Ubiquiti removed keytool (and java) from recent releases of Unifi OS. This moves from keytool to openssl's native pkcs12.
Tested on Unifi Dream Machine which runs Unifi OS and a built-in Unifi controller.
Also added backup of existing files prior to change in case anything goes wrong, and update system configuration with compatible ciphers.
In the case where importing the cert and key removes the files from disk
the existing deploy will fail when it tries to remove those files. This
still attempts to remove the files but catches the error and moves on instead
of bombing like before.
Similarly, if the deploy had failed before, subsequent deploys would fail
because the script already existed, so it would not be able to create
the script. This first attempts to remove the script if it exists, and then
creates the script.
it is related to this bug report: opnsense/plugins#3525
FreeBSD's sed doesn't have the -z option, so empty certificates are delivered to vault when running the script on FreeBSD.
By default acme.sh uses the '*' character in the filename for wildcard.
That can be confusing within HAProxy since the * character in front of a
filename in the stat socket is used to specified an uncommitted
transaction.
This patch replace the '*' by a '_' in the filename.
This is only done when using the default filename, the name can still be
forced with an asterisk.
DEPLOY_HAPROXY_MASTER_CLI allows to use the HAProxy master CLI instead
of a stats socket for DEPLOY_HAPROXY_HOT_UPDATE="yes"
The syntax of the master CLI is slightly different, a prefix with the
process number need to be added before any command.
This patch uses ${_cmdpfx} in front of every socat commands which is
filled when the master CLI is used.
DEPLOY_HAPROXY_HOT_UPDATE="yes" now allows to add a new certificate
within HAProxy instead of updating an existing one.
In order to work, the ${DEPLOY_HAPROXY_PEM_PATH} value must be used as a
parameter to the "crt" keyword in the haproxy configuration.
The patch uses the following commands over HAProxy stats socket:
- show ssl cert
- new ssl cert
- set ssl cert
- commit ssl cert
- add ssl crt-list
Since version 2.2, HAProxy is able to update dynamically certificates,
without a reload.
This patch uses socat to push the certificate into HAProxy in order to
achieve hot update. With this method, reloading is not required.
This should be used only to update an existing certificate in haproxy.
2 new variables are available:
- DEPLOY_HAPROXY_HOT_UPDATE="yes" update over the stats socket instead
of reloading
- DEPLOY_HAPROXY_STATS_SOCKET="UNIX:/run/haproxy/admin.sock" set the path on
the stats socket.
neil