Merge pull request #1 from miroslav-suvada/master

Add arguments and handling of custom configs and services
This commit is contained in:
Three Planets Software 2024-12-06 12:49:58 -05:00 committed by GitHub
commit ff63f1c325
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 95 additions and 56 deletions


@ -39,8 +39,10 @@ vim /opt/letsencrypt-routeros/letsencrypt-routeros.settings
| ROUTEROS_USER | admin | user with admin rights to connect to RouterOS | | ROUTEROS_USER | admin | user with admin rights to connect to RouterOS |
| ROUTEROS_HOST | 10.0.254.254 | RouterOS\Mikrotik IP | | ROUTEROS_HOST | 10.0.254.254 | RouterOS\Mikrotik IP |
| ROUTEROS_SSH_PORT | 22 | RouterOS\Mikrotik PORT | | ROUTEROS_SSH_PORT | 22 | RouterOS\Mikrotik PORT |
| ROUTEROS_PRIVATE_KEY | /opt/letsencrypt-routeros/id_rsa | Private RSA Key to connecto to RouterOS | | ROUTEROS_PRIVATE_KEY | /opt/letsencrypt-routeros/id_rsa | Private RSA Key to connect to RouterOS |
| DOMAIN | mydomain.com | Use main domain for wildcard certificate or subdomain for subdomain certificate | | DOMAIN | mydomain.com | Use main domain for wildcard certificate or subdomain for subdomain certificate |
| SETUP_SERVICES | (SSTP WWW API) | Array of services for which certificate will be installed |
| SSH_STRICT_KEY_CHECKING | yes | Allows to override SSH option StrictHostKeyChecking |
Change permissions: Change permissions:
@ -98,12 +100,12 @@ certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-
### Usage of the script ### Usage of the script
*To use settings from the settings file:* *To use settings from the settings file:*
```sh ```sh
./opt/letsencrypt-routeros/letsencrypt-routeros.sh /opt/letsencrypt-routeros/letsencrypt-routeros.sh -c letsencrypt-routeros.settings
``` ```
*To use script without settings file:* *To use script without settings file:*
```sh ```sh
./opt/letsencrypt-routeros/letsencrypt-routeros.sh [RouterOS User] [RouterOS Host] [SSH Port] [SSH Private Key] [Domain] /opt/letsencrypt-routeros/letsencrypt-routeros.sh -u [RouterOS User] -h [RouterOS Host] -p [SSH Port] -k [SSH Private Key] -d [Domain]
``` ```
*To use script with CertBot hooks for wildcard domain:* *To use script with CertBot hooks for wildcard domain:*
```sh ```sh
@ -115,7 +117,7 @@ certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-
``` ```
--- ---
### Licence MIT ### License MIT
Copyright 2018 Konstantin Gimpel Copyright 2018 Konstantin Gimpel
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:


@ -7,3 +7,8 @@ ROUTEROS_HOST=10.0.254.254
ROUTEROS_SSH_PORT=22 ROUTEROS_SSH_PORT=22
ROUTEROS_PRIVATE_KEY=/opt/letsencrypt-routeros/id_rsa ROUTEROS_PRIVATE_KEY=/opt/letsencrypt-routeros/id_rsa
DOMAIN=vpnserver.yourdomain.com DOMAIN=vpnserver.yourdomain.com
## Uncomment this to specify array of services that will be setup
## If not specified certificate is installed to (SSTP WWW API)
#SETUP_SERVICES=(WWW API)
## Uncomment this to disable StrictHostKeyChecking (default yes)
#SSH_STRICT_KEY_CHECKING=no
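Review bot: The commented-out `#SSH_STRICT_KEY_CHECKING=no` example documents the only alternative to the default as fully disabling host key verification, and that value is fed straight into `StrictHostKeyChecking=` for both the ssh alias and the scp alias that later uploads the TLS private key to the router, so a mis-resolved or spoofed ROUTEROS_HOST would silently receive the key. OpenSSH also accepts `accept-new`, which trusts an unknown host on first contact but still rejects a changed key, and is the better value to advertise for the "first run against a fresh router" case. I would change the comment to `## Uncomment to relax StrictHostKeyChecking (default yes); prefer accept-new over no, since no skips host key verification for the session that uploads the private key` and make the example `#SSH_STRICT_KEY_CHECKING=accept-new`. The README table row for this variable should carry the same caveat.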


@ -1,25 +1,47 @@
#!/bin/bash #!/bin/bash
CONFIG_FILE=letsencrypt-routeros.settings
if [[ -z $1 ]] || [[ -z $2 ]] || [[ -z $3 ]] || [[ -z $4 ]] || [[ -z $5 ]]; then while getopts 'u:h:p:k:d:f:' OPTION; do
echo -e "Usage: $0 or $0 [RouterOS User] [RouterOS Host] [SSH Port] [SSH Private Key] [Domain]\n" case "$OPTION" in
source $CONFIG_FILE u)
else ROUTEROS_USER=$OPTARG
ROUTEROS_USER=$1 ;;
ROUTEROS_HOST=$2 h)
ROUTEROS_SSH_PORT=$3 ROUTEROS_HOST=$OPTARG
ROUTEROS_PRIVATE_KEY=$4 ;;
DOMAIN=$5 p)
ROUTEROS_SSH_PORT=$OPTARG
;;
k)
ROUTEROS_PRIVATE_KEY=$OPTARG
;;
d)
DOMAIN=$OPTARG
;;
f)
CONFIG=$OPTARG
;;
*)
echo "Unknown option '$OPTION'"
;;
esac
done
shift "$((OPTIND - 1))"
if [[ -n $CONFIG ]]; then
source "$CONFIG"
elif [[ -z $ROUTEROS_USER ]] || [[ -z $ROUTEROS_HOST ]] || [[ -z $ROUTEROS_SSH_PORT ]] || [[ -z $ROUTEROS_PRIVATE_KEY ]] || [[ -z $DOMAIN ]]; then
echo -e "Usage:\n$0 -c /path/to/config\nOR\n$0 -u [RouterOS User] -h [RouterOS Host] -p [SSH Port] -k [SSH Private Key] -d [Domain]"
exit 1
fi fi
if [[ -z $ROUTEROS_USER ]] || [[ -z $ROUTEROS_HOST ]] || [[ -z $ROUTEROS_SSH_PORT ]] || [[ -z $ROUTEROS_PRIVATE_KEY ]] || [[ -z $DOMAIN ]]; then if [[ -z $ROUTEROS_USER ]] || [[ -z $ROUTEROS_HOST ]] || [[ -z $ROUTEROS_SSH_PORT ]] || [[ -z $ROUTEROS_PRIVATE_KEY ]] || [[ -z $DOMAIN ]]; then
echo "Check the config file $CONFIG_FILE or start with params: $0 [RouterOS User] [RouterOS Host] [SSH Port] [SSH Private Key] [Domain]" echo "Check the config file $CONFIG_FILE or start with params: $0 -u [RouterOS User] -h [RouterOS Host] -p [SSH Port] -k [SSH Private Key] -d [Domain]"
echo "Please avoid spaces" echo "Please avoid spaces"
exit 1 exit 1
fi fi
CERTIFICATE=/etc/letsencrypt/live/$DOMAIN/cert.pem CERTIFICATE=/etc/letsencrypt/live/${DOMAIN}/cert.pem
KEY=/etc/letsencrypt/live/$DOMAIN/privkey.pem KEY=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
echo "" echo ""
echo "Updating certificate for $DOMAIN" echo "Updating certificate for $DOMAIN"
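Review bot: The option that loads a config file is inconsistent across the hunk: the getopts string is `'u:h:p:k:d:f:'` and the `f)` arm sets CONFIG, but the usage text in the `elif` branch (and the README in this same commit) tells users to pass `-c /path/to/config`, so the documented invocation lands in the `*)` arm, prints "Unknown option '?'" and then falls through to the usage message with exit 1. Either the flag or the documentation has to change; the smaller fix is `while getopts 'u:h:p:k:d:c:' OPTION; do` with the arm renamed to `c)`. The `*)` arm should also terminate instead of continuing with a partially parsed command line, e.g. `*) echo "Unknown option '$OPTION'" >&2; exit 1 ;;`. Separately, CONFIG_FILE is still assigned on the first line but nothing sources it any more, so the later "Check the config file $CONFIG_FILE" message points at a file the script never reads; it is probably meant to say `${CONFIG:-letsencrypt-routeros.settings}` or be dropped. The sourced config is executed as shell, which is unchanged behaviour, but a short comment above `source "$CONFIG"` saying so would help the next reader.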
@ -27,7 +49,10 @@ echo " Using certificate $CERTIFICATE"
echo " User private key $KEY" echo " User private key $KEY"
#Create alias for RouterOS command #Create alias for RouterOS command
routeros="ssh -i $ROUTEROS_PRIVATE_KEY $ROUTEROS_USER@$ROUTEROS_HOST -p $ROUTEROS_SSH_PORT" routeros="ssh -o PubkeyAcceptedKeyTypes=+ssh-dss -o StrictHostKeyChecking=${SSH_STRICT_KEY_CHECKING:-yes} -i $ROUTEROS_PRIVATE_KEY ${ROUTEROS_USER}@${ROUTEROS_HOST} -p $ROUTEROS_SSH_PORT"
#Create alias for scp command
scp="scp -q -o PubkeyAcceptedKeyTypes=+ssh-dss -o StrictHostKeyChecking=${SSH_STRICT_KEY_CHECKING:-yes} -P $ROUTEROS_SSH_PORT -i $ROUTEROS_PRIVATE_KEY"
echo "" echo ""
echo "Checking connection to RouterOS" echo "Checking connection to RouterOS"
@ -36,80 +61,87 @@ echo "Checking connection to RouterOS"
$routeros /system resource print $routeros /system resource print
RESULT=$? RESULT=$?
if [[ ! $RESULT == 0 ]]; then if [[ ! ${RESULT} == 0 ]]; then
echo -e "\nError in: $routeros" echo -e "\nError in: $routeros"
echo "More info: https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login)" echo "More info: https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login)"
exit 1 exit 1
else else
echo -e "\nConnection to RouterOS Successful!\n" echo -e "\nConnection to RouterOS Successful!\n"
fi fi
if [ ! -f $CERTIFICATE ] && [ ! -f $KEY ]; then if [ ! -f "$CERTIFICATE" ] && [ ! -f "$KEY" ]; then
echo -e "\nFile(s) not found:\n$CERTIFICATE\n$KEY\n" echo -e "\nFile(s) not found:\n${CERTIFICATE}\n${KEY}\n"
echo -e "Please use CertBot Let'sEncrypt:" echo -e "Please use CertBot Let'sEncrypt:"
echo "============================" echo "============================"
echo "certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok" echo "certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok"
echo "or (for wildcard certificate):" echo "or (for wildcard certificate):"
echo "certbot certonly --preferred-challenges=dns --manual -d *.$DOMAIN --manual-public-ip-logging-ok --server https://acme-v02.api.letsencrypt.org/directory" echo "certbot certonly --preferred-challenges=dns --manual -d *.$DOMAIN --manual-public-ip-logging-ok --server https://acme-v02.api.letsencrypt.org/directory"
echo "===========================" echo "==========================="
echo -e "and follow instructions from CertBot\n" echo -e "and follow instructions from CertBot\n"
exit 1 exit 1
fi fi
# Set up variables to remove errors # Set up variables to remove errors
DOMAIN_INSTALLED_CERT_FILE=$DOMAIN.pem_0 DOMAIN_INSTALLED_CERT_FILE=${DOMAIN}.pem_0
DOMAIN_CERT_FILE=$DOMAIN.pem DOMAIN_CERT_FILE=${DOMAIN}.pem
DOMAIN_KEY_FILE=$DOMAIN.key DOMAIN_KEY_FILE=${DOMAIN}.key
# Remove previous certificate # Remove previous certificate
echo "Removing old certificate from installed certificates: $DOMAIN_INSTALLED_CERT_FILE" echo "Removing old certificate from installed certificates: $DOMAIN_INSTALLED_CERT_FILE"
$routeros /certificate remove [find name=$DOMAIN_INSTALLED_CERT_FILE] $routeros /certificate remove [find name="$DOMAIN_INSTALLED_CERT_FILE"]
echo "" echo ""
echo "Handling new certificate file" echo "Handling new certificate file"
# Create Certificate # Create Certificate
# Delete Certificate file if the file exist on RouterOS # Delete Certificate file if the file exist on RouterOS
echo " Deleting any old copy of certificate file from disk: $DOMAIN_CERT_FILE" echo " Deleting any old copy of certificate file from disk: $DOMAIN_CERT_FILE"
$routeros /file remove $DOMAIN_CERT_FILE > /dev/null $routeros /file remove "$DOMAIN_CERT_FILE" >/dev/null
# Upload Certificate to RouterOS # Upload Certificate to RouterOS
echo " Uploading new domain certificate file to router: $CERTIFICATE" echo " Uploading new domain certificate file to router: $CERTIFICATE"
scp -q -P $ROUTEROS_SSH_PORT -i "$ROUTEROS_PRIVATE_KEY" "$CERTIFICATE" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN_CERT_FILE" $scp "$CERTIFICATE" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN_CERT_FILE"
sleep 2 sleep 2
# Import Certificate file # Import Certificate file
echo " Importing new certificate file to router certificates" echo " Importing new certificate file to router certificates"
$routeros /certificate import file-name=$DOMAIN_CERT_FILE passphrase=\"\" $routeros /certificate import file-name="$DOMAIN_CERT_FILE" passphrase=\"\"
# Delete Certificate file after import # Delete Certificate file after import
echo " Deleting any new copy of certificate file from disk: $DOMAIN_CERT_FILE" echo " Deleting any new copy of certificate file from disk: $DOMAIN_CERT_FILE"
$routeros /file remove $DOMAIN_CERT_FILE $routeros /file remove "$DOMAIN_CERT_FILE"
echo "" echo ""
echo "Handling new key file" echo "Handling new key file"
# Create Key # Create Key
# Delete Certificate file if the file exist on RouterOS # Delete Certificate file if the file exist on RouterOS
echo " Deleting any old copy of key file from disk: $DOMAIN_KEY_FILE" echo " Deleting any old copy of key file from disk: ${DOMAIN_KEY_FILE}"
$routeros /file remove $DOMAIN_KEY_FILE > /dev/null $routeros /file remove "$DOMAIN_KEY_FILE" >/dev/null
# Upload Key to RouterOS # Upload Key to RouterOS
echo " Uploading new domain key file to router: $KEY" echo " Uploading new domain key file to router: $KEY"
scp -q -P $ROUTEROS_SSH_PORT -i "$ROUTEROS_PRIVATE_KEY" "$KEY" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN_KEY_FILE" $scp "$KEY" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN_KEY_FILE"
sleep 2 sleep 2
# Import Key file # Import Key file
echo " Importing new key file to router certificates" echo " Importing new key file to router certificates"
$routeros /certificate import file-name=$DOMAIN_KEY_FILE passphrase=\"\" $routeros /certificate import file-name="$DOMAIN_KEY_FILE" passphrase=\"\"
# Delete Certificate file after import # Delete Certificate file after import
echo " Deleting any new copy of key file from disk: $DOMAIN_KEY_FILE" echo " Deleting any new copy of key file from disk: $DOMAIN_KEY_FILE"
$routeros /file remove $DOMAIN_KEY_FILE $routeros /file remove "$DOMAIN_KEY_FILE"
echo "" echo ""
# Setup Certificate to SSTP Server # Setup Certificate to SSTP Service
echo "Updating SSTP Server to use $DOMAIN_INSTALLED_CERT_FILE" if [[ "${SETUP_SERVICES[*]:-SSTP}" =~ "SSTP" ]]; then
$routeros /interface sstp-server server set certificate=$DOMAIN_INSTALLED_CERT_FILE echo "Updating SSTP Server to use $DOMAIN_INSTALLED_CERT_FILE"
$routeros /interface sstp-server server set certificate="$DOMAIN_INSTALLED_CERT_FILE"
fi
# Setup Certificate to SSL # Setup Certificate to WWW Service
echo "Updating HTTPS Server to use $DOMAIN_INSTALLED_CERT_FILE" if [[ "${SETUP_SERVICES[*]:-WWW}" =~ "WWW" ]]; then
$routeros /ip service set www-ssl certificate=$DOMAIN_INSTALLED_CERT_FILE echo "Updating HTTPS Server to use $DOMAIN_INSTALLED_CERT_FILE"
$routeros /ip service set www-ssl certificate="$DOMAIN_INSTALLED_CERT_FILE"
fi
echo "Updating API SSL Server to use $DOMAIN_INSTALLED_CERT_FILE" # Setup Certificate to API Service
$routeros /ip service set api-ssl certificate=$DOMAIN_INSTALLED_CERT_FILE if [[ "${SETUP_SERVICES[*]:-API}" =~ "API" ]]; then
echo "Updating API SSL Server to use $DOMAIN_INSTALLED_CERT_FILE"
$routeros /ip service set api-ssl certificate="$DOMAIN_INSTALLED_CERT_FILE"
fi
exit 0 exit 0