forked from Github/acme.sh
neil
5 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 1000 additions and 6 deletions
-
8acme.sh
-
139deploy/panos.sh
-
152deploy/synology_dsm.sh
-
141dnsapi/dns_constellix.sh
-
2dnsapi/dns_ddnss.sh
-
121dnsapi/dns_dynv6.sh
-
168dnsapi/dns_kas.sh
-
2dnsapi/dns_me.sh
-
273dnsapi/dns_opnsense.sh
@ -0,0 +1,139 @@ |
|||
#!/usr/bin/env sh |
|||
|
|||
# Script to deploy certificates to Palo Alto Networks PANOS via API |
|||
# Note PANOS API KEY and IP address needs to be set prior to running. |
|||
# The following variables exported from environment will be used. |
|||
# If not set then values previously saved in domain.conf file are used. |
|||
# |
|||
# Firewall admin with superuser and IP address is required. |
|||
# |
|||
# export PANOS_USER="" # required |
|||
# export PANOS_PASS="" # required |
|||
# export PANOS_HOST="" # required |
|||
|
|||
# This function is to parse the XML |
|||
parse_response() { |
|||
type=$2 |
|||
if [ "$type" = 'keygen' ]; then |
|||
status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g') |
|||
if [ "$status" = "success" ]; then |
|||
panos_key=$(echo "$1" | sed 's/^.*\(<key>\)\(.*\)<\/key>.*/\2/g') |
|||
_panos_key=$panos_key |
|||
else |
|||
message="PAN-OS Key could not be set." |
|||
fi |
|||
else |
|||
status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g') |
|||
message=$(echo "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g') |
|||
fi |
|||
return 0 |
|||
} |
|||
|
|||
deployer() { |
|||
content="" |
|||
type=$1 # Types are keygen, cert, key, commit |
|||
_debug "**** Deploying $type *****" |
|||
panos_url="https://$_panos_host/api/" |
|||
if [ "$type" = 'keygen' ]; then |
|||
_H1="Content-Type: application/x-www-form-urlencoded" |
|||
content="type=keygen&user=$_panos_user&password=$_panos_pass" |
|||
# content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}" |
|||
fi |
|||
|
|||
if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then |
|||
#Generate DEIM |
|||
delim="-----MultipartDelimiter$(date "+%s%N")" |
|||
nl="\015\012" |
|||
#Set Header |
|||
export _H1="Content-Type: multipart/form-data; boundary=$delim" |
|||
if [ "$type" = 'cert' ]; then |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\ncertificate" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n\r\n$_panos_key" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\n\r\npem" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")" |
|||
fi |
|||
if [ "$type" = 'key' ]; then |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\nprivate-key" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n\r\n$_panos_key" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\n\r\npem" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n\r\n123456" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")" |
|||
fi |
|||
#Close multipart |
|||
content="$content${nl}--$delim--${nl}" |
|||
#Convert CRLF |
|||
content=$(printf %b "$content") |
|||
fi |
|||
|
|||
if [ "$type" = 'commit' ]; then |
|||
export _H1="Content-Type: application/x-www-form-urlencoded" |
|||
cmd=$(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode) |
|||
content="type=commit&key=$_panos_key&cmd=$cmd" |
|||
fi |
|||
response=$(_post "$content" "$panos_url" "" "POST") |
|||
parse_response "$response" "$type" |
|||
# Saving response to variables |
|||
response_status=$status |
|||
#DEBUG |
|||
_debug response_status "$response_status" |
|||
if [ "$response_status" = "success" ]; then |
|||
_debug "Successfully deployed $type" |
|||
return 0 |
|||
else |
|||
_err "Deploy of type $type failed. Try deploying with --debug to troubleshoot." |
|||
_debug "$message" |
|||
return 1 |
|||
fi |
|||
} |
|||
|
|||
# This is the main function that will call the other functions to deploy everything. |
|||
panos_deploy() { |
|||
_cdomain="$1" |
|||
_ckey="$2" |
|||
_cfullchain="$5" |
|||
# PANOS ENV VAR check |
|||
if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then |
|||
_debug "No ENV variables found lets check for saved variables" |
|||
_getdeployconf PANOS_USER |
|||
_getdeployconf PANOS_PASS |
|||
_getdeployconf PANOS_HOST |
|||
_panos_user=$PANOS_USER |
|||
_panos_pass=$PANOS_PASS |
|||
_panos_host=$PANOS_HOST |
|||
if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then |
|||
