1 | #!/usr/bin/env sh |
2 | ||
8e8cda13 | 3 | # Here is a script to deploy cert to Synology DSM |
4 | # |
# it requires that jq and curl are in the $PATH and that the following
# environment variables are set:
7 | # | |
8 | # SYNO_Username - Synology Username to login (must be an administrator) | |
9 | # SYNO_Password - Synology Password to login | |
10 | # SYNO_Certificate - Certificate description to target for replacement | |
11 | # | |
12 | # The following environmental variables may be set if you don't like their | |
13 | # default values: | |
14 | # | |
# SYNO_Scheme - defaults to http (acceptable for localhost only: the login POST
#               carries SYNO_Password in the request body, so use https for any
#               remote host)
16 | # SYNO_Hostname - defaults to localhost | |
17 | # SYNO_Port - defaults to 5000 | |
# SYNO_DID - device ID sent as the "did" cookie on login to skip OTP - defaults to empty
# SYNO_Create - if set to a non-empty value, the deploy continues (with an empty
#               certificate id) when no existing certificate matches
#               SYNO_Certificate - defaults to empty
19 | # |
20 | #returns 0 means success, otherwise error. | |
21 | ||
22 | ######## Public functions ##################### | |
23 | ||
24 | #domain keyfile certfile cafile fullchain | |
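# Deploy a certificate into a Synology DSM instance through the DSM web API.
# Positional arguments (supplied by acme.sh):
#   $1 domain    - primary domain of the certificate (used for logging only)
#   $2 keyfile   - path to the private key
#   $3 certfile  - path to the leaf certificate
#   $4 cafile    - path to the intermediate/CA chain
#   $5 fullchain - not used by this hook
# Reads SYNO_* settings via _getdeployconf (see the header comment) and saves
# them via _savedeployconf once they have been proven to work.
# Returns 0 on success, 1 on any configuration, authentication or upload error.
synology_dsm_deploy() {

  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"

  _debug _cdomain "$_cdomain"

  # Read the credentials, but do not persist them until a login has succeeded
  # so a typo is never written into the domain config.
  _getdeployconf SYNO_Username
  _getdeployconf SYNO_Password
  _getdeployconf SYNO_Create
  _getdeployconf SYNO_DID
  if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then
    _err "SYNO_Username & SYNO_Password must be set"
    return 1
  fi
  _debug2 SYNO_Username "$SYNO_Username"
  _secure_debug2 SYNO_Password "$SYNO_Password"

  # Optional scheme, hostname, and port for Synology DSM
  _getdeployconf SYNO_Scheme
  _getdeployconf SYNO_Hostname
  _getdeployconf SYNO_Port

  # Defaults: plain http to localhost. Cleartext is tolerable only because that
  # traffic never leaves the host; remote targets get a warning below.
  [ -n "${SYNO_Scheme:-}" ] || SYNO_Scheme="http"
  [ -n "${SYNO_Hostname:-}" ] || SYNO_Hostname="localhost"
  [ -n "${SYNO_Port:-}" ] || SYNO_Port="5000"

  # The login request below POSTs the admin password in the request body, so a
  # non-https scheme to anything but the local host exposes the credentials.
  if [ "$SYNO_Scheme" != "https" ]; then
    case "$SYNO_Hostname" in
      localhost | 127.0.0.1 | ::1 | \[::1\]) ;;
      *) _info "WARNING: SYNO_Scheme is '$SYNO_Scheme' for remote host '$SYNO_Hostname'; the DSM password will be sent in cleartext. Set SYNO_Scheme=https." ;;
    esac
  fi

  _savedeployconf SYNO_Scheme "$SYNO_Scheme"
  _savedeployconf SYNO_Hostname "$SYNO_Hostname"
  _savedeployconf SYNO_Port "$SYNO_Port"

  _debug2 SYNO_Scheme "$SYNO_Scheme"
  _debug2 SYNO_Hostname "$SYNO_Hostname"
  _debug2 SYNO_Port "$SYNO_Port"

  # Certificate description; only saved after it is confirmed to exist on the DSM
  _getdeployconf SYNO_Certificate
  _debug SYNO_Certificate "${SYNO_Certificate:-}"

  # shellcheck disable=SC1003 # We are not trying to escape a single quote
  if printf "%s" "$SYNO_Certificate" | grep '\\'; then
    _err "Do not use a backslash (\) in your certificate description"
    return 1
  fi

  _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
  _debug _base_url "$_base_url"

  _debug "Getting API version"
  response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth")
  api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p')
  _debug3 response "$response"
  _debug3 api_version "$api_version"
  # Without a version the login request is malformed and would fail with a
  # misleading "check your password"; report the real cause instead.
  if [ -z "$api_version" ]; then
    _err "Unable to query the DSM API version at $_base_url; check SYNO_Scheme, SYNO_Hostname and SYNO_Port."
    return 1
  fi

  # Login, get the token from JSON and session id from cookie
  _info "Logging into $SYNO_Hostname:$SYNO_Port"
  encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
  encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"

  # A saved device id lets DSM skip the OTP prompt. It is a reusable secret,
  # so it is only ever printed through the masked debug helpers.
  if [ -n "${SYNO_DID:-}" ]; then
    _H1="Cookie: did=$SYNO_DID"
    export _H1
    _secure_debug3 H1 "${_H1}"
  fi

  response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
  token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
  # The login response carries the session id and the SYNO token; both are
  # session secrets, so keep them out of plain debug logs.
  _secure_debug3 response "$response"
  _secure_debug token "$token"

  if [ -z "$token" ]; then
    _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
    _err "Check your username and password."
    return 1
  fi
  sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
  _secure_debug sid "$sid"

  # From here on the did cookie header is replaced by the SYNO token header
  _H1="X-SYNO-TOKEN: $token"
  export _H1
  _secure_debug2 H1 "${_H1}"

  # Now that we know the username and password are good, save them.
  # They land in the acme.sh domain config in clear text; keep that file private.
  _savedeployconf SYNO_Username "$SYNO_Username"
  _savedeployconf SYNO_Password "$SYNO_Password"
  _savedeployconf SYNO_DID "$SYNO_DID"

  _info "Getting certificates in Synology DSM"
  response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
  _debug3 response "$response"
  # Escape BRE metacharacters, the sed delimiter "/", and double quotes (which
  # the JSON response contains as \") so the description can be interpolated
  # into the sed patterns below. This sed uses "|" as its own delimiter so a
  # "/" in the description is escaped instead of breaking the expression.
  escaped_certificate="$(printf "%s" "$SYNO_Certificate" | sed 's|\([].*^$[/]\)|\\\1|g;s|"|\\\\"|g')"
  _debug escaped_certificate "$escaped_certificate"
  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
  _debug2 id "$id"

  if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
    _err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set"
    return 1
  fi

  # The description matched an existing certificate (or SYNO_Create permits a
  # new one), so it is safe to persist it now
  _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"

  _info "Generate form POST request"
  # CRLF as printf %b escapes; expanded into real bytes once the body is built
  nl="\0015\0012"
  delim="--------------------------$(_utc_date | tr -d -- '-: ')"
  # NOTE(review): the private key is read into a shell variable and handed to
  # _post; confirm _post does not place the body on a command line where other
  # local users could observe it.
  content="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\0012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\0012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
  # Preserve the "default certificate" flag of the entry being replaced
  if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
    _debug2 default "this is the default certificate"
    content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
  else
    _debug2 default "this is NOT the default certificate"
  fi
  content="$content${nl}--$delim--${nl}"
  # printf %b turns the escape sequences into bytes; the trailing "_" stops the
  # command substitution from stripping the final newline and is removed after
  content="$(printf "%b_" "$content")"
  content="${content%_}" # protect trailing \n

  _info "Upload certificate to the Synology DSM"
  response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token&_sid=$sid" "" "POST" "multipart/form-data; boundary=${delim}")
  _debug3 response "$response"

  if echo "$response" | grep '"error":' >/dev/null; then
    _err "Unable to update certificate, error code $response"
    return 1
  fi
  if echo "$response" | grep '"restart_httpd":true' >/dev/null; then
    _info "http services were restarted"
  else
    _info "http services were NOT restarted"
  fi
  return 0
}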