1 | #!/usr/bin/env sh |
2 | ||
3 | # Here is a script to deploy cert on a Unifi Controller or Cloud Key device. |
4 | # It supports: | |
5 | # - self-hosted Unifi Controller | |
6 | # - Unifi Cloud Key (Gen1/2/2+) | |
7 | # - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only) | |
8 | # Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359 | |
9 | |
10 | # Returns 0 on success, non-zero on error. | |
11 | ||
12 | # The deploy-hook automatically detects standard Unifi installations |
13 | # for each of the supported environments. Most users should not need | |
14 | # to set any of these variables, but if you are running a self-hosted | |
15 | # Controller with custom locations, set these as necessary before running | |
16 | # the deploy hook. (Defaults shown below.) | |
17 | # | |
18 | # Settings for Unifi Controller: | |
19 | # Location of Java keystore or unifi.keystore.jks file: | |
8eab77f3 | 20 | #DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore" |
c384ed96 | 21 | # Keystore password (built into Unifi Controller, not a user-set password): |
8eab77f3 | 22 | #DEPLOY_UNIFI_KEYPASS="aircontrolenterprise" |
c384ed96 | 23 | # Command to restart Unifi Controller: |
8eab77f3 | 24 | #DEPLOY_UNIFI_RELOAD="service unifi restart" |
25 | # |
26 | # Settings for Unifi Cloud Key Gen1 (nginx admin pages): | |
27 | # Directory where cloudkey.crt and cloudkey.key live: | |
28 | #DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private" | |
29 | # Command to restart maintenance pages and Controller | |
30 | # (same setting as above, default is updated when running on Cloud Key Gen1): | |
31 | #DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart" | |
32 | # | |
33 | # Settings for UnifiOS (Cloud Key Gen2): | |
34 | # Directory where unifi-core.crt and unifi-core.key live: | |
35 | #DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/" | |
36 | # Command to restart unifi-core: | |
37 | #DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core" | |
38 | # | |
39 | # At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR, | |
40 | # or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs. | |
41 | |
42 | ######## Public functions ##################### | |
43 | ||
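# Deploy the issued certificate into every Unifi environment detected on this
# host (Controller Java keystore, Cloud Key Gen1 nginx files, UnifiOS
# unifi-core files) and then restart the affected services.
#
# Arguments (positional, as for every acme.sh deploy hook):
#   $1 domain   $2 key file   $3 cert file   $4 CA file   $5 full-chain file
#
# Returns 0 on success, 1 on any error.  Processing stops at the first failing
# environment; anything installed before that point is left in place.
unifi_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # Load any settings saved by a previous successful run (see the end of
  # this function); values from the environment take precedence.
  _getdeployconf DEPLOY_UNIFI_KEYSTORE
  _getdeployconf DEPLOY_UNIFI_KEYPASS
  _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
  _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
  _getdeployconf DEPLOY_UNIFI_RELOAD

  _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"

  # Space-separated list of environments detected and installed:
  _services_updated=""

  # Default reload commands accumulated as we auto-detect environments:
  _reload_cmd=""

  # Unifi Controller environment (self hosted or any Cloud Key) --
  # auto-detect by file /usr/lib/unifi/data/keystore:
  _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
  if [ -f "$_unifi_keystore" ]; then
    _info "Installing certificate for Unifi Controller (Java keystore)"
    _debug _unifi_keystore "$_unifi_keystore"
    if ! _exists keytool; then
      _err "keytool not found"
      return 1
    fi
    if [ ! -w "$_unifi_keystore" ]; then
      _err "The file $_unifi_keystore is not writable, please change the permission."
      return 1
    fi

    # Unifi ships with a fixed keystore password; it only needs overriding
    # for non-standard installations.
    _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"

    _debug "Generate import pkcs12"
    _import_pkcs12="$(_mktemp)"
    # The temporary PKCS#12 bundle carries the private key, so it is removed
    # on every exit path from here on -- including a failed conversion, which
    # previously left it behind.
    if ! _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root; then
      _err "Error generating pkcs12. Please re-run with --debug and report a bug."
      rm -f "$_import_pkcs12"
      return 1
    fi

    _debug "Import into keystore: $_unifi_keystore"
    # NOTE: the store password is passed on the keytool command line and is
    # therefore visible in the local process list while keytool runs.  With
    # the default it is the well-known Unifi built-in value; if you set
    # DEPLOY_UNIFI_KEYPASS to a private value, be aware of this exposure.
    if keytool -importkeystore \
      -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
      -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
      -alias unifi -noprompt; then
      _debug "Import keystore success!"
      rm -f "$_import_pkcs12"
    else
      _err "Error importing into Unifi Java keystore."
      _err "Please re-run with --debug and report a bug."
      rm -f "$_import_pkcs12"
      return 1
    fi

    # Only queue a restart for services that are actually running.
    if systemctl -q is-active unifi; then
      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
    fi
    _services_updated="${_services_updated} unifi"
    _info "Install Unifi Controller certificate success!"
  elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
    # An explicit setting that does not point at a file is a configuration
    # error rather than "environment not present".
    _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
    return 1
  fi

  # Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
  # auto-detect by file /etc/ssl/private/cloudkey.key:
  _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
  if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
    _info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
    _debug _cloudkey_certdir "$_cloudkey_certdir"
    if [ ! -w "$_cloudkey_certdir" ]; then
      _err "The directory $_cloudkey_certdir is not writable; please check permissions."
      return 1
    fi
    # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
    # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
    # updated above), but if not, we don't know how to handle this installation:
    if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
      _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
      return 1
    fi

    # cloudkey.key already exists (that is how this environment was detected),
    # so the '>' redirection truncates it in place and keeps its existing owner
    # and mode rather than creating a fresh file under the current umask.
    # Each write is checked so a failed copy is not reported as success.
    if ! cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"; then
      _err "Unable to write ${_cloudkey_certdir}/cloudkey.crt"
      return 1
    fi
    if ! cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"; then
      _err "Unable to write ${_cloudkey_certdir}/cloudkey.key"
      return 1
    fi
    if ! (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks); then
      _err "Unable to create ${_cloudkey_certdir}/cert.tar"
      return 1
    fi

    if systemctl -q is-active nginx; then
      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart"
    fi
    _info "Install Cloud Key Gen1 certificate success!"
    _services_updated="${_services_updated} nginx"
  elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
    _err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
    return 1
  fi

  # UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
  _unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
  if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
    _info "Installing certificate for UnifiOS"
    _debug _unifi_core_config "$_unifi_core_config"
    if [ ! -w "$_unifi_core_config" ]; then
      _err "The directory $_unifi_core_config is not writable; please check permissions."
      return 1
    fi

    # As for the Cloud Key files above: unifi-core.key exists already, so the
    # truncating write preserves its owner and mode; both writes are checked.
    if ! cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"; then
      _err "Unable to write ${_unifi_core_config}/unifi-core.crt"
      return 1
    fi
    if ! cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"; then
      _err "Unable to write ${_unifi_core_config}/unifi-core.key"
      return 1
    fi

    if systemctl -q is-active unifi-core; then
      _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
    fi
    _info "Install UnifiOS certificate success!"
    _services_updated="${_services_updated} unifi-core"
  elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
    _err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
    return 1
  fi

  if [ -z "$_services_updated" ]; then
    # None of the Unifi environments were auto-detected, so no deployment has occurred
    # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
    _err "Unable to detect Unifi environment in standard location."
    _err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
    _err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
    _err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
    return 1
  fi

  # An explicit DEPLOY_UNIFI_RELOAD replaces (does not extend) the
  # auto-detected restart commands.
  _reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
  if [ -z "$_reload_cmd" ]; then
    _err "Certificates were installed for services:${_services_updated},"
    _err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
    _err "to a command that will restart the necessary services."
    return 1
  fi
  _info "Reload services (this may take some time): $_reload_cmd"
  # DEPLOY_UNIFI_RELOAD is operator-supplied shell text and is executed as
  # such via eval (by design, so '&&' chains work).  It is read from the
  # acme.sh deploy config saved below, so that file must stay writable only
  # by the account that runs acme.sh.
  if eval "$_reload_cmd"; then
    _info "Reload success!"
  else
    _err "Reload error"
    return 1
  fi

  # Successful, so save all (non-default) config:
  _savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  _savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"

  return 0
}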