search

stevejenkins / unifi-linux-utils

Helpful Linux / Unix scripts for admins of Ubiquiti (UBNT) UniFi wireless products
https://www.stevejenkins.com/blog/tag/unifi/
MIT License
695 stars 127 forks source link

OpenSSL 3 breaks PKCS12 tmp file generation #53

Open satmandu opened 2 years ago

satmandu commented 2 years ago

This section no longer generates a working certificate with openssl 3.x, as the password gets mangled:

if [[ -f ${SIGNED_CRT} ]]; then
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -in "${SIGNED_CRT}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}"
else
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}"
fi

Giving this issue:

Importing SSL certificate into UniFi keystore...
+ keytool -importkeystore -srckeystore /tmp/tmp.ruliTepb76 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -deststoretype pkcs12 -destkeystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -alias unifi -trustcacerts
Importing keystore /tmp/tmp.ruliTepb76 to /var/lib/unifi/keystore...
keytool error: java.io.IOException: keystore password was incorrect

The solution for openssl 3 is to add a check for openssl 3 and do this:

# Check for OpenSSL 3.x
OPENSSL_VERSION=$(openssl version -v | awk '{print $2}'| awk -F '.' '{print $1}')
if [[ "${OPENSSL_VERSION}" -ge '3' ]]; then
  OPENSSL_LEGACY_FLAG='-legacy'
else
  OPENSSL_LEGACY_FLAG=
fi

#If there is a signed crt we should include this in the export
if [[ -f ${SIGNED_CRT} ]]; then
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -in "${SIGNED_CRT}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}" \
    ${OPENSSL_LEGACY_FLAG}
else
    openssl pkcs12 -export \
    -in "${CHAIN_FILE}" \
    -inkey "${PRIV_KEY}" \
    -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
    -name "${ALIAS}" \
    ${OPENSSL_LEGACY_FLAG}
fi

Which gives this:

Exporting SSL certificate and key data into temporary PKCS12 file...
++ openssl version -v
++ awk '{print $2}'
++ awk -F . '{print $1}'
+ OPENSSL_VERSION=3
+ [[ 3 -ge 3 ]]
+ OPENSSL_LEGACY_FLAG=-legacy
+ [[ -f /etc/ssl/certs/hostname.example.com.crt ]]
+ openssl pkcs12 -export -in /etc/letsencrypt/live/hostname.com/fullchain.pem -inkey /etc/letsencrypt/live/hostname.com/privkey.pem -out /tmp/tmp.mnx3wlaSE5 -passout pass:aircontrolenterprise -name unifi -legacy
+ printf '\nRemoving previous certificate data from UniFi keystore...\n'

Removing previous certificate data from UniFi keystore...
+ keytool -delete -alias unifi -keystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise
+ printf '\nImporting SSL certificate into UniFi keystore...\n'

Importing SSL certificate into UniFi keystore...
+ keytool -importkeystore -srckeystore /tmp/tmp.mnx3wlaSE5 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -deststoretype pkcs12 -destkeystore /var/lib/unifi/keystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -alias unifi -trustcacerts
Importing keystore /tmp/tmp.mnx3wlaSE5 to /var/lib/unifi/keystore...
+ printf '\nRemoving temporary files...\n'
nosebeggar commented 2 years ago

Damn son, I just spent 3 hours troubleshooting this and meant to post this. I wish I had looked up the issues earlier and found your solution.

dharrigan commented 2 years ago

Same. This has bit me in the rear end. Just discovered this fix there now!

gctwnl commented 1 year ago

The current version people download doesn't have this fix. Is there still maintenance on this script or is everybody on their own now? Because I would like to make this script work when the controller is run inside a docker container.