@ -9,26 +9,33 @@
# Issues: https://github.com/acmesh-official/acme.sh/issues/2727
# Issues: https://github.com/acmesh-official/acme.sh/issues/2727
################################################################################
################################################################################
# Usage:
# Usage:
# 1. Set required environment variables (two ways):
# - Create temp admin user automatically
# `export SYNO_UseTempAdmin=1`
# - Or provide your own admin user credential by:
# 1. Set required environment variables:
# - use automatically created temp admin user to authenticate
# 1. disable "enfore 2FA-OTP for admins" via control panel
# 2. `export SYNO_UseTempAdmin=1`
# - or provide your own admin user credential to authenticate
# 1. `export SYNO_Username="adminUser"`
# 1. `export SYNO_Username="adminUser"`
# 2. `export SYNO_Password="adminPassword"`
# 2. `export SYNO_Password="adminPassword"`
# 2. Set optional environment variables (shown values are the defaults)
# 2. Set optional environment variables (shown values are the defaults)
# - `export SYNO_Scheme="http"`
# - `export SYNO_Hostname="localhost"`
# - `export SYNO_Port="5000"`
# - `export SYNO_Create=1` - to allow creating the cert if it doesn't exist
# - `export SYNO_Certificate=""` - to replace a specific cert by its description
# - `export SYNO_DeviceName=""` - required for 2FA-OTP
# - `export SYNO_DeviceID=""` - required for omitting 2FA-OTP (only pro
# users may set)
# - common optional variables
# - `export SYNO_Scheme="http"`
# - `export SYNO_Hostname="localhost"`
# - `export SYNO_Port="5000"`
# - `export SYNO_Create=1` - to allow creating the cert if it doesn't exist
# - `export SYNO_Certificate=""` - to replace a specific cert by its
# description
# - 2FA-OTP optional variables (with your own admin user)
# - `export SYNO_DeviceName=""` - required for 2FA-OTP, script won't require
# interactive input the device name if set.
# - `export SYNO_OTPCode=""` - required for 2FA-OTP, script won't require
# interactive input the code if set.
# - `export SYNO_DeviceID=""` - required for omitting 2FA-OTP (might be
# deprecated, auth with OTP code instead)
# 3. Run command:
# 3. Run command:
# acme.sh --deploy --deploy-hook synology_dsm -d example.com
# acme.sh --deploy --deploy-hook synology_dsm -d example.com
################################################################################
################################################################################
# Dependencies:
# Dependencies:
# - jq & curl
# - curl
# - synouser & synogroup (When available and SYNO_UseTempAdmin is set)
# - synouser & synogroup (When available and SYNO_UseTempAdmin is set)
################################################################################
################################################################################
# Return value:
# Return value:
@ -48,44 +55,48 @@ synology_dsm_deploy() {
# Get username and password, but don't save until we authenticated successfully
# Get username and password, but don't save until we authenticated successfully
_getdeployconf SYNO_Username
_getdeployconf SYNO_Username
_getdeployconf SYNO_Password
_getdeployconf SYNO_Password
_getdeployconf SYNO_DeviceName
_getdeployconf SYNO_DeviceID
_getdeployconf SYNO_DeviceID
_getdeployconf SYNO_Creat e
_getdeployconf SYNO_DeviceNam e
# ## START ## - DEPRECATED, for backward compatibility
# ## START ## - DEPRECATED, for backward compatibility
_getdeployconf SYNO_Device_ID
_getdeployconf SYNO_Device_ID
_getdeployconf SYNO_Device_Name
_getdeployconf SYNO_Device_Name
[ -n " $SYNO_DeviceID " ] || SYNO_DeviceID = " $ SYNO_Device_ID"
[ -n " $SYNO_DeviceName " ] || SYNO_DeviceName = " $ SYNO_Device_Name"
[ -n " $SYNO_DeviceID " ] || SYNO_DeviceID = " ${ SYNO_Device_ID :- } "
[ -n " $SYNO_DeviceName " ] || SYNO_DeviceName = " ${ SYNO_Device_Name :- } "
# ## END ## - DEPRECATED, for backward compatibility
# ## END ## - DEPRECATED, for backward compatibility
[ -n " $SYNO_Create " ] || SYNO_Create = 1
# Prepare to use temp admin if SYNO_UseTempAdmin is set
# Prepare to use temp admin if SYNO_UseTempAdmin is set
_getdeployconf SYNO_UseTempAdmin
_getdeployconf SYNO_UseTempAdmin
_debug2 SYNO_UseTempAdmin " $SYNO_UseTempAdmin "
_debug2 SYNO_UseTempAdmin " $SYNO_UseTempAdmin "
# Back to use existing admin user if explicitly requested
if [ " $SYNO_UseTempAdmin " -eq 0 ] ; then
_debug2 Back to use existing user rather than temp admin user.
