Merge branch 'release/1.0.0'

Author: Limych

.gitignore

@@ -1 +1,3 @@
 deploy_config
+acme.sh
+http.header

README.md

@@ -1,12 +1,22 @@
-# deploy-freenas
+# deploy-freenas.sh
 
-deploy-freenas.py is a Python script to deploy TLS certificates to a FreeNAS server using the FreeNAS API.  This should ensure that the certificate data is properly stored in the configuration database, and that all appropriate services use this certificate.  It's intended to be called from a Let's Encrypt client like [acme.sh](https://github.com/Neilpang/acme.sh) after the certificate is issued, so that the entire process of issuance (or renewal) and deployment can be automated.
+deploy-freenas.sh is a shell script to deploy TLS certificates to a FreeNAS server using the FreeNAS API.  This should ensure that the certificate data is properly stored in the configuration database, and that all appropriate services use this certificate.  It's intended to be called from a Let's Encrypt client like [acme.sh](https://github.com/Neilpang/acme.sh) after the certificate is issued, so that the entire process of issuance (or renewal) and deployment can be automated.
+
+This project was remade from project deploy-freenas.py by danb35 due to the impossibility of using Python in the closed structure of the OPNsense system.
 
 # Installation
-This script can run on any machine running Python 3 that has network access to your FreeNAS server, but in most cases it's best to run it directly on the FreeNAS box.  Change to a convenient directory and run `git clone https://github.com/danb35/deploy-freenas`.
+This script can run on any machine running Bourne shell (all *nix systems, macOS; for Windows you need to install additional package, like [CygWin](https://www.cygwin.com/)) that has network access to your FreeNAS server, but in most cases it's best to run it directly on the FreeNAS box.  Change to a convenient directory and run `git clone https://github.com/Limych/deploy-freenas`
+
+<p align="center">* * *</p>
+I put a lot of work into making this repo available and updated to inspire and help others! I will be glad to receive thanks from you — it will give me new strength and add enthusiasm:
+<p align="center"><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=UAGFL5L6M8RN2&item_name=[deploy-freenas]+Donation+for+a+big+barrel+of+coffee+:)&currency_code=EUR&source=url"><img alt="Buy Me a Coffe" src="https://raw.githubusercontent.com/Limych/HomeAssistantConfiguration/master/docs/images/donate-with-paypal.png"></a></p>
 
 # Usage
 
+There are now two ways to usage of this script:
+
+## Usage as independent script
+
 The relevant configuration takes place in the `deploy_config` file.  You can create this file either by copying `depoy_config.example` from this repository, or directly using your preferred text editor.  Its format is as follows:
 
 ```
@@ -23,10 +33,21 @@ port = 443
 
 Everything but the password is optional, and the defaults are documented in `depoy_config.example`.
 
-Once you've prepared `deploy_config`, you can run `deploy_freenas.py`.  The intended use is that it would be called by your ACME client after issuing a certificate.  With acme.sh, for example, you'd add `--deploy-hook "/path/to/deploy_freenas.py"` to your command.
+Once you've prepared `deploy_config`, you can run `deploy_freenas.sh`.  The intended use is that it would be called by your ACME client after issuing a certificate.  With acme.sh, for example, you'd add `--deploy-hook "/path/to/deploy_freenas.sh"` to your command.
 
-There is an optional paramter, `-c` or `--config`, that lets you specify the path to your configuration file. By default the script will try to use `deploy_config` in the script working directoy:
+There is an optional parameter, `-c` or `--config`, that lets you specify the path to your configuration file. By default the script will try to use `deploy_config` in the script working directoy:
 
