[mirror_acme.sh.git] / deploy / routeros.sh

#!/usr/bin/env sh

# Here is a script to deploy cert to routeros router.
# Deploy the cert to remote routeros
#
# ```sh
# acme.sh --deploy -d ftp.example.com --deploy-hook routeros
# ```
#
# Before you can deploy the certificate to router os, you need
# to add the id_rsa.pub key to the routeros and assign a user
# to that key.
#
# The user need to have access to ssh, ftp, read and write.
#
# There are no need to enable ftp service for the script to work,
# as they are transmitted over SCP, however ftp is needed to store
# the files on the router.
#
# Then you need to set the environment variables for the
# deploy script to work.
#
# ```sh
# export ROUTER_OS_USERNAME=certuser
# export ROUTER_OS_HOST=router.example.com
# export ROUTER_OS_PORT=22
#
# acme.sh --deploy -d ftp.example.com --deploy-hook routeros
# ```
#
# The deploy script will remove previously deployed certificates,
# and it does this with an assumption on how RouterOS names imported
# certificates, adding a "cer_0" suffix at the end. This is true for
# versions 6.32 -> 6.41.3, but it is not guaranteed that it will be
# true for future versions when upgrading.
#
# If the router have other certificates with the same name as the one
# beeing deployed, then this script will remove those certificates.
#
# At the end of the script, the services that use those certificates
# could be updated. Currently only the www-ssl service is beeing
# updated, but more services could be added.
#
# For instance:
# ```sh
# export ROUTER_OS_ADDITIONAL_SERVICES="/ip service set api-ssl certificate=$_cdomain.cer_0"
# ```
#
# One optional thing to do as well is to create a script that updates
# all the required services and run that script in a single command.
#
# To adopt parameters to `scp` and/or `ssh` set the optional
# `ROUTER_OS_SSH_CMD` and `ROUTER_OS_SCP_CMD` variables accordingly,
# see ssh(1) and scp(1) for parameters to those commands.
#
# Example:
# ```ssh
# export ROUTER_OS_SSH_CMD="ssh -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
# export ROUTER_OS_SCP_CMD="scp -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
# ````
#
# returns 0 means success, otherwise error.

########  Public functions #####################

#domain keyfile certfile cafile fullchain
routeros_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
  _err_code=0

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  _getdeployconf ROUTER_OS_HOST

  if [ -z "$ROUTER_OS_HOST" ]; then
    _debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct."
    ROUTER_OS_HOST="$_cdomain"
  fi

  _getdeployconf ROUTER_OS_USERNAME

  if [ -z "$ROUTER_OS_USERNAME" ]; then
    _err "Need to set the env variable ROUTER_OS_USERNAME"
    return 1
  fi

  _getdeployconf ROUTER_OS_PORT

  if [ -z "$ROUTER_OS_PORT" ]; then
    _debug "Using default port 22 as ROUTER_OS_PORT, please set if not correct."
    ROUTER_OS_PORT=22
  fi

  _getdeployconf ROUTER_OS_SSH_CMD

  if [ -z "$ROUTER_OS_SSH_CMD" ]; then
    _debug "Use default ssh setup."
    ROUTER_OS_SSH_CMD="ssh -p $ROUTER_OS_PORT"
  fi

  _getdeployconf ROUTER_OS_SCP_CMD

  if [ -z "$ROUTER_OS_SCP_CMD" ]; then
    _debug "USe default scp setup."
    ROUTER_OS_SCP_CMD="scp -P $ROUTER_OS_PORT"
  fi

  _getdeployconf ROUTER_OS_ADDITIONAL_SERVICES

  if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
    _debug "Not enabling additional services"
    ROUTER_OS_ADDITIONAL_SERVICES=""
  fi

  _savedeployconf ROUTER_OS_HOST "$ROUTER_OS_HOST"
  _savedeployconf ROUTER_OS_USERNAME "$ROUTER_OS_USERNAME"
  _savedeployconf ROUTER_OS_PORT "$ROUTER_OS_PORT"
  _savedeployconf ROUTER_OS_SSH_CMD "$ROUTER_OS_SSH_CMD"
  _savedeployconf ROUTER_OS_SCP_CMD "$ROUTER_OS_SCP_CMD"
  _savedeployconf ROUTER_OS_ADDITIONAL_SERVICES "$ROUTER_OS_ADDITIONAL_SERVICES"

  # push key to routeros
  if ! _scp_certificate "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"; then
    return $_err_code
  fi

  # push certificate chain to routeros
  if ! _scp_certificate "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"; then
    return $_err_code
  fi