_err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs." |
|||
return 1 |
|||
else |
|||
_debug "Using saved env variables." |
|||
fi |
|||
else |
|||
_debug "Detected ENV variables to be saved to the deploy conf." |
|||
# Encrypt and save user |
|||
_savedeployconf PANOS_USER "$PANOS_USER" 1 |
|||
_savedeployconf PANOS_PASS "$PANOS_PASS" 1 |
|||
_savedeployconf PANOS_HOST "$PANOS_HOST" 1 |
|||
_panos_user="$PANOS_USER" |
|||
_panos_pass="$PANOS_PASS" |
|||
_panos_host="$PANOS_HOST" |
|||
fi |
|||
_debug "Let's use username and pass to generate token." |
|||
if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then |
|||
_err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST" |
|||
return 1 |
|||
else |
|||
_debug "Getting PANOS KEY" |
|||
deployer keygen |
|||
if [ -z "$_panos_key" ]; then |
|||
_err "Missing apikey." |
|||
return 1 |
|||
else |
|||
deployer cert |
|||
deployer key |
|||
deployer commit |
|||
fi |
|||
fi |
|||
} |
@ -0,0 +1,152 @@ |
|||
#!/usr/bin/env sh |
|||
|
|||
# Here is a script to deploy cert to Synology DSM |
|||
# |
|||
# it requires the jq and curl are in the $PATH and the following |
|||
# environment variables must be set: |
|||
# |
|||
# SYNO_Username - Synology Username to login (must be an administrator) |
|||
# SYNO_Password - Synology Password to login |
|||
# SYNO_Certificate - Certificate description to target for replacement |
|||
# |
|||
# The following environmental variables may be set if you don't like their |
|||
# default values: |
|||
# |
|||
# SYNO_Scheme - defaults to http |
|||
# SYNO_Hostname - defaults to localhost |
|||
# SYNO_Port - defaults to 5000 |
|||
# |
|||
#returns 0 means success, otherwise error. |
|||
|
|||
######## Public functions ##################### |
|||
|
|||
_syno_get_cookie_data() { |
|||
grep "\W$1=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';' |
|||
} |
|||
|
|||
#domain keyfile certfile cafile fullchain |
|||
synology_dsm_deploy() { |
|||
|
|||
_cdomain="$1" |
|||
_ckey="$2" |
|||
_ccert="$3" |
|||
_cca="$4" |
|||
|
|||
_debug _cdomain "$_cdomain" |
|||
|
|||
# Get Username and Password, but don't save until we successfully authenticate |
|||
_getdeployconf SYNO_Username |
|||
_getdeployconf SYNO_Password |
|||
_getdeployconf SYNO_Create |
|||
if [ -z "$SYNO_Username" ] || [ -z "$SYNO_Password" ]; then |
|||
SYNO_Username="" |
|||
SYNO_Password="" |
|||
_err "SYNO_Username & SYNO_Password must be set" |
|||
return 1 |
|||
fi |
|||
_debug2 SYNO_Username "$SYNO_Username" |
|||
_secure_debug2 SYNO_Password "$SYNO_Password" |
|||
|
|||
# Optional scheme, hostname, and port for Synology DSM |
|||
_getdeployconf SYNO_Scheme |
|||
_getdeployconf SYNO_Hostname |
|||
_getdeployconf SYNO_Port |
|||
|
|||
# default vaules for scheme, hostname, and port |
|||
# defaulting to localhost and http because it's localhost... |
|||
[ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http" |
|||
[ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost" |
|||
[ -n "${SYNO_Port}" ] || SYNO_Port="5000" |
|||
|
|||
_savedeployconf SYNO_Scheme "$SYNO_Scheme" |
|||
_savedeployconf SYNO_Hostname "$SYNO_Hostname" |
|||
_savedeployconf SYNO_Port "$SYNO_Port" |
|||
|
|||
_debug2 SYNO_Scheme "$SYNO_Scheme" |
|||
_debug2 SYNO_Hostname "$SYNO_Hostname" |
|||
_debug2 SYNO_Port "$SYNO_Port" |
|||
|
|||
# Get the certificate description, but don't save it until we verfiy it's real |
|||
_getdeployconf SYNO_Certificate |
|||
if [ -z "${SYNO_Certificate:?}" ]; then |
|||
_err "SYNO_Certificate needs to be defined (with the Certificate description name)" |
|||
return 1 |
|||
fi |
|||
_debug SYNO_Certificate "$SYNO_Certificate" |
|||
|
|||
_base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port" |
|||
_debug _base_url "$_base_url" |
|||
|
|||
# Login, get the token from JSON and session id from cookie |
|||
_info "Logging into $SYNO_Hostname:$SYNO_Port" |
|||
response=$(_get "$_base_url/webman/login.cgi?username=$SYNO_Username&passwd=$SYNO_Password&enable_syno_token=yes") |
|||
token=$(echo "$response" | grep "SynoToken" | sed -n 's/.*"SynoToken" *: *"\([^"]*\).*/\1/p') |
|||
_debug3 response "$response" |
|||
|
|||
if [ -z "$token" ]; then |
|||
_err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme." |
|||
_err "Check your username and password." |
|||
return 1 |
