Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unifi OS removed keytool in v3.1+ and other updates to unifi deploy hook #5095

Closed
wants to merge 4 commits into from
Closed

Unifi OS removed keytool in v3.1+ and other updates to unifi deploy hook #5095

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ebaa39b
Merge pull request #5075 from acmesh-official/dev
Neilpang Apr 1, 2024
5dd1328
Tested on Unifi Dream Machine, updated header text. Back up existing …
3VAbdAVE Apr 17, 2024
7ef3192
Removed a confusing comment.
3VAbdAVE Apr 17, 2024
e48851a
Fixed Formatting
3VAbdAVE Apr 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
71 changes: 67 additions & 4 deletions deploy/unifi.sh
View file
Open in desktop
Expand Up @@ -5,6 +5,18 @@
# - self-hosted Unifi Controller
# - Unifi Cloud Key (Gen1/2/2+)
# - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
# See below regarding keytool. Not tested.
# - Unifi Dream Machine
# This has not been tested on other "all-in-one" devices such as
# UDM Pro or Unifi Express.
#
# OS Version v2.0.0+
# Network Application version 7.0.0+
# OS version ~3.1 removed java and keytool from the UnifiOS. These must be
# manually installed by the system owner at their own risk, as
# doing so may invalidate official Ubiquiti support/warranty.
# `apt update && apt install openjdk-11-jre-headless -y`
#
# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359

#returns 0 means success, otherwise error.
Expand Down Expand Up @@ -74,14 +86,30 @@ unifi_deploy() {
_reload_cmd=""

# Unifi Controller environment (self hosted or any Cloud Key) --
# auto-detect by file /usr/lib/unifi/data/keystore:
# auto-detect by file /usr/lib/unifi/data/keystore
_unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
if [ -f "$_unifi_keystore" ]; then
_info "Installing certificate for Unifi Controller (Java keystore)"
_debug _unifi_keystore "$_unifi_keystore"
if ! _exists keytool; then
_err "keytool not found"
_err "keytool not found."
_keytool_instructions=$(
cat <<-EOF
Unifi removed keytool from the console OS after version 3.
You may be able to reinstall with
"apt update && apt install openjdk-11-jre-headless -y"
THIS MAY AFFECT UBIQUITI SUPPORT, DO SO AT YOUR OWN RISK.
It's also possible that apt will not work in future versions.

If you don't want to (or can't use apt), then it's recommended
to deploy from a remote host via SSH. See
https://github.com/acmesh-official/acme.sh/wiki/deployhooks#examples-using-ssh-deploy

EOF
)
_info "$_keytool_instructions"
return 1
else
_info "Installing certificate for Unifi Controller (Java keystore)"
fi
if [ ! -w "$_unifi_keystore" ]; then
_err "The file $_unifi_keystore is not writable, please change the permission."
Expand All @@ -99,20 +127,50 @@ unifi_deploy() {
return 1
fi

# Save the existing keystore in case something goes wrong.
cp -f "${_unifi_keystore}" "${_unifi_keystore}"_original
_info "Previous certificate and key saved to ${_unifi_keystore}_original."

# May not be necessary, but seems more reliable
_debug "Remove existing key from keystore: $_unifi_keystore"
if keytool -delete -alias unifi -keystore "$_unifi_keystore" \
-deststorepass "$_unifi_keypass"; then
_debug "Successfully removed old certificate from keystore."
fi

_debug "Import into keystore: $_unifi_keystore"
if keytool -importkeystore \
-deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
-srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
-alias unifi -noprompt; then
_debug "Import keystore success!"
rm "$_import_pkcs12"
else
_err "Error importing into Unifi Java keystore."
_err "Please re-run with --debug and report a bug."
rm "$_import_pkcs12"
return 1
fi

# Update unifi service for certificate cipher compatibility
if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \
-in "$_import_pkcs12" \
-password pass:aircontrolenterprise \
-nokeys | ${ACME_OPENSSL_BIN:-openssl} x509 -text \
-noout | grep -i "signature" | grep -iq ecdsa >/dev/null 2>&1; then
cp -f /usr/lib/unifi/data/system.properties /usr/lib/unifi/data/system.properties_original
_info "Updating system configuration for cipher compatibility."
_info "Saved original system config to /usr/lib/unifi/data/system.properties_original"
sed -i '/unifi\.https\.ciphers/d' /usr/lib/unifi/data/system.properties
echo "unifi.https.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256" &
>>/usr/lib/unifi/data/system.properties
sed -i '/unifi\.https\.sslEnabledProtocols/d' /usr/lib/unifi/data/system.properties
echo "unifi.https.sslEnabledProtocols=TLSv1.3,TLSv1.2" &
>>/usr/lib/unifi/data/system.properties
_info "System configuration updated."
fi

rm "$_import_pkcs12"

if systemctl -q is-active unifi; then
_reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
fi
Expand Down Expand Up @@ -165,6 +223,11 @@ unifi_deploy() {
return 1
fi

# Save the existing certs in case something goes wrong.
cp -f "${_unifi_core_config}"/unifi-core.crt "${_unifi_core_config}"/unifi-core_original.crt
cp -f "${_unifi_core_config}"/unifi-core.key "${_unifi_core_config}"/unifi-core_original.key
_info "Previous certificate and key saved to ${_unifi_core_config}/unifi-core_original.crt/key."

cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"

Expand Down