SYNO_UseTempAdmin = ""
fi
_savedeployconf SYNO_UseTempAdmin " $SYNO_UseTempAdmin "
if [ -n " $SYNO_UseTempAdmin " ] ; then
if [ -n " $SYNO_UseTempAdmin " ] ; then
if ! _exists synouser || ! _exists synogroup; then
if ! _exists synouser || ! _exists synogroup; then
_err "Tools are missing for creating temp admin user, please set SYNO_Username and SYNO_Password instead."
_err "Tools are missing for creating temp admin user, please set SYNO_Username and SYNO_Password instead."
return 1
return 1
fi
fi
# Clean up
[ -n " $SYNO_Username " ] || _savedeployconf SYNO_Username ""
[ -n " $SYNO_Username " ] || _savedeployconf SYNO_Username ""
[ -n " $SYNO_Password " ] || _savedeployconf SYNO_Password ""
[ -n " $SYNO_Password " ] || _savedeployconf SYNO_Password ""
synouser --del " $SYNO_Username " >/dev/null 2>/dev/null
_debug "Setting temp admin user credential..."
_debug "Setting temp admin user credential..."
SYNO_Username = sc-acmesh-tmp
SYNO_Username = sc-acmesh-tmp
SYNO_Password = $( head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
SYNO_Password = $( head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
# Ignore 2FA-OTP settings which won't be needed.
# Set 2FA-OTP settings to empty consider they won't be needed.
SYNO_DeviceID =
SYNO_DeviceID =
SYNO_DeviceName =
SYNO_DeviceName =
_savedeployconf SYNO_UseTempAdmin " $SYNO_UseTempAdmin "
SYNO_OTPCode =
# Pre-delete temp admin user if already exists.
synouser --del " $SYNO_Username " >/dev/null 2>/dev/null
else
else
_debug2 SYNO_Username " $SYNO_Username "
_debug2 SYNO_Username " $SYNO_Username "
_secure_debug2 SYNO_Password " $SYNO_Password "
_secure_debug2 SYNO_Password " $SYNO_Password "
_debug2 SYNO_Create " $SYNO_Create "
_debug2 SYNO_DeviceName " $SYNO_DeviceName "
_debug2 SYNO_DeviceName " $SYNO_DeviceName "
_secure_debug2 SYNO_DeviceID " $SYNO_DeviceID "
_secure_debug2 SYNO_DeviceID " $SYNO_DeviceID "
fi
fi
@ -114,7 +125,7 @@ synology_dsm_deploy() {
# Get the certificate description, but don't save it until we verify it's real
# Get the certificate description, but don't save it until we verify it's real
_getdeployconf SYNO_Certificate
_getdeployconf SYNO_Certificate
_debug SYNO_Certificate " $ SYNO_Certificate"
_debug SYNO_Certificate " ${ SYNO_Certificate :- } "
# shellcheck disable=SC1003 # We are not trying to escape a single quote
# shellcheck disable=SC1003 # We are not trying to escape a single quote
if printf "%s" " $SYNO_Certificate " | grep '\\' ; then
if printf "%s" " $SYNO_Certificate " | grep '\\' ; then
@ -122,20 +133,6 @@ synology_dsm_deploy() {
return 1
return 1
fi
fi
# Create temp admin user
if [ -n " $SYNO_UseTempAdmin " ] ; then
_debug "Creating temp admin user in Synology DSM..."
