@abrahamvegh
Forked from stevejenkins/unifi_ssl_import.sh
Last active October 9, 2016 01:48
Import and use SSL certificates (including Let's Encrypt) with the Ubiquiti UniFi Controller on Unix/Linux Systems
#!/usr/bin/env bash

# unifi_ssl_import.sh
# UniFi Controller SSL Certificate Import Script for Unix/Linux Systems
# by Steve Jenkins <http://www.stevejenkins.com/>
# modified by Abraham Vegh <https://abrahamvegh.com>
# Incorporates ideas from https://source.sosdg.org/brielle/lets-encrypt-scripts
# Version 3.0
# Last Updated October 8, 2016

# Changes:
# * Removed support for Let's Encrypt
# * Updated defaults for Debian

# REQUIREMENTS
# 1) Assumes you have a UniFi Controller installed and running on your system.
# 2) Assumes you have a valid private key, signed certificate, and certificate
#    authority chain file. See http://wp.me/p1iGgP-2wU for detailed instructions
#    on how to generate these files and use them with this script.

# KEYSTORE BACKUP
# Even though this script attempts to be clever and careful in how it backs up your existing keystore,
# it's never a bad idea to manually back up your keystore (located at $UNIFI_DIR/data/keystore)
# to a separate directory before running this script. If anything goes wrong, you can restore from your
# backup, restart the UniFi Controller service, and be back online immediately.

# CONFIGURATION OPTIONS
UNIFI_DIR=/usr/lib/unifi
UNIFI_SERVICE_NAME=unifi
PRIV_KEY=/etc/ssl/private/hostname.example.com.key
SIGNED_CRT=/etc/ssl/certs/hostname.example.com.crt
CHAIN_FILE=/etc/ssl/certs/startssl-chain.crt

# CONFIGURATION OPTIONS YOU PROBABLY SHOULDN'T CHANGE
KEYSTORE=${UNIFI_DIR}/data/keystore
ALIAS=unifi
# The controller's built-in keystore password; it must stay this value for the
# controller to open the keystore.
PASSWORD=aircontrolenterprise

#### SHOULDN'T HAVE TO TOUCH ANYTHING PAST THIS POINT ####

printf "\nStarting UniFi Controller SSL Import...\n"

# Verify required files exist (paths are quoted so spaces in them are safe)
if [ ! -f "${PRIV_KEY}" ] || [ ! -f "${SIGNED_CRT}" ] || [ ! -f "${CHAIN_FILE}" ]; then
    printf "\nMissing one or more required files. Check your settings.\n"
    exit 1
else
    # Everything looks OK to proceed
    printf "\nImporting the following files:\n"
    printf "Private Key: %s\n" "${PRIV_KEY}"
    printf "Signed Certificate: %s\n" "${SIGNED_CRT}"
    printf "CA File: %s\n" "${CHAIN_FILE}"
fi

# Create temp files
P12_TEMP=$(mktemp)
CA_TEMP=$(mktemp)

# Stop the UniFi Controller
printf "\nStopping UniFi Controller...\n"
service "${UNIFI_SERVICE_NAME}" stop

# Create double-safe keystore backup: the first run keeps keystore.orig
# untouched forever; later runs write keystore.bak (overwritten each time).
if [ -s "${KEYSTORE}.orig" ]; then
    printf "\nBackup of original keystore exists!\n"
    printf "\nCreating non-destructive backup as keystore.bak...\n"
    cp "${KEYSTORE}" "${KEYSTORE}.bak"
else
    cp "${KEYSTORE}" "${KEYSTORE}.orig"
    printf "\nNo original keystore backup found.\n"
    printf "\nCreating backup as keystore.orig...\n"
fi

# Export your existing SSL key, cert, and CA data to a PKCS12 file
printf "\nExporting SSL certificate and key data into temporary PKCS12 file...\n"
openssl pkcs12 -export \
    -in "${SIGNED_CRT}" \
    -inkey "${PRIV_KEY}" \
    -CAfile "${CHAIN_FILE}" \
    -out "${P12_TEMP}" -passout "pass:${PASSWORD}" \
    -caname root -name "${ALIAS}"

# Delete the previous certificate data from keystore to avoid "already exists" message
printf "\nRemoving previous certificate data from UniFi keystore...\n"
keytool -delete -alias "${ALIAS}" -keystore "${KEYSTORE}" -deststorepass "${PASSWORD}"

# Import the temp PKCS12 file into the UniFi keystore
printf "\nImporting SSL certificate into UniFi keystore...\n"
keytool -importkeystore \
    -srckeystore "${P12_TEMP}" -srcstoretype PKCS12 \
    -srcstorepass "${PASSWORD}" \
    -destkeystore "${KEYSTORE}" \
    -deststorepass "${PASSWORD}" \
    -destkeypass "${PASSWORD}" \
    -alias "${ALIAS}" -trustcacerts

# Import the certificate authority data into the UniFi keystore
printf "\nImporting certificate authority into UniFi keystore...\n\n"
java -jar "${UNIFI_DIR}/lib/ace.jar" import_cert \
    "${SIGNED_CRT}" \
    "${CHAIN_FILE}"

# Clean up temp files
printf "\nRemoving temporary files...\n"
rm -f "${P12_TEMP}"
rm -f "${CA_TEMP}"

# Restart the UniFi Controller to pick up the updated keystore
printf "\nRestarting UniFi Controller...\n"
service "${UNIFI_SERVICE_NAME}" start

# That's all, folks!
printf "\nDone!\n"
exit 0
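The script above stops the controller, deletes the old alias and restarts regardless of whether `keytool -importkeystore` succeeded, and each run after the first overwrites the single `keystore.bak`. The following is an added example, not part of the gist or of Steve Jenkins' or Abraham Vegh's script, that wraps the same commands and default paths with the checks a practitioner would want: confirm that the private key matches the certificate and that the certificate validates against the chain before the controller is stopped, keep a timestamped, byte-verified backup, and confirm the alias is present after import, rolling back to the backup otherwise. The function names, the backup naming scheme, the `run` argument and the `keytool -list` check are my own choices; the paths, alias, password and import commands are those of the script above.

```shell
#!/usr/bin/env bash
# Added example (not part of the original gist). Function names, the backup
# naming and the "run" argument are assumptions; paths, alias, password and
# the openssl/keytool/ace.jar commands are the ones the import script uses.

UNIFI_DIR=/usr/lib/unifi
UNIFI_SERVICE_NAME=unifi
PRIV_KEY=/etc/ssl/private/hostname.example.com.key
SIGNED_CRT=/etc/ssl/certs/hostname.example.com.crt
CHAIN_FILE=/etc/ssl/certs/startssl-chain.crt
KEYSTORE=${UNIFI_DIR}/data/keystore
ALIAS=unifi
PASSWORD=aircontrolenterprise

# Succeed only if all three files are readable, the key's public half matches
# the certificate's (compared as DER digests, so RSA and EC both work) and the
# certificate validates against the chain file. Run BEFORE stopping the
# controller so a mismatched file set never causes an outage.
preflight_check() {
    local key crt chain f key_fp crt_fp
    key=$1; crt=$2; chain=$3
    for f in "$key" "$crt" "$chain"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    key_fp=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | sha256sum)
    crt_fp=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null \
             | openssl pkey -pubin -outform DER 2>/dev/null | sha256sum)
    if [ -z "$key_fp" ] || [ "$key_fp" != "$crt_fp" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi
    openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1 || {
        echo "certificate does not validate against chain" >&2; return 1; }
}

# Copy the keystore to a timestamped file, verify the copy byte-for-byte and
# print its path. Unlike a fixed keystore.bak, earlier backups are never lost.
backup_keystore() {
    local src dst
    src=$1
    dst="${src}.$(date +%Y%m%d%H%M%S).bak"
    cp "$src" "$dst" && cmp -s "$src" "$dst" || return 1
    echo "$dst"
}

# Put a backup back in place and verify the restore.
rollback_keystore() {
    cp "$1" "$2" && cmp -s "$1" "$2"
}

# Confirm the alias is present in the keystore after import.
verify_keystore() {
    keytool -list -keystore "$1" -storepass "$PASSWORD" -alias "$ALIAS" >/dev/null 2>&1
}

main() {
    local backup p12 ok
    preflight_check "$PRIV_KEY" "$SIGNED_CRT" "$CHAIN_FILE" || exit 1
    backup=$(backup_keystore "$KEYSTORE") || { echo "backup failed" >&2; exit 1; }
    service "$UNIFI_SERVICE_NAME" stop
    p12=$(mktemp)
    ok=0
    # Export first; the old alias is only removed once a PKCS12 exists.
    if openssl pkcs12 -export -in "$SIGNED_CRT" -inkey "$PRIV_KEY" \
            -CAfile "$CHAIN_FILE" -caname root -name "$ALIAS" \
            -out "$p12" -passout "pass:$PASSWORD"; then
        keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" \
            -storepass "$PASSWORD" 2>/dev/null   # alias may already be absent
        keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
            -srcstorepass "$PASSWORD" -destkeystore "$KEYSTORE" \
            -deststorepass "$PASSWORD" -destkeypass "$PASSWORD" \
            -alias "$ALIAS" -trustcacerts \
          && java -jar "$UNIFI_DIR/lib/ace.jar" import_cert "$SIGNED_CRT" "$CHAIN_FILE" \
          && verify_keystore "$KEYSTORE" && ok=1
    fi
    rm -f "$p12"
    if [ "$ok" = 1 ]; then
        echo "import OK; backup kept at $backup"
    else
        echo "import failed; restoring $backup" >&2
        rollback_keystore "$backup" "$KEYSTORE" || echo "RESTORE FAILED" >&2
    fi
    service "$UNIFI_SERVICE_NAME" start
}

# Only run the full flow when asked, so the functions can be sourced and
# exercised individually.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root with `./safe_unifi_import.sh run`; `openssl pkey` prompts if the private key is passphrase-protected, so supply an unencrypted key as the original script also expects. Because the controller is restarted either way, a failed import leaves the service up on the previous certificate instead of on an empty alias.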