|||
fi |
|||
|
|||
_H1="Cookie: $(_syno_get_cookie_data "id"); $(_syno_get_cookie_data "smid")" |
|||
_H2="X-SYNO-TOKEN: $token" |
|||
export _H1 |
|||
export _H2 |
|||
_debug2 H1 "${_H1}" |
|||
_debug2 H2 "${_H2}" |
|||
|
|||
# Now that we know the username and password are good, save them |
|||
_savedeployconf SYNO_Username "$SYNO_Username" |
|||
_savedeployconf SYNO_Password "$SYNO_Password" |
|||
_debug token "$token" |
|||
|
|||
_info "Getting certificates in Synology DSM" |
|||
response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1" "$_base_url/webapi/entry.cgi") |
|||
_debug3 response "$response" |
|||
id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p") |
|||
_debug2 id "$id" |
|||
|
|||
if [ -z "$id" ] && [ -z "${SYNO_Create:?}" ]; then |
|||
_err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set" |
|||
return 1 |
|||
fi |
|||
|
|||
# we've verified this certificate description is a thing, so save it |
|||
_savedeployconf SYNO_Certificate "$SYNO_Certificate" |
|||
|
|||
default=false |
|||
if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then |
|||
default=true |
|||
fi |
|||
_debug2 default "$default" |
|||
|
|||
_info "Generate form POST request" |
|||
nl="\015\012" |
|||
delim="--------------------------$(_utc_date | tr -d -- '-: ')" |
|||
content="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\012" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\012" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\012" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}" |
|||
content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}" |
|||
content="$content${nl}--$delim--${nl}" |
|||
content="$(printf "%b_" "$content")" |
|||
content="${content%_}" # protect trailing \n |
|||
|
|||
_info "Upload certificate to the Synology DSM" |
|||
response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token" "" "POST" "multipart/form-data; boundary=${delim}") |
|||
_debug3 response "$response" |
|||
|
|||
if ! echo "$response" | grep '"error":' >/dev/null; then |
|||
if echo "$response" | grep '"restart_httpd":true' >/dev/null; then |
|||
_info "http services were restarted" |
|||
else |
|||
_info "http services were NOT restarted" |
|||
fi |
|||
return 0 |
|||
else |
|||
_err "Unable to update certificate, error code $response" |
|||
return 1 |
|||
fi |
|||
} |
@ -0,0 +1,141 @@ |
|||
#!/usr/bin/env sh |
|||
|
|||
# Author: Wout Decre <wout@canodus.be> |
|||
|
|||
CONSTELLIX_Api="https://api.dns.constellix.com/v1" |
|||
#CONSTELLIX_Key="XXX" |
|||
#CONSTELLIX_Secret="XXX" |
|||
|
|||
######## Public functions ##################### |
|||
|
|||
# Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" |
|||
# Used to add txt record |
|||
dns_constellix_add() { |
|||
fulldomain=$1 |
|||
txtvalue=$2 |
|||
|
|||
CONSTELLIX_Key="${CONSTELLIX_Key:-$(_readaccountconf_mutable CONSTELLIX_Key)}" |
|||
CONSTELLIX_Secret="${CONSTELLIX_Secret:-$(_readaccountconf_mutable CONSTELLIX_Secret)}" |
|||
|
|||
if [ -z "$CONSTELLIX_Key" ] || [ -z "$CONSTELLIX_Secret" ]; then |
|||
_err "You did not specify the Contellix API key and secret yet." |
|||
return 1 |
|||
fi |
|||
|
|||
_saveaccountconf_mutable CONSTELLIX_Key "$CONSTELLIX_Key" |
|||
_saveaccountconf_mutable CONSTELLIX_Secret "$CONSTELLIX_Secret" |
|||
|
|||
if ! _get_root "$fulldomain"; then |
|||
_err "Invalid domain" |
|||
return 1 |
|||
fi |
|||
|
|||
_info "Adding TXT record" |
|||
if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":120,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then |
|||
if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then |
|||
_info "Added" |
|||
return 0 |
|||
else |
|||
_err "Error adding TXT record" |
|||
return 1 |
|||
fi |
|||
fi |
|||
} |
|||
|
|||
# Usage: fulldomain txtvalue |
|||
# Used to remove the txt record after validation |
|||
dns_constellix_rm() { |
|||
fulldomain=$1 |
|||
txtvalue=$2 |
|||
|
|||
CONSTELLIX_Key="${CONSTELLIX_Key:-$(_readaccountconf_mutable CONSTELLIX_Key)}" |
|||
CONSTELLIX_Secret="${CONSTELLIX_Secret:-$(_readaccountconf_mutable CONSTELLIX_Secret)}" |
|||
|
|||
if [ -z "$CONSTELLIX_Key" ] || [ -z "$CONSTELLIX_Secret" ]; then |
|||
_err "You did not specify the Contellix API key and secret yet." |
|||
return 1 |
|||
fi |
|||
|
|||
if ! _get_root "$fulldomain"; then |
