3 # Here is a script to deploy cert to routeros router.
4 # Deploy the cert to remote routeros
7 # acme.sh --deploy -d ftp.example.com --deploy-hook routeros
10 # Before you can deploy the certificate to router os, you need
11 # to add the id_rsa.pub key to the routeros and assign a user
14 # The user needs to have access to ssh, ftp, read and write.
16 # There is no need to enable the ftp service for the script to work,
17 # as the files are transmitted over SCP; however, ftp is needed to store
18 # the files on the router.
20 # Then you need to set the environment variables for the
21 # deploy script to work.
24 # export ROUTER_OS_USERNAME=certuser
25 # export ROUTER_OS_HOST=router.example.com
26 # export ROUTER_OS_PORT=22
28 # acme.sh --deploy -d ftp.example.com --deploy-hook routeros
31 # The deploy script will remove previously deployed certificates,
32 # and it does this with an assumption on how RouterOS names imported
33 # certificates, adding a "cer_0" suffix at the end. This is true for
34 # versions 6.32 -> 6.41.3, but it is not guaranteed that it will be
35 # true for future versions when upgrading.
37 # If the router has other certificates with the same name as the one
38 # being deployed, then this script will remove those certificates.
40 # At the end of the script, the services that use those certificates
41 # could be updated. Currently only the www-ssl service is being
42 # updated, but more services could be added.
46 # export ROUTER_OS_ADDITIONAL_SERVICES="/ip service set api-ssl certificate=$_cdomain.cer_0"
49 # One optional thing to do as well is to create a script that updates
50 # all the required services and run that script in a single command.
52 # To pass additional parameters to `scp` and/or `ssh`, set the optional
53 # `ROUTER_OS_SSH_CMD` and `ROUTER_OS_SCP_CMD` variables accordingly;
54 # see ssh(1) and scp(1) for the parameters those commands accept.
58 # export ROUTER_OS_SSH_CMD="ssh -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
59 # export ROUTER_OS_SCP_CMD="scp -i /acme.sh/.ssh/router.example.com -o UserKnownHostsFile=/acme.sh/.ssh/known_hosts"
62 # Returns 0 on success, non-zero on error.
64 ######## Public functions #####################
66 #domain keyfile certfile cafile fullchain
75 _debug _cdomain
"$_cdomain"
77 _debug _ccert
"$_ccert"
79 _debug _cfullchain
"$_cfullchain"
81 _getdeployconf ROUTER_OS_HOST
83 if [ -z "$ROUTER_OS_HOST" ]; then
84 _debug
"Using _cdomain as ROUTER_OS_HOST, please set if not correct."
85 ROUTER_OS_HOST
="$_cdomain"
88 _getdeployconf ROUTER_OS_USERNAME
90 if [ -z "$ROUTER_OS_USERNAME" ]; then
91 _err
"Need to set the env variable ROUTER_OS_USERNAME"
95 _getdeployconf ROUTER_OS_PORT
97 if [ -z "$ROUTER_OS_PORT" ]; then
98 _debug
"Using default port 22 as ROUTER_OS_PORT, please set if not correct."
102 _getdeployconf ROUTER_OS_SSH_CMD
104 if [ -z "$ROUTER_OS_SSH_CMD" ]; then
105 _debug
"Use default ssh setup."
106 ROUTER_OS_SSH_CMD
="ssh -p $ROUTER_OS_PORT"
109 _getdeployconf ROUTER_OS_SCP_CMD
111 if [ -z "$ROUTER_OS_SCP_CMD" ]; then
112 _debug
"USe default scp setup."
113 ROUTER_OS_SCP_CMD
="scp -P $ROUTER_OS_PORT"
116 _getdeployconf ROUTER_OS_ADDITIONAL_SERVICES
118 if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
119 _debug
"Not enabling additional services"
120 ROUTER_OS_ADDITIONAL_SERVICES
=""
123 _savedeployconf ROUTER_OS_HOST
"$ROUTER_OS_HOST"
124 _savedeployconf ROUTER_OS_USERNAME
"$ROUTER_OS_USERNAME"
125 _savedeployconf ROUTER_OS_PORT
"$ROUTER_OS_PORT"
126 _savedeployconf ROUTER_OS_SSH_CMD
"$ROUTER_OS_SSH_CMD"
127 _savedeployconf ROUTER_OS_SCP_CMD
"$ROUTER_OS_SCP_CMD"
128 _savedeployconf ROUTER_OS_ADDITIONAL_SERVICES
"$ROUTER_OS_ADDITIONAL_SERVICES"
130 # push key to routeros
131 if ! _scp_certificate
"$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"; then
135 # push certificate chain to routeros
136 if ! _scp_certificate
"$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"; then
140 DEPLOY_SCRIPT_CMD
="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
141 comment=\"generated by routeros deploy script in acme.sh\" \
142 source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
143 \n/certificate remove [ find name=$_cdomain.cer_1 ];\
144 \n/certificate remove [ find name=$_cdomain.cer_2 ];\
146 \n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
147 \n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
149 \n/file remove $_cdomain.cer;\
150 \n/file remove $_cdomain.key;\
152 \n/ip service set www-ssl certificate=$_cdomain.cer_0;\
153 \n$ROUTER_OS_ADDITIONAL_SERVICES;\
157 if ! _ssh_remote_cmd
"$DEPLOY_SCRIPT_CMD"; then
161 if ! _ssh_remote_cmd
"/system script run \"LE Cert Deploy - $_cdomain\""; then
165 if ! _ssh_remote_cmd
"/system script remove \"LE Cert Deploy - $_cdomain\""; then
172 # inspired by deploy/ssh.sh
175 _secure_debug
"Remote commands to execute: $_cmd"
176 _info
"Submitting sequence of commands to routeros"
177 # quotations in bash cmd below intended. Squash travis spellcheck error
178 # shellcheck disable=SC2029
179 $ROUTER_OS_SSH_CMD "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$_cmd"
182 if [ "$_err_code" != "0" ]; then
183 _err
"Error code $_err_code returned from routeros"
192 _secure_debug
"scp '$_src' to '$_dst'"
193 _info
"Push key '$_src' to routeros"
195 $ROUTER_OS_SCP_CMD "$_src" "$_dst"
198 if [ "$_err_code" != "0" ]; then
199 _err
"Error code $_err_code returned from scp"