synouser --add " $SYNO_Username " " $SYNO_Password " "" 0 "scruelt@hotmail.com" 0 >/dev/null
if [ -n " $( synogroup --help | grep '\-\-memberadd' ) " ] ; then
synogroup --memberaddx administrators " $SYNO_Username " >/dev/null
else
# For supporting DSM 6.x which only has `--member` parameter.
cur_admins = $( synogroup --get administrators | awk -F '[][]' '/Group Members/,0{if(NF>1)printf "%s ", $2}' )
_secure_debug3 admin_users " $cur_admins $SYNO_Username "
synogroup --memberx administrators $cur_admins $SYNO_Username >/dev/null
fi
fi
_debug "Getting API version..."
_debug "Getting API version..."
_base_url = " $SYNO_Scheme :// $SYNO_Hostname : $SYNO_Port "
_base_url = " $SYNO_Scheme :// $SYNO_Hostname : $SYNO_Port "
_debug _base_url " $_base_url "
_debug _base_url " $_base_url "
@ -151,7 +148,6 @@ synology_dsm_deploy() {
encoded_username = " $( printf "%s" " $SYNO_Username " | _url_encode) "
encoded_username = " $( printf "%s" " $SYNO_Username " | _url_encode) "
encoded_password = " $( printf "%s" " $SYNO_Password " | _url_encode) "
encoded_password = " $( printf "%s" " $SYNO_Password " | _url_encode) "
otp_code = ""
# ## START ## - DEPRECATED, for backward compatibility
# ## START ## - DEPRECATED, for backward compatibility
_getdeployconf SYNO_TOTP_SECRET
_getdeployconf SYNO_TOTP_SECRET
@ -178,31 +174,85 @@ synology_dsm_deploy() {
response = $( _post " method=login&account= $encoded_username &passwd= $encoded_password &api=SYNO.API.Auth&version= $api_version &enable_syno_token=yes&otp_code= $DEPRECATED_otp_code &device_name=certrenewal&device_id= $SYNO_DeviceID " " $_base_url /webapi/auth.cgi?enable_syno_token=yes " )
response = $( _post " method=login&account= $encoded_username &passwd= $encoded_password &api=SYNO.API.Auth&version= $api_version &enable_syno_token=yes&otp_code= $DEPRECATED_otp_code &device_name=certrenewal&device_id= $SYNO_DeviceID " " $_base_url /webapi/auth.cgi?enable_syno_token=yes " )
_debug3 response " $response "
_debug3 response " $response "
# ## END ## - DEPRECATED, for backward compatibility
# ## END ## - DEPRECATED, for backward compatibility
# If SYNO_Device_ID & SYNO_DeviceName both empty, just log in normally
elif [ -z " ${ SYNO_DeviceID :- } " ] && [ -z " ${ SYNO_DeviceName :- } " ] ; then
response = $( _get " $_base_url /webapi/entry.cgi?api=SYNO.API.Auth&version= $api_version &method=login&format=sid&account= $encoded_username &passwd= $encoded_password &enable_syno_token=yes " )
_debug3 response " $response "
# Get device ID if still empty first, otherwise log in right away
# If SYNO_DeviceName is set, we treat that account enabled two-factor authorization, consider SYNO_DeviceID is not set, so it won't be able to login without requiring the OTP code.