|||
_err "Invalid domain" |
|||
return 1 |
|||
fi |
|||
|
|||
_info "Removing TXT record" |
|||
if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then |
|||
if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then |
|||
_info "Removed" |
|||
return 0 |
|||
else |
|||
_err "Error removing TXT record" |
|||
return 1 |
|||
fi |
|||
fi |
|||
} |
|||
|
|||
#################### Private functions below ################################## |
|||
|
|||
_get_root() { |
|||
domain=$1 |
|||
i=2 |
|||
p=1 |
|||
_debug "Detecting root zone" |
|||
while true; do |
|||
h=$(printf "%s" "$domain" | cut -d . -f $i-100) |
|||
if [ -z "$h" ]; then |
|||
return 1 |
|||
fi |
|||
|
|||
if ! _constellix_rest GET "domains"; then |
|||
return 1 |
|||
fi |
|||
|
|||
if _contains "$response" "\"name\":\"$h\""; then |
|||
_domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[^,]*" | head -n 1 | cut -d ':' -f 2 | tr -d '}') |
|||
if [ "$_domain_id" ]; then |
|||
_sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p) |
|||
_domain="$h" |
|||
|
|||
_debug _domain_id "$_domain_id" |
|||
_debug _sub_domain "$_sub_domain" |
|||
_debug _domain "$_domain" |
|||
return 0 |
|||
fi |
|||
return 1 |
|||
fi |
|||
p=$i |
|||
i=$(_math "$i" + 1) |
|||
done |
|||
return 1 |
|||
} |
|||
|
|||
_constellix_rest() { |
|||
m=$1 |
|||
ep="$2" |
|||
data="$3" |
|||
_debug "$ep" |
|||
|
|||
rdate=$(date +"%s")"000" |
|||
hmac=$(printf "%s" "$rdate" | _hmac sha1 "$(printf "%s" "$CONSTELLIX_Secret" | _hex_dump | tr -d ' ')" | _base64) |
|||
|
|||
export _H1="x-cnsdns-apiKey: $CONSTELLIX_Key" |
|||
export _H2="x-cnsdns-requestDate: $rdate" |
|||
export _H3="x-cnsdns-hmac: $hmac" |
|||
export _H4="Accept: application/json" |
|||
export _H5="Content-Type: application/json" |
|||
|
|||
if [ "$m" != "GET" ]; then |
|||
_debug data "$data" |
|||
response="$(_post "$data" "$CONSTELLIX_Api/$ep" "" "$m")" |
|||
else |
|||
response="$(_get "$CONSTELLIX_Api/$ep")" |
|||
fi |
|||
|
|||
if [ "$?" != "0" ]; then |
|||
_err "Error $ep" |
|||
return 1 |
|||
fi |
|||
|
|||
_debug response "$response" |
|||
return 0 |
|||
} |
@ -0,0 +1,121 @@ |
|||
#!/usr/bin/env sh |
|||
#Author StefanAbl |
|||
#Usage specify a private keyfile to use with dynv6 'export KEY="path/to/keyfile"' |
|||
#if no keyfile is specified, you will be asked if you want to create one in /home/$USER/.ssh/dynv6 and /home/$USER/.ssh/dynv6.pub |
|||
######## Public functions ##################### |
|||
# Please Read this guide first: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide |
|||
#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" |
|||
dns_dynv6_add() { |
|||
fulldomain=$1 |
|||
txtvalue=$2 |
|||
_info "Using dynv6 api" |
|||
_debug fulldomain "$fulldomain" |
|||
_debug txtvalue "$txtvalue" |
|||
_get_keyfile |
|||
_info "using keyfile $dynv6_keyfile" |
|||
_get_domain "$fulldomain" |
|||
_your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)" |
|||
if ! _contains "$_your_hosts" "$_host"; then |
|||
_debug "The host is $_host and the record $_record" |
|||
_debug "Dynv6 returned $_your_hosts" |
|||
_err "The host $_host does not exists on your dynv6 account" |
|||
return 1 |
|||
fi |
|||
_debug "found host on your account" |
|||
returnval="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts \""$_host"\" records set \""$_record"\" txt data \""$txtvalue"\")" |
|||
_debug "Dynv6 returend this after record was added: $returnval" |
|||
if _contains "$returnval" "created"; then |
|||
return 0 |
|||
elif _contains "$returnval" "updated"; then |
|||
return 0 |
|||
else |
|||
_err "Something went wrong! it does not seem like the record was added succesfully" |
|||
return 1 |
|||
fi |
|||
return 1 |
|||
} |
|||
#Usage: fulldomain txtvalue |
|||
#Remove the txt record after validation. |
|||
dns_dynv6_rm() { |
|||
fulldomain=$1 |
|||
txtvalue=$2 |
|||
_info "Using dynv6 api" |
|||
_debug fulldomain "$fulldomain" |
|||
_debug txtvalue "$txtvalue" |
|||
_get_keyfile |
|||
_info "using keyfile $dynv6_keyfile" |
|||
_get_domain "$fulldomain" |
|||
_your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)" |
|||
if ! _contains "$_your_hosts" "$_host"; then |
|||
_debug "The host is $_host and the record $_record" |
|||
_debug "Dynv6 returned $_your_hosts" |
|||
_err "The host $_host does not exists on your dynv6 account" |
