From f8d5b0557cbce205712de7d66d0bbaafd87c68ed Mon Sep 17 00:00:00 2001
From: catchdave <823598+catchdave@users.noreply.github.com>
Date: Tue, 5 Nov 2024 11:58:07 -0800
Subject: [PATCH] Create replace_certs_protect.sh

---
 replace_certs_protect.sh | 71 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 replace_certs_protect.sh

diff --git a/replace_certs_protect.sh b/replace_certs_protect.sh
new file mode 100644
index 0000000..695758a
--- /dev/null
+++ b/replace_certs_protect.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+# This file renews SSL certificates on a "Unifi Protect Cloud Key+ Gen 2" that have already been copied over
+# from my "create_ssl_certs.sh" script.
+#
+# Caveat: You will need to run this again if you upgrade software. I have noticed changes to
+# file structures when Unifi updates minor versions, so no guarantee this will work above
+# OS 3.1.x.
+# Prep: Add sudo perms to run this script for the user that executes this script, via visudo:
+# your_user_name ALL=NOPASSWD:/root/replace_certs_protect.sh
+
+# Constants
+TARGET=/etc/ssl/private
+CORE_CONFIG=/usr/share/unifi-core/app/config/default.yaml # Pre-3.1, this was config.yaml
+PROTECT_CONFIG=/usr/share/unifi-protect/app/config/config.json
+BACKUP_DIR=/root/ssl_backups
+DATE=$(date '+%Y-%m-%d')
+
+# Functions
+# ============================
+info() { echo "$0: [INFO] $1"; }
+error() { echo "$0: [ERROR] $1"; }
+error_exit() { echo "$0: [ERROR] $1"; exit 1; }
+backup_config() {
+ backup_file="$BACKUP_DIR/$(basename $1).$DATE"
+ if [ ! -f "$backup_file" ]; then
+ cp "$1" "$backup_file" || error_exit "Could not backup $1"
+ else
+ echo "$0: [WARN] Not saving copy of '$1' since a file already exists: $backup_file"
+ fi
+}
+# ============================
+
+# Verify root
+if [ "$EUID" -ne 0 ]; then
+ error_exit "$0: [ERROR] This script needs to run as root"
+fi
+
+# Verify new certificates were copied over before running.
+if [[ ! -f /tmp/fullchain.pem || ! -f /tmp/privkey.pem ]]; then
+ error_exit "No certificate files found in /tmp. Aborting."
+fi
+
+# Backup
+info "Backing up old certs and config"
+mkdir -p "$BACKUP_DIR"
+backup_config "$TARGET/unifi-core.crt"
+backup_config "$TARGET/unifi-core.key"
+backup_config $CORE_CONFIG
+backup_config $PROTECT_CONFIG
+
+# Update
+info "Replacing certificates"
+mv /tmp/fullchain.pem "$TARGET/unifi-core.crt" || error_exit "Error replacing fullchain/unifi-core.crt"
+mv /tmp/privkey.pem "$TARGET/unifi-core.key" || error_exit "Error replacing privkey/unifi-core.key"
+chown root:root "$TARGET/unifi-core.crt" "$TARGET/unifi-core.key"
+chmod o+r "$TARGET/unifi-core.crt" "$TARGET/unifi-core.key" # unifi-protect user needs to access
+
+# Modifying config to point to new certs
+sed -i "s#crt: '/data/unifi-core/config/unifi-core.crt'#crt: '/etc/ssl/private/unifi-core.crt'#" $CORE_CONFIG
+sed -i "s#key: '/data/unifi-core/config/unifi-core.key'#key: '/etc/ssl/private/unifi-core.key'#" $CORE_CONFIG
+sed -i 's#"./data/unifi-protect.crt"#"/etc/ssl/private/unifi-core.crt"#' $PROTECT_CONFIG
+sed -i 's#"./data/unifi-protect.key"#"/etc/ssl/private/unifi-core.key"#' $PROTECT_CONFIG
+sed -i 's#"./data/devices.crt"#"/etc/ssl/private/unifi-core.crt"#' $PROTECT_CONFIG
+sed -i 's#"./data/devices.key"#"/etc/ssl/private/unifi-core.key"#' $PROTECT_CONFIG
+
+# Restart
+info "Restarting services..."
+systemctl restart unifi-core || error "Error trying to restart unifi-core"
+systemctl restart unifi-protect || error "Error trying to restart unifi-protect"
+
+info "Completed."
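Review bot: The `chmod o+r` line after the `chown` makes the TLS private key `$TARGET/unifi-core.key` readable by every local account on the device, and since `mv` keeps whatever mode the file had in /tmp, nothing in this hunk ever tightens the key's permissions. Grant the service its access through group ownership instead, e.g. `chown root:<unifi-protect-group> "$TARGET/unifi-core.crt" "$TARGET/unifi-core.key"` followed by `chmod 644 "$TARGET/unifi-core.crt"` and `chmod 640 "$TARGET/unifi-core.key"`; the group name is not visible on the page, so confirm it against the account unifi-protect runs as. The six `sed -i` calls also succeed silently when their patterns no longer match (the header's own caveat about version drift), after which the services are restarted against the old paths, so a post-edit check such as `grep -q '/etc/ssl/private/unifi-core.key' "$PROTECT_CONFIG" || error_exit "Protect config was not updated"` (and the same for `$CORE_CONFIG`) would turn that into a hard failure before the restart. Lastly, `basename $1` and the bare `$CORE_CONFIG`/`$PROTECT_CONFIG` arguments should be quoted to match the rest of the script.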