stefan-matic · October 18, 2023 20:39
diff --git a/unifi_cert_replacement.sh b/unifi_cert_replacement.sh
 #!/bin/bash
 #
 # This script copies our domain cert over to the gateway. We use a wildcard cert so we can have
 # different names for the guest portal and main admin page if we want.
 #
 # Our pub ssh key is in /root/.ssh/authorized_keys on the gateway so we
 # don't need a password to run it.
 #
 # Call this from cron once in a while to make sure your cert stays updated.
 # Not too often though as it restarts the whole network container which isn't very desireable.
 #
 # Be sure to change the names/locations of the cert files and the IP address of the UDM-PRO as needed for your situation.
 #
 # Original source: https://github.com/gcarey3/copy_certs_to_udmpro/blob/main/copy_certs_to_udmpro.sh
 # Updated version: https://github.com/stefan-matic/

 CERT_LOCATION="/etc/letsencrypt/live/yourdomain.com/fullchain.pem"
 KEY_LOCATION="/etc/letsencrypt/live/yourdomain.com/privkey.pem"
 UDM_USER="root"
 UDM_IP="192.168.0.1"
 UDM_CERT_LOCATION="/data/unifi-core/config"
 UDM_KEYSTORE_LOCATION="/data/unifi/data"

 # First copy the full chain (*.yourdomain.com and the intermediate)
 /bin/scp ${CERT_LOCATION} ${UDM_USER}@${UDM_IP}:${UDM_CERT_LOCATION}/unifi-core.crt

 # Next copy the private key for *.yourdomain.com
 /bin/scp ${KEY_LOCATION} ${UDM_USER}@${UDM_IP}:${UDM_CERT_LOCATION}/unifi-core.key

 # Build a pkcs12 version of the cert that contains the cert, intermediate cert, and the key
 # Alias must be set to 'unifi' for this to work
 /bin/openssl pkcs12 -export -in ${CERT_LOCATION} -inkey ${KEY_LOCATION} -out /tmp/keystore.p12 -passout pass:aircontrolenterprise -name 'unifi'

 # Put the pkcs12 into keystore file needed by guest portal
 # 'aircontrolenterprise' is the default password expected for the keystore
 /bin/keytool -importkeystore -destkeystore /tmp/keystore -srckeystore /tmp/keystore.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -deststorepass aircontrolenterprise -alias unifi

 # Copy the keystore to proper dir on UDM-PRO
 /bin/scp /tmp/keystore ${UDM_USER}@${UDM_IP}:${UDM_KEYSTORE_LOCATION}/keystore

 # Cleanup temp files
 /bin/rm /tmp/keystore.p12
 /bin/rm /tmp/keystore

 # Change the ownership of the file to what it should be
 /bin/ssh ${UDM_USER}@${UDM_IP} "/bin/chown unifi:unifi /${UDM_KEYSTORE_LOCATION}/keystore"

 echo "Certificate replacement completed. You can restart the Unifi console"
	#!/bin/bash
	#
	# This script copies our domain cert over to the gateway. We use a wildcard cert so we can have
	# different names for the guest portal and main admin page if we want.
	#
	# Our pub ssh key is in /root/.ssh/authorized_keys on the gateway so we
	# don't need a password to run it.
	#
	# Call this from cron once in a while to make sure your cert stays updated.
	# Not too often though as it restarts the whole network container which isn't very desireable.
	#
	# Be sure to change the names/locations of the cert files and the IP address of the UDM-PRO as needed for your situation.
	#
	# Original source: https://github.com/gcarey3/copy_certs_to_udmpro/blob/main/copy_certs_to_udmpro.sh
	# Updated version: https://github.com/stefan-matic/

	CERT_LOCATION="/etc/letsencrypt/live/yourdomain.com/fullchain.pem"
	KEY_LOCATION="/etc/letsencrypt/live/yourdomain.com/privkey.pem"
	UDM_USER="root"
	UDM_IP="192.168.0.1"
	UDM_CERT_LOCATION="/data/unifi-core/config"
	UDM_KEYSTORE_LOCATION="/data/unifi/data"

	# First copy the full chain (*.yourdomain.com and the intermediate)
	/bin/scp ${CERT_LOCATION} ${UDM_USER}@${UDM_IP}:${UDM_CERT_LOCATION}/unifi-core.crt

	# Next copy the private key for *.yourdomain.com
	/bin/scp ${KEY_LOCATION} ${UDM_USER}@${UDM_IP}:${UDM_CERT_LOCATION}/unifi-core.key

	# Build a pkcs12 version of the cert that contains the cert, intermediate cert, and the key
	# Alias must be set to 'unifi' for this to work
	/bin/openssl pkcs12 -export -in ${CERT_LOCATION} -inkey ${KEY_LOCATION} -out /tmp/keystore.p12 -passout pass:aircontrolenterprise -name 'unifi'

	# Put the pkcs12 into keystore file needed by guest portal
	# 'aircontrolenterprise' is the default password expected for the keystore
	/bin/keytool -importkeystore -destkeystore /tmp/keystore -srckeystore /tmp/keystore.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -deststorepass aircontrolenterprise -alias unifi

	# Copy the keystore to proper dir on UDM-PRO
	/bin/scp /tmp/keystore ${UDM_USER}@${UDM_IP}:${UDM_KEYSTORE_LOCATION}/keystore

	# Cleanup temp files
	/bin/rm /tmp/keystore.p12
	/bin/rm /tmp/keystore

	# Change the ownership of the file to what it should be
	/bin/ssh ${UDM_USER}@${UDM_IP} "/bin/chown unifi:unifi /${UDM_KEYSTORE_LOCATION}/keystore"

	echo "Certificate replacement completed. You can restart the Unifi console"