Mirror
/
acme.sh
mirror of https://github.com/acmesh-official/acme.sh.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Use allchain instead of ca an cert, add documentation after review

pull/706/head
Pål Håland 7 years ago
parent
d698c1093a
commit
8d38cf4d1f
2 changed files with 18 additions and 10 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 16
      deploy/README.md
  2. 12
      deploy/routeros.sh

16
deploy/README.md
View File

@ -265,6 +265,8 @@ acme.sh --deploy -d ftp.example.com --deploy-hook routeros
Before you can deploy the certificate to router os, you need to add the id_rsa.pub key to the routeros and assign a user to that key. Before you can deploy the certificate to router os, you need to add the id_rsa.pub key to the routeros and assign a user to that key.
The user need to have access to ssh, ftp, read and write. The user need to have access to ssh, ftp, read and write.
There are no need to enable ftp service for the script to work, as they are transmitted over SCP, however ftp is needed to store the files on the router.
Then you need to set the environment variables for the deploy script to work. Then you need to set the environment variables for the deploy script to work.
```sh ```sh
export ROUTER_OS_USERNAME=certuser export ROUTER_OS_USERNAME=certuser
@ -272,3 +274,17 @@ export ROUTER_OS_HOST=router.example.com
acme.sh --deploy -d ftp.example.com --deploy-hook routeros acme.sh --deploy -d ftp.example.com --deploy-hook routeros
``` ```
The deploy script will remove previously deployed certificates, and it does this with an assumption on how RouterOS names imported certificates, adding a "cer_0" suffix at the end. This is true for versions 6.32 -> 6.41.3, but it is not guaranteed that it will be true for future versions when upgrading.
If the router have other certificates with the same name as the one beeing deployed, then this script will remove those certificates.
At the end of the script, the services that use those certificates could be updated. Currently only the www-ssl service is beeing updated, but more services could be added.
For instance:
```
/ip service set www-ssl certificate=$_cdomain.cer_0
/ip service set api-ssl certificate=$_cdomain.cer_0
```
One optional thing to do as well is to create a script that updates all the required services and run that script in a single command.

12
deploy/routeros.sh
View File

@ -32,10 +32,8 @@ routeros_deploy() {
_info "Trying to push key '$_ckey' to router" _info "Trying to push key '$_ckey' to router"
scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key" scp "$_ckey" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.key"
_info "Trying to push cert '$_ccert' to router"
scp "$_ccert" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
_info "Trying to push ca cert '$_cca' to router"
scp "$_cca" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.ca"
_info "Trying to push cert '$_cfullchain' to router"
scp "$_cfullchain" "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST:$_cdomain.cer"
# shellcheck disable=SC2029 # shellcheck disable=SC2029
ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" bash -c "' ssh "$ROUTER_OS_USERNAME@$ROUTER_OS_HOST" bash -c "'
@ -43,24 +41,18 @@ routeros_deploy() {
/certificate remove $_cdomain.cer_1 /certificate remove $_cdomain.cer_1
/certificate remove $_cdomain.ca_0
delay 1 delay 1
/certificate import file-name=$_cdomain.cer passphrase=\"\" /certificate import file-name=$_cdomain.cer passphrase=\"\"
/certificate import file-name=$_cdomain.key passphrase=\"\" /certificate import file-name=$_cdomain.key passphrase=\"\"
/certificate import file-name=$_cdomain.ca passphrase=\"\"
delay 1 delay 1
/file remove $_cdomain.cer /file remove $_cdomain.cer
/file remove $_cdomain.key /file remove $_cdomain.key
/file remove $_cdomain.ca
delay 2 delay 2
/ip service set www-ssl certificate=$_cdomain.cer_0 /ip service set www-ssl certificate=$_cdomain.cer_0

Write Preview
Loading…
Cancel
Save