[mirror_acme.sh.git] / deploy / routeros.sh

#!/usr/bin/env sh

# Here is a script to deploy cert to routeros router.
# Deploy the cert to remote routeros
#
# ```sh
# acme.sh --deploy -d ftp.example.com --deploy-hook routeros
# ```
#
# Before you can deploy the certificate to router os, you need
# to add the id_rsa.pub key to the routeros and assign a user
# to that key.
#
# The user need to have access to ssh, ftp, read and write.
#
# There are no need to enable ftp service for the script to work,
# as they are transmitted over SCP, however ftp is needed to store
# the files on the router.
#
# Then you need to set the environment variables for the
# deploy script to work.
#
# ```sh
# export ROUTER_OS_USERNAME=certuser
# export ROUTER_OS_HOST=router.example.com
#
# acme.sh --deploy -d ftp.example.com --deploy-hook routeros
# ```
#
# The deploy script will remove previously deployed certificates,
# and it does this with an assumption on how RouterOS names imported
# certificates, adding a "cer_0" suffix at the end. This is true for
# versions 6.32 -> 6.41.3, but it is not guaranteed that it will be
# true for future versions when upgrading.
#
# If the router have other certificates with the same name as the one
# beeing deployed, then this script will remove those certificates.
#
# At the end of the script, the services that use those certificates
# could be updated. Currently only the www-ssl service is beeing
# updated, but more services could be added.
#
# For instance:
# ```sh
# export ROUTER_OS_ADDITIONAL_SERVICES="/ip service set api-ssl certificate=$_cdomain.cer_0"
# ```
#
# One optional thing to do as well is to create a script that updates
# all the required services and run that script in a single command.
#
# returns 0 means success, otherwise error.

########  Public functions #####################

#domain keyfile certfile cafile fullchain
routeros_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  if [ -z "$ROUTER_OS_HOST" ]; then
    _debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct."
    ROUTER_OS_HOST="$_cdomain"
  fi

  if [ -z "$ROUTER_OS_USERNAME" ]; then
    _err "Need to set the env variable ROUTER_OS_USERNAME"
    return 1
  fi

  if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
    _debug "Not enabling additional services"
    ROUTER_OS_ADDITIONAL_SERVICES=""
  fi

  _info "Trying to push key '$_ckey' to router"
  scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
  _info "Trying to push cert '$_cfullchain' to router"
  scp "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive \
source=\"## generated by routeros deploy script in acme.sh;\
\n/certificate remove [ find name=$_cdomain.cer_0 ];\
\n/certificate remove [ find name=$_cdomain.cer_1 ];\
\ndelay 1;\
\n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
\n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
\ndelay 1;\
\n/file remove $_cdomain.cer;\
\n/file remove $_cdomain.key;\
\ndelay 2;\
\n/ip service set www-ssl certificate=$_cdomain.cer_0;\
\n$ROUTER_OS_ADDITIONAL_SERVICES;\
\n\"
"
  # shellcheck disable=SC2029
  ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$DEPLOY_SCRIPT_CMD"
  # shellcheck disable=SC2029
  ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script run \"LE Cert Deploy - $_cdomain\""
  # shellcheck disable=SC2029
  ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script remove \"LE Cert Deploy - $_cdomain\""