  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
comment=\"generated by routeros deploy script in acme.sh\" \
source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
\n/certificate remove [ find name=$_cdomain.cer_1 ];\
\n/certificate remove [ find name=$_cdomain.cer_2 ];\
\ndelay 1;\
\n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
\n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
\ndelay 1;\
\n/file remove $_cdomain.cer;\
\n/file remove $_cdomain.key;\
\ndelay 2;\
\n/ip service set www-ssl certificate=$_cdomain.cer_0;\
\n$ROUTER_OS_ADDITIONAL_SERVICES;\
\n\"
"

  if ! _ssh_remote_cmd "$DEPLOY_SCRIPT_CMD"; then
    return $_err_code
  fi

  if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then
    return $_err_code
  fi

  if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then
    return $_err_code
  fi

  return 0
}

# inspired by deploy/ssh.sh
_ssh_remote_cmd() {
  _cmd="$1"
  _secure_debug "Remote commands to execute: $_cmd"
  _info "Submitting sequence of commands to routeros"
  # quotations in bash cmd below intended.  Squash travis spellcheck error
  # shellcheck disable=SC2029
  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$_cmd"
  _err_code="$?"

  if [ "$_err_code" != "0" ]; then
    _err "Error code $_err_code returned from routeros"
  fi

  return $_err_code
}

_scp_certificate() {
  _src="$1"
  _dst="$2"
  _secure_debug "scp '$_src' to '$_dst'"
  _info "Push key '$_src' to routeros"

  $ROUTER_OS_SCP_CMD "$_src" "$_dst"
  _err_code="$?"

  if [ "$_err_code" != "0" ]; then
    _err "Error code $_err_code returned from scp"
  fi