elif [ -n " ${ SYNO_DeviceName :- } " ] && [ -z " ${ SYNO_DeviceID :- } " ] ; then
# If SYNO_DeviceID or SYNO_OTPCode is set, we treat current account enabled 2FA-OTP.
# Notice that if SYNO_UseTempAdmin=1, both variables will be unset
else
if [ -n " $SYNO_UseTempAdmin " ] ; then
_debug "Creating temp admin user in Synology DSM..."
synouser --add " $SYNO_Username " " $SYNO_Password " "" 0 "scruelt@hotmail.com" 0 >/dev/null
if synogroup --help | grep -q '\-\-memberadd' ; then
synogroup --memberadd administrators " $SYNO_Username " >/dev/null
else
# For supporting DSM 6.x which only has `--member` parameter.
cur_admins = $( synogroup --get administrators | awk -F '[][]' '/Group Members/,0{if(NF>1)printf "%s ", $2}' )
_secure_debug3 admin_users " $cur_admins $SYNO_Username "
# shellcheck disable=SC2086
synogroup --member administrators $cur_admins $SYNO_Username >/dev/null
fi
fi
if [ -n " $SYNO_DeviceID " ] || [ -n " $SYNO_OTPCode " ] ; then
response = '{"error":{"code":403}}'
# Assume the current account disabled 2FA-OTP, try to log in right away.
else
response = $( _get " $_base_url /webapi/entry.cgi?api=SYNO.API.Auth&version= $api_version &method=login&format=sid&account= $encoded_username &passwd= $encoded_password &enable_syno_token=yes " )
_debug3 response " $response "
fi
fi
error_code = $( echo " $response " | grep '"error"' | grep -oP '(?<="code":)\d+' )
# Account has 2FA-OTP enabled, since error 403 reported.
if [ " ${ error_code :- 0 } " -eq 403 ] ; then
if [ -z " $SYNO_DeviceName " ] ; then
printf "Enter device name or leave empty for default (CertRenewal): "
read -r SYNO_DeviceName
[ -n " $SYNO_DeviceName " ] || SYNO_DeviceName = "CertRenewal"
fi
if [ -n " $SYNO_DeviceID " ] ; then
# Omit OTP code with SYNO_DeviceID.
response = $( _get " $_base_url /webapi/ $api_path ?api=SYNO.API.Auth&version= $api_version &method=login&format=sid&account= $encoded_username &passwd= $encoded_password &enable_syno_token=yes&device_name= $SYNO_DeviceName &device_id= $SYNO_DeviceID " )
_secure_debug3 response " $response "
else
# Require the OTP code if still unset.
if [ -z " $SYNO_OTPCode " ] ; then
printf "Enter OTP code for user '%s': " " $SYNO_Username "
printf "Enter OTP code for user '%s': " " $SYNO_Username "
read -r otp_code
response = $( _get " $_base_url /webapi/ $api_path ?api=SYNO.API.Auth&version= $api_version &method=login&format=sid&account= $encoded_username &passwd= $encoded_password &otp_code= $otp_code &enable_syno_token=yes&enable_device_token=yes&device_name= $SYNO_DeviceName " )
read -r SYNO_OTPCode
fi
if [ -z " $SYNO_OTPCode " ] ; then
response = '{"error":{"code":404}}'
else
response = $( _get " $_base_url /webapi/ $api_path ?api=SYNO.API.Auth&version= $api_version &method=login&format=sid&account= $encoded_username &passwd= $encoded_password &enable_syno_token=yes&enable_device_token=yes&device_name= $SYNO_DeviceName &otp_code= $SYNO_OTPCode " )
_secure_debug3 response " $response "
_secure_debug3 response " $response "
id_property = 'device_id'
id_property = 'device_id'
[ " ${ api_version } " -gt '6' ] || id_property = 'did'
[ " ${ api_version } " -gt '6' ] || id_property = 'did'
SYNO_DeviceID = $( echo " $response " | grep " $id_property " | sed -n 's/.*"' $id_property '" *: *"\([^"]*\).*/\1/p' )
SYNO_DeviceID = $( echo " $response " | grep " $id_property " | sed -n 's/.*"' $id_property '" *: *"\([^"]*\).*/\1/p' )
_secure_debug2 SYNO_DeviceID " $SYNO_DeviceID "
_secure_debug2 SYNO_DeviceID " $SYNO_DeviceID "