|||
return 1 |
|||
fi |
|||
_debug "found host on your account" |
|||
_info "$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts "\"$_host\"" records del "\"$_record\"" txt)" |
|||
return 0 |
|||
|
|||
} |
|||
#################### Private functions below ################################## |
|||
#Usage: No Input required |
|||
#returns |
|||
#dynv6_keyfile the path to the new keyfile that has been generated |
|||
_generate_new_key() { |
|||
dynv6_keyfile="$(eval echo ~"$USER")/.ssh/dynv6" |
|||
_info "Path to key file used: $dynv6_keyfile" |
|||
if [ ! -f "$dynv6_keyfile" ] && [ ! -f "$dynv6_keyfile.pub" ]; then |
|||
_debug "generating key in $dynv6_keyfile and $dynv6_keyfile.pub" |
|||
ssh-keygen -f "$dynv6_keyfile" -t ssh-ed25519 -N '' |
|||
else |
|||
_err "There is already a file in $dynv6_keyfile or $dynv6_keyfile.pub" |
|||
return 1 |
|||
fi |
|||
} |
|||
#Usage: _acme-challenge.www.example.dynv6.net |
|||
#returns |
|||
#_host= example.dynv6.net |
|||
#_record=_acme-challenge.www |
|||
#aborts if not a valid domain |
|||
_get_domain() { |
|||
_full_domain="$1" |
|||
_debug "getting domain for $_full_domain" |
|||
if ! _contains "$_full_domain" 'dynv6.net' && ! _contains "$_full_domain" 'dns.army' && ! _contains "$_full_domain" 'dns.navy'; then |
|||
_err "The hosts does not seem to be a dynv6 host" |
|||
return 1 |
|||
fi |
|||
_record="${_full_domain%.*}" |
|||
_record="${_record%.*}" |
|||
_record="${_record%.*}" |
|||
_debug "The record we are ging to use is $_record" |
|||
_host="$_full_domain" |
|||
while [ "$(echo "$_host" | grep -o '\.' | wc -l)" != "2" ]; do |
|||
_host="${_host#*.}" |
|||
done |
|||
_debug "And the host is $_host" |
|||
return 0 |
|||
|
|||
} |
|||
|
|||
# Usage: No input required |
|||
#returns |
|||
#dynv6_keyfile path to the key that will be used |
|||
_get_keyfile() { |
|||
_debug "get keyfile method called" |
|||
dynv6_keyfile="${dynv6_keyfile:-$(_readaccountconf_mutable dynv6_keyfile)}" |
|||
_debug Your key is "$dynv6_keyfile" |
|||
if [ -z "$dynv6_keyfile" ]; then |
|||
if [ -z "$KEY" ]; then |
|||
_err "You did not specify a key to use with dynv6" |
|||
_info "Creating new dynv6 api key to add to dynv6.com" |
|||
_generate_new_key |
|||
_info "Please add this key to dynv6.com $(cat "$dynv6_keyfile.pub")" |
|||
_info "Hit Enter to contiue" |
|||
read -r _ |
|||
#save the credentials to the account conf file. |
|||
else |
|||
dynv6_keyfile="$KEY" |
|||
fi |
|||
_saveaccountconf_mutable dynv6_keyfile "$dynv6_keyfile" |
|||
fi |
|||
} |
@ -0,0 +1,168 @@ |
|||
#!/usr/bin/env sh |
|||
######################################################################## |
|||
# All-inkl Kasserver hook script for acme.sh |
|||
# |
|||
# Environment variables: |
|||
# |
|||
# - $KAS_Login (Kasserver API login name) |
|||
# - $KAS_Authtype (Kasserver API auth type. Default: sha1) |
|||
# - $KAS_Authdata (Kasserver API auth data.) |
|||
# |
|||
# Author: Martin Kammerlander, Phlegx Systems OG <martin.kammerlander@phlegx.com> |
|||
# Updated by: Marc-Oliver Lange <git@die-lang.es> |
|||
# Credits: Inspired by dns_he.sh. Thanks a lot man! |
|||
# Git repo: https://github.com/phlegx/acme.sh |
|||
# TODO: Better Error handling |
|||
######################################################################## |
|||
KAS_Api="https://kasapi.kasserver.com/dokumentation/formular.php" |
|||
######## Public functions ##################### |
|||
dns_kas_add() { |
|||
_fulldomain=$1 |
|||
_txtvalue=$2 |
|||
_info "Using DNS-01 All-inkl/Kasserver hook" |
|||
_info "Adding $_fulldomain DNS TXT entry on All-inkl/Kasserver" |
|||
_info "Check and Save Props" |
|||
_check_and_save |
|||
_info "Checking Zone and Record_Name" |
|||
_get_zone_and_record_name "$_fulldomain" |
|||
_info "Getting Record ID" |
|||
_get_record_id |
|||
|
|||
_info "Creating TXT DNS record" |
|||
params="?kas_login=$KAS_Login" |
|||
params="$params&kas_auth_type=$KAS_Authtype" |
|||
params="$params&kas_auth_data=$KAS_Authdata" |
|||
params="$params&var1=record_name" |
|||
params="$params&wert1=$_record_name" |
|||
params="$params&var2=record_type" |
|||
params="$params&wert2=TXT" |
|||
params="$params&var3=record_data" |
|||
params="$params&wert3=$_txtvalue" |
|||
params="$params&var4=record_aux" |
|||
