#!/bin/bash
# This file renews SSL certificates on a "Unifi Protect Cloud Key+ Gen 2" that have already been copied over
# from my "create_ssl_certs.sh" script.
#
# Caveat: You will need to run this again if you upgrade software. I have noticed changes to
# file structures when Unifi updates minor versions, so no guarantee this will work above
# OS 3.1.x.
#
# Prep: Add sudo perms to run this script for the user that executes this script, via visudo:
# your_user_name ALL=NOPASSWD:/root/replace_certs_protect.sh
#
# Because that sudoers line runs this file as root with no password, the file itself must be
# owned by root and not writable by your_user_name (e.g. chown root:root; chmod 0700); anyone
# who can edit this script can otherwise run arbitrary commands as root.
#
# The staged files are read from /tmp/fullchain.pem and /tmp/privkey.pem. /tmp is shared with
# every local account, so create the staged private key with a restrictive mode (0600) and run
# this script promptly after copying it over.
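# Constants

# Stop on the first failed command, on any unset variable, and on failures inside
# pipelines. Without this, a failing chown/chmod/sed later in the script is ignored
# and the services are restarted against a half-applied certificate swap.
set -euo pipefail

readonly TARGET=/etc/ssl/private
readonly CORE_CONFIG=/usr/share/unifi-core/app/config/default.yaml # Pre-3.1, this was config.yaml
readonly PROTECT_CONFIG=/usr/share/unifi-protect/app/config/config.json
readonly BACKUP_DIR=/root/ssl_backups
# Day-granular stamp: backup_config() keeps only the first copy it makes per day.
DATE=$(date '+%Y-%m-%d')
readonly DATE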
# Functions
# ============================
# Print an informational message to stdout, prefixed with the script name.
# Arguments: $1 - message text
info() { printf '%s: [INFO] %s\n' "$0" "$1"; }
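# Print a non-fatal error, prefixed with the script name. Goes to stderr so it is
# not mixed into stdout when the script's output is captured or logged.
# Arguments: $1 - message text
error() { printf '%s: [ERROR] %s\n' "$0" "$1" >&2; }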
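# Print a fatal error to stderr (same format as error) and terminate the script
# with status 1. Callers pass the bare message; the "$0: [ERROR]" prefix is added here.
# Arguments: $1 - message text
error_exit() { printf '%s: [ERROR] %s\n' "$0" "$1" >&2; exit 1; }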
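#######################################
# Copy a file into $BACKUP_DIR as <basename>.$DATE, unless that backup already
# exists, so a re-run on the same day never overwrites the pre-change copy.
# Globals:   BACKUP_DIR, DATE (read)
# Arguments: $1 - path of the file to back up
# Outputs:   a [WARN] line on stdout when today's backup already exists
# Exits:     via error_exit when the copy fails
#######################################
backup_config() {
  local src=$1 backup_file
  backup_file="$BACKUP_DIR/$(basename -- "$src").$DATE"
  if [[ -f "$backup_file" ]]; then
    echo "$0: [WARN] Not saving copy of '$src' since a file already exists: $backup_file"
    return 0
  fi
  # -p keeps mode and timestamps: a 0600 private key stays 0600 in the backup,
  # and the mtime still tells you when the original was installed.
  cp -p -- "$src" "$backup_file" || error_exit "Could not backup $src"
}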
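# ============================

# Verify root: everything below writes under /etc and restarts system services.
if [[ "$EUID" -ne 0 ]]; then
  # error_exit already prepends "$0: [ERROR]"; passing the prefix here printed it twice.
  error_exit "This script needs to run as root"
fi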
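#######################################
# Decide whether a staged file in /tmp is safe for this root-run script to install.
# /tmp is world-writable: a local user who creates these paths first could hand the
# script their own file, or a symlink. "-f" alone is true for a symlink to a regular
# file; mv would then move the link itself into $TARGET and the chown/chmod applied
# later in this script would land on whatever the link points at.
# Arguments: $1 - path to check
# Returns:   0 if $1 is a regular file (not a symlink), not group/world-writable, and
#            owned by root or by the user who invoked sudo ($SUDO_UID, which sudo sets
#            itself); 1 otherwise, after printing the reason on stdout
#######################################
staged_file_ok() {
  local path=$1 owner mode
  if [[ -L "$path" || ! -f "$path" ]]; then
    echo "$0: [ERROR] '$path' is missing or is not a regular file (symlinks are refused)"
    return 1
  fi
  owner=$(stat -c '%u' -- "$path") || return 1
  if [[ "$owner" != 0 && "$owner" != "${SUDO_UID:-}" ]]; then
    echo "$0: [ERROR] '$path' is owned by uid $owner, not by root or the invoking user"
    return 1
  fi
  mode=$(stat -c '%a' -- "$path") || return 1
  # Any group/other write bit means another account could still rewrite the content.
  if (( 8#$mode & 8#022 )); then
    echo "$0: [ERROR] '$path' is group- or world-writable (mode $mode)"
    return 1
  fi
  return 0
}

# Verify new certificates were copied over before running.
if [[ ! -f /tmp/fullchain.pem || ! -f /tmp/privkey.pem ]]; then
  error_exit "No certificate files found in /tmp. Aborting."
fi
staged_file_ok /tmp/fullchain.pem || error_exit "Refusing to install /tmp/fullchain.pem"
staged_file_ok /tmp/privkey.pem || error_exit "Refusing to install /tmp/privkey.pem"

# Make sure the key actually belongs to the certificate, so the restart at the end
# does not leave the services with a pair they cannot serve. Skipped if openssl is absent.
if command -v openssl >/dev/null 2>&1; then
  crt_pub=$(openssl x509 -in /tmp/fullchain.pem -noout -pubkey 2>/dev/null) \
    || error_exit "/tmp/fullchain.pem is not a readable PEM certificate"
  key_pub=$(openssl pkey -in /tmp/privkey.pem -pubout 2>/dev/null) \
    || error_exit "/tmp/privkey.pem is not a readable PEM private key"
  [[ "$crt_pub" == "$key_pub" ]] || error_exit "/tmp/privkey.pem does not match /tmp/fullchain.pem"
else
  echo "$0: [WARN] openssl not found; skipping the certificate/key match check"
fi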
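# Backup
info "Backing up old certs and config"
# The backups include the previous private key, so create the directory 0700.
# -m only applies when this call creates the directory; an existing one keeps its mode.
mkdir -p -m 0700 "$BACKUP_DIR" || error_exit "Could not create $BACKUP_DIR"
backup_config "$TARGET/unifi-core.crt"
backup_config "$TARGET/unifi-core.key"
backup_config "$CORE_CONFIG"
backup_config "$PROTECT_CONFIG"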
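# Update
info "Replacing certificates"
mv /tmp/fullchain.pem "$TARGET/unifi-core.crt" || error_exit "Error replacing fullchain/unifi-core.crt"
mv /tmp/privkey.pem "$TARGET/unifi-core.key" || error_exit "Error replacing privkey/unifi-core.key"
chown root:root "$TARGET/unifi-core.crt" "$TARGET/unifi-core.key" \
  || error_exit "Could not chown the installed certificate files"

# The chain is public material; world-readable is the right mode for it.
chmod 0644 "$TARGET/unifi-core.crt" || error_exit "Could not chmod $TARGET/unifi-core.crt"

# The private key is different. The unifi-protect service needs to read it, but
# "o+r" hands it to every local account and every process on the box. Set KEY_GROUP
# to the group the unifi services run as and the key becomes 0640 root:<group> instead.
# Left empty, the original world-readable behaviour is kept (with a warning) so that
# updating this script cannot break a working install.
KEY_GROUP="${KEY_GROUP:-}"
if [[ -n "$KEY_GROUP" ]]; then
  chgrp -- "$KEY_GROUP" "$TARGET/unifi-core.key" || error_exit "Could not chgrp private key to '$KEY_GROUP'"
  chmod 0640 "$TARGET/unifi-core.key" || error_exit "Could not chmod $TARGET/unifi-core.key"
else
  echo "$0: [WARN] KEY_GROUP is empty; making $TARGET/unifi-core.key world-readable so the unifi-protect user can access it"
  chmod o+r "$TARGET/unifi-core.key" || error_exit "Could not chmod $TARGET/unifi-core.key"
fi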
|
# Modifying config to point to new certs
|
|
sed -i "s#crt: '/data/unifi-core/config/unifi-core.crt'#crt: '/etc/ssl/private/unifi-core.crt'#" $CORE_CONFIG
|
|
sed -i "s#key: '/data/unifi-core/config/unifi-core.key'#key: '/etc/ssl/private/unifi-core.key'#" $CORE_CONFIG
|
|
sed -i 's#"./data/unifi-protect.crt"#"/etc/ssl/private/unifi-core.crt"#' $PROTECT_CONFIG
|
|
sed -i 's#"./data/unifi-protect.key"#"/etc/ssl/private/unifi-core.key"#' $PROTECT_CONFIG
|
|
sed -i 's#"./data/devices.crt"#"/etc/ssl/private/unifi-core.crt"#' $PROTECT_CONFIG
|
|
sed -i 's#"./data/devices.key"#"/etc/ssl/private/unifi-core.key"#' $PROTECT_CONFIG
|
|
|
|
# Restart both services so they pick up the new certificate; a failed restart is
# reported but does not abort, matching the rest of the script's best-effort tail.
info "Restarting services..."
for svc in unifi-core unifi-protect; do
  systemctl restart "$svc" || error "Error trying to restart $svc"
done

info "Completed."