Added deployer installation script

Author: Limych

deploy/freenas.sh

@@ -26,6 +26,12 @@ freenas_deploy() {
   _debug _cca "$_cca"
   _debug _cfullchain "$_cfullchain"
 
+  _fullchain=$(tr '\n\r' '@#' <"$_cfullchain" | sed 's/@/\\n/g;s/#/\\r/g')
+  _key=$(tr '\n\r' '@#' <"$_ckey" | sed 's/@/\\n/g;s/#/\\r/g')
+
+  _debug _fullchain "$_fullchain"
+  _debug _key "$_key"
+
   if [ -z "$FREENAS_PASSWORD" ]; then
     if [ -z "$Le_Deploy_FreeNAS_password" ]; then
       _err "FREENAS_PASSWORD not defined."
@@ -56,10 +62,64 @@ freenas_deploy() {
     _savedomainconf Le_Deploy_FreeNAS_verify "$Le_Deploy_FreeNAS_verify"
   fi
 
-  api_base="${Le_Deploy_FreeNAS_host}/api/v1.0"
-  cert=$(date +letsencrypt-%Y-%m-%d-%H%M%S)
-  credentials=$(printf "%s:%s" "root" "$Le_Deploy_FreeNAS_password" | _base64)
+  _api_base="${Le_Deploy_FreeNAS_host}/api/v1.0"
+#  _cert=$(date +letsencrypt-%Y-%m-%d-%H%M%S)
+  _cert=$(date +letsencrypt-%Y-%m-%d)
+  _realm=$(printf "%s:%s" "root" "$Le_Deploy_FreeNAS_password" | _base64)
+
+  _debug _api_base "$_api_base"
+  _debug _cert "$_cert"
+  _debug _realm "$_realm"
+
+  _info "Update or create SSL certificate"
+  export _H1="Authorization: Basic $_realm"
+  export _H2="Content-Type: application/json"
+  _request="{\"cert_name\":\"$_cert\",\"cert_certificate\":\"$_fullchain\",\"cert_privatekey\":\"$_key\"}"
+  _debug _request "$_request"
+  _response="$(_post "$_request" "$_api_base/system/certificate/import/")"
+  _debug _response "$_response"
+
+  if echo "$_response" | grep -q "certificate with this name already exists"; then
+    _err "SSL certificate with name '$_cert' are already exists. Stop deploying"
+    return 0
+  elif [ "$_response" != "Certificate imported." ]; then
+    _err "Error SSL certificate import"
+    return 1
+  fi
+
+  _info "Download certificate list and parse it to find the ID that matches our cert name"
+  _response=$(_get "$_api_base/system/certificate/?limit=0")
+  _debug _response "$_response"
+  _regex="^.*\"cert_name\": *\"$_cert\".*$"
+  _debug _regex "$_regex"
+  _resource=$(echo "$_response" | sed 's/},{/},\n{/g' | _egrep_o "$_regex")
+  _debug _resource "$_resource"
+  _regex="^.*\"cert_name\": \"$_cert\".*$"
+  _debug _regex "$_regex"
+  _resource=$(echo "$_response" | sed 's/},{/},\n{/g' | _egrep_o "$_regex")
+  _debug _resource "$_resource"
+  _regex=".*\"id\": *\([0-9]*\).*$"
+  _debug _regex "$_regex"
+  _cert_id=$(echo "$_resource" | sed -n "s/$_regex/\1/p")
+  _debug _resourceId "$_cert_id"
+
+  _info "Set our cert as active"
+  _request="{\"stg_guicertificate\":\"$_cert_id\"}"
+  _response=$(_post "$_request" "$_api_base/system/settings/" '' "PUT")
+  _debug _response "$_response"
+
+  _info "Reload nginx with new cert"
+  _response="$(_post "" "$_api_base/system/settings/restart-httpd-all/")"
+  _debug _response "$_response"
+
+  # Make time for httpd for reloading
+  sleep 3
+
+  _info "Set our cert as active for FTP plugin"
+  _request="{\"ftp_ssltls_certfile\":\"$_cert\"}"
+  _response=$(_post "$_request" "$_api_base/services/ftp/" '' "PUT")
+  _debug _response "$_response"
 