params="$params&wert4=0" |
|||
params="$params&kas_action=add_dns_settings" |
|||
params="$params&var5=zone_host" |
|||
params="$params&wert5=$_zone" |
|||
_debug2 "Wait for 10 seconds by default before calling KAS API." |
|||
_sleep 10 |
|||
response="$(_get "$KAS_Api$params")" |
|||
_debug2 "response" "$response" |
|||
|
|||
if ! _contains "$response" "TRUE"; then |
|||
_err "An unkown error occurred, please check manually." |
|||
return 1 |
|||
fi |
|||
return 0 |
|||
} |
|||
|
|||
dns_kas_rm() { |
|||
_fulldomain=$1 |
|||
_txtvalue=$2 |
|||
_info "Using DNS-01 All-inkl/Kasserver hook" |
|||
_info "Cleaning up after All-inkl/Kasserver hook" |
|||
_info "Removing $_fulldomain DNS TXT entry on All-inkl/Kasserver" |
|||
|
|||
_info "Check and Save Props" |
|||
_check_and_save |
|||
_info "Checking Zone and Record_Name" |
|||
_get_zone_and_record_name "$_fulldomain" |
|||
_info "Getting Record ID" |
|||
_get_record_id |
|||
|
|||
# If there is a record_id, delete the entry |
|||
if [ -n "$_record_id" ]; then |
|||
params="?kas_login=$KAS_Login" |
|||
params="$params&kas_auth_type=$KAS_Authtype" |
|||
params="$params&kas_auth_data=$KAS_Authdata" |
|||
params="$params&kas_action=delete_dns_settings" |
|||
|
|||
for i in $_record_id; do |
|||
params2="$params&var1=record_id" |
|||
params2="$params2&wert1=$i" |
|||
_debug2 "Wait for 10 seconds by default before calling KAS API." |
|||
_sleep 10 |
|||
response="$(_get "$KAS_Api$params2")" |
|||
_debug2 "response" "$response" |
|||
if ! _contains "$response" "TRUE"; then |
|||
_err "Either the txt record is not found or another error occurred, please check manually." |
|||
return 1 |
|||
fi |
|||
done |
|||
else # Cannot delete or unkown error |
|||
_err "No record_id found that can be deleted. Please check manually." |
|||
return 1 |
|||
fi |
|||
return 0 |
|||
} |
|||
|
|||
########################## PRIVATE FUNCTIONS ########################### |
|||
|
|||
# Checks for the ENV variables and saves them |
|||
_check_and_save() { |
|||
KAS_Login="${KAS_Login:-$(_readaccountconf_mutable KAS_Login)}" |
|||
KAS_Authtype="${KAS_Authtype:-$(_readaccountconf_mutable KAS_Authtype)}" |
|||
KAS_Authdata="${KAS_Authdata:-$(_readaccountconf_mutable KAS_Authdata)}" |
|||
|
|||
if [ -z "$KAS_Login" ] || [ -z "$KAS_Authtype" ] || [ -z "$KAS_Authdata" ]; then |
|||
KAS_Login= |
|||
KAS_Authtype= |
|||
KAS_Authdata= |
|||
_err "No auth details provided. Please set user credentials using the \$KAS_Login, \$KAS_Authtype, and \$KAS_Authdata environment variables." |
|||
return 1 |
|||
fi |
|||
_saveaccountconf_mutable KAS_Login "$KAS_Login" |
|||
_saveaccountconf_mutable KAS_Authtype "$KAS_Authtype" |
|||
_saveaccountconf_mutable KAS_Authdata "$KAS_Authdata" |
|||
return 0 |
|||
} |
|||
|
|||
# Gets back the base domain/zone and record name. |
|||
# See: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide |
|||
_get_zone_and_record_name() { |
|||
params="?kas_login=$KAS_Login" |
|||
params="?kas_login=$KAS_Login" |
|||
params="$params&kas_auth_type=$KAS_Authtype" |
|||
params="$params&kas_auth_data=$KAS_Authdata" |
|||
params="$params&kas_action=get_domains" |
|||
|
|||
_debug2 "Wait for 10 seconds by default before calling KAS API." |
|||
_sleep 10 |
|||
response="$(_get "$KAS_Api$params")" |
|||
_debug2 "response" "$response" |
|||
_zonen="$(echo "$response" | tr -d "\n\r" | tr -d " " | tr '[]' '<>' | sed "s/=>Array/\n=> Array/g" | tr ' ' '\n' | grep "domain_name" | tr '<' '\n' | grep "domain_name" | sed "s/domain_name>=>//g")" |
|||
_domain="$1" |
|||
_temp_domain="$(echo "$1" | sed 's/\.$//')" |
|||
_rootzone="$_domain" |
|||
for i in $_zonen; do |
|||
l1=${#_rootzone} |
|||
l2=${#i} |
|||
if _endswith "$_domain" "$i" && [ "$l1" -ge "$l2" ]; then |
|||
_rootzone="$i" |
|||
fi |
|||
done |
|||
_zone="${_rootzone}." |
|||
_temp_record_name="$(echo "$_temp_domain" | sed "s/$_rootzone//g")" |
|||
_record_name="$(echo "$_temp_record_name" | sed 's/\.$//')" |
|||
_debug2 "Zone:" "$_zone" |
|||
_debug2 "Domain:" "$_domain" |
|||
_debug2 "Record_Name:" "$_record_name" |
|||
return 0 |
|||
} |
|||
|
|||
# Retrieve the DNS record ID |
|||
_get_record_id() { |
|||
params="?kas_login=$KAS_Login" |
|||
params="$params&kas_auth_type=$KAS_Authtype" |
|||
params="$params&kas_auth_data=$KAS_Authdata" |
|||
