}
Commit	Line	Data
8eab77f3 BC	1	#!/usr/bin/env sh
8eab77f3 BC	2
bf8c3370 ME	3	# Here is a script to deploy cert on a Unifi Controller or Cloud Key device.
	4	# It supports:
	5	# - self-hosted Unifi Controller
	6	# - Unifi Cloud Key (Gen1/2/2+)
	7	# - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
	8	# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
8eab77f3 BC	9
	10	#returns 0 means success, otherwise error.
	11
bf8c3370 ME	12	# The deploy-hook automatically detects standard Unifi installations
	13	# for each of the supported environments. Most users should not need
	14	# to set any of these variables, but if you are running a self-hosted
	15	# Controller with custom locations, set these as necessary before running
	16	# the deploy hook. (Defaults shown below.)
	17	#
	18	# Settings for Unifi Controller:
	19	# Location of Java keystore or unifi.keystore.jks file:
8eab77f3	20	#DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
bf8c3370	21	# Keystore password (built into Unifi Controller, not a user-set password):
8eab77f3	22	#DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
bf8c3370	23	# Command to restart Unifi Controller:
8eab77f3	24	#DEPLOY_UNIFI_RELOAD="service unifi restart"
bf8c3370 ME	25	#
	26	# Settings for Unifi Cloud Key Gen1 (nginx admin pages):
	27	# Directory where cloudkey.crt and cloudkey.key live:
	28	#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
	29	# Command to restart maintenance pages and Controller
	30	# (same setting as above, default is updated when running on Cloud Key Gen1):
	31	#DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
	32	#
	33	# Settings for UnifiOS (Cloud Key Gen2):
	34	# Directory where unifi-core.crt and unifi-core.key live:
	35	#DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
	36	# Command to restart unifi-core:
	37	#DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
	38	#
	39	# At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
	40	# or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.
8eab77f3 BC	41
	42	######## Public functions #####################
	43
	44	#domain keyfile certfile cafile fullchain
	45	unifi_deploy() {
	46	_cdomain="$1"
	47	_ckey="$2"
	48	_ccert="$3"
	49	_cca="$4"
	50	_cfullchain="$5"
	51
	52	_debug _cdomain "$_cdomain"
	53	_debug _ckey "$_ckey"
	54	_debug _ccert "$_ccert"
	55	_debug _cca "$_cca"
	56	_debug _cfullchain "$_cfullchain"
	57
bf8c3370 ME	58	_getdeployconf DEPLOY_UNIFI_KEYSTORE
	59	_getdeployconf DEPLOY_UNIFI_KEYPASS
	60	_getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
	61	_getdeployconf DEPLOY_UNIFI_CORE_CONFIG
	62	_getdeployconf DEPLOY_UNIFI_RELOAD
	63
	64	_debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
	65	_debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
	66	_debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
	67	_debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
	68	_debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
	69
	70	# Space-separated list of environments detected and installed:
	71	_services_updated=""
	72
	73	# Default reload commands accumulated as we auto-detect environments:
	74	_reload_cmd=""
	75
	76	# Unifi Controller environment (self hosted or any Cloud Key) --
	77	# auto-detect by file /usr/lib/unifi/data/keystore:
	78	_unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
	79	if [ -f "$_unifi_keystore" ]; then
	80	_info "Installing certificate for Unifi Controller (Java keystore)"
	81	_debug _unifi_keystore "$_unifi_keystore"
	82	if ! _exists keytool; then
	83	_err "keytool not found"
	84	return 1
	85	fi
	86	if [ ! -w "$_unifi_keystore" ]; then
	87	_err "The file $_unifi_keystore is not writable, please change the permission."
	88	return 1
	89	fi
	90
	91	_unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"
8eab77f3	92
bf8c3370 ME	93	_debug "Generate import pkcs12"
	94	_import_pkcs12="$(_mktemp)"
	95	_toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
	96	# shellcheck disable=SC2181
	97	if [ "$?" != "0" ]; then
	98	_err "Error generating pkcs12. Please re-run with --debug and report a bug."
8eab77f3	99	return 1
bf8c3370 ME	100	fi
	101
	102	_debug "Import into keystore: $_unifi_keystore"
	103	if keytool -importkeystore \
	104	-deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
	105	-srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
	106	-alias unifi -noprompt; then
	107	_debug "Import keystore success!"
	108	rm "$_import_pkcs12"
8eab77f3	109	else
bf8c3370 ME	110	_err "Error importing into Unifi Java keystore."
	111	_err "Please re-run with --debug and report a bug."
	112	rm "$_import_pkcs12"
8eab77f3 BC	113	return 1
8eab77f3 BC	114	fi
bf8c3370 ME	115
	116	if systemctl -q is-active unifi; then
	117	_reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
	118	fi
	119	_services_updated="${_services_updated} unifi"
	120	_info "Install Unifi Controller certificate success!"
	121	elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
	122	_err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
	123	return 1
8eab77f3	124	fi
bf8c3370 ME	125
	126	# Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
	127	# auto-detect by file /etc/ssl/private/cloudkey.key:
	128	_cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
	129	if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
	130	_info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
	131	_debug _cloudkey_certdir "$_cloudkey_certdir"
	132	if [ ! -w "$_cloudkey_certdir" ]; then
	133	_err "The directory $_cloudkey_certdir is not writable; please check permissions."
	134	return 1
	135	fi
	136	# Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
	137	# Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
	138	# updated above), but if not, we don't know how to handle this installation:
	139	if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
	140	_err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
	141	return 1
	142	fi
	143
	144	cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
	145	cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
	146	(cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
	147
	148	if systemctl -q is-active nginx; then
	149	_reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart"
	150	fi
	151	_info "Install Cloud Key Gen1 certificate success!"
	152	_services_updated="${_services_updated} nginx"
	153	elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
	154	_err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
8eab77f3 BC	155	return 1
	156	fi
	157
bf8c3370 ME	158	# UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
	159	_unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
	160	if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
	161	_info "Installing certificate for UnifiOS"
	162	_debug _unifi_core_config "$_unifi_core_config"
	163	if [ ! -w "$_unifi_core_config" ]; then
	164	_err "The directory $_unifi_core_config is not writable; please check permissions."
	165	return 1
	166	fi
	167
	168	cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
	169	cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
	170
	171	if systemctl -q is-active unifi-core; then
	172	_reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
	173	fi
	174	_info "Install UnifiOS certificate success!"
	175	_services_updated="${_services_updated} unifi-core"
	176	elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
	177	_err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
8eab77f3 BC	178	return 1
	179	fi
	180
bf8c3370 ME	181	if [ -z "$_services_updated" ]; then
	182	# None of the Unifi environments were auto-detected, so no deployment has occurred
	183	# (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
	184	_err "Unable to detect Unifi environment in standard location."
	185	_err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
	186	_err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
	187	_err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
8eab77f3 BC	188	return 1
	189	fi
	190
bf8c3370 ME	191	_reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
	192	if [ -z "$_reload_cmd" ]; then
	193	_err "Certificates were installed for services:${_services_updated},"
	194	_err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
	195	_err "to a command that will restart the necessary services."
	196	return 1
	197	fi
	198	_info "Reload services (this may take some time): $_reload_cmd"
	199	if eval "$_reload_cmd"; then
8eab77f3	200	_info "Reload success!"
8eab77f3 BC	201	else
	202	_err "Reload error"
	203	return 1
	204	fi
8eab77f3	205
bf8c3370 ME	206	# Successful, so save all (non-default) config:
	207	_savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
	208	_savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
	209	_savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
	210	_savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
	211	_savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
	212
	213	return 0
8eab77f3	214	}