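# To get the script installed:
# Download the installer to a temporary file and run it only if the download
# succeeded. Piping curl straight into sh executes whatever bytes arrive,
# including an HTTP error page or a script cut short by a dropped connection.
# -f makes curl fail on HTTP errors; -sS hides the progress bar but keeps errors.
# To review the installer before it runs, inspect "$installer" between the
# curl and sh steps.
if installer=$(mktemp); then
  curl -fsS https://get.acme.sh -o "$installer" && sh "$installer"
  rm -f -- "$installer"
fi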

# Cloudflare API key and other details:
# https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_cf
# Acme commands:
# https://github.com/acmesh-official/acme.sh
# Cloudflare credentials for the dns_cf DNS hook. Add the following to
# ~/.bashrc, then close and reopen the terminal (or log out of ssh and back in).
# The values shown are placeholders.
# NOTE(review): ~/.bashrc then holds the API token in plain text, and every
# process started from the shell inherits it — keep the file readable only by
# its owner (chmod 600 ~/.bashrc).
# NOTE(review): acme.sh's dns_cf documentation says these values are saved to
# ~/.acme.sh/account.conf after the first successful use — confirm; if so, the
# exports can be removed from ~/.bashrc once the certificate has been issued.
# NOTE(review): prefer a token limited to DNS edit on this one zone; the dns_cf
# wiki page linked above lists the permissions acme.sh needs.
export CF_Token="xxxx"
export CF_Account_ID="xxxxx"
export CF_Zone_ID="xxxx"

# Re-read ~/.bashrc in the current shell so the exports take effect now.
source ~/.bashrc
# acme auto update
# acme.sh --upgrade --auto-upgrade
# disable auto update:
# acme.sh --upgrade --auto-upgrade 0

# Values shared by the commands in this section.
domain=example.co.uk
cert_dir=/root/unifi_controller-stuff/certs
keystore_hook="$cert_dir/update-unifi-keystore.sh"

# Register the e-mail address that receives certificate success/failure notices.
acme.sh --register-account -m email@example.co.uk

# Switch the default CA to Let's Encrypt (acme.sh otherwise defaults to ZeroSSL).
acme.sh --set-default-ca --server letsencrypt

# Request the certificate: the apex domain plus a wildcard for all subdomains,
# validated through the Cloudflare DNS hook (dns_cf).
# NOTE(review): the same script is registered as both --renew-hook and
# --reloadcmd, so it presumably runs twice on each renewal — confirm that this
# is intended.
acme.sh --issue -d "$domain" -d "*.$domain" --dns dns_cf \
    --renew-hook "$keystore_hook" \
    --reloadcmd "$keystore_hook"

# Copy the private key and the full chain to the location the keystore steps
# read from.
acme.sh --install-cert -d "$domain" \
    --key-file "$cert_dir/unifi.key" \
    --fullchain-file "$cert_dir/unifi.pem"

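# Rebuild the UniFi keystore from the installed key and full chain, then
# restart the controller. The steps are chained with && so that a failed export
# or import never leads to a restart on a stale or half-written keystore.
#
# store_pass is the one password this page uses for every store and key.
# NOTE(review): it appears to be the fixed, publicly known keystore password
# the UniFi controller expects — confirm. If so it is not a secret, and the
# private key is protected only by file permissions; hence the chmod on the
# PKCS#12 bundle below. Passwords passed as arguments are also visible in the
# process list while the command runs.
cert_dir=/root/unifi_controller-stuff/certs
store_pass=aircontrolenterprise

openssl pkcs12 -export \
    -inkey "$cert_dir/unifi.key" \
    -in "$cert_dir/unifi.pem" \
    -out "$cert_dir/unifi.p12" \
    -name unifi \
    -password "pass:$store_pass" &&
  chmod 600 "$cert_dir/unifi.p12" &&
  keytool -importkeystore \
    -deststorepass "$store_pass" \
    -destkeypass "$store_pass" \
    -destkeystore /var/lib/unifi/keystore \
    -srckeystore "$cert_dir/unifi.p12" \
    -srcstoretype PKCS12 \
    -srcstorepass "$store_pass" \
    -alias unifi -noprompt &&
  systemctl restart unifi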

# force cert renewal:
# acme.sh --renew -d example.co.uk --force

# Per-domain configuration file for this certificate. The path and the
# key=value lines below are shown for reference only: they are the file's
# location and content, not commands to run.
# conf for domain:
/root/.acme.sh/example.co.uk_ecc/example.co.uk.conf
# content:
# Le_Domain / Le_Alt: the apex domain and the wildcard name on the certificate.
# Le_Webroot: holds 'dns_cf', the DNS hook name passed with --dns.
# Le_API: the Let's Encrypt ACME v2 directory URL.
# Le_RealKeyPath / Le_RealFullChainPath: the key and full-chain destinations
# given to --install-cert.
# NOTE(review): Le_PostHook normally corresponds to --post-hook, while the
# issue command on this page passes --reloadcmd — confirm which hooks are
# actually registered.
# NOTE(review): the hook script is presumably run as root on every renewal, so
# it and its parent directories should be writable by root only — verify.
Le_Domain='example.co.uk'
Le_Alt='*.example.co.uk'
Le_Webroot='dns_cf'
Le_PostHook='/root/unifi_controller-stuff/certs/update-unifi-keystore.sh'
Le_RenewHook='/root/unifi_controller-stuff/certs/update-unifi-keystore.sh'
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_RealKeyPath='/root/unifi_controller-stuff/certs/unifi.key'
Le_RealFullChainPath='/root/unifi_controller-stuff/certs/unifi.pem'