3 # This script deploys a certificate to a Unifi Controller or Cloud Key device.
5 # - self-hosted Unifi Controller
6 # - Unifi Cloud Key (Gen1/2/2+)
7 # - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
8 # Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
10 # Returns 0 on success, non-zero on error.
12 # The deploy hook automatically detects standard Unifi installations
13 # for each of the supported environments. Most users should not need
14 # to set any of these variables, but if you are running a self-hosted
15 # Controller with custom locations, set them as necessary before running
16 # the deploy hook. (Defaults are shown below.)
18 # Settings for Unifi Controller:
19 # Location of Java keystore or unifi.keystore.jks file:
20 #DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
21 # Keystore password (built into Unifi Controller, not a user-set password):
22 #DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
23 # Command to restart Unifi Controller (a shell command string that is
23 # passed to eval, so it may chain several commands with &&):
24 #DEPLOY_UNIFI_RELOAD="service unifi restart"
26 # Settings for Unifi Cloud Key Gen1 (nginx admin pages):
27 # Directory where cloudkey.crt and cloudkey.key live:
28 #DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
29 # Command to restart the maintenance pages and the Controller
30 # (same setting as above; its default changes when running on a Cloud Key Gen1):
31 #DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
33 # Settings for UnifiOS (Cloud Key Gen2):
34 # Directory where unifi-core.crt and unifi-core.key live:
35 #DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
36 # Command to restart unifi-core:
37 #DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
39 # At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR
40 # or DEPLOY_UNIFI_CORE_CONFIG must exist on this host to receive the deployed certs.
42 ######## Public functions #####################
44 #domain keyfile certfile cafile fullchain
52 _debug _cdomain
"$_cdomain"
54 _debug _ccert
"$_ccert"
56 _debug _cfullchain
"$_cfullchain"
58 _getdeployconf DEPLOY_UNIFI_KEYSTORE
59 _getdeployconf DEPLOY_UNIFI_KEYPASS
60 _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
61 _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
62 _getdeployconf DEPLOY_UNIFI_RELOAD
64 _debug2 DEPLOY_UNIFI_KEYSTORE
"$DEPLOY_UNIFI_KEYSTORE"
65 _debug2 DEPLOY_UNIFI_KEYPASS
"$DEPLOY_UNIFI_KEYPASS"
66 _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR
"$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
67 _debug2 DEPLOY_UNIFI_CORE_CONFIG
"$DEPLOY_UNIFI_CORE_CONFIG"
68 _debug2 DEPLOY_UNIFI_RELOAD
"$DEPLOY_UNIFI_RELOAD"
70 # Space-separated list of environments detected and installed:
73 # Default reload commands accumulated as we auto-detect environments:
76 # Unifi Controller environment (self hosted or any Cloud Key) --
77 # auto-detect by file /usr/lib/unifi/data/keystore:
78 _unifi_keystore
="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
79 if [ -f "$_unifi_keystore" ]; then
80 _info
"Installing certificate for Unifi Controller (Java keystore)"
81 _debug _unifi_keystore
"$_unifi_keystore"
82 if ! _exists keytool
; then
83 _err
"keytool not found"
86 if [ ! -w "$_unifi_keystore" ]; then
87 _err
"The file $_unifi_keystore is not writable, please change the permission."
91 _unifi_keypass
="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"
93 _debug
"Generate import pkcs12"
94 _import_pkcs12
="$(_mktemp)"
95 _toPkcs
"$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
96 # shellcheck disable=SC2181
97 if [ "$?" != "0" ]; then
98 _err
"Error generating pkcs12. Please re-run with --debug and report a bug."
102 _debug
"Import into keystore: $_unifi_keystore"
103 if keytool
-importkeystore \
104 -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
105 -srckeystore "$_import_pkcs12" -srcstoretype PKCS12
-srcstorepass "$_unifi_keypass" \
106 -alias unifi
-noprompt; then
107 _debug
"Import keystore success!"
110 _err
"Error importing into Unifi Java keystore."
111 _err
"Please re-run with --debug and report a bug."
116 if systemctl
-q is-active unifi
; then
117 _reload_cmd
="${_reload_cmd:+$_reload_cmd && }service unifi restart"
119 _services_updated
="${_services_updated} unifi"
120 _info
"Install Unifi Controller certificate success!"
121 elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
122 _err
"The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
126 # Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
127 # auto-detect by file /etc/ssl/private/cloudkey.key:
128 _cloudkey_certdir
="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
129 if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
130 _info
"Installing certificate for Cloud Key Gen1 (nginx admin pages)"
131 _debug _cloudkey_certdir
"$_cloudkey_certdir"
132 if [ ! -w "$_cloudkey_certdir" ]; then
133 _err
"The directory $_cloudkey_certdir is not writable; please check permissions."
136 # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
137 # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
138 # updated above), but if not, we don't know how to handle this installation:
139 if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
140 _err
"Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
144 cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
145 cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
146 (cd "$_cloudkey_certdir" && tar -cf cert.
tar cloudkey.crt cloudkey.key unifi.keystore.jks
)
148 if systemctl
-q is-active nginx
; then
149 _reload_cmd
="${_reload_cmd:+$_reload_cmd && }service nginx restart"
151 _info
"Install Cloud Key Gen1 certificate success!"
152 _services_updated
="${_services_updated} nginx"
153 elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
154 _err
"The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
158 # UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
159 _unifi_core_config
="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
160 if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
161 _info
"Installing certificate for UnifiOS"
162 _debug _unifi_core_config
"$_unifi_core_config"
163 if [ ! -w "$_unifi_core_config" ]; then
164 _err
"The directory $_unifi_core_config is not writable; please check permissions."
168 cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
169 cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
171 if systemctl
-q is-active unifi-core
; then
172 _reload_cmd
="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
174 _info
"Install UnifiOS certificate success!"
175 _services_updated
="${_services_updated} unifi-core"
176 elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
177 _err
"The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
181 if [ -z "$_services_updated" ]; then
182 # None of the Unifi environments were auto-detected, so no deployment has occurred
183 # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
184 _err
"Unable to detect Unifi environment in standard location."
185 _err
"(This deploy hook must be run on the Unifi device, not a remote machine.)"
186 _err
"For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
187 _err
"DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
191 _reload_cmd
="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
192 if [ -z "$_reload_cmd" ]; then
193 _err
"Certificates were installed for services:${_services_updated},"
194 _err
"but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
195 _err
"to a command that will restart the necessary services."
198 _info
"Reload services (this may take some time): $_reload_cmd"
199 if eval "$_reload_cmd"; then
200 _info
"Reload success!"
206 # Successful, so save all (non-default) config:
207 _savedeployconf DEPLOY_UNIFI_KEYSTORE
"$DEPLOY_UNIFI_KEYSTORE"
208 _savedeployconf DEPLOY_UNIFI_KEYPASS
"$DEPLOY_UNIFI_KEYPASS"
209 _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
"$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
210 _savedeployconf DEPLOY_UNIFI_CORE_CONFIG
"$DEPLOY_UNIFI_CORE_CONFIG"
211 _savedeployconf DEPLOY_UNIFI_RELOAD
"$DEPLOY_UNIFI_RELOAD"