#!/usr/bin/env sh

# Here is a script to deploy a cert to Synology DSM
#
# it requires that jq and curl are in the $PATH and that the following
# environment variables are set:
#
# SYNO_Username - Synology Username to login (must be an administrator)
# SYNO_Password - Synology Password to login
# SYNO_Certificate - Certificate description to target for replacement
#
# The following environment variables may be set if you don't like their
# default values:
#
# SYNO_Scheme - defaults to http
# SYNO_Hostname - defaults to localhost
# SYNO_Port - defaults to 5000
# SYNO_DID - device ID to skip OTP - defaults to empty
#
# returns 0 on success, non-zero otherwise.

######## Public functions #####################

52a168b9 | 24 | _syno_get_cookie_data() { |
d15c14ab | 25 | grep "\W$1=" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';' |
52a168b9 BH |
26 | } |
27 | ||
28 | #domain keyfile certfile cafile fullchain |
29 | synology_dsm_deploy() { | |
30 | ||
31 | _cdomain="$1" | |
32 | _ckey="$2" | |
33 | _ccert="$3" | |
34 | _cca="$4" | |
35 | ||
36 | _debug _cdomain "$_cdomain" | |
37 | ||
38 | # Get Username and Password, but don't save until we successfully authenticate | |
12593410 BH |
39 | _getdeployconf SYNO_Username |
40 | _getdeployconf SYNO_Password | |
41 | _getdeployconf SYNO_Create | |
fd64c208 | 42 | _getdeployconf SYNO_DID |
555e0de9 BH |
43 | if [ -z "$SYNO_Username" ] || [ -z "$SYNO_Password" ]; then |
44 | SYNO_Username="" | |
45 | SYNO_Password="" | |
46 | _err "SYNO_Username & SYNO_Password must be set" | |
47 | return 1 | |
48 | fi | |
49 | _debug2 SYNO_Username "$SYNO_Username" | |
50 | _secure_debug2 SYNO_Password "$SYNO_Password" | |
51 | ||
52 | # Optional scheme, hostname, and port for Synology DSM | |
12593410 BH |
53 | _getdeployconf SYNO_Scheme |
54 | _getdeployconf SYNO_Hostname | |
55 | _getdeployconf SYNO_Port | |
555e0de9 BH |
56 | |
57 | # default vaules for scheme, hostname, and port | |
58 | # defaulting to localhost and http because it's localhost... | |
59 | [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http" | |
60 | [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost" | |
61 | [ -n "${SYNO_Port}" ] || SYNO_Port="5000" | |
62 | ||
12593410 BH |
63 | _savedeployconf SYNO_Scheme "$SYNO_Scheme" |
64 | _savedeployconf SYNO_Hostname "$SYNO_Hostname" | |
65 | _savedeployconf SYNO_Port "$SYNO_Port" | |
66 | ||
555e0de9 BH |
67 | _debug2 SYNO_Scheme "$SYNO_Scheme" |
68 | _debug2 SYNO_Hostname "$SYNO_Hostname" | |
69 | _debug2 SYNO_Port "$SYNO_Port" | |
70 | ||
71 | # Get the certificate description, but don't save it until we verfiy it's real | |
72 | _getdeployconf SYNO_Certificate | |
d07172a5 | 73 | if [ -z "${SYNO_Certificate:?}" ]; then |
555e0de9 BH |
74 | _err "SYNO_Certificate needs to be defined (with the Certificate description name)" |
75 | return 1 | |
76 | fi | |
77 | _debug SYNO_Certificate "$SYNO_Certificate" | |
78 | ||
555e0de9 BH |
79 | _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port" |
80 | _debug _base_url "$_base_url" | |
81 | ||
555e0de9 | 82 | # Login, get the token from JSON and session id from cookie |
52a168b9 | 83 | _info "Logging into $SYNO_Hostname:$SYNO_Port" |
52b81608 BH |
84 | encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)" |
85 | encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)" | |
86 | encoded_did="$(printf "%s" "$SYNO_DID" | _url_encode)" | |
d15c14ab BH |
87 | response=$(_get "$_base_url/webman/login.cgi?username=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_id=$encoded_did" 1) |
