86fbb595 | 1 | #!/usr/bin/env sh |
b8a8e228 | 2 | |
3 | # Here is a script to deploy cert to routeros router. |
4 | # Deploy the cert to remote routeros | |
5 | # | |
6 | # ```sh | |
7 | # acme.sh --deploy -d ftp.example.com --deploy-hook routeros | |
8 | # ``` | |
9 | # | |
10 | # Before you can deploy the certificate to router os, you need | |
11 | # to add the id_rsa.pub key to the routeros and assign a user | |
12 | # to that key. | |
13 | # | |
14 | # The user needs to have access to ssh, ftp, read and write. | |
15 | # | |
16 | # There is no need to enable the ftp service for the script to work, | |
17 | # as the files are transmitted over SCP; however, ftp is still needed | |
18 | # to store the files on the router. | |
19 | # | |
20 | # Then you need to set the environment variables for the | |
21 | # deploy script to work. | |
22 | # | |
23 | # ```sh | |
24 | # export ROUTER_OS_USERNAME=certuser | |
25 | # export ROUTER_OS_HOST=router.example.com | |
205e95a2 | 26 | # export ROUTER_OS_PORT=22 |
27 | # |
28 | # acme.sh --deploy -d ftp.example.com --deploy-hook routeros | |
29 | # ``` | |
30 | # | |
31 | # The deploy script will remove previously deployed certificates, | |
32 | # and it does this with an assumption on how RouterOS names imported | |
33 | # certificates, adding a "cer_0" suffix at the end. This is true for | |
34 | # versions 6.32 -> 6.41.3, but it is not guaranteed that it will be | |
35 | # true for future versions when upgrading. | |
36 | # | |
37 | # If the router has other certificates with the same name as the one | |
38 | # being deployed, then this script will remove those certificates. | |
39 | # | |
40 | # At the end of the script, the services that use those certificates | |
41 | # could be updated. Currently only the www-ssl service is being | |
42 | # updated, but more services could be added. | |
43 | # | |
44 | # For instance: | |
45 | # ```sh | |
46 | # export ROUTER_OS_ADDITIONAL_SERVICES="/ip service set api-ssl certificate=$_cdomain.cer_0" | |
47 | # ``` | |
48 | # | |
49 | # One optional thing to do as well is to create a script that updates | |
50 | # all the required services and run that script in a single command. | |
51 | # | |
52 | # To adapt the parameters passed to `scp` and/or `ssh`, set the optional |
53 | # `ROUTER_OS_SSH_CMD` and `ROUTER_OS_SCP_CMD` variables accordingly, | |
54 | # see ssh(1) and scp(1) for parameters to those commands. | |
55 | # | |
56 | # Example: | |
57 | # ```sh | |
58 | # export ROUTER_OS_SSH_CMD="ssh -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts" | |
59 | # export ROUTER_OS_SCP_CMD="scp -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts" | |
60 | # ``` | |
61 | # | |
e19753dc | 62 | # Returns 0 on success, non-zero on error. |
63 | |
64 | ######## Public functions ##################### | |
65 | ||
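#######################################
# Deploy hook entry point for acme.sh: push the private key and the
# full chain to the router over scp, then create, run and remove a
# temporary RouterOS script that imports them and points www-ssl at
# the new certificate.
# Globals (read): ROUTER_OS_HOST, ROUTER_OS_USERNAME, ROUTER_OS_PORT,
#   ROUTER_OS_SSH_CMD, ROUTER_OS_SCP_CMD, ROUTER_OS_ADDITIONAL_SERVICES;
#   each one falls back to the value saved by an earlier run
#   (_getdeployconf) and then to a default where one exists.
# Globals (written): the variables above (defaults filled in),
#   DEPLOY_SCRIPT_CMD, _err_code (set by the ssh/scp helpers).
# Arguments:
#   $1 - domain, $2 - key file, $3 - cert file, $4 - ca file,
#   $5 - full chain file
# Returns: 0 on success, 1 if ROUTER_OS_USERNAME is not set, otherwise
#   the exit code of the failing scp/ssh invocation.
#######################################
routeros_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
  _err_code=0

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  _getdeployconf ROUTER_OS_HOST

  if [ -z "$ROUTER_OS_HOST" ]; then
    _debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct."
    ROUTER_OS_HOST="$_cdomain"
  fi

  _getdeployconf ROUTER_OS_USERNAME

  if [ -z "$ROUTER_OS_USERNAME" ]; then
    _err "Need to set the env variable ROUTER_OS_USERNAME"
    return 1
  fi

  _getdeployconf ROUTER_OS_PORT

  if [ -z "$ROUTER_OS_PORT" ]; then
    _debug "Using default port 22 as ROUTER_OS_PORT, please set if not correct."
    ROUTER_OS_PORT=22
  fi

  # The ssh/scp command strings are persisted only when the user supplied
  # them. A defaulted "ssh -p $ROUTER_OS_PORT" must not be saved: on the
  # next run _getdeployconf would load that stale string ahead of a newly
  # exported ROUTER_OS_PORT and connect to the old port. Values saved by
  # earlier runs are still honoured, so existing setups keep working.
  _getdeployconf ROUTER_OS_SSH_CMD

  if [ -z "$ROUTER_OS_SSH_CMD" ]; then
    _debug "Use default ssh setup."
    ROUTER_OS_SSH_CMD="ssh -p $ROUTER_OS_PORT"
  else
    _savedeployconf ROUTER_OS_SSH_CMD "$ROUTER_OS_SSH_CMD"
  fi

  _getdeployconf ROUTER_OS_SCP_CMD

  if [ -z "$ROUTER_OS_SCP_CMD" ]; then
    _debug "USe default scp setup."
    ROUTER_OS_SCP_CMD="scp -P $ROUTER_OS_PORT"
  else
    _savedeployconf ROUTER_OS_SCP_CMD "$ROUTER_OS_SCP_CMD"
  fi

  _getdeployconf ROUTER_OS_ADDITIONAL_SERVICES

  if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
    _debug "Not enabling additional services"
    ROUTER_OS_ADDITIONAL_SERVICES=""
  fi

  _savedeployconf ROUTER_OS_HOST "$ROUTER_OS_HOST"
  _savedeployconf ROUTER_OS_USERNAME "$ROUTER_OS_USERNAME"
  _savedeployconf ROUTER_OS_PORT "$ROUTER_OS_PORT"
  _savedeployconf ROUTER_OS_ADDITIONAL_SERVICES "$ROUTER_OS_ADDITIONAL_SERVICES"

  # Push the private key to the router's file store. It lives there as a
  # plain file only until the generated script below imports and removes it.
  if ! _scp_certificate "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"; then
    return $_err_code
  fi

  # Push the certificate chain to the router's file store.
  if ! _scp_certificate "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"; then
    return $_err_code
  fi

  # RouterOS script that removes the previously imported certificates
  # (assumes the "cer_0".."cer_2" naming RouterOS applies on import),
  # imports the new files, deletes them from storage and rebinds www-ssl.
  # $_cdomain and $ROUTER_OS_ADDITIONAL_SERVICES are expanded verbatim into
  # the script source, so they are operator-controlled input, not data from
  # the network. The backslash-newlines are shell line continuations; the
  # literal "\n" sequences are the line separators RouterOS sees.
  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
    comment=\"generated by routeros deploy script in acme.sh\" \
    source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
    \n/certificate remove [ find name=$_cdomain.cer_1 ];\
    \n/certificate remove [ find name=$_cdomain.cer_2 ];\
    \ndelay 1;\
    \n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
    \n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
    \ndelay 1;\
    \n/file remove $_cdomain.cer;\
    \n/file remove $_cdomain.key;\
    \ndelay 2;\
    \n/ip service set www-ssl certificate=$_cdomain.cer_0;\
    \n$ROUTER_OS_ADDITIONAL_SERVICES;\
    \n\"
"

  # Create, run, then remove the temporary script; each step stops the
  # deployment on failure with the ssh exit code recorded by the helper.
  if ! _ssh_remote_cmd "$DEPLOY_SCRIPT_CMD"; then
    return $_err_code
  fi

  if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then
    return $_err_code
  fi

  if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then
    return $_err_code
  fi

  return 0
}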
171 | |
172 | # inspired by deploy/ssh.sh | |
#######################################
# Run one command string on the router over ssh.
# Globals (read): ROUTER_OS_SSH_CMD, ROUTER_OS_USERNAME, ROUTER_OS_HOST
# Globals (written): _cmd, _err_code (the ssh exit status)
# Arguments: $1 - command string handed to the router verbatim
# Returns: the ssh exit status (0 on success)
#######################################
_ssh_remote_cmd() {
  _cmd="$1"
  _secure_debug "Remote commands to execute: $_cmd"
  _info "Submitting sequence of commands to routeros"
  # ROUTER_OS_SSH_CMD is left unquoted on purpose so it can carry
  # options; passing $_cmd as one argument to the remote side is
  # intended as well (SC2029).
  # shellcheck disable=SC2029
  $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$_cmd"
  _err_code="$?"

  [ "$_err_code" = "0" ] || _err "Error code $_err_code returned from routeros"

  return $_err_code
}
188 | |
#######################################
# Copy one local file to the router with scp.
# Globals (read): ROUTER_OS_SCP_CMD
# Globals (written): _src, _dst, _err_code (the scp exit status)
# Arguments: $1 - local source path, $2 - user@host:name destination
# Returns: the scp exit status (0 on success)
#######################################
_scp_certificate() {
  _src="$1"
  _dst="$2"
  _secure_debug "scp '$_src' to '$_dst'"
  _info "Push key '$_src' to routeros"

  # ROUTER_OS_SCP_CMD is left unquoted on purpose so it can carry options.
  if $ROUTER_OS_SCP_CMD "$_src" "$_dst"; then
    _err_code=0
  else
    _err_code="$?"
    _err "Error code $_err_code returned from scp"
  fi

  return $_err_code
}