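#!/bin/bash
#
# letsencrypt-routeros.sh
#
# Push a certbot-issued certificate and its private key to a MikroTik
# RouterOS device over SSH/SCP, import them into the router's certificate
# store and point the SSTP, www-ssl and api-ssl services at the result.
#
# Usage:
#   letsencrypt-routeros.sh -f /path/to/config
#   letsencrypt-routeros.sh -u USER -h HOST -p SSH_PORT -k PRIVATE_KEY -d DOMAIN
#
# Settings, from the command line or from the sourced config file:
#   ROUTEROS_USER, ROUTEROS_HOST, ROUTEROS_SSH_PORT, ROUTEROS_PRIVATE_KEY, DOMAIN
#   SSH_STRICT_KEY_CHECKING  optional, defaults to "yes" (keep it that way)
#   SETUP_SERVICES           optional array selecting which services to update
#
# SECURITY: the config file is executed as shell code (sourced), so it must be
# writable only by the operator running this script. None of the values may
# contain spaces: they are spliced into ssh/scp argument strings that are
# expanded unquoted further down.

# Command-line values. When -f is given the config file is sourced afterwards
# and therefore wins over anything passed on the command line.
while getopts 'u:h:p:k:d:f:' OPTION; do
  case "$OPTION" in
    u) ROUTEROS_USER=$OPTARG ;;
    h) ROUTEROS_HOST=$OPTARG ;;
    p) ROUTEROS_SSH_PORT=$OPTARG ;;
    k) ROUTEROS_PRIVATE_KEY=$OPTARG ;;
    d) DOMAIN=$OPTARG ;;
    f) CONFIG=$OPTARG ;;
    *)
      # getopts reports an unknown flag or a missing argument as '?'. Stop
      # here instead of carrying on with a half-parsed command line.
      echo "Unknown option '$OPTION'" >&2
      exit 1
      ;;
  esac
done
shift "$((OPTIND - 1))"

# Print the invocation forms. The config option is -f (the old text said -c,
# which getopts never accepted).
usage() {
  printf 'Usage:\n%s -f /path/to/config\nOR\n%s -u [RouterOS User] -h [RouterOS Host] -p [SSH Port] -k [SSH Private Key] -d [Domain]\n' "$0" "$0" >&2
}

if [[ -n $CONFIG ]]; then
  if [[ ! -r $CONFIG ]]; then
    echo "Config file not found or not readable: $CONFIG" >&2
    exit 1
  fi
  # The file is sourced as shell code; a world-writable config lets any local
  # user inject commands that then run with this user's SSH access to the router.
  if [[ -n $(find -L "$CONFIG" -maxdepth 0 -perm -002 2>/dev/null) ]]; then
    echo "WARNING: config file $CONFIG is world-writable; it is executed as shell code" >&2
  fi
  # shellcheck disable=SC1090 -- operator-supplied path
  source "$CONFIG"
elif [[ -z $ROUTEROS_USER || -z $ROUTEROS_HOST || -z $ROUTEROS_SSH_PORT || -z $ROUTEROS_PRIVATE_KEY || -z $DOMAIN ]]; then
  usage
  exit 1
fi

# Re-check after sourcing: the config file may itself be incomplete.
if [[ -z $ROUTEROS_USER || -z $ROUTEROS_HOST || -z $ROUTEROS_SSH_PORT || -z $ROUTEROS_PRIVATE_KEY || -z $DOMAIN ]]; then
  echo "Check the config file $CONFIG or start with params: $0 -u [RouterOS User] -h [RouterOS Host] -p [SSH Port] -k [SSH Private Key] -d [Domain]" >&2
  echo "Please avoid spaces" >&2
  exit 1
fi

# These values end up in local file paths, in ssh/scp argument strings and in
# RouterOS command lines executed over SSH. Reject anything that is not
# plainly a port number, a DNS-style name or a readable key file, so a typo
# (or a tampered config) cannot turn into an unexpected path or command.
port_re='^[0-9]+$'
if [[ ! $ROUTEROS_SSH_PORT =~ $port_re ]] || (( 10#$ROUTEROS_SSH_PORT < 1 || 10#$ROUTEROS_SSH_PORT > 65535 )); then
  echo "ROUTEROS_SSH_PORT must be a TCP port number (1-65535), got '$ROUTEROS_SSH_PORT'" >&2
  exit 1
fi
domain_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
if [[ ! $DOMAIN =~ $domain_re ]]; then
  echo "DOMAIN must be a plain DNS name (letters, digits, '.', '-', '_'), got '$DOMAIN'" >&2
  echo "For a wildcard certificate pass the certbot lineage name (e.g. example.com), not '*.example.com'" >&2
  exit 1
fi
if [[ ! -r $ROUTEROS_PRIVATE_KEY ]]; then
  echo "SSH private key not found or not readable: $ROUTEROS_PRIVATE_KEY" >&2
  exit 1
fi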
# Certbot keeps the current files of a lineage under live/<name>/. Only the
# leaf certificate and the private key are used; the chain is not uploaded.
CERTIFICATE=/etc/letsencrypt/live/${DOMAIN}/cert.pem
KEY=/etc/letsencrypt/live/${DOMAIN}/privkey.pem

echo ""
echo "Updating certificate for $DOMAIN"
echo " Using certificate $CERTIFICATE"
echo " User private key $KEY"

# Shared ssh/scp invocations. They are plain whitespace-separated strings that
# the following steps expand unquoted ($routeros ..., $scp ...), which is why
# none of the configured values may contain spaces.
#
# NOTE: PubkeyAcceptedKeyTypes=+ssh-dss re-enables ssh-dss (DSA) keys, which
# OpenSSH disables by default because they are considered weak. It is kept
# for RouterOS builds that accept nothing stronger; use an RSA or Ed25519 key
# wherever the device supports one.
#
# Keep SSH_STRICT_KEY_CHECKING at "yes": the TLS private key is copied to the
# router with scp below, so with host-key checking off a first connection to
# an impostor host would hand that key over.
ssh_common_opts="-o PubkeyAcceptedKeyTypes=+ssh-dss -o StrictHostKeyChecking=${SSH_STRICT_KEY_CHECKING:-yes}"
routeros="ssh ${ssh_common_opts} -i $ROUTEROS_PRIVATE_KEY ${ROUTEROS_USER}@${ROUTEROS_HOST} -p $ROUTEROS_SSH_PORT"
scp="scp -q ${ssh_common_opts} -P $ROUTEROS_SSH_PORT -i $ROUTEROS_PRIVATE_KEY"

echo ""
echo "Checking connection to RouterOS"
# A harmless read-only command serves as the probe; a failure here is almost
# always key type, host key or login, hence the pointer to the MikroTik wiki.
if ! $routeros /system resource print; then
  echo -e "\nError in: $routeros"
  echo "More info: https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login)"
  exit 1
fi
echo -e "\nConnection to RouterOS Successful!\n"
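# Both files are required: the certificate and the key are uploaded and
# imported separately below, so abort if EITHER is missing (the old test used
# && and only complained when both were absent).
if [[ ! -f $CERTIFICATE || ! -f $KEY ]]; then
  echo -e "\nFile(s) not found:\n${CERTIFICATE}\n${KEY}\n"
  echo -e "Please use CertBot Let'sEncrypt:"
  echo "============================"
  # NOTE(review): recent certbot releases may no longer accept
  # --manual-public-ip-logging-ok — confirm against the installed version.
  echo "certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok"
  echo "or (for wildcard certificate):"
  echo "certbot certonly --preferred-challenges=dns --manual -d *.$DOMAIN --manual-public-ip-logging-ok --server https://acme-v02.api.letsencrypt.org/directory"
  echo "==========================="
  echo -e "and follow instructions from CertBot\n"
  exit 1
fi
# certbot's privkey.pem is normally readable by root only; fail early with a
# clear message instead of letting scp fail half-way through the update.
if [[ ! -r $CERTIFICATE || ! -r $KEY ]]; then
  echo "Cannot read $CERTIFICATE or $KEY; run as a user with access to /etc/letsencrypt/live" >&2
  exit 1
fi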
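# Names used on the router. RouterOS derives the name of an imported
# certificate from the uploaded file name plus a numeric suffix; the rest of
# the script relies on the result being "<file>_0", presumably because the
# previous copy is removed first — TODO confirm on the target RouterOS version.
DOMAIN_INSTALLED_CERT_FILE=${DOMAIN}.pem_0
DOMAIN_CERT_FILE=${DOMAIN}.pem
DOMAIN_KEY_FILE=${DOMAIN}.key

# Remove the previously installed certificate so the new import can take the
# same "_0" name the services are pointed at.
# NOTE(review): from here until the import succeeds the services reference a
# certificate that no longer exists; if an upload or import below fails they
# stay that way until the script is rerun successfully.
echo "Removing old certificate from installed certificates: $DOMAIN_INSTALLED_CERT_FILE"
$routeros /certificate remove [find name="$DOMAIN_INSTALLED_CERT_FILE"]

echo ""
echo "Handling new certificate file"
# Clear a stale copy first; stdout is discarded because "no such item" is the
# expected answer on a router that has not seen this file before.
echo " Deleting any old copy of certificate file from disk: $DOMAIN_CERT_FILE"
$routeros /file remove "$DOMAIN_CERT_FILE" >/dev/null

echo " Uploading new domain certificate file to router: $CERTIFICATE"
if ! $scp "$CERTIFICATE" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN_CERT_FILE"; then
  echo "Certificate upload to $ROUTEROS_HOST failed; the old certificate has already been removed, rerun once fixed" >&2
  exit 1
fi
# Give the router a moment to register the uploaded file before importing it
# (kept from the original; presumably the file store lags behind scp —
# TODO confirm whether the delay is still needed).
sleep 2

echo " Importing new certificate file to router certificates"
# passphrase=\"\" reaches the router as passphrase="" — an empty passphrase.
$routeros /certificate import file-name="$DOMAIN_CERT_FILE" passphrase=\"\"
cert_import_status=$?
# Remove the uploaded file whether or not the import worked.
echo " Deleting any new copy of certificate file from disk: $DOMAIN_CERT_FILE"
$routeros /file remove "$DOMAIN_CERT_FILE"
# A non-zero ssh status is treated as a failed import; whether RouterOS
# signals a failed import through the exit status at all is not established
# here — TODO confirm — so also read the import output above.
if (( cert_import_status != 0 )); then
  echo "Certificate import on $ROUTEROS_HOST failed (status $cert_import_status)" >&2
  exit 1
fi

echo ""
echo "Handling new key file"
# The private key is uploaded in plain text to the router's file store and
# must not be left there: it is removed right after the import, on every path.
echo " Deleting any old copy of key file from disk: ${DOMAIN_KEY_FILE}"
$routeros /file remove "$DOMAIN_KEY_FILE" >/dev/null

echo " Uploading new domain key file to router: $KEY"
if ! $scp "$KEY" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN_KEY_FILE"; then
  echo "Key upload to $ROUTEROS_HOST failed; removing any partial copy" >&2
  $routeros /file remove "$DOMAIN_KEY_FILE" >/dev/null
  exit 1
fi
sleep 2

echo " Importing new key file to router certificates"
$routeros /certificate import file-name="$DOMAIN_KEY_FILE" passphrase=\"\"
key_import_status=$?
# Always delete the plaintext key file from the router, even if the import failed.
echo " Deleting any new copy of key file from disk: $DOMAIN_KEY_FILE"
$routeros /file remove "$DOMAIN_KEY_FILE"
if (( key_import_status != 0 )); then
  echo "Key import on $ROUTEROS_HOST failed (status $key_import_status)" >&2
  exit 1
fi
echo ""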
# Point the selected RouterOS services at the freshly imported certificate.
#
# SETUP_SERVICES is an optional array from the config. When it is unset or
# empty every service is updated, because each check falls back to its own
# service name; when it is set, a service is updated if its name occurs
# anywhere in the joined array (substring match, as before).
wants_service() {
  [[ "${SETUP_SERVICES[*]:-$1}" == *"$1"* ]]
}

if wants_service SSTP; then
  echo "Updating SSTP Server to use $DOMAIN_INSTALLED_CERT_FILE"
  $routeros /interface sstp-server server set certificate="$DOMAIN_INSTALLED_CERT_FILE"
fi

if wants_service WWW; then
  echo "Updating HTTPS Server to use $DOMAIN_INSTALLED_CERT_FILE"
  $routeros /ip service set www-ssl certificate="$DOMAIN_INSTALLED_CERT_FILE"
fi

if wants_service API; then
  echo "Updating API SSL Server to use $DOMAIN_INSTALLED_CERT_FILE"
  $routeros /ip service set api-ssl certificate="$DOMAIN_INSTALLED_CERT_FILE"
fi

exit 0