From d05ac212e5d1bc5317b23f551f3472cc423ebadf Mon Sep 17 00:00:00 2001
From: herbetom
Date: Mon, 29 Jul 2019 02:22:04 +0200
Subject: [PATCH 1/3] store the env vars within the domainconf

The enviroment variables are stored inside the domain configuration file, so that it is not necessary to provide them each time also the option ROUTER_OS_WEB_SERVICE was added for the ability to disable updating the certificate for the www-ssl service, useful for example when a special certificate only for the hotspot server is needed
---
 deploy/routeros.sh | 119 +++++++++++++++++++++++++++++++++------------
 1 file changed, 88 insertions(+), 31 deletions(-)

diff --git a/deploy/routeros.sh b/deploy/routeros.sh
index 21c9196f..91b08763 100644
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@@ -18,7 +18,8 @@
 # the files on the router.
 #
 # Then you need to set the environment variables for the
-# deploy script to work.
+# deploy script to work. It will store those in the domainconf.
+# So there is no need to set them every time.
 #
 # ```sh
 # export ROUTER_OS_USERNAME=certuser
@@ -38,13 +39,22 @@
 #
 # At the end of the script, the services that use those certificates
 # could be updated. Currently only the www-ssl service is beeing
-# updated, but more services could be added.
+# updated. You can prevent this by setting the following enviroment
+# variable: `export ROUTER_OS_WEB_SERVICE="no"`.
+
+# You can add more services to
+#, but more services could be added.
 #
 # For instance:
 # ```sh
 # export ROUTER_OS_ADDITIONAL_SERVICES="/ip service set api-ssl certificate=$_cdomain.cer_0"
 # ```
 #
+# To set the ssl-certificate for a hotspot profile the following command
+# is useful:
+# ```sh
+# /ip hotspot profile set [find dns-name=hs.example.com] ssl-certificate=hs.example.com.cer_0
+# ```
 # One optional thing to do as well is to create a script that updates
 # all the required services and run that script in a single command.
 #
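Review bot: The second hunk leaves the comment block half-edited: `+# You can add more services to` is followed by the orphaned fragment `+#, but more services could be added.`, which is the tail of the line removed just above. Suggest merging them into one sentence such as `# You can add more services to be updated with the following environment variable:` so it leads into the `ROUTER_OS_ADDITIONAL_SERVICES` example that follows. The same hunk introduces the spelling `enviroment` and keeps `beeing` from the context line; both should be `environment` and `being`. Since the code hunk saves `ROUTER_OS_WEB_SERVICE` into the domainconf and only re-enables the www-ssl update when the variable is set to `yes`, the comment should also mention that a later `export ROUTER_OS_WEB_SERVICE="yes"` is needed to turn it back on.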
@@ -66,46 +76,93 @@ routeros_deploy() {
 _debug _cca "$_cca"
 _debug _cfullchain "$_cfullchain"
- if [ -z "$ROUTER_OS_HOST" ]; then
- _debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct."
- ROUTER_OS_HOST="$_cdomain"
- fi
-
+ # ROUTER_OS_USERNAME is required to login to remote host.
 if [ -z "$ROUTER_OS_USERNAME" ]; then
- _err "Need to set the env variable ROUTER_OS_USERNAME"
- return 1
+ if [ -z "$Le_router_os_username" ]; then
+ _err "Need to set the env variable ROUTER_OS_USERNAME"
+ return 1
+ fi
+ else
+ _info "saving ROUTER_OS_USERNAME in the domainconf"
+ Le_router_os_username="$ROUTER_OS_USERNAME"
+ _savedomainconf Le_router_os_username "$Le_router_os_username"
 fi
- if [ -z "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
- _debug "Not enabling additional services"
- ROUTER_OS_ADDITIONAL_SERVICES=""
+ # ROUTER_OS_HOST is optional. If not provided then use _cdomain
+ if [ -n "$ROUTER_OS_HOST" ]; then
+ _info "saving ROUTER_OS_HOST in the domainconf"
+ Le_router_os_host="$ROUTER_OS_HOST"
+ _savedomainconf Le_router_os_host "$Le_router_os_host"
+ elif [ -z "$Le_router_os_host" ]; then
+ _debug "Using _cdomain as ROUTER_OS_HOST, please set if not correct."
+ Le_router_os_host="$_cdomain"
+ fi
+
+ # ROUTER_OS_ADDITIONAL_SERVICES is optional.
+ if [ -n "$ROUTER_OS_ADDITIONAL_SERVICES" ]; then
+ _info "saving ROUTER_OS_ADDITIONAL_SERVICES in the domainconf"
+ Le_router_os_additional_services="$ROUTER_OS_ADDITIONAL_SERVICES"
+ _savedomainconf Le_router_os_additional_services "$Le_router_os_additional_services"
+ elif [ -z "$Le_router_os_additional_services" ]; then
+ _info "saving ROUTER_OS_ADDITIONAL_SERVICES in the domainconf"
+ Le_router_os_additional_services=""
+ _savedomainconf Le_router_os_additional_services "$Le_router_os_additional_services"
+ fi
+
+ # ROUTER_OS_WEB_SERVICE is optional. Default is yes
+ if [ "$ROUTER_OS_WEB_SERVICE" = "no" ]; then
+ _debug "don't set the certificate for www-ssl service, saving this in the domainconf."
+ Le_router_os_web_service="no"
+ _savedomainconf Le_router_os_web_service "$Le_router_os_web_service"
+ elif [ "$ROUTER_OS_WEB_SERVICE" = "yes" ] || [ -z "$Le_router_os_web_service" ]; then
+ _debug "setting the certificate for www-ssl service, saving this in the domainconf."
+ Le_router_os_web_service="yes"
+ _savedomainconf Le_router_os_web_service "$Le_router_os_web_service"
+ fi
+
+ router_os_services=""
+
+ if [ "$Le_router_os_web_service" = "yes" ]; then
+ router_os_services="$router_os_services \r\n /ip service set www-ssl certificate=$_cdomain.cer_0"
+ fi
+
+ if [ ! -z "$Le_router_os_additional_services" ]; then
+ router_os_services="$router_os_services \r\n $Le_router_os_additional_services"
 fi
 _info "Trying to push key '$_ckey' to router"
- scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
+ scp "$_ckey" "$Le_router_os_username@$Le_router_os_host:$_cdomain.key"
+ if [ $? -ne 0 ]; then
+ _err "pushing key '$_ckey' wasn't successull. Stopping here"
+ return 1
+ fi
+
 _info "Trying to push cert '$_cfullchain' to router"
- scp "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
+ scp "$_cfullchain" "$Le_router_os_username@$Le_router_os_host:$_cdomain.cer"
+ if [ $? -ne 0 ]; then
+ _err "pushing key '$_ckey' wasn't successull. Stopping here"
+ return 1
+ fi
+
 DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive
-source=\"## generated by routeros deploy script in acme.sh
-\n/certificate remove [ find name=$_cdomain.cer_0 ]
-\n/certificate remove [ find name=$_cdomain.cer_1 ]
-\ndelay 1
-\n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\"
-\n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\"
-\ndelay 1
-\n/file remove $_cdomain.cer
-\n/file remove $_cdomain.key
-\ndelay 2
-\n/ip service set www-ssl certificate=$_cdomain.cer_0
-\n$ROUTER_OS_ADDITIONAL_SERVICES
-\n\"
-"
+source=\"## generated by routeros deploy script in acme.sh\r\n
+\r\n /certificate remove [ find name=$_cdomain.cer_0 ]
+\r\n /certificate remove [ find name=$_cdomain.cer_1 ]
+\r\n delay 1
+\r\n /certificate import file-name=$_cdomain.cer passphrase=\\\"\\\"
+\r\n /certificate import file-name=$_cdomain.key passphrase=\\\"\\\"
+\r\n delay 1
+\r\n /file remove $_cdomain.cer
+\r\n /file remove $_cdomain.key
+\r\n delay 2
+$router_os_services\""
+
 # shellcheck disable=SC2029
- ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "$DEPLOY_SCRIPT_CMD"
+ ssh "$Le_router_os_username@$Le_router_os_host" $DEPLOY_SCRIPT_CMD
 # shellcheck disable=SC2029
- ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script run \"LE Cert Deploy - $_cdomain\""
+ ssh "$Le_router_os_username@$Le_router_os_host" "/system script run \"LE Cert Deploy - $_cdomain\""
 # shellcheck disable=SC2029
- ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" "/system script remove \"LE Cert Deploy - $_cdomain\""
+ ssh "$Le_router_os_username@$Le_router_os_host" "/system script remove \"LE Cert Deploy - $_cdomain\""
 return 0
 }

From faa84a42c3dafb1db764a03756ee24996531866e Mon Sep 17 00:00:00 2001
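Review bot: When the second `scp` (the certificate push) fails, the private key uploaded by the first `scp` stays in the router's file store, because the only `/file remove $_cdomain.key` lives inside the generated RouterOS script, which is never created on that error path. Consider deleting the already-pushed key in that branch before returning, e.g. `ssh "$Le_router_os_username@$Le_router_os_host" "/file remove $_cdomain.key"`, or pushing the certificate first so that a failure leaves only public material behind. The message in that branch is also a copy of the key one and should read `_err "pushing cert '$_cfullchain' wasn't successful. Stopping here"`. A `ROUTER_OS_WEB_SERVICE` value other than `yes`/`no` is silently ignored (falling back to `yes` when nothing is saved, otherwise to the saved value); an `_err` or at least a `_info` for unrecognised values would make that visible. `routeros_deploy()` starts before this hunk.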
From: herbetom
Date: Mon, 29 Jul 2019 12:00:26 +0200
Subject: [PATCH 2/3] fixed line breaks and quotation marks

---
 deploy/routeros.sh | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/deploy/routeros.sh b/deploy/routeros.sh
index 91b08763..232ccc66 100644
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/bin/bash
 # Here is a script to deploy cert to routeros router.
 # Deploy the cert to remote routeros
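Review bot: The shebang change from `#!/usr/bin/env sh` to `#!/bin/bash` is not required by anything else in this series: the backslash-continued double-quoted string introduced in the next hunk is handled by POSIX sh exactly the same way. If acme.sh sources this hook into its own shell as it does with the other deploy hooks (inferred, not visible here), the shebang never selects the interpreter at runtime and only changes the dialect ShellCheck assumes, so bashisms that break under sh would no longer be flagged. Suggest keeping `#!/usr/bin/env sh`.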
@@ -144,21 +144,21 @@ routeros_deploy() {
 return 1
 fi
- DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive
-source=\"## generated by routeros deploy script in acme.sh\r\n
-\r\n /certificate remove [ find name=$_cdomain.cer_0 ]
-\r\n /certificate remove [ find name=$_cdomain.cer_1 ]
-\r\n delay 1
-\r\n /certificate import file-name=$_cdomain.cer passphrase=\\\"\\\"
-\r\n /certificate import file-name=$_cdomain.key passphrase=\\\"\\\"
-\r\n delay 1
-\r\n /file remove $_cdomain.cer
-\r\n /file remove $_cdomain.key
-\r\n delay 2
+ DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=admin policy=ftp,read,write,password,sensitive \
+source=\"## generated by routeros deploy script in acme.sh\r\n\
+\r\n /certificate remove [ find name=$_cdomain.cer_0 ]\
+\r\n /certificate remove [ find name=$_cdomain.cer_1 ]\
+\r\n delay 1\
+\r\n /certificate import file-name=$_cdomain.cer passphrase=\\\"\\\"\
+\r\n /certificate import file-name=$_cdomain.key passphrase=\\\"\\\"\
+\r\n delay 1\
+\r\n /file remove $_cdomain.cer\
+\r\n /file remove $_cdomain.key\
+\r\n delay 2\
 $router_os_services\""
 # shellcheck disable=SC2029
- ssh "$Le_router_os_username@$Le_router_os_host" $DEPLOY_SCRIPT_CMD
+ ssh "$Le_router_os_username@$Le_router_os_host" "$DEPLOY_SCRIPT_CMD"
 # shellcheck disable=SC2029
 ssh "$Le_router_os_username@$Le_router_os_host" "/system script run \"LE Cert Deploy - $_cdomain\""
 # shellcheck disable=SC2029

From 0d8952dd976a04d68268ae73b71b84eb82100b86 Mon Sep 17 00:00:00 2001
From: herbetom
Date: Wed, 26 Feb 2020 16:09:31 +0100
Subject: [PATCH 3/3] add line break

---
 deploy/routeros.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploy/routeros.sh b/deploy/routeros.sh
index 232ccc66..2fd3bf34 100644
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@@ -157,6 +157,7 @@ source=\"## generated by routeros deploy script in acme.sh\r\n\
 \r\n delay 2\
 $router_os_services\""
+
 # shellcheck disable=SC2029
 ssh "$Le_router_os_username@$Le_router_os_host" "$DEPLOY_SCRIPT_CMD"
 # shellcheck disable=SC2029