88 | token=$(echo "$response" | grep "X-SYNO-TOKEN:" | sed -n 's/^X-SYNO-TOKEN: \(.*\)$/\1/p' | tr -d "\r\n") | |
52a168b9 | 89 | _debug3 response "$response" |
d15c14ab | 90 | _debug token "$token" |
52a168b9 BH |
91 | |
92 | if [ -z "$token" ]; then | |
555e0de9 BH |
93 | _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme." |
94 | _err "Check your username and password." | |
555e0de9 BH |
95 | return 1 |
96 | fi | |
97 | ||
d15c14ab | 98 | _H1="Cookie: $(echo "$response" | _syno_get_cookie_data "id"); $(echo "$response" | _syno_get_cookie_data "smid")" |
52a168b9 BH |
99 | _H2="X-SYNO-TOKEN: $token" |
100 | export _H1 | |
101 | export _H2 | |
5d3bc95a BH |
102 | _debug2 H1 "${_H1}" |
103 | _debug2 H2 "${_H2}" | |
52a168b9 | 104 | |
555e0de9 | 105 | # Now that we know the username and password are good, save them |
52a168b9 BH |
106 | _savedeployconf SYNO_Username "$SYNO_Username" |
107 | _savedeployconf SYNO_Password "$SYNO_Password" | |
fd64c208 | 108 | _savedeployconf SYNO_DID "$SYNO_DID" |
555e0de9 | 109 | |
52a168b9 BH |
110 | _info "Getting certificates in Synology DSM" |
111 | response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1" "$_base_url/webapi/entry.cgi") | |
555e0de9 | 112 | _debug3 response "$response" |
95769de4 | 113 | id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p") |
52a168b9 | 114 | _debug2 id "$id" |
555e0de9 | 115 | |
668967a7 | 116 | if [ -z "$id" ] && [ -z "$SYNO_Create" ]; then |
de25232a | 117 | _err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set" |
555e0de9 BH |
118 | return 1 |
119 | fi | |
120 | ||
121 | # we've verified this certificate description is a thing, so save it | |
122 | _savedeployconf SYNO_Certificate "$SYNO_Certificate" | |
123 | ||
52a168b9 | 124 | default=false |
1b475cf9 | 125 | if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then |
95769de4 | 126 | default=true |
52a168b9 | 127 | fi |
555e0de9 BH |
128 | _debug2 default "$default" |
129 | ||
52a168b9 BH |
130 | _info "Generate form POST request" |
131 | nl="\015\012" | |
79637097 | 132 | delim="--------------------------$(_utc_date | tr -d -- '-: ')" |
52a168b9 BH |
133 | content="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\012" |
134 | content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\012" | |
135 | content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\012" | |
136 | content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id" | |
137 | content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}" | |
138 | content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}" | |
139 | content="$content${nl}--$delim--${nl}" | |
95769de4 BH |
140 | content="$(printf "%b_" "$content")" |
141 | content="${content%_}" # protect trailing \n | |
52a168b9 BH |
142 | |
143 | _info "Upload certificate to the Synology DSM" | |
144 | response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token" "" "POST" "multipart/form-data; boundary=${delim}") | |
555e0de9 | 145 | _debug3 response "$response" |
555e0de9 | 146 | |
1b475cf9 BH |
147 | if ! echo "$response" | grep '"error":' >/dev/null; then |
148 | if echo "$response" | grep '"restart_httpd":true' >/dev/null; then | |
6459ccb1 | 149 | _info "http services were restarted" |
555e0de9 | 150 | else |
6459ccb1 | 151 | _info "http services were NOT restarted" |
555e0de9 | 152 | fi |
6459ccb1 | 153 | return 0 |
555e0de9 | 154 | else |
52a168b9 | 155 | _err "Unable to update certificate, error code $response" |
555e0de9 BH |
156 | return 1 |
157 | fi | |
158 | } |