]> git.proxmox.com Git - mirror_acme.sh.git/blob - dnsapi/dns_opnsense.sh
projects / mirror_acme.sh.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2690 from nstepa/dns_yandex
[mirror_acme.sh.git] / dnsapi / dns_opnsense.sh
1 #!/usr/bin/env sh
2
3 #OPNsense Bind API
4 #https://docs.opnsense.org/development/api.html
5 #
6 #OPNs_Host="opnsense.example.com"
7 #OPNs_Port="443"
8 # optional, defaults to 443 if unset
9 #OPNs_Key="qocfU9RSbt8vTIBcnW8bPqCrpfAHMDvj5OzadE7Str+rbjyCyk7u6yMrSCHtBXabgDDXx/dY0POUp7ZA"
10 #OPNs_Token="pZEQ+3ce8dDlfBBdg3N8EpqpF5I1MhFqdxX06le6Gl8YzyQvYCfCzNaFX9O9+IOSyAs7X71fwdRiZ+Lv"
11 #OPNs_Api_Insecure=0
12 # optional, defaults to 0 if unset
13 # Set 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1)
14
15 ######## Public functions #####################
16 #Usage: add _acme-challenge.www.domain.com "123456789ABCDEF0000000000000000000000000000000000000"
17 #fulldomain
18 #txtvalue
19 OPNs_DefaultPort=443
20 OPNs_DefaultApi_Insecure=0
21
22 dns_opnsense_add() {
23 fulldomain=$1
24 txtvalue=$2
25
26 _opns_check_auth || return 1
27
28 if ! set_record "$fulldomain" "$txtvalue"; then
29 return 1
30 fi
31
32 return 0
33 }
34
35 #fulldomain
36 dns_opnsense_rm() {
37 fulldomain=$1
38 txtvalue=$2
39
40 _opns_check_auth || return 1
41
42 if ! rm_record "$fulldomain" "$txtvalue"; then
43 return 1
44 fi
45
46 return 0
47 }
48
49 set_record() {
50 fulldomain=$1
51 new_challenge=$2
52 _info "Adding record $fulldomain with challenge: $new_challenge"
53
54 _debug "Detect root zone"
55 if ! _get_root "$fulldomain"; then
56 _err "invalid domain"
57 return 1
58 fi
59
60 _debug _domain "$_domain"
61 _debug _host "$_host"
62 _debug _domainid "$_domainid"
63 _return_str=""
64 _record_string=""
65 _build_record_string "$_domainid" "$_host" "$new_challenge"
66 _uuid=""
67 if _existingchallenge "$_domain" "$_host" "$new_challenge"; then
68 # Update
69 if _opns_rest "POST" "/record/setRecord/${_uuid}" "$_record_string"; then
70 _return_str="$response"
71 else
72 return 1
73 fi
74
75 else
76 #create
77 if _opns_rest "POST" "/record/addRecord" "$_record_string"; then
78 _return_str="$response"
79 else
80 return 1
81 fi
82 fi
83
84 if echo "$_return_str" | _egrep_o "\"result\":\"saved\"" >/dev/null; then
85 _opns_rest "POST" "/service/reconfigure" "{}"
86 _debug "Record created"
87 else
88 _err "Error creating record $_record_string"
89 return 1
90 fi
91
92 return 0
93 }
94
95 rm_record() {
96 fulldomain=$1
97 new_challenge="$2"
98 _info "Remove record $fulldomain with challenge: $new_challenge"
99
100 _debug "Detect root zone"
101 if ! _get_root "$fulldomain"; then
102 _err "invalid domain"
103 return 1
104 fi
105
106 _debug _domain "$_domain"
107 _debug _host "$_host"
108 _debug _domainid "$_domainid"
109 _uuid=""
110 if _existingchallenge "$_domain" "$_host" "$new_challenge"; then
111 # Delete
112 if _opns_rest "POST" "/record/delRecord/${_uuid}" "\{\}"; then
113 if echo "$_return_str" | _egrep_o "\"result\":\"deleted\"" >/dev/null; then
114 _opns_rest "POST" "/service/reconfigure" "{}"
115 _debug "Record deleted"
116 else
117 _err "Error deleting record $_host from domain $fulldomain"
118 return 1
119 fi
120 else
121 _err "Error deleting record $_host from domain $fulldomain"
122 return 1
123 fi
124 else
125 _info "Record not found, nothing to remove"
126 fi
127
128 return 0
129 }
130
131 #################### Private functions below ##################################
132 #_acme-challenge.www.domain.com
133 #returns
134 # _domainid=domid
135 #_domain=domain.com
136 _get_root() {
137 domain=$1
138 i=2
139 p=1
140 if _opns_rest "GET" "/domain/get"; then
141 _domain_response="$response"
142 else
143 return 1
144 fi
145
146 while true; do
147 h=$(printf "%s" "$domain" | cut -d . -f $i-100)
