3 # Here is a script to deploy cert to Synology DSM
5 # It requires following environment variables:
7 # SYNO_Username - Synology Username to login (must be an administrator)
8 # SYNO_Password - Synology Password to login
9 # SYNO_Certificate - Certificate description to target for replacement
11 # The following environmental variables may be set if you don't like their
14 # SYNO_Scheme - defaults to http
15 # SYNO_Hostname - defaults to localhost
16 # SYNO_Port - defaults to 5000
17 # SYNO_DID - device ID to skip OTP - defaults to empty
18 # SYNO_TOTP_SECRET - TOTP secret to generate OTP - defaults to empty
23 # - oathtool (When using 2 Factor Authentication and SYNO_TOTP_SECRET is set)
25 #returns 0 means success, otherwise error.
27 ######## Public functions #####################
29 #domain keyfile certfile cafile fullchain
30 synology_dsm_deploy
() {
37 _debug _cdomain
"$_cdomain"
39 # Get Username and Password, but don't save until we successfully authenticate
40 _getdeployconf SYNO_Username
41 _getdeployconf SYNO_Password
42 _getdeployconf SYNO_Create
43 _getdeployconf SYNO_DID
44 _getdeployconf SYNO_TOTP_SECRET
45 if [ -z "${SYNO_Username:-}" ] ||
[ -z "${SYNO_Password:-}" ]; then
46 _err
"SYNO_Username & SYNO_Password must be set"
49 _debug2 SYNO_Username
"$SYNO_Username"
50 _secure_debug2 SYNO_Password
"$SYNO_Password"
52 # Optional scheme, hostname, and port for Synology DSM
53 _getdeployconf SYNO_Scheme
54 _getdeployconf SYNO_Hostname
55 _getdeployconf SYNO_Port
57 # default vaules for scheme, hostname, and port
58 # defaulting to localhost and http because it's localhost...
59 [ -n "${SYNO_Scheme}" ] || SYNO_Scheme
="http"
60 [ -n "${SYNO_Hostname}" ] || SYNO_Hostname
="localhost"
61 [ -n "${SYNO_Port}" ] || SYNO_Port
="5000"
63 _savedeployconf SYNO_Scheme
"$SYNO_Scheme"
64 _savedeployconf SYNO_Hostname
"$SYNO_Hostname"
65 _savedeployconf SYNO_Port
"$SYNO_Port"
67 _debug2 SYNO_Scheme
"$SYNO_Scheme"
68 _debug2 SYNO_Hostname
"$SYNO_Hostname"
69 _debug2 SYNO_Port
"$SYNO_Port"
71 # Get the certificate description, but don't save it until we verfiy it's real
72 _getdeployconf SYNO_Certificate
73 _debug SYNO_Certificate
"${SYNO_Certificate:-}"
75 # shellcheck disable=SC1003 # We are not trying to escape a single quote
76 if printf "%s" "$SYNO_Certificate" |
grep '\\'; then
77 _err
"Do not use a backslash (\) in your certificate description"
81 _base_url
="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
82 _debug _base_url
"$_base_url"
84 _debug
"Getting API version"
85 response
=$
(_get
"$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth")
86 api_version
=$
(echo "$response" |
grep "SYNO.API.Auth" |
sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p')
87 _debug3 response
"$response"
88 _debug3 api_version
"$api_version"
90 # Login, get the token from JSON and session id from cookie
91 _info
"Logging into $SYNO_Hostname:$SYNO_Port"
92 encoded_username
="$(printf "%s
" "$SYNO_Username" | _url_encode)"
93 encoded_password
="$(printf "%s
" "$SYNO_Password" | _url_encode)"
96 if [ -n "$SYNO_TOTP_SECRET" ]; then
97 if _exists oathtool
; then
98 otp_code
="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
100 _err
"oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET"
105 if [ -n "$SYNO_DID" ]; then
106 _H1
="Cookie: did=$SYNO_DID"
111 response
=$
(_post
"method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
112 token
=$
(echo "$response" |
grep "synotoken" |
sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
113 _debug3 response
"$response"
114 _debug token
"$token"
116 if [ -z "$token" ]; then
117 _err
"Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
118 _err
"Check your username and password."
119 _err
"If two-factor authentication is enabled for the user, set SYNO_TOTP_SECRET."
122 sid
=$
(echo "$response" |
grep "sid" |
sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
124 _H1
="X-SYNO-TOKEN: $token"
128 # Now that we know the username and password are good, save them
129 _savedeployconf SYNO_Username
"$SYNO_Username"
130 _savedeployconf SYNO_Password
"$SYNO_Password"
131 _savedeployconf SYNO_DID
"$SYNO_DID"
132 _savedeployconf SYNO_TOTP_SECRET
"$SYNO_TOTP_SECRET"
134 _info
"Getting certificates in Synology DSM"
135 response
=$
(_post
"api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
136 _debug3 response
"$response"
137 escaped_certificate
="$(printf "%s
" "$SYNO_Certificate" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
138 _debug escaped_certificate
"$escaped_certificate"
139 id
=$
(echo "$response" |
sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
142 if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
143 _err
"Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set"
147 # we've verified this certificate description is a thing, so save it
148 _savedeployconf SYNO_Certificate
"$SYNO_Certificate" "base64"
150 _info
"Generate form POST request"
152 delim
="--------------------------$(_utc_date | tr -d -- '-: ')"
153 content
="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\0012"
154 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\0012"
155 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
156 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
157 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
158 if echo "$response" |
sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" |
grep -- 'is_default":true' >/dev
/null
; then
159 _debug2 default
"this is the default certificate"
160 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
162 _debug2 default
"this is NOT the default certificate"
164 content
="$content${nl}--$delim--${nl}"
165 content
="$(printf "%b_
" "$content")"
166 content
="${content%_}" # protect trailing \n
168 _info
"Upload certificate to the Synology DSM"
169 response
=$
(_post
"$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token&_sid=$sid" "" "POST" "multipart/form-data; boundary=${delim}")
170 _debug3 response
"$response"
172 if ! echo "$response" |
grep '"error":' >/dev
/null
; then
173 if echo "$response" |
grep '"restart_httpd":true' >/dev
/null
; then
174 _info
"http services were restarted"
176 _info
"http services were NOT restarted"
180 _err
"Unable to update certificate, error code $response"