params="$params&kas_action=get_dns_settings" |
|||
params="$params&var1=zone_host" |
|||
params="$params&wert1=$_zone" |
|||
|
|||
_debug2 "Wait for 10 seconds by default before calling KAS API." |
|||
_sleep 10 |
|||
response="$(_get "$KAS_Api$params")" |
|||
_debug2 "response" "$response" |
|||
_record_id="$(echo "$response" | tr -d "\n\r" | tr -d " " | tr '[]' '<>' | sed "s/=>Array/\n=> Array/g" | tr ' ' '\n' | grep "=>$_record_name<" | grep '>TXT<' | tr '<' '\n' | grep record_id | sed "s/record_id>=>//g")" |
|||
_debug2 _record_id "$_record_id" |
|||
return 0 |
|||
} |
@ -0,0 +1,273 @@ |
|||
#!/usr/bin/env sh |
|||
|
|||
#OPNsense Bind API |
|||
#https://docs.opnsense.org/development/api.html |
|||
# |
|||
#OPNs_Host="opnsense.example.com" |
|||
#OPNs_Port="443" |
|||
# optional, defaults to 443 if unset |
|||
#OPNs_Key="qocfU9RSbt8vTIBcnW8bPqCrpfAHMDvj5OzadE7Str+rbjyCyk7u6yMrSCHtBXabgDDXx/dY0POUp7ZA" |
|||
#OPNs_Token="pZEQ+3ce8dDlfBBdg3N8EpqpF5I1MhFqdxX06le6Gl8YzyQvYCfCzNaFX9O9+IOSyAs7X71fwdRiZ+Lv" |
|||
#OPNs_Api_Insecure=0 |
|||
# optional, defaults to 0 if unset |
|||
# Set 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1) |
|||
|
|||
######## Public functions ##################### |
|||
#Usage: add _acme-challenge.www.domain.com "123456789ABCDEF0000000000000000000000000000000000000" |
|||
#fulldomain |
|||
#txtvalue |
|||
OPNs_DefaultPort=443 |
|||
OPNs_DefaultApi_Insecure=0 |
|||
|
|||
dns_opnsense_add() { |
|||
fulldomain=$1 |
|||
txtvalue=$2 |
|||
|
|||
_opns_check_auth || return 1 |
|||
|
|||
if ! set_record "$fulldomain" "$txtvalue"; then |
|||
return 1 |
|||
fi |
|||
|
|||
return 0 |
|||
} |
|||
|
|||
#fulldomain |
|||
dns_opnsense_rm() { |
|||
fulldomain=$1 |
|||
txtvalue=$2 |
|||
|
|||
_opns_check_auth || return 1 |
|||
|
|||
if ! rm_record "$fulldomain" "$txtvalue"; then |
|||
return 1 |
|||
fi |
|||
|
|||
return 0 |
|||
} |
|||
|
|||
set_record() { |
|||
fulldomain=$1 |
|||
new_challenge=$2 |
|||
_info "Adding record $fulldomain with challenge: $new_challenge" |
|||
|
|||
_debug "Detect root zone" |
|||
if ! _get_root "$fulldomain"; then |
|||
_err "invalid domain" |
|||
return 1 |
|||
fi |
|||
|
|||
_debug _domain "$_domain" |
|||
_debug _host "$_host" |
|||
_debug _domainid "$_domainid" |
|||
_return_str="" |
|||
_record_string="" |
|||
_build_record_string "$_domainid" "$_host" "$new_challenge" |
|||
_uuid="" |
|||
if _existingchallenge "$_domain" "$_host" "$new_challenge"; then |
|||
# Update |
|||
if _opns_rest "POST" "/record/setRecord/${_uuid}" "$_record_string"; then |
|||
_return_str="$response" |
|||
else |
|||
return 1 |
|||
fi |
|||
|
|||
else |
|||
#create |
|||
if _opns_rest "POST" "/record/addRecord" "$_record_string"; then |
|||
_return_str="$response" |
|||
else |
|||
return 1 |
|||
fi |
|||
fi |
|||
|
|||
if echo "$_return_str" | _egrep_o "\"result\":\"saved\"" >/dev/null; then |
|||
_opns_rest "POST" "/service/reconfigure" "{}" |
|||
_debug "Record created" |
|||
else |
|||
_err "Error creating record $_record_string" |
|||
return 1 |
|||
fi |
|||
|
|||
return 0 |
|||
} |
|||
|
|||
rm_record() { |
|||
fulldomain=$1 |
|||
new_challenge="$2" |
|||
_info "Remove record $fulldomain with challenge: $new_challenge" |
|||
|
|||
_debug "Detect root zone" |
|||
if ! _get_root "$fulldomain"; then |
|||
_err "invalid domain" |
|||
return 1 |
|||
fi |
|||
|
|||
_debug _domain "$_domain" |
|||
_debug _host "$_host" |
|||
_debug _domainid "$_domainid" |
|||
_uuid="" |
|||
if _existingchallenge "$_domain" "$_host" "$new_challenge"; then |
|||
# Delete |
|||
if _opns_rest "POST" "/record/delRecord/${_uuid}" "\{\}"; then |
|||
if echo "$_return_str" | _egrep_o "\"result\":\"deleted\"" >/dev/null; then |
|||
_opns_rest "POST" "/service/reconfigure" "{}" |
|||
_debug "Record deleted" |
|||
else |
|||
_err "Error deleting record $_host from domain $fulldomain" |
|||
return 1 |
|||
fi |
|||
else |
|||
_err "Error deleting record $_host from domain $fulldomain" |
|||
return 1 |
|||
fi |
|||
else |
|||
_info "Record not found, nothing to remove" |
|||
fi |
|||
|
|||
return 0 |
|||
} |
|||
|
|||
#################### Private functions below ################################## |
|||
#_acme-challenge.www.domain.com |
|||
#returns |
|||
# _domainid=domid |
|||
#_domain=domain.com |
|||
_get_root() { |
|||
