1 #!/usr/bin/env sh
2
# This script deploys a certificate to a Unifi Controller or Cloud Key device.
4 # It supports:
5 # - self-hosted Unifi Controller
6 # - Unifi Cloud Key (Gen1/2/2+)
7 # - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
8 # Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
9
# Returns 0 on success, non-zero on error.
11
12 # The deploy-hook automatically detects standard Unifi installations
13 # for each of the supported environments. Most users should not need
14 # to set any of these variables, but if you are running a self-hosted
15 # Controller with custom locations, set these as necessary before running
16 # the deploy hook. (Defaults shown below.)
17 #
18 # Settings for Unifi Controller:
19 # Location of Java keystore or unifi.keystore.jks file:
20 #DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
21 # Keystore password (built into Unifi Controller, not a user-set password):
22 #DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
23 # Command to restart Unifi Controller:
24 #DEPLOY_UNIFI_RELOAD="service unifi restart"
25 #
26 # Settings for Unifi Cloud Key Gen1 (nginx admin pages):
27 # Directory where cloudkey.crt and cloudkey.key live:
28 #DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
29 # Command to restart maintenance pages and Controller
30 # (same setting as above, default is updated when running on Cloud Key Gen1):
31 #DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
32 #
33 # Settings for UnifiOS (Cloud Key Gen2):
34 # Directory where unifi-core.crt and unifi-core.key live:
35 #DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
36 # Command to restart unifi-core:
37 #DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
38 #
39 # At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
40 # or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.
41
42 ######## Public functions #####################
43
# Arguments: domain keyfile certfile cafile fullchain
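unifi_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  _getdeployconf DEPLOY_UNIFI_KEYSTORE
  _getdeployconf DEPLOY_UNIFI_KEYPASS
  _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
  _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
  _getdeployconf DEPLOY_UNIFI_RELOAD

  _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"

  # Space-separated list of environments detected and installed:
  _services_updated=""

  # Default reload commands accumulated as we auto-detect environments:
  _reload_cmd=""

  # Each step returns 0 when its environment is absent or was installed
  # successfully, and 1 on a hard error (bad setting, unwritable target,
  # failed write). Order matters: the Cloud Key Gen1 step compares against
  # _unifi_keystore, which is set by the keystore step.
  _unifi_deploy_keystore || return 1
  _unifi_deploy_cloudkey_gen1 || return 1
  _unifi_deploy_unifios || return 1

  if [ -z "$_services_updated" ]; then
    # None of the Unifi environments were auto-detected, so no deployment has occurred
    # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
    _err "Unable to detect Unifi environment in standard location."
    _err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
    _err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
    _err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
    return 1
  fi

  # An explicit DEPLOY_UNIFI_RELOAD replaces the auto-detected command entirely.
  _reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
  if [ -z "$_reload_cmd" ]; then
    _err "Certificates were installed for services:${_services_updated},"
    _err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
    _err "to a command that will restart the necessary services."
    return 1
  fi
  _info "Reload services (this may take some time): $_reload_cmd"
  # DEPLOY_UNIFI_RELOAD is an operator-supplied shell snippet read from the
  # deploy config (not from the certificate or the network), so eval is the
  # intended way to run it; it executes with this hook's own privileges.
  if eval "$_reload_cmd"; then
    _info "Reload success!"
  else
    _err "Reload error"
    return 1
  fi

  # Successful, so save all (non-default) config:
  _savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  _savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"

  return 0
}

# Appends $1 to _reload_cmd, joining with " && " when a command is already queued.
_unifi_append_reload() {
  _reload_cmd="${_reload_cmd:+$_reload_cmd && }$1"
}

# Copies file $1 over $2 with cat, so an existing destination keeps its current
# mode (the .key files this hook overwrites must already exist for the
# environment to be detected). Returns 1 with an error if the write fails,
# instead of silently continuing with a truncated file.
_unifi_write_file() {
  if ! cat "$1" >"$2"; then
    _err "Failed to write $2"
    return 1
  fi
  return 0
}

# Unifi Controller environment (self hosted or any Cloud Key) --
# auto-detect by file /usr/lib/unifi/data/keystore.
# Sets _unifi_keystore (read later by the Cloud Key Gen1 step); on success
# appends "unifi" to _services_updated and queues a reload if the service is
# active. Returns 0 when not detected or installed, 1 on error.
_unifi_deploy_keystore() {
  _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
  if [ ! -f "$_unifi_keystore" ]; then
    if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
      _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
      return 1
    fi
    return 0
  fi

  _info "Installing certificate for Unifi Controller (Java keystore)"
  _debug _unifi_keystore "$_unifi_keystore"
  if ! _exists keytool; then
    _err "keytool not found"
    return 1
  fi
  if [ ! -w "$_unifi_keystore" ]; then
    _err "The file $_unifi_keystore is not writable, please change the permission."
    return 1
  fi

  # Built into the Unifi Controller, not a user-set secret (see file header).
  _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"

  _debug "Generate import pkcs12"
  _import_pkcs12="$(_mktemp)"
  if [ -z "$_import_pkcs12" ]; then
    _err "Could not create a temp file for the pkcs12 import."
    return 1
  fi
  # The temp PKCS#12 bundle contains the private key, so it is removed on
  # every exit path below, including the generation failure.
  if ! _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root; then
    _err "Error generating pkcs12. Please re-run with --debug and report a bug."
    rm -f "$_import_pkcs12"
    return 1
  fi

  _debug "Import into keystore: $_unifi_keystore"
  # The store password is passed on the command line and is therefore visible
  # in the process list while keytool runs; tolerable only because it is the
  # Controller's well-known built-in password rather than a user secret.
  if keytool -importkeystore \
    -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
    -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
    -alias unifi -noprompt; then
    _debug "Import keystore success!"
    rm -f "$_import_pkcs12"
  else
    _err "Error importing into Unifi Java keystore."
    _err "Please re-run with --debug and report a bug."
    rm -f "$_import_pkcs12"
    return 1
  fi

  if systemctl -q is-active unifi; then
    _unifi_append_reload "service unifi restart"
  fi
  _services_updated="${_services_updated} unifi"
  _info "Install Unifi Controller certificate success!"
  return 0
}

# Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
# auto-detect by file /etc/ssl/private/cloudkey.key.
# Requires _unifi_keystore to have been set by _unifi_deploy_keystore.
# Returns 0 when not detected or installed, 1 on error.
_unifi_deploy_cloudkey_gen1() {
  _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
  if [ ! -f "${_cloudkey_certdir}/cloudkey.key" ]; then
    if [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
      _err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
      return 1
    fi
    return 0
  fi

  _info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
  _debug _cloudkey_certdir "$_cloudkey_certdir"
  if [ ! -w "$_cloudkey_certdir" ]; then
    _err "The directory $_cloudkey_certdir is not writable; please check permissions."
    return 1
  fi
  # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
  # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
  # updated above), but if not, we don't know how to handle this installation:
  if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
    _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
    return 1
  fi

  _unifi_write_file "$_cfullchain" "${_cloudkey_certdir}/cloudkey.crt" || return 1
  _unifi_write_file "$_ckey" "${_cloudkey_certdir}/cloudkey.key" || return 1
  # cert.tar bundles the private key as well; it is created inside the cert
  # dir itself, so access to it is governed by that directory's permissions.
  if ! (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks); then
    _err "Failed to create ${_cloudkey_certdir}/cert.tar"
    return 1
  fi

  if systemctl -q is-active nginx; then
    _unifi_append_reload "service nginx restart"
  fi
  _info "Install Cloud Key Gen1 certificate success!"
  _services_updated="${_services_updated} nginx"
  return 0
}

# UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key.
# Returns 0 when not detected or installed, 1 on error.
_unifi_deploy_unifios() {
  _unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
  if [ ! -f "${_unifi_core_config}/unifi-core.key" ]; then
    if [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
      _err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
      return 1
    fi
    return 0
  fi

  _info "Installing certificate for UnifiOS"
  _debug _unifi_core_config "$_unifi_core_config"
  if [ ! -w "$_unifi_core_config" ]; then
    _err "The directory $_unifi_core_config is not writable; please check permissions."
    return 1
  fi

  _unifi_write_file "$_cfullchain" "${_unifi_core_config}/unifi-core.crt" || return 1
  _unifi_write_file "$_ckey" "${_unifi_core_config}/unifi-core.key" || return 1

  if systemctl -q is-active unifi-core; then
    _unifi_append_reload "systemctl restart unifi-core"
  fi
  _info "Install UnifiOS certificate success!"
  _services_updated="${_services_updated} unifi-core"
  return 0
}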