  return 0
}
Commit	Line	Data
86fbb595	1	#!/usr/bin/env sh
b8a8e228	2
e19753dc PH	3	# Here is a script to deploy cert to routeros router.
	4	# Deploy the cert to remote routeros
	5	#
	6	# ```sh
	7	# acme.sh --deploy -d ftp.example.com --deploy-hook routeros
	8	# ```
	9	#
	10	# Before you can deploy the certificate to router os, you need
	11	# to add the id_rsa.pub key to the routeros and assign a user
	12	# to that key.
	13	#
	14	# The user need to have access to ssh, ftp, read and write.
	15	#
	16	# There are no need to enable ftp service for the script to work,
	17	# as they are transmitted over SCP, however ftp is needed to store
	18	# the files on the router.
	19	#
	20	# Then you need to set the environment variables for the
	21	# deploy script to work.
	22	#
	23	# ```sh
	24	# export ROUTER_OS_USERNAME=certuser
	25	# export ROUTER_OS_HOST=router.example.com
	26	#
	27	# acme.sh --deploy -d ftp.example.com --deploy-hook routeros
	28	# ```
	29	#
	30	# The deploy script will remove previously deployed certificates,
	31	# and it does this with an assumption on how RouterOS names imported
	32	# certificates, adding a "cer_0" suffix at the end. This is true for
	33	# versions 6.32 -> 6.41.3, but it is not guaranteed that it will be
	34	# true for future versions when upgrading.
	35	#
	36	# If the router have other certificates with the same name as the one
	37	# beeing deployed, then this script will remove those certificates.
	38	#
	39	# At the end of the script, the services that use those certificates
	40	# could be updated. Currently only the www-ssl service is beeing
	41	# updated, but more services could be added.
	42	#
	43	# For instance:
	44	# ```sh
	45	# export ROUTER_OS_ADDITIONAL_SERVICES="/ip service set api-ssl certificate=$_cdomain.cer_0"
	46	# ```
	47	#
	48	# One optional thing to do as well is to create a script that updates
	49	# all the required services and run that script in a single command.
	50	#
	51	# returns 0 means success, otherwise error.
b8a8e228 PH	52
	53	######## Public functions #####################
	54
	55	#domain keyfile certfile cafile fullchain
	56	routeros_deploy() {
	57	_cdomain="$1"
	58	_ckey="$2"
	59	_ccert="$3"
	60	_cca="$4"
	61	_cfullchain="$5"
	62
	63	_debug _cdomain "$_cdomain"
	64	_debug _ckey "$_ckey"
	65	_debug _ccert "$_ccert"
	66	_debug _cca "$_cca"
	67	_debug _cfullchain "$_cfullchain"
	68
	69	if [ -z "$ROUTER_OS_HOST" ]; then
e629985c	70	_debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct."
d698c109	71	ROUTER_OS_HOST="$_cdomain"
b8a8e228 PH	72	fi
	73
	74	if [ -z "$ROUTER_OS_USERNAME" ]; then
	75	_err "Need to set the env variable ROUTER_OS_USERNAME"
	76	return 1
	77	fi
	78
e19753dc PH	79	if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
	80	_debug "Not enabling additional services"
	81	ROUTER_OS_ADDITIONAL_SERVICES=""
	82	fi
	83
b8a8e228	84	_info "Trying to push key '$_ckey' to router"
8a604bd2	85	scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
8d38cf4d PH	86	_info "Trying to push cert '$_cfullchain' to router"
8d38cf4d PH	87	scp "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
b23e05db CG	88	DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive \
	89	source=\"## generated by routeros deploy script in acme.sh;\
	90	\n/certificate remove [ find name=$_cdomain.cer_0 ];\
	91	\n/certificate remove [ find name=$_cdomain.cer_1 ];\
	92	\ndelay 1;\
	93	\n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
	94	\n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
	95	\ndelay 1;\
	96	\n/file remove $_cdomain.cer;\
	97	\n/file remove $_cdomain.key;\
	98	\ndelay 2;\
	99	\n/ip service set www-ssl certificate=$_cdomain.cer_0;\
	100	\n$ROUTER_OS_ADDITIONAL_SERVICES;\
c42dbbfe CG	101	\n\"
c42dbbfe CG	102	"
8a604bd2	103	# shellcheck disable=SC2029
c42dbbfe	104	ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$DEPLOY_SCRIPT_CMD"
03a407d4	105	# shellcheck disable=SC2029
0cddc8a1	106	ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script run \"LE Cert Deploy - $_cdomain\""
03a407d4	107	# shellcheck disable=SC2029
0cddc8a1	108	ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script remove \"LE Cert Deploy - $_cdomain\""
b8a8e228	109
b8a8e228 PH	110	return 0
b8a8e228 PH	111	}