86fbb595 | 1 | #!/usr/bin/env sh |
b8a8e228 | 2 | |
3 | # Here is a script to deploy cert to routeros router. |
4 | # Deploy the cert to remote routeros | |
5 | # | |
6 | # ```sh | |
7 | # acme.sh --deploy -d ftp.example.com --deploy-hook routeros | |
8 | # ``` | |
9 | # | |
10 | # Before you can deploy the certificate to RouterOS, you need to | |
11 | # import the SSH public key (e.g. id_rsa.pub) of the account that | |
12 | # runs acme.sh into RouterOS and assign it to a router user. | |
13 | # | |
14 | # That user needs the ssh, ftp, read and write policies; the deploy script it creates on the router (see DEPLOY_SCRIPT_CMD below) additionally requests the password and sensitive policies. | |
15 | # | |
16 | # There is no need to enable the ftp service for the script to work, | |
17 | # as the files are transmitted over SCP; however, the ftp policy is | |
18 | # needed for the user to be able to store the files on the router. | |
19 | # | |
20 | # Then you need to set the environment variables for the | |
21 | # deploy script to work. | |
22 | # | |
23 | # ```sh | |
24 | # export ROUTER_OS_USERNAME=certuser | |
25 | # export ROUTER_OS_HOST=router.example.com | |
26 | # | |
27 | # acme.sh --deploy -d ftp.example.com --deploy-hook routeros | |
28 | # ``` | |
29 | # | |
30 | # The deploy script will remove previously deployed certificates, | |
31 | # and it does this with an assumption on how RouterOS names imported | |
32 | # certificates, adding a "cer_0" suffix at the end. This is true for | |
33 | # versions 6.32 -> 6.41.3, but it is not guaranteed that it will be | |
34 | # true for future versions when upgrading. | |
35 | # | |
36 | # If the router has other certificates with the same name as the one | |
37 | # being deployed, then this script will remove those certificates. | |
38 | # | |
39 | # At the end of the script, the services that use those certificates | |
40 | # can be updated. Currently only the www-ssl service is being | |
41 | # updated, but more services can be added. | |
42 | # | |
43 | # For instance: | |
44 | # ```sh | |
45 | # export ROUTER_OS_ADDITIONAL_SERVICES="/ip service set api-ssl certificate=$_cdomain.cer_0" | |
46 | # ``` | |
47 | # | |
48 | # One optional thing to do as well is to create a script that updates | |
49 | # all the required services and run that script in a single command. | |
49 | # Note that the contents of ROUTER_OS_ADDITIONAL_SERVICES are inserted | |
49 | # verbatim into the RouterOS script and executed with its policies, so | |
49 | # it must only ever be set from trusted operator input, never built from | |
49 | # untrusted data. | |
50 | # | |
51 | # Returns 0 on success, non-zero on error. | |
52 | |
53 | ######## Public functions ##################### | |
54 | ||
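#######################################
# Best-effort removal of files that were staged on the router by scp.
# Used on the error paths so that a failed deploy does not leave the
# private key (or the certificate) lying on the router's file system.
# Arguments:
#   $1   - user@host to connect to
#   $2.. - file names on the router to remove
# Outputs:
#   logs an error for every file that could not be removed; the failure is
#   not propagated because the caller is already returning an error.
#######################################
_routeros_remove_files() {
  _rr_target="$1"
  shift
  for _rr_file in "$@"; do
    # $_rr_file intentionally expands on the client side (SC2029).
    # shellcheck disable=SC2029
    if ! ssh "$_rr_target" "/file remove $_rr_file"; then
      _err "Could not remove '$_rr_file' from router, please remove it manually"
    fi
  done
}

#######################################
# Deploy hook: push a freshly issued certificate and its private key to a
# RouterOS device over SCP and install them with a temporary RouterOS script.
#
# Arguments (acme.sh deploy-hook interface: domain keyfile certfile cafile fullchain):
#   $1 - domain; also used as the prefix of the file and certificate names on
#        the router and, when ROUTER_OS_HOST is unset, as the host to connect to
#   $2 - private key file
#   $3 - certificate file (accepted for the interface, not used here)
#   $4 - CA file (accepted for the interface, not used here)
#   $5 - full-chain file; this is what is imported on the router
# Globals read:
#   ROUTER_OS_HOST                 host to connect to (defaults to $1)
#   ROUTER_OS_USERNAME             required
#   ROUTER_OS_ADDITIONAL_SERVICES  optional extra RouterOS commands
# Returns:
#   0 on success, 1 if a required variable is missing or any remote step fails.
#
# Security notes:
#   * The private key is copied to the router's file system, imported, and
#     then deleted again by the RouterOS script. The certificate is pushed
#     before the key so that a failure early on leaves no private material on
#     the router, and later failures trigger a best-effort cleanup.
#   * ssh/scp are called without explicit options, so host-key verification
#     and key selection follow the invoking user's ssh configuration.
#   * $_cdomain and $ROUTER_OS_ADDITIONAL_SERVICES are spliced verbatim into
#     the RouterOS script source and into the remote command line (which is
#     why SC2029 is disabled). Both come from the operator, not from a remote
#     party; a wildcard domain containing '*' is passed through as-is.
#######################################
routeros_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  if [ -z "$ROUTER_OS_HOST" ]; then
    _debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct."
    ROUTER_OS_HOST="$_cdomain"
  fi

  if [ -z "$ROUTER_OS_USERNAME" ]; then
    _err "Need to set the env variable ROUTER_OS_USERNAME"
    return 1
  fi

  if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
    _debug "Not enabling additional services"
    ROUTER_OS_ADDITIONAL_SERVICES=""
  fi

  _routeros_target="$ROUTER_OS_USERNAME@$ROUTER_OS_HOST"
  _routeros_cer="$_cdomain.cer"
  _routeros_key="$_cdomain.key"

  # Public material first: if this fails nothing sensitive has left the host.
  _info "Trying to push cert '$_cfullchain' to router"
  if ! scp "$_cfullchain" "$_routeros_target:$_routeros_cer"; then
    _err "Failed to copy certificate to router"
    return 1
  fi

  _info "Trying to push key '$_ckey' to router"
  if ! scp "$_ckey" "$_routeros_target:$_routeros_key"; then
    _err "Failed to copy private key to router"
    _routeros_remove_files "$_routeros_target" "$_routeros_cer"
    return 1
  fi

  # The RouterOS script below relies on imported certificates being named
  # "<file>_0" (see the header comment about RouterOS version dependence).
  # NOTE(review): owner is hard-coded to admin rather than $ROUTER_OS_USERNAME;
  # confirm this is intended for non-admin deploy users.
  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive \
source=\"## generated by routeros deploy script in acme.sh;\
\n/certificate remove [ find name=$_cdomain.cer_0 ];\
\n/certificate remove [ find name=$_cdomain.cer_1 ];\
\ndelay 1;\
\n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
\n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
\ndelay 1;\
\n/file remove $_cdomain.cer;\
\n/file remove $_cdomain.key;\
\ndelay 2;\
\n/ip service set www-ssl certificate=$_cdomain.cer_0;\
\n$ROUTER_OS_ADDITIONAL_SERVICES;\
\n\"
"
  # shellcheck disable=SC2029
  if ! ssh "$_routeros_target" "$DEPLOY_SCRIPT_CMD"; then
    _err "Failed to create deploy script on router"
    _routeros_remove_files "$_routeros_target" "$_routeros_key" "$_routeros_cer"
    return 1
  fi

  # shellcheck disable=SC2029
  if ! ssh "$_routeros_target" "/system script run \"LE Cert Deploy - $_cdomain\""; then
    _err "Deploy script failed on router"
    # The script may have stopped before its own '/file remove' lines, so
    # try to delete the staged files and the script itself; errors from
    # files it already removed are only logged.
    _routeros_remove_files "$_routeros_target" "$_routeros_key" "$_routeros_cer"
    # shellcheck disable=SC2029
    ssh "$_routeros_target" "/system script remove \"LE Cert Deploy - $_cdomain\""
    return 1
  fi

  # shellcheck disable=SC2029
  if ! ssh "$_routeros_target" "/system script remove \"LE Cert Deploy - $_cdomain\""; then
    _err "Certificate deployed, but failed to remove 'LE Cert Deploy - $_cdomain' script from router"
    return 1
  fi

  return 0
}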