# Otherwise, if SYNO_DeviceID is set, we can just use it to login.
else
if [ -z " ${ SYNO_DeviceName :- } " ] ; then
printf "Enter device name or leave empty for default (CertRenewal): "
read -r SYNO_DeviceName
[ -n " ${ SYNO_DeviceName } " ] || SYNO_DeviceName = "CertRenewal"
fi
fi
fi
response = $( _get " $_base_url /webapi/ $api_path ?api=SYNO.API.Auth&version= $api_version &method=login&format=sid&account= $encoded_username &passwd= $encoded_password &enable_syno_token=yes&device_name= $SYNO_DeviceName &device_id= $SYNO_DeviceID " )
_secure_debug3 response " $response "
error_code = $( echo " $response " | grep '"error"' | grep -oP '(?<="code":)\d+' )
fi
if [ -n " $error_code " ] ; then
if [ " $error_code " -eq 403 ] && [ -n " $SYNO_DeviceID " ] ; then
_savedeployconf SYNO_DeviceID ""
_err "Failed to authenticate with SYNO_DeviceID (may expired or invalid), please try again in a new terminal window."
elif [ " $error_code " -eq 404 ] ; then
_err "Failed to authenticate with provided 2FA-OTP code, please try again in a new terminal window."
elif [ " $error_code " -eq 406 ] ; then
if [ -n " $SYNO_UseTempAdmin " ] ; then
_err "SYNO_UseTempAdmin=1 is not supported if enforce auth with 2FA-OTP is enabled."
else
_err "Enforce auth with 2FA-OTP enabled, please configure the user to enable 2FA-OTP to continue."
fi
elif [ " $error_code " -eq 400 ] || [ " $error_code " -eq 401 ] || [ " $error_code " -eq 408 ] || [ " $error_code " -eq 409 ] || [ " $error_code " -eq 410 ] ; then
_err "Failed to authenticate with a non-existent or disabled account, or the account password is incorrect or has expired."
else
_err " Failed to authenticate with error: $error_code . "
fi
_temp_admin_cleanup " $SYNO_UseTempAdmin " " $SYNO_Username "
return 1
fi
fi
sid = $( echo " $response " | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p' )
sid = $( echo " $response " | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p' )
@ -210,11 +260,9 @@ synology_dsm_deploy() {
_debug "Session ID" " $sid "
_debug "Session ID" " $sid "
_debug SynoToken " $token "
_debug SynoToken " $token "
if [ -z " $sid " ] || [ -z " $token " ] ; then
if [ -z " $sid " ] || [ -z " $token " ] ; then
_err " Unable to authenticate to $_base_url - check your username & password. "
_err "If two-factor authentication is enabled for the user:"
_err "- set SYNO_DeviceName then input *correct* OTP-code manually"
_err "- get & set SYNO_DeviceID via your browser cookies"
_remove_temp_admin " $SYNO_USE_TEMP_ADMIN " " $SYNO_Username "
# Still can't get necessary info even got no errors, may Synology have API updated?
_err " Unable to authenticate to $_base_url , you may report the full log to the community. "
_temp_admin_cleanup " $SYNO_UseTempAdmin " " $SYNO_Username "
return 1
return 1
fi
fi
@ -223,12 +271,15 @@ synology_dsm_deploy() {
_debug2 H1 " ${ _H1 } "
_debug2 H1 " ${ _H1 } "
