nitobuendia · January 3, 2021 11:50
diff --git a/import_ssl_certificates.sh b/import_ssl_certificates.sh
 #!/usr/bin/env bash

 # Modified from:
 # https://github.com/jacobalberty/unifi-docker/blob/master/import_cert

 echo "Loading constants"

 DATADIR="/usr/lib/unifi/data"
 CERTDIR="/ssl"
 CERTNAME="fullchain.pem"
 CERT_PRIVATE_NAME="privkey.pem"
 CERT_IS_CHAIN=true

 TEMP_SSL_PATH="${CERTDIR}/tmp"
 TEMP_KEYSTORE_FILE="${TEMP_SSL_PATH}/tmp_keystore"
 TEMP_CERT_FILE="${TEMP_SSL_PATH}/tmp_cert"
 TEMP_CHAIN_FILE="${TEMP_SSL_PATH}/tmp_chain"

 echo "Checking existing keystore"
 if [ ! -e "${DATADIR}/keystore" ]; then
  echo "Creating new keystore"
  keytool -genkey -keyalg RSA -alias unifi -keystore "${DATADIR}/keystore" \
      -storepass aircontrolenterprise -keypass aircontrolenterprise -validity 1825 \
      -keysize 4096 -dname "cn=UniFi"
 fi

 echo "Creating temporary files"
 mkdir -p ${TEMP_SSL_PATH}
 touch ${TEMP_KEYSTORE_FILE}
 touch ${TEMP_CERT_FILE}
 touch ${TEMP_CHAIN_FILE}

 echo "Generating cross-signed certificate"
 CERTURI=$(openssl x509 -noout -ocsp_uri -in "${CERTDIR}/${CERTNAME}")
 # Identrust cross-signed CA cert needed by the java keystore for import.
 # Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
 cat > "${TEMP_CERT_FILE}" <<'_EOF'
 -----BEGIN CERTIFICATE-----
 MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
 MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
 DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
 PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
 Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
 AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
 rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
 OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
 xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
 aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
 HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
 SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
 AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
 R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
 Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
 -----END CERTIFICATE-----
 _EOF

 echo "Copying certificate data to temp certificate"
 # Letsencrypt fullchain.pem
 awk 1 "${TEMP_CERT_FILE}" "${CERTDIR}/${CERTNAME}" >> "${TEMP_CHAIN_FILE}"
 # Letsencrypt cert.pem
 # awk 1 "${TEMP_CERT_FILE}" "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${TEMP_CHAIN_FILE}"
 # Default
 # awk 1 "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${TEMP_CHAIN_FILE}"

 echo "Exporting certificate as keystore"
 openssl pkcs12 -export  -passout pass:aircontrolenterprise \
    -in "${TEMP_CHAIN_FILE}" \
    -inkey "${CERTDIR}/${CERT_PRIVATE_NAME}" \
    -out "${TEMP_KEYSTORE_FILE}" -name unifi

 echo "Deleting existing keystore alias"
 keytool -delete -alias unifi -keystore "${DATADIR}/keystore" \
    -deststorepass aircontrolenterprise

 echo "Importing certificates to keystore"
 keytool -trustcacerts -importkeystore \
    -deststorepass aircontrolenterprise \
    -destkeypass aircontrolenterprise \
    -destkeystore "${DATADIR}/keystore" \
    -srckeystore "${TEMP_KEYSTORE_FILE}" -srcstoretype PKCS12 \
    -srcstorepass aircontrolenterprise \
    -alias unifi

 echo "Remove temporary files."
 rm -R ${TEMP_SSL_PATH}
	#!/usr/bin/env bash

	# Modified from:
	# https://github.com/jacobalberty/unifi-docker/blob/master/import_cert

	echo "Loading constants"

	DATADIR="/usr/lib/unifi/data"
	CERTDIR="/ssl"
	CERTNAME="fullchain.pem"
	CERT_PRIVATE_NAME="privkey.pem"
	CERT_IS_CHAIN=true

	TEMP_SSL_PATH="${CERTDIR}/tmp"
	TEMP_KEYSTORE_FILE="${TEMP_SSL_PATH}/tmp_keystore"
	TEMP_CERT_FILE="${TEMP_SSL_PATH}/tmp_cert"
	TEMP_CHAIN_FILE="${TEMP_SSL_PATH}/tmp_chain"

	echo "Checking existing keystore"
	if [ ! -e "${DATADIR}/keystore" ]; then
	echo "Creating new keystore"
	keytool -genkey -keyalg RSA -alias unifi -keystore "${DATADIR}/keystore" \
	-storepass aircontrolenterprise -keypass aircontrolenterprise -validity 1825 \
	-keysize 4096 -dname "cn=UniFi"
	fi

	echo "Creating temporary files"
	mkdir -p ${TEMP_SSL_PATH}
	touch ${TEMP_KEYSTORE_FILE}
	touch ${TEMP_CERT_FILE}
	touch ${TEMP_CHAIN_FILE}

	echo "Generating cross-signed certificate"
	CERTURI=$(openssl x509 -noout -ocsp_uri -in "${CERTDIR}/${CERTNAME}")
	# Identrust cross-signed CA cert needed by the java keystore for import.
	# Can get original here: https://www.identrust.com/certificates/trustid/root-download-x3.html
	cat > "${TEMP_CERT_FILE}" <<'_EOF'
	-----BEGIN CERTIFICATE-----
	MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
	MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
	DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
	PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
	Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
	AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
	rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
	OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
	xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
	7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
	aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
	HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
	SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
	ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
	AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
	R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
	JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
	Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
	-----END CERTIFICATE-----
	_EOF

	echo "Copying certificate data to temp certificate"
	# Letsencrypt fullchain.pem
	awk 1 "${TEMP_CERT_FILE}" "${CERTDIR}/${CERTNAME}" >> "${TEMP_CHAIN_FILE}"
	# Letsencrypt cert.pem
	# awk 1 "${TEMP_CERT_FILE}" "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${TEMP_CHAIN_FILE}"
	# Default
	# awk 1 "${CERTDIR}/chain.pem" "${CERTDIR}/${CERTNAME}" >> "${TEMP_CHAIN_FILE}"

	echo "Exporting certificate as keystore"
	openssl pkcs12 -export -passout pass:aircontrolenterprise \
	-in "${TEMP_CHAIN_FILE}" \
	-inkey "${CERTDIR}/${CERT_PRIVATE_NAME}" \
	-out "${TEMP_KEYSTORE_FILE}" -name unifi

	echo "Deleting existing keystore alias"
	keytool -delete -alias unifi -keystore "${DATADIR}/keystore" \
	-deststorepass aircontrolenterprise

	echo "Importing certificates to keystore"
	keytool -trustcacerts -importkeystore \
	-deststorepass aircontrolenterprise \
	-destkeypass aircontrolenterprise \
	-destkeystore "${DATADIR}/keystore" \
	-srckeystore "${TEMP_KEYSTORE_FILE}" -srcstoretype PKCS12 \
	-srcstorepass aircontrolenterprise \
	-alias unifi

	echo "Remove temporary files."
	rm -R ${TEMP_SSL_PATH}