1 | #!/usr/bin/env sh |
2 | ||
8e8cda13 | 3 | # Here is a script to deploy cert to Synology DSM |
4 | # |
5 | # it requires that jq and curl are in $PATH, and that the following | |
6 | # environment variables are set: | |
7 | # | |
8 | # SYNO_Username - Synology Username to login (must be an administrator) | |
9 | # SYNO_Password - Synology Password to login | |
10 | # SYNO_Certificate - Certificate description to target for replacement | |
11 | # | |
12 | # The following environmental variables may be set if you don't like their | |
13 | # default values: | |
14 | # | |
15 | # SYNO_Scheme - defaults to http; use https whenever SYNO_Hostname is not localhost, because the login request below sends SYNO_Username and SYNO_Password in the URL query string | |
16 | # SYNO_Hostname - defaults to localhost | |
17 | # SYNO_Port - defaults to 5000 | |
| # SYNO_Create - if set to any non-empty value, a certificate description that is not found in DSM is not an error; the import is then sent with an empty id | |
18 | # | |
19 | # returns 0 on success, non-zero on error. | |
20 | ||
21 | ######## Public functions ##################### | |
22 | ||
# Print "NAME=value" (no trailing ';') for cookie NAME, taken from the last
# matching "Set-Cookie:" line in $HTTP_HEADER (presumably the response
# headers of the most recent _get/_post). Prints nothing when the cookie was
# not set. NAME is interpolated into grep patterns unescaped, so only pass
# literal cookie names such as "id" or "smid".
_syno_get_cookie_data() {
  _cookie_name="$1"
  grep "^Set-Cookie:" "$HTTP_HEADER" |
    grep "\W${_cookie_name}=" |
    _tail_n 1 |
    _egrep_o "${_cookie_name}=[^;]*;" |
    tr -d ';'
}
26 | ||
27 | # Arguments: domain keyfile certfile cafile fullchain (only the first four are used) |
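# Deploy a certificate to Synology DSM: log in, look up the certificate whose
# description is $SYNO_Certificate, and re-import key/cert/chain under its id.
# Arguments: $1 domain, $2 key file, $3 cert file, $4 CA/intermediate file
# ($5, the fullchain file, is not used).
# Returns 0 on success, 1 on any error.
synology_dsm_deploy() {

  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"

  _debug _cdomain "$_cdomain"

  # Get Username and Password, but don't save until we successfully authenticate.
  # _getdeployconf sets the variable in the calling shell as a side effect (the
  # SC2154 disable on SYNO_Certificate below exists for that reason); wrapping it
  # in $(...) would run it in a subshell and lose the saved value, so it is
  # called directly, the same way SYNO_Certificate is read further down.
  _getdeployconf SYNO_Username
  _getdeployconf SYNO_Password
  _getdeployconf SYNO_Create
  # shellcheck disable=SC2154
  if [ -z "$SYNO_Username" ] || [ -z "$SYNO_Password" ]; then
    SYNO_Username=""
    SYNO_Password=""
    _err "SYNO_Username & SYNO_Password must be set"
    return 1
  fi
  _debug2 SYNO_Username "$SYNO_Username"
  _secure_debug2 SYNO_Password "$SYNO_Password"

  # Optional scheme, hostname, and port for Synology DSM; saved as given
  # (possibly empty) before the defaults are applied.
  _getdeployconf SYNO_Scheme
  _getdeployconf SYNO_Hostname
  _getdeployconf SYNO_Port
  _savedeployconf SYNO_Scheme "$SYNO_Scheme"
  _savedeployconf SYNO_Hostname "$SYNO_Hostname"
  _savedeployconf SYNO_Port "$SYNO_Port"

  # default values for scheme, hostname, and port.
  # http is only acceptable because the default host is localhost: the login
  # request below carries the password in the URL, so a remote SYNO_Hostname
  # should be used with SYNO_Scheme=https.
  [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http"
  [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost"
  [ -n "${SYNO_Port}" ] || SYNO_Port="5000"

  _debug2 SYNO_Scheme "$SYNO_Scheme"
  _debug2 SYNO_Hostname "$SYNO_Hostname"
  _debug2 SYNO_Port "$SYNO_Port"

  # Get the certificate description, but don't save it until we verify it's real
  _getdeployconf SYNO_Certificate
  # shellcheck disable=SC2154
  if [ -z "${SYNO_Certificate}" ]; then
    _err "SYNO_Certificate needs to be defined (with the Certificate description name)"
    return 1
  fi
  _debug SYNO_Certificate "$SYNO_Certificate"

  _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
  _debug _base_url "$_base_url"

  # Login, get the token from JSON and session id from cookie.
  # NOTE: username and password are sent as GET query parameters and are not
  # URL-encoded, so a password containing '&', '%', '+' or '#' will fail to
  # authenticate, and the credentials may be recorded in web-server or proxy
  # logs; keep this on localhost or https.
  _info "Logging into $SYNO_Hostname:$SYNO_Port"
  response=$(_get "$_base_url/webman/login.cgi?username=$SYNO_Username&passwd=$SYNO_Password&enable_syno_token=yes")
  token=$(echo "$response" | grep "SynoToken" | sed -n 's/.*"SynoToken" *: *"\([^"]*\).*/\1/p')
  _debug3 response "$response"

  if [ -z "$token" ]; then
    _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
    _err "Check your username and password."
    return 1
  fi

  # The session cookie and the CSRF token are exported as extra request headers
  # (_H1/_H2, presumably picked up by _get/_post). Both are credentials, so they
  # are only logged through _secure_debug2, like the password above.
  _H1="Cookie: $(_syno_get_cookie_data "id"); $(_syno_get_cookie_data "smid")"
  _H2="X-SYNO-TOKEN: $token"
  export _H1
  export _H2
  _secure_debug2 H1 "${_H1}"
  _secure_debug2 H2 "${_H2}"

  # Now that we know the username and password are good, save them
  # (the password is stored by _savedeployconf for future renewals).
  _savedeployconf SYNO_Username "$SYNO_Username"
  _savedeployconf SYNO_Password "$SYNO_Password"
  _secure_debug2 token "$token"

  _info "Getting certificates in Synology DSM"
  response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1" "$_base_url/webapi/entry.cgi")
  _debug3 response "$response"
  # The description is matched inside a sed basic regular expression that uses
  # '/' as delimiter, so escape the characters that are special there. Without
  # this a description such as "*.example.com" or "web/internal" either breaks
  # the sed expression or matches a different certificate.
  _syno_desc_re="$(printf '%s' "$SYNO_Certificate" | sed 's|[][^$.*/\\]|\\&|g')"
  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$_syno_desc_re\",\"id\":\"\([^\"]*\).*/\1/p")
  _debug2 id "$id"

  # No match is only fatal when the caller has not opted in to creating a new
  # entry via SYNO_Create; otherwise the import below is sent with an empty id.
  if [ -z "$id" ] && [ -z "$SYNO_Create" ]; then
    _err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set"
    return 1
  fi

  # we've verified this certificate description is a thing, so save it
  _savedeployconf SYNO_Certificate "$SYNO_Certificate"

  # Preserve the "default certificate" flag of the entry being replaced.
  default=false
  if echo "$response" | sed -n "s/.*\"desc\":\"$_syno_desc_re\",\([^{]*\).*/\1/p" | grep -q -- 'is_default":true'; then
    default=true
  fi
  _debug2 default "$default"

  # Build the multipart/form-data body by hand. The \015\012 (CRLF) and \012
  # sequences are turned into real bytes by printf %b below; the PEM files are
  # ASCII base64 and contain no backslash sequences, so they pass through intact.
  _info "Generate form POST request"
  nl="\015\012"
  delim="--------------------------$(date +%Y%m%d%H%M%S)"
  content="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}"
  content="$content${nl}--$delim--${nl}"
  content="$(printf "%b_" "$content")"
  content="${content%_}" # protect trailing \n

  _info "Upload certificate to the Synology DSM"
  response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token" "" "POST" "multipart/form-data; boundary=${delim}")
  _debug3 response "$response"

  # The session headers are no longer needed; drop them so that any later
  # request made from this shell (e.g. another deploy hook) does not carry the
  # DSM cookie and token to a different host.
  unset _H1 _H2

  if ! echo "$response" | grep -q '"error":'; then
    if echo "$response" | grep -q '"restart_httpd":true'; then
      _info "http services were restarted"
    else
      _info "http services were NOT restarted"
    fi
    return 0
  else
    _err "Unable to update certificate, error code $response"
    return 1
  fi
}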