-  _err "Not implemented yet"
-  return 1
-}
+  _info "Certificate successfully deployed"
+  return 0
+}

deploy_freenas.py

@@ -1,7 +1,5 @@
 #!/usr/bin/env sh
 
-DEBUG=3
-
 
 
 _locate() {
@@ -26,7 +24,7 @@ IS_OPNSENSE=$([ -d "/usr/local/opnsense/" ] && echo 1)
 # Locate acme.sh and load it as a library
 ACME=$(_locate acme.sh /root/.acme.sh /usr/local/sbin "$WDIR")
 
-if [ -z "$ACME" ] || [ `find "$ACME" -mtime +30` ]; then
+if [ -z "$ACME" ] || [ ! -z "$(find "$WDIR/acme.sh" -mtime +30 2>/dev/null)" ]; then
   if [ ! -z "$FETCH" ]; then
     "$FETCH" https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
   elif [ ! -z "$CURL" ]; then
@@ -39,7 +37,8 @@ fi
 if [ -z "$ACME" ]; then echo "ERROR: Can't locate acme.sh"; exit 1; fi
 
 if [ "$IS_OPNSENSE" == "1" ]; then
-  LE_WORKING_DIR="$WDIR"
+  LE_WORKING_DIR="/var/etc/acme-client/home"
+  _SCRIPT_HOME="$WDIR"
 else
   LE_WORKING_DIR=`dirname $ACME`
 fi
@@ -82,13 +81,19 @@ eval $(_parse_ini ${CONFIG})
 if [ -z "${ini__deploy__password}" ]; then _err "ERROR: Root password not defined!"; exit 1; fi
 
 DOMAIN_NAME=${ini__deploy__cert_fqdn:-$(hostname)}
+CERT_KEY_PATH=${ini__deploy__privkey_path:-"/root/.acme.sh/${DOMAIN_NAME}/${DOMAIN_NAME}.key"}
+CERT_FULLCHAIN_PATH=${ini__deploy__fullchain_path:-"/root/.acme.sh/${DOMAIN_NAME}/fullchain.cer"}
 export FREENAS_PASSWORD=${ini__deploy__password}
 export FREENAS_HOST="${ini__deploy__protocol:-"http://"}${ini__deploy__connect_host:-"localhost"}:${ini__deploy__port:-"80"}"
 export FREENAS_VERIFY=${ini__deploy__verify:-"true"}
 
-_debug DOMAIN_NAME ${DOMAIN_NAME}
-_debug FREENAS_PASSWORD ${FREENAS_PASSWORD}
-_debug FREENAS_HOST ${FREENAS_HOST}
-_debug FREENAS_VERIFY ${FREENAS_VERIFY}
+_debug DOMAIN_NAME "$DOMAIN_NAME"
+_debug CERT_KEY_PATH "$CERT_KEY_PATH"
+_debug CERT_FULLCHAIN_PATH "$CERT_FULLCHAIN_PATH"
+_debug FREENAS_PASSWORD "$FREENAS_PASSWORD"
+_debug FREENAS_HOST "$FREENAS_HOST"
+_debug FREENAS_VERIFY "$FREENAS_VERIFY"
+
+. "$WDIR/deploy/freenas.sh"
 
-_deploy ${DOMAIN_NAME} "freenas"
+freenas_deploy "$DOMAIN_NAME" "$CERT_KEY_PATH" "" "" "$CERT_FULLCHAIN_PATH"

deploy_freenas.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env sh
+
+WDIR=$(cd `dirname $0` && pwd)
+ACME="/root/.acme.sh"
+
+if [ ! -r "$ACME/acme.sh" ]; then echo "ERROR: Can't locate ACME directory"; exit 1; fi
+
+cp -R "$WDIR/deploy/" "$ACME/deploy/"
+
+echo "The SSL certificate deployer for FreeNAS are successfully installed to ACME."

install.sh

@@ -1,15 +1,9 @@
 #!/usr/bin/env sh
 
-DIR=$(cd `dirname $0` && pwd)
-
-# Make service links
-ln -Fs /var/etc/acme-client/home/ /root/.acme.sh
-
-# Install required packages
-#pkg install -y bash
+WDIR=$(cd `dirname $0` && pwd)
 
 # Install cron action
-ln -Fs ${DIR}/actions_deploy_freenas.conf /usr/local/opnsense/service/conf/actions.d/actions_deploy_freenas.conf
+ln -Fs ${WDIR}/actions_deploy_freenas.conf /usr/local/opnsense/service/conf/actions.d/actions_deploy_freenas.conf
 
 # Reload config daemon
 service configd restart