  return $_err_code
}
Commit	Line	Data
86fbb595	1	#!/usr/bin/env sh
b8a8e228	2
e19753dc PH	3	# Here is a script to deploy cert to routeros router.
	4	# Deploy the cert to remote routeros
	5	#
	6	# ```sh
	7	# acme.sh --deploy -d ftp.example.com --deploy-hook routeros
	8	# ```
	9	#
	10	# Before you can deploy the certificate to router os, you need
	11	# to add the id_rsa.pub key to the routeros and assign a user
	12	# to that key.
	13	#
	14	# The user need to have access to ssh, ftp, read and write.
	15	#
	16	# There are no need to enable ftp service for the script to work,
	17	# as they are transmitted over SCP, however ftp is needed to store
	18	# the files on the router.
	19	#
	20	# Then you need to set the environment variables for the
	21	# deploy script to work.
	22	#
	23	# ```sh
	24	# export ROUTER_OS_USERNAME=certuser
	25	# export ROUTER_OS_HOST=router.example.com
205e95a2	26	# export ROUTER_OS_PORT=22
e19753dc PH	27	#
	28	# acme.sh --deploy -d ftp.example.com --deploy-hook routeros
	29	# ```
	30	#
	31	# The deploy script will remove previously deployed certificates,
	32	# and it does this with an assumption on how RouterOS names imported
	33	# certificates, adding a "cer_0" suffix at the end. This is true for
	34	# versions 6.32 -> 6.41.3, but it is not guaranteed that it will be
	35	# true for future versions when upgrading.
	36	#
	37	# If the router have other certificates with the same name as the one
	38	# beeing deployed, then this script will remove those certificates.
	39	#
	40	# At the end of the script, the services that use those certificates
	41	# could be updated. Currently only the www-ssl service is beeing
	42	# updated, but more services could be added.
	43	#
	44	# For instance:
	45	# ```sh
	46	# export ROUTER_OS_ADDITIONAL_SERVICES="/ip service set api-ssl certificate=$_cdomain.cer_0"
	47	# ```
	48	#
	49	# One optional thing to do as well is to create a script that updates
	50	# all the required services and run that script in a single command.
	51	#
8a2f6739 AB	52	# To adopt parameters to `scp` and/or `ssh` set the optional
	53	# `ROUTER_OS_SSH_CMD` and `ROUTER_OS_SCP_CMD` variables accordingly,
	54	# see ssh(1) and scp(1) for parameters to those commands.
	55	#
	56	# Example:
	57	# ```ssh
	58	# export ROUTER_OS_SSH_CMD="ssh -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
	59	# export ROUTER_OS_SCP_CMD="scp -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
	60	# ````
	61	#
e19753dc	62	# returns 0 means success, otherwise error.
b8a8e228 PH	63
	64	######## Public functions #####################
	65
	66	#domain keyfile certfile cafile fullchain
	67	routeros_deploy() {
	68	_cdomain="$1"
	69	_ckey="$2"
	70	_ccert="$3"
	71	_cca="$4"
	72	_cfullchain="$5"
c603b9c4	73	_err_code=0
b8a8e228 PH	74
	75	_debug _cdomain "$_cdomain"
	76	_debug _ckey "$_ckey"
	77	_debug _ccert "$_ccert"
	78	_debug _cca "$_cca"
	79	_debug _cfullchain "$_cfullchain"
	80
df671a77 RS	81	_getdeployconf ROUTER_OS_HOST
df671a77 RS	82
b8a8e228	83	if [ -z "$ROUTER_OS_HOST" ]; then
e629985c	84	_debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct."
d698c109	85	ROUTER_OS_HOST="$_cdomain"
b8a8e228 PH	86	fi
b8a8e228 PH	87
df671a77 RS	88	_getdeployconf ROUTER_OS_USERNAME
df671a77 RS	89
b8a8e228 PH	90	if [ -z "$ROUTER_OS_USERNAME" ]; then
	91	_err "Need to set the env variable ROUTER_OS_USERNAME"
	92	return 1
	93	fi
	94
205e95a2 M	95	_getdeployconf ROUTER_OS_PORT
	96
	97	if [ -z "$ROUTER_OS_PORT" ]; then
	98	_debug "Using default port 22 as ROUTER_OS_PORT, please set if not correct."
	99	ROUTER_OS_PORT=22
	100	fi
	101
8a2f6739 AB	102	_getdeployconf ROUTER_OS_SSH_CMD
	103
	104	if [ -z "$ROUTER_OS_SSH_CMD" ]; then
	105	_debug "Use default ssh setup."
	106	ROUTER_OS_SSH_CMD="ssh -p $ROUTER_OS_PORT"
	107	fi
	108
	109	_getdeployconf ROUTER_OS_SCP_CMD
	110
	111	if [ -z "$ROUTER_OS_SCP_CMD" ]; then
	112	_debug "USe default scp setup."
	113	ROUTER_OS_SCP_CMD="scp -P $ROUTER_OS_PORT"
	114	fi
	115
df671a77 RS	116	_getdeployconf ROUTER_OS_ADDITIONAL_SERVICES
df671a77 RS	117
e19753dc PH	118	if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
	119	_debug "Not enabling additional services"
	120	ROUTER_OS_ADDITIONAL_SERVICES=""
	121	fi
	122
df671a77 RS	123	_savedeployconf ROUTER_OS_HOST "$ROUTER_OS_HOST"
df671a77 RS	124	_savedeployconf ROUTER_OS_USERNAME "$ROUTER_OS_USERNAME"
205e95a2	125	_savedeployconf ROUTER_OS_PORT "$ROUTER_OS_PORT"
8a2f6739 AB	126	_savedeployconf ROUTER_OS_SSH_CMD "$ROUTER_OS_SSH_CMD"
8a2f6739 AB	127	_savedeployconf ROUTER_OS_SCP_CMD "$ROUTER_OS_SCP_CMD"
df671a77 RS	128	_savedeployconf ROUTER_OS_ADDITIONAL_SERVICES "$ROUTER_OS_ADDITIONAL_SERVICES"
df671a77 RS	129
3411b736 AB	130	# push key to routeros
	131	if ! _scp_certificate "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"; then
	132	return $_err_code
	133	fi
	134
	135	# push certificate chain to routeros
	136	if ! _scp_certificate "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"; then
	137	return $_err_code
	138	fi
	139
9d6d96ad	140	DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
c46ceb06 AB	141	comment=\"generated by routeros deploy script in acme.sh\" \
c46ceb06 AB	142	source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
b23e05db	143	\n/certificate remove [ find name=$_cdomain.cer_1 ];\
92e4ecce	144	\n/certificate remove [ find name=$_cdomain.cer_2 ];\
b23e05db CG	145	\ndelay 1;\
	146	\n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
	147	\n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
	148	\ndelay 1;\
	149	\n/file remove $_cdomain.cer;\
	150	\n/file remove $_cdomain.key;\
	151	\ndelay 2;\
	152	\n/ip service set www-ssl certificate=$_cdomain.cer_0;\
	153	\n$ROUTER_OS_ADDITIONAL_SERVICES;\
c42dbbfe CG	154	\n\"
c42dbbfe CG	155	"
9d6d96ad	156
c603b9c4 AB	157	if ! _ssh_remote_cmd "$DEPLOY_SCRIPT_CMD"; then
	158	return $_err_code
	159	fi
	160
	161	if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then
	162	return $_err_code
	163	fi
	164
	165	if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then
	166	return $_err_code
	167	fi
b8a8e228	168
b8a8e228 PH	169	return 0
b8a8e228 PH	170	}
c603b9c4 AB	171
	172	# inspired by deploy/ssh.sh
	173	_ssh_remote_cmd() {
	174	_cmd="$1"
	175	_secure_debug "Remote commands to execute: $_cmd"
	176	_info "Submitting sequence of commands to routeros"
	177	# quotations in bash cmd below intended. Squash travis spellcheck error
	178	# shellcheck disable=SC2029
	179	$ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$_cmd"
	180	_err_code="$?"
	181
	182	if [ "$_err_code" != "0" ]; then
	183	_err "Error code $_err_code returned from routeros"
	184	fi
	185
	186	return $_err_code
	187	}
3411b736 AB	188
	189	_scp_certificate() {
	190	_src="$1"
	191	_dst="$2"
	192	_secure_debug "scp '$_src' to '$_dst'"
	193	_info "Push key '$_src' to routeros"
	194
	195	$ROUTER_OS_SCP_CMD "$_src" "$_dst"
	196	_err_code="$?"
	197
	198	if [ "$_err_code" != "0" ]; then
	199	_err "Error code $_err_code returned from scp"
	200	fi
	201
	202	return $_err_code
	203	}