1 #!/usr/bin/env sh
2
3 # Script to deploy certificates to Palo Alto Networks PANOS via API
# Note: the PAN-OS admin credentials and the firewall IP address need to be set prior to running; the API key is generated from them.
5 # The following variables exported from environment will be used.
6 # If not set then values previously saved in domain.conf file are used.
7 #
# A firewall admin account with the superuser role and the firewall's IP address are required.
9 #
10 # export PANOS_USER="" # required
11 # export PANOS_PASS="" # required
12 # export PANOS_HOST="" # required
13
# Pull the status (and, for keygen, the API key) out of a PAN-OS XML reply.
# $1 - raw XML response body
# $2 - request type; 'keygen' replies are parsed differently from the rest
# Sets the globals status, message and (keygen only) panos_key/_panos_key.
parse_response() {
  type=$2
  case "$type" in
  keygen)
    # keygen replies quote the status with single quotes: status = 'success'
    status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g')
    if [ "$status" != "success" ]; then
      message="PAN-OS Key could not be set."
    else
      # the API key is the text of the <key> element
      panos_key=$(echo "$1" | sed 's/^.*\(<key>\)\(.*\)<\/key>.*/\2/g')
      _panos_key=$panos_key
    fi
    ;;
  *)
    # other replies use status="..." and carry their text inside <result>
    status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
    message=$(echo "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
    ;;
  esac
  return 0
}
31
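# Send one PAN-OS API request and report whether the firewall accepted it.
# $1 - request type: keygen (obtain an API key from user/password), cert
#      (import the full chain), key (import the private key) or commit
#      (partial commit of this admin's changes).
# Reads the globals _panos_host, _panos_user, _panos_pass, _panos_key,
# _cdomain, _cfullchain and _ckey; keygen populates _panos_key through
# parse_response. Returns 0 when PAN-OS reports success, 1 otherwise.
deployer() {
  content=""
  type=$1 # Types are keygen, cert, key, commit
  _debug "**** Deploying $type *****"
  panos_url="https://$_panos_host/api/"
  if [ "$type" = 'keygen' ]; then
    _H1="Content-Type: application/x-www-form-urlencoded"
    # Form-encode the credentials so a password containing '&', '=', '%'
    # or '+' is not mangled by the x-www-form-urlencoded parser.
    _panos_user_enc=$(printf "%s" "$_panos_user" | _url_encode)
    _panos_pass_enc=$(printf "%s" "$_panos_pass" | _url_encode)
    content="type=keygen&user=$_panos_user_enc&password=$_panos_pass_enc"
  fi

  if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then
    # Generate the multipart boundary. %N (nanoseconds) is a GNU date
    # extension; elsewhere it is presumably printed literally, which still
    # gives a boundary that does not occur in PEM data.
    delim="-----MultipartDelimiter$(date "+%s%N")"
    # CRLF as octal escapes; expanded into real bytes by printf %b below.
    nl="\015\012"
    #Set Header
    export _H1="Content-Type: multipart/form-data; boundary=$delim"
    if [ "$type" = 'cert' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
    fi
    if [ "$type" = 'key' ]; then
      panos_url="${panos_url}?type=import"
      content="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\nprivate-key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      # NOTE(review): the passphrase is a fixed placeholder; the key file is
      # sent as-is, so this presumably only satisfies a mandatory field for an
      # unencrypted PEM — confirm against the PAN-OS import API.
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
      # NOTE(review): the private key is held in a shell variable and handed
      # to _post as an argument; whether it ends up on an HTTP client's argv
      # (visible in the process list) depends on _post — confirm.
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
    fi
    #Close multipart
    content="$content${nl}--$delim--${nl}${nl}"
    # Convert the \015\012 and \r\n escape sequences into real CRLF bytes.
    # (%b also interprets backslashes inside the embedded PEM; base64 PEM
    # bodies contain none.)
    content=$(printf %b "$content")
  fi

  if [ "$type" = 'commit' ]; then
    export _H1="Content-Type: application/x-www-form-urlencoded"
    # Partial commit scoped to this admin. The username is trusted operator
    # input; it is interpolated into XML without escaping.
    cmd=$(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode)
    content="type=commit&key=$_panos_key&cmd=$cmd"
  fi
  response=$(_post "$content" "$panos_url" "" "POST")
  parse_response "$response" "$type"
  # Saving response to variables
  response_status=$status
  #DEBUG
  _debug response_status "$response_status"
  if [ "$response_status" = "success" ]; then
    _debug "Successfully deployed $type"
    return 0
  else
    _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot."
    _debug "$message"
    return 1
  fi
}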
92
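# Deploy hook entry point: import the issued certificate and private key into
# the PAN-OS firewall, then commit.
# $1 - domain (used as the PAN-OS certificate name)
# $2 - private key file
# $5 - full chain file
# ($3 certificate and $4 CA file are not used by this hook.)
# Credentials and host come from PANOS_USER/PANOS_PASS/PANOS_HOST in the
# environment on first run and are then saved to the deploy conf; later runs
# read them back from there. Returns 0 only when every step reported success.
panos_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _cfullchain="$5"
  # PANOS ENV VAR check
  if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then
    _debug "No ENV variables found lets check for saved variables"
    _getdeployconf PANOS_USER
    _getdeployconf PANOS_PASS
    _getdeployconf PANOS_HOST
    _panos_user=$PANOS_USER
    _panos_pass=$PANOS_PASS
    _panos_host=$PANOS_HOST
    # Nothing saved at all: first run without the environment set.
    if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then
      _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs."
      return 1
    fi
    _debug "Using saved env variables."
  else
    _debug "Detected ENV variables to be saved to the deploy conf."
    # Save credentials for later renewals. NOTE(review): the trailing 1 asks
    # _savedeployconf to encode the value; in acme.sh this appears to be
    # base64 obfuscation rather than encryption, so the saved password is only
    # as safe as the permissions on the domain conf file — confirm against
    # _savedeployconf before relying on it.
    _savedeployconf PANOS_USER "$PANOS_USER" 1
    _savedeployconf PANOS_PASS "$PANOS_PASS" 1
    _savedeployconf PANOS_HOST "$PANOS_HOST" 1
    _panos_user="$PANOS_USER"
    _panos_pass="$PANOS_PASS"
    _panos_host="$PANOS_HOST"
  fi
  _debug "Let's use username and pass to generate token."
  # Partially saved/partially set values are rejected here.
  if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then
    _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
    return 1
  fi
  _debug "Getting PANOS KEY"
  # keygen reports its own failure; the key variable is the real success signal.
  deployer keygen
  if [ -z "$_panos_key" ]; then
    _err "Missing apikey."
    return 1
  fi
  # Stop at the first failed step so that a commit is never attempted after a
  # failed certificate or key import.
  deployer cert || return 1
  deployer key || return 1
  deployer commit || return 1
  return 0
}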
139 }