stevejenkins / unifi-linux-utils

Helpful Linux / Unix scripts for admins of Ubiquiti (UBNT) UniFi wireless products
https://www.stevejenkins.com/blog/tag/unifi/
MIT License

unifi_ssl_import.sh didn't import the intermediate cert #56

Open haraldhh opened 1 year ago

haraldhh commented 1 year ago

I tried to verify the SSL certificate via openssl (icinga/nagios) but it failed with missing certificates.

It turns out that unifi_ssl_import.sh doesn't include the intermediate cert in the bundle.

I modified the script to concatenate $SIGNED_CERT and $CHAIN_FILE into another temporary file, and then included that. Now the SSL certificate is verifiable via openssl.

--- unifi_ssl_import.sh.dist    2023-03-29 11:24:55.970766471 +0300
+++ unifi_ssl_import.sh 2023-03-29 11:21:02.437590249 +0300
@@ -92,6 +92,7 @@
    printf "\nImporting the following files:\n"
    printf "Private Key: %s\n" "$PRIV_KEY"
    printf "CA File: %s\n" "$CHAIN_FILE"
+   printf "Certificate File: %s\n" "$SIGNED_CERT"
 fi

 # Create temp files
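Review bot: the added printf reads `$SIGNED_CERT`, but the export branch in the next hunk tests `${SIGNED_CRT}`; unless both names are set, this line prints an empty path. Use the same variable the export code uses, and since the concatenated bundle is itself a temp file, create it in the `# Create temp files` section right below rather than inside the export branch.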
@@ -126,9 +127,19 @@

 #If there is a signed crt we should include this in the export
 if [[ -f ${SIGNED_CRT} ]]; then
+
+   # 2023-03-29 Harald
+   tmpfile="/tmp/$(mcookie)"
+   if [ -f "${tmpfile}" ] ; then
+       echo "tmpfile $tmpfile exists, exiting"
+       exit 1
+   else # create a file containing cert + intermediate cert;
+       cat "${SIGNED_CRT}" "${CHAIN_FILE}" > "${tmpfile}"
+   fi
+
+#    -in "${CHAIN_FILE}" \
     openssl pkcs12 -export \
-    -in "${CHAIN_FILE}" \
-    -in "${SIGNED_CRT}" \
+    -in "${tmpfile}" \
     -inkey "${PRIV_KEY}" \
     -out "${P12_TEMP}" -passout pass:"${PASSWORD}" \
     -name "${ALIAS}"
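Review bot: the root cause deserves a comment here: openssl keeps only the last `-in` option, so the two removed `-in` lines meant `${CHAIN_FILE}` was silently ignored, and a single concatenated input file is the right fix. The way the temp file is made has two problems: `mcookie` followed by an `-f` test is a check-then-create race on a predictable `/tmp` path, so replace it with `tmpfile="$(mktemp)"`, which creates the file atomically with mode 0600 and needs no existence check; and the `exit 1` path skips the cleanup at the end of the script, leaving any temp files created earlier behind. Also drop the dead `#    -in "${CHAIN_FILE}" \` line.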
@@ -156,7 +167,7 @@

 # Clean up temp files
 printf "\nRemoving temporary files...\n"
 -rm -f "${P12_TEMP}"
+rm -f "${P12_TEMP}" "${tmpfile}"

 # Restart the UniFi Controller to pick up the updated keystore
 printf "\nRestarting UniFi Controller to apply new Let's Encrypt SSL certificate...\n"
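Review bot: `${tmpfile}` is only assigned inside the `if [[ -f ${SIGNED_CRT} ]]` branch, so when no signed cert is present this runs `rm -f ""`, and under `set -u` the unset variable aborts the script here; initialise `tmpfile=""` alongside the other temp files or guard the removal with `[ -n "${tmpfile}" ]`. A `trap 'rm -f "${P12_TEMP}" "${tmpfile}"' EXIT` registered when the files are created would also cover the early `exit 1` added in the previous hunk.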
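Added example, not the repository's script: the bundle step done with `mktemp` instead of `mcookie`, a single `-in`, cleanup on the failure path, and a check that the exported PKCS#12 actually contains the chain. Function names and argument order are assumed; the point that openssl honours only the last `-in` is why the original two-`-in` call dropped the intermediate.

```shell
#!/bin/sh
# Added example (not from the repository): export the UniFi keystore input
# as a PKCS#12 that carries the leaf cert AND its intermediate chain.
# openssl honours only the last "-in" on the command line, which is why the
# original two "-in" arguments dropped ${CHAIN_FILE}. The fix is a single
# input file holding leaf + chain. mktemp replaces mcookie: it creates the
# file atomically with mode 0600, so there is no check-then-create race.
set -eu

# build_p12_bundle KEY CERT CHAIN OUT PASSWORD ALIAS (names are assumed)
build_p12_bundle() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"; alias="$6"
    bundle=$(mktemp) || return 1
    # Leaf first, then intermediates; the bundle holds public certs only.
    cat "$cert" "$chain" > "$bundle" || { rm -f "$bundle"; return 1; }
    if openssl pkcs12 -export -in "$bundle" -inkey "$key" \
           -out "$out" -passout "pass:$pass" -name "$alias"; then
        status=0
    else
        status=$?
    fi
    rm -f "$bundle"       # remove the bundle even when the export failed
    return "$status"
}

# count_p12_certs P12 PASSWORD: number of certificates in the keystore.
# The original script had no such check; a value of 1 means the chain is
# missing and a strict client (the icinga/nagios check) will reject it.
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}
```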