148 if [ -z "$h" ]; then
149 #not valid
150 return 1
151 fi
152 _debug h "$h"
153 id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":\"[^\"]*\",\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2)
154
155 if [ -n "$id" ]; then
156 _debug id "$id"
157 _host=$(printf "%s" "$domain" | cut -d . -f 1-$p)
158 _domain="${h}"
159 _domainid="${id}"
160 return 0
161 fi
162 p=$i
163 i=$(_math $i + 1)
164 done
165 _debug "$domain not found"
166
167 return 1
168 }
169
170 _opns_rest() {
171 method=$1
172 ep=$2
173 data=$3
174 #Percent encode user and token
175 key=$(echo "$OPNs_Key" | tr -d "\n\r" | _url_encode)
176 token=$(echo "$OPNs_Token" | tr -d "\n\r" | _url_encode)
177
178 opnsense_url="https://${key}:${token}@${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}"
179 export _H1="Content-Type: application/json"
180 _debug2 "Try to call api: https://${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}"
181 if [ ! "$method" = "GET" ]; then
182 _debug data "$data"
183 export _H1="Content-Type: application/json"
184 response="$(_post "$data" "$opnsense_url" "" "$method")"
185 else
186 export _H1=""
187 response="$(_get "$opnsense_url")"
188 fi
189
190 if [ "$?" != "0" ]; then
191 _err "error $ep"
192 return 1
193 fi
194 _debug2 response "$response"
195
196 return 0
197 }
198
199 _build_record_string() {
200 _record_string="{\"record\":{\"enabled\":\"1\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"}}"
201 }
202
203 _existingchallenge() {
204 if _opns_rest "GET" "/record/searchRecord"; then
205 _record_response="$response"
206 else
207 return 1
208 fi
209 _uuid=""
210 _uuid=$(echo "$_record_response" | _egrep_o "\"uuid\":\"[^\"]*\",\"enabled\":\"[01]\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
211
212 if [ -n "$_uuid" ]; then
213 _debug uuid "$_uuid"
214 return 0
215 fi
216 _debug "${2}.$1{1} record not found"
217
218 return 1
219 }
220
221 _opns_check_auth() {
222 OPNs_Host="${OPNs_Host:-$(_readaccountconf_mutable OPNs_Host)}"
223 OPNs_Port="${OPNs_Port:-$(_readaccountconf_mutable OPNs_Port)}"
224 OPNs_Key="${OPNs_Key:-$(_readaccountconf_mutable OPNs_Key)}"
225 OPNs_Token="${OPNs_Token:-$(_readaccountconf_mutable OPNs_Token)}"
226 OPNs_Api_Insecure="${OPNs_Api_Insecure:-$(_readaccountconf_mutable OPNs_Api_Insecure)}"
227
228 if [ -z "$OPNs_Host" ]; then
229 _err "You don't specify OPNsense address."
230 return 1
231 else
232 _saveaccountconf_mutable OPNs_Host "$OPNs_Host"
233 fi
234
235 if ! printf '%s' "$OPNs_Port" | grep '^[0-9]*$' >/dev/null; then
236 _err 'OPNs_Port specified but not numeric value'
237 return 1
238 elif [ -z "$OPNs_Port" ]; then
239 _info "OPNSense port not specified. Defaulting to using port $OPNs_DefaultPort"
240 else
241 _saveaccountconf_mutable OPNs_Port "$OPNs_Port"
242 fi
243
244 if ! printf '%s' "$OPNs_Api_Insecure" | grep '^[01]$' >/dev/null; then
245 _err 'OPNs_Api_Insecure specified but not 0/1 value'
246 return 1
247 elif [ -n "$OPNs_Api_Insecure" ]; then
248 _saveaccountconf_mutable OPNs_Api_Insecure "$OPNs_Api_Insecure"
249 fi
250 export HTTPS_INSECURE="${OPNs_Api_Insecure:-$OPNs_DefaultApi_Insecure}"
251
252 if [ -z "$OPNs_Key" ]; then
253 _err "you have not specified your OPNsense api key id."
254 _err "Please set OPNs_Key and try again."
255 return 1
256 else
257 _saveaccountconf_mutable OPNs_Key "$OPNs_Key"
258 fi
259
260 if [ -z "$OPNs_Token" ]; then
261 _err "you have not specified your OPNsense token."
262 _err "Please create OPNs_Token and try again."
263 return 1
264 else
265 _saveaccountconf_mutable OPNs_Token "$OPNs_Token"
266 fi
267
268 if ! _opns_rest "GET" "/general/get"; then
269 _err "Call to OPNsense API interface failed. Unable to access OPNsense API."
270 return 1
271 fi
272 return 0
273 }
acme.sh DNS challenge mirror