# Now that we know the username and password are good, save them if not in temp admin mode.
# Now that we know the username and password are good, save them if not in temp admin mode.
if [ -z " $SYNO_UseTempAdmin " ] ; then
if [ -n " $SYNO_UseTempAdmin " ] ; then
_savedeployconf SYNO_Username ""
_savedeployconf SYNO_Password ""
else
_savedeployconf SYNO_Username " $SYNO_Username "
_savedeployconf SYNO_Username " $SYNO_Username "
_savedeployconf SYNO_Password " $SYNO_Password "
_savedeployconf SYNO_Password " $SYNO_Password "
_savedeployconf SYNO_DeviceID " $SYNO_DeviceID "
_savedeployconf SYNO_DeviceName " $SYNO_DeviceName "
fi
fi
_savedeployconf SYNO_DeviceID " $SYNO_DeviceID "
_savedeployconf SYNO_DeviceName " $SYNO_DeviceName "
_info "Getting certificates in Synology DSM..."
_info "Getting certificates in Synology DSM..."
response = $( _post " api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid= $sid " " $_base_url /webapi/entry.cgi " )
response = $( _post " api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid= $sid " " $_base_url /webapi/entry.cgi " )
@ -238,9 +289,24 @@ synology_dsm_deploy() {
id = $( echo " $response " | sed -n " s/.*\"desc\":\" $escaped_certificate \",\"id\":\"\([^\"]*\).*/\1/p " )
id = $( echo " $response " | sed -n " s/.*\"desc\":\" $escaped_certificate \",\"id\":\"\([^\"]*\).*/\1/p " )
_debug2 id " $id "
_debug2 id " $id "
error_code = $( echo " $response " | grep '"error"' | grep -oP '(?<="code":)\d+' )
if [ -n " $error_code " ] ; then
if [ " $error_code " -eq 105 ] ; then
_err "Current user is not administrator and does not have sufficient permission for deploying."
else
_err " Failed to fetch certificate info with error: $error_code , contact Synology for more info about it. "
fi
_temp_admin_cleanup " $SYNO_UseTempAdmin " " $SYNO_Username "
return 1
fi
_getdeployconf SYNO_Create
_debug2 SYNO_Create " $SYNO_Create "
[ -n " $SYNO_Create " ] || SYNO_Create = 1
if [ -z " $id " ] && [ -z " $SYNO_Create " ] ; then
if [ -z " $id " ] && [ -z " $SYNO_Create " ] ; then
_err " Unable to find certificate: $SYNO_Certificate and $SYNO_Create is not set. "
_err " Unable to find certificate: $SYNO_Certificate and $SYNO_Create is not set. "
_remove_temp_admin " $SYNO_UseTempAdmin " " $SYNO_Username "
_temp_admin_cleanup " $SYNO_UseTempAdmin " " $SYNO_Username "
return 1
return 1
fi
fi
@ -275,11 +341,11 @@ synology_dsm_deploy() {
else
else
_info "Restarting HTTP services failed."
_info "Restarting HTTP services failed."
fi
fi
_remove_ temp_admin " $SYNO_UseTempAdmin " " $SYNO_Username "
_temp_admin_cleanup " $SYNO_UseTempAdmin " " $SYNO_Username "
_logout
_logout
return 0
return 0
else
else
_remove_ temp_admin " $SYNO_UseTempAdmin " " $SYNO_Username "
_temp_admin_cleanup " $SYNO_UseTempAdmin " " $SYNO_Username "
_err " Unable to update certificate, error code $response . "
_err " Unable to update certificate, error code $response . "
_logout
_logout
return 1
return 1
@ -293,12 +359,12 @@ _logout() {
_debug3 response " $response "
_debug3 response " $response "
}
}
_remove _temp_admin( ) {
_temp_admin_cleanup ( ) {
flag = $1
flag = $1
username = $2
username = $2
if [ -n " ${ flag } " ] ; then
if [ -n " ${ flag } " ] ; then
_debug "Removing temp admin user in Synology DSM ..."
_debug "Cleanuping temp admin info ..."
synouser --del " $username " >/dev/null
synouser --del " $username " >/dev/null
fi
fi
}
}