Browse Source

Use allchain instead of ca an cert, add documentation after review

dnsconf
Pål Håland 7 years ago
parent
commit
8d38cf4d1f
  1. 16
      deploy/README.md
  2. 12
      deploy/routeros.sh

16
deploy/README.md

@ -265,6 +265,8 @@ acme.sh --deploy -d ftp.example.com --deploy-hook routeros
Before you can deploy the certificate to router os, you need to add the id_rsa.pub key to the routeros and assign a user to that key. Before you can deploy the certificate to router os, you need to add the id_rsa.pub key to the routeros and assign a user to that key.
The user need to have access to ssh, ftp, read and write. The user need to have access to ssh, ftp, read and write.
There are no need to enable ftp service for the script to work, as they are transmitted over SCP, however ftp is needed to store the files on the router.
Then you need to set the environment variables for the deploy script to work. Then you need to set the environment variables for the deploy script to work.
```sh ```sh
export ROUTER_OS_USERNAME=certuser export ROUTER_OS_USERNAME=certuser
@ -272,3 +274,17 @@ export ROUTER_OS_HOST=router.example.com
acme.sh --deploy -d ftp.example.com --deploy-hook routeros acme.sh --deploy -d ftp.example.com --deploy-hook routeros
``` ```
The deploy script will remove previously deployed certificates, and it does this with an assumption on how RouterOS names imported certificates, adding a "cer_0" suffix at the end. This is true for versions 6.32 -> 6.41.3, but it is not guaranteed that it will be true for future versions when upgrading.
If the router have other certificates with the same name as the one beeing deployed, then this script will remove those certificates.
At the end of the script, the services that use those certificates could be updated. Currently only the www-ssl service is beeing updated, but more services could be added.
For instance:
```
/ip service set www-ssl certificate=$_cdomain.cer_0
/ip service set api-ssl certificate=$_cdomain.cer_0
```
One optional thing to do as well is to create a script that updates all the required services and run that script in a single command.

12
deploy/routeros.sh

@ -32,10 +32,8 @@ routeros_deploy() {
_info "Trying to push key '$_ckey' to router" _info "Trying to push key '$_ckey' to router"
scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key" scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
_info "Trying to push cert '$_ccert' to router"
scp "$_ccert" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
_info "Trying to push ca cert '$_cca' to router"
scp "$_cca" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.ca"
_info "Trying to push cert '$_cfullchain' to router"
scp "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
# shellcheck disable=SC2029 # shellcheck disable=SC2029
ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" bash -c "' ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" bash -c "'
@ -43,24 +41,18 @@ routeros_deploy() {
/certificate remove $_cdomain.cer_1 /certificate remove $_cdomain.cer_1
/certificate remove $_cdomain.ca_0
delay 1 delay 1
/certificate import file-name=$_cdomain.cer passphrase=\"\" /certificate import file-name=$_cdomain.cer passphrase=\"\"
/certificate import file-name=$_cdomain.key passphrase=\"\" /certificate import file-name=$_cdomain.key passphrase=\"\"
/certificate import file-name=$_cdomain.ca passphrase=\"\"
delay 1 delay 1
/file remove $_cdomain.cer /file remove $_cdomain.cer
/file remove $_cdomain.key /file remove $_cdomain.key
/file remove $_cdomain.ca
delay 2 delay 2
/ip service set www-ssl certificate=$_cdomain.cer_0 /ip service set www-ssl certificate=$_cdomain.cer_0

Loading…
Cancel
Save