3 # Here is a script to deploy cert to Synology DSM
5 # it requires the jq and curl are in the $PATH and the following
6 # environment variables must be set:
8 # SYNO_Username - Synology Username to login (must be an administrator)
9 # SYNO_Password - Synology Password to login
10 # SYNO_Certificate - Certificate description to target for replacement
12 # The following environmental variables may be set if you don't like their
15 # SYNO_Scheme - defaults to http
16 # SYNO_Hostname - defaults to localhost
17 # SYNO_Port - defaults to 5000
18 # SYNO_DID - device ID to skip OTP - defaults to empty
20 #returns 0 means success, otherwise error.
22 ######## Public functions #####################
24 _syno_get_cookie_data
() {
25 grep -i "\W$1=" |
grep -i "^Set-Cookie:" | _tail_n
1 | _egrep_o
"$1=[^;]*;" |
tr -d ';'
28 #domain keyfile certfile cafile fullchain
29 synology_dsm_deploy
() {
36 _debug _cdomain
"$_cdomain"
38 # Get Username and Password, but don't save until we successfully authenticate
39 _getdeployconf SYNO_Username
40 _getdeployconf SYNO_Password
41 _getdeployconf SYNO_Create
42 _getdeployconf SYNO_DID
43 if [ -z "${SYNO_Username:-}" ] ||
[ -z "${SYNO_Password:-}" ]; then
44 _err
"SYNO_Username & SYNO_Password must be set"
47 _debug2 SYNO_Username
"$SYNO_Username"
48 _secure_debug2 SYNO_Password
"$SYNO_Password"
50 # Optional scheme, hostname, and port for Synology DSM
51 _getdeployconf SYNO_Scheme
52 _getdeployconf SYNO_Hostname
53 _getdeployconf SYNO_Port
55 # default vaules for scheme, hostname, and port
56 # defaulting to localhost and http because it's localhost...
57 [ -n "${SYNO_Scheme}" ] || SYNO_Scheme
="http"
58 [ -n "${SYNO_Hostname}" ] || SYNO_Hostname
="localhost"
59 [ -n "${SYNO_Port}" ] || SYNO_Port
="5000"
61 _savedeployconf SYNO_Scheme
"$SYNO_Scheme"
62 _savedeployconf SYNO_Hostname
"$SYNO_Hostname"
63 _savedeployconf SYNO_Port
"$SYNO_Port"
65 _debug2 SYNO_Scheme
"$SYNO_Scheme"
66 _debug2 SYNO_Hostname
"$SYNO_Hostname"
67 _debug2 SYNO_Port
"$SYNO_Port"
69 # Get the certificate description, but don't save it until we verfiy it's real
70 _getdeployconf SYNO_Certificate
71 _debug SYNO_Certificate
"${SYNO_Certificate:-}"
73 _base_url
="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
74 _debug _base_url
"$_base_url"
76 # Login, get the token from JSON and session id from cookie
77 _info
"Logging into $SYNO_Hostname:$SYNO_Port"
78 encoded_username
="$(printf "%s
" "$SYNO_Username" | _url_encode)"
79 encoded_password
="$(printf "%s
" "$SYNO_Password" | _url_encode)"
80 encoded_did
="$(printf "%s
" "$SYNO_DID" | _url_encode)"
81 response
=$
(_get
"$_base_url/webman/login.cgi?username=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_id=$encoded_did" 1)
82 token
=$
(echo "$response" |
grep -i "X-SYNO-TOKEN:" |
sed -n 's/^X-SYNO-TOKEN: \(.*\)$/\1/pI' |
tr -d "\r\n")
83 _debug3 response
"$response"
86 if [ -z "$token" ]; then
87 _err
"Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
88 _err
"Check your username and password."
92 _H1
="Cookie: $(echo "$response" | _syno_get_cookie_data "id
"); $(echo "$response" | _syno_get_cookie_data "smid
")"
93 _H2
="X-SYNO-TOKEN: $token"
99 # Now that we know the username and password are good, save them
100 _savedeployconf SYNO_Username
"$SYNO_Username"
101 _savedeployconf SYNO_Password
"$SYNO_Password"
102 _savedeployconf SYNO_DID
"$SYNO_DID"
104 _info
"Getting certificates in Synology DSM"
105 response
=$
(_post
"api=SYNO.Core.Certificate.CRT&method=list&version=1" "$_base_url/webapi/entry.cgi")
106 _debug3 response
"$response"
107 id
=$
(echo "$response" |
sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p")
110 if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
111 _err
"Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set"
115 # we've verified this certificate description is a thing, so save it
116 _savedeployconf SYNO_Certificate
"$SYNO_Certificate"
119 if echo "$response" |
sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" |
grep -- 'is_default":true' >/dev
/null
; then
122 _debug2 default
"$default"
124 _info
"Generate form POST request"
126 delim
="--------------------------$(_utc_date | tr -d -- '-: ')"
127 content
="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\0012"
128 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\0012"
129 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
130 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
131 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
132 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}"
133 content
="$content${nl}--$delim--${nl}"
134 content
="$(printf "%b_
" "$content")"
135 content
="${content%_}" # protect trailing \n
137 _info
"Upload certificate to the Synology DSM"
138 response
=$
(_post
"$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token" "" "POST" "multipart/form-data; boundary=${delim}")
139 _debug3 response
"$response"
141 if ! echo "$response" |
grep '"error":' >/dev
/null
; then
142 if echo "$response" |
grep '"restart_httpd":true' >/dev
/null
; then
143 _info
"http services were restarted"
145 _info
"http services were NOT restarted"
149 _err
"Unable to update certificate, error code $response"