domain=$1 |
|||
i=2 |
|||
p=1 |
|||
if _opns_rest "GET" "/domain/get"; then |
|||
_domain_response="$response" |
|||
else |
|||
return 1 |
|||
fi |
|||
|
|||
while true; do |
|||
h=$(printf "%s" "$domain" | cut -d . -f $i-100) |
|||
if [ -z "$h" ]; then |
|||
#not valid |
|||
return 1 |
|||
fi |
|||
_debug h "$h" |
|||
id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":\"[^\"]*\",\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2) |
|||
|
|||
if [ -n "$id" ]; then |
|||
_debug id "$id" |
|||
_host=$(printf "%s" "$domain" | cut -d . -f 1-$p) |
|||
_domain="${h}" |
|||
_domainid="${id}" |
|||
return 0 |
|||
fi |
|||
p=$i |
|||
i=$(_math $i + 1) |
|||
done |
|||
_debug "$domain not found" |
|||
|
|||
return 1 |
|||
} |
|||
|
|||
_opns_rest() { |
|||
method=$1 |
|||
ep=$2 |
|||
data=$3 |
|||
#Percent encode user and token |
|||
key=$(echo "$OPNs_Key" | tr -d "\n\r" | _url_encode) |
|||
token=$(echo "$OPNs_Token" | tr -d "\n\r" | _url_encode) |
|||
|
|||
opnsense_url="https://${key}:${token}@${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}" |
|||
export _H1="Content-Type: application/json" |
|||
_debug2 "Try to call api: https://${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}" |
|||
if [ ! "$method" = "GET" ]; then |
|||
_debug data "$data" |
|||
export _H1="Content-Type: application/json" |
|||
response="$(_post "$data" "$opnsense_url" "" "$method")" |
|||
else |
|||
export _H1="" |
|||
response="$(_get "$opnsense_url")" |
|||
fi |
|||
|
|||
if [ "$?" != "0" ]; then |
|||
_err "error $ep" |
|||
return 1 |
|||
fi |
|||
_debug2 response "$response" |
|||
|
|||
return 0 |
|||
} |
|||
|
|||
_build_record_string() { |
|||
_record_string="{\"record\":{\"enabled\":\"1\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"}}" |
|||
} |
|||
|
|||
_existingchallenge() { |
|||
if _opns_rest "GET" "/record/searchRecord"; then |
|||
_record_response="$response" |
|||
else |
|||
return 1 |
|||
fi |
|||
_uuid="" |
|||
_uuid=$(echo "$_record_response" | _egrep_o "\"uuid\":\"[^\"]*\",\"enabled\":\"[01]\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':' -f 2 | cut -d '"' -f 2) |
|||
|
|||
if [ -n "$_uuid" ]; then |
|||
_debug uuid "$_uuid" |
|||
return 0 |
|||
fi |
|||
_debug "${2}.$1{1} record not found" |
|||
|
|||
return 1 |
|||
} |
|||
|
|||
_opns_check_auth() { |
|||
OPNs_Host="${OPNs_Host:-$(_readaccountconf_mutable OPNs_Host)}" |
|||
OPNs_Port="${OPNs_Port:-$(_readaccountconf_mutable OPNs_Port)}" |
|||
OPNs_Key="${OPNs_Key:-$(_readaccountconf_mutable OPNs_Key)}" |
|||
OPNs_Token="${OPNs_Token:-$(_readaccountconf_mutable OPNs_Token)}" |
|||
OPNs_Api_Insecure="${OPNs_Api_Insecure:-$(_readaccountconf_mutable OPNs_Api_Insecure)}" |
|||
|
|||
if [ -z "$OPNs_Host" ]; then |
|||
_err "You don't specify OPNsense address." |
|||
return 1 |
|||
else |
|||
_saveaccountconf_mutable OPNs_Host "$OPNs_Host" |
|||
fi |
|||
|
|||
if ! printf '%s' "$OPNs_Port" | grep '^[0-9]*$' >/dev/null; then |
|||
_err 'OPNs_Port specified but not numeric value' |
|||
return 1 |
|||
elif [ -z "$OPNs_Port" ]; then |
|||
_info "OPNSense port not specified. Defaulting to using port $OPNs_DefaultPort" |
|||
else |
|||
_saveaccountconf_mutable OPNs_Port "$OPNs_Port" |
|||
fi |
|||
|
|||
if ! printf '%s' "$OPNs_Api_Insecure" | grep '^[01]$' >/dev/null; then |
|||
_err 'OPNs_Api_Insecure specified but not 0/1 value' |
|||
return 1 |
|||
elif [ -n "$OPNs_Api_Insecure" ]; then |
|||
_saveaccountconf_mutable OPNs_Api_Insecure "$OPNs_Api_Insecure" |
|||
fi |
|||
export HTTPS_INSECURE="${OPNs_Api_Insecure:-$OPNs_DefaultApi_Insecure}" |
|||
|
|||
if [ -z "$OPNs_Key" ]; then |
|||
_err "you have not specified your OPNsense api key id." |
|||
_err "Please set OPNs_Key and try again." |
|||
return 1 |
|||
else |
|||
_saveaccountconf_mutable OPNs_Key "$OPNs_Key" |
|||
fi |
|||
|
|||
if [ -z "$OPNs_Token" ]; then |
|||
_err "you have not specified your OPNsense token." |
|||
_err "Please create OPNs_Token and try again." |
|||
return 1 |
|||
else |
|||
_saveaccountconf_mutable OPNs_Token "$OPNs_Token" |
|||
fi |
|||
|
|||
if ! _opns_rest "GET" "/general/get"; then |
|||
_err "Call to OPNsense API interface failed. Unable to access OPNsense API." |
|||
return 1 |
|||
fi |
|||
return 0 |
|||
} |
Write
Preview
Loading…
Cancel
Save
Reference in new issue