 ```
-/path/to/deploy_freenas.py --config /somewhere/else/deploy_config
+/path/to/deploy_freenas.sh --config /somewhere/else/deploy_config
+```
+
+## Usage as part of acme.sh
+
+Install deployer to existing acme.sh installation by `install2acme.sh` script.
+
+Then you can deploy certificates like with other [deploy hooks](https://github.com/Neilpang/acme.sh/wiki/deployhooks):
+```bash
+export FREENAS_PASSWORD="xxxxxxx"   # Required
+export FREENAS_HOST="https://example.com:443"   # Optional. Default: "http://localhost:80"
+acme.sh --deploy -d example.com --deploy-hook freenas
 ```

deploy/freenas.sh

@@ -0,0 +1,125 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificate to a FreeNAS server
+
+# The following variables exported from environment will be used.
+# If not set then values previously saved in domain.conf file are used.
+
+# Required variables:
+# export FREENAS_PASSWORD="xxxxxxx"
+#
+# Optional variables (default values described):
+# export FREENAS_HOST="http://localhost:80"
+# export FREENAS_VERIFY=false
+
+#domain keyfile certfile cafile fullchain
+freenas_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  _fullchain=$(tr '\n\r' '@#' <"$_cfullchain" | sed 's/@/\\n/g;s/#/\\r/g')
+  _key=$(tr '\n\r' '@#' <"$_ckey" | sed 's/@/\\n/g;s/#/\\r/g')
+
+  _debug _fullchain "$_fullchain"
+  _debug _key "$_key"
+
+  if [ -z "$FREENAS_PASSWORD" ]; then
+    if [ -z "$Le_Deploy_FreeNAS_password" ]; then
+      _err "FREENAS_PASSWORD not defined."
+      return 1
+    fi
+  else
+    Le_Deploy_FreeNAS_password="$FREENAS_PASSWORD"
+    _savedomainconf Le_Deploy_FreeNAS_password "$Le_Deploy_FreeNAS_password"
+  fi
+
+  if [ -z "$FREENAS_HOST" ]; then
+    if [ -z "$Le_Deploy_FreeNAS_host" ]; then
+      Le_Deploy_FreeNAS_host="http://localhost:80"
+      _savedomainconf Le_Deploy_freenas_host "$Le_Deploy_FreeNAS_host"
+    fi
+  else
+    Le_Deploy_FreeNAS_host="$FREENAS_HOST"
+    _savedomainconf Le_Deploy_freenas_host "$Le_Deploy_FreeNAS_host"
+  fi
+
+  if [ -z "$FREENAS_VERIFY" ]; then
+    if [ -z "$Le_Deploy_FreeNAS_verify" ]; then
+      Le_Deploy_FreeNAS_verify=false
+      _savedomainconf Le_Deploy_FreeNAS_verify "$Le_Deploy_FreeNAS_verify"
+    fi
+  else
+    Le_Deploy_FreeNAS_verify="$FREENAS_VERIFY"
+    _savedomainconf Le_Deploy_FreeNAS_verify "$Le_Deploy_FreeNAS_verify"
+  fi
+
+  _api_base="${Le_Deploy_FreeNAS_host}/api/v1.0"
+#  _cert=$(date +letsencrypt-%Y-%m-%d-%H%M%S)
+  _cert=$(date +letsencrypt-%Y-%m-%d)
+  _realm=$(printf "%s:%s" "root" "$Le_Deploy_FreeNAS_password" | _base64)
+
+  _debug _api_base "$_api_base"
+  _debug _cert "$_cert"
+  _debug _realm "$_realm"
+
+  _info "Update or create SSL certificate"
+  export _H1="Authorization: Basic $_realm"
+  export _H2="Content-Type: application/json"
+  _request="{\"cert_name\":\"$_cert\",\"cert_certificate\":\"$_fullchain\",\"cert_privatekey\":\"$_key\"}"
+  _debug _request "$_request"
+  _response="$(_post "$_request" "$_api_base/system/certificate/import/")"
+  _debug _response "$_response"
+
+  if echo "$_response" | grep -q "certificate with this name already exists"; then
+    _err "SSL certificate with name '$_cert' are already exists. Stop deploying"
+    return 0
+  elif [ "$_response" != "Certificate imported." ]; then
+    _err "Error SSL certificate import"
+    return 1
+  fi
+
+  _info "Download certificate list and parse it to find the ID that matches our cert name"
+  _response=$(_get "$_api_base/system/certificate/?limit=0")
+  _debug _response "$_response"
+  _regex="^.*\"cert_name\": *\"$_cert\".*$"
+  _debug _regex "$_regex"
+  _resource=$(echo "$_response" | sed 's/},{/},\n{/g' | _egrep_o "$_regex")
+  _debug _resource "$_resource"
+  _regex="^.*\"cert_name\": \"$_cert\".*$"
+  _debug _regex "$_regex"
+  _resource=$(echo "$_response" | sed 's/},{/},\n{/g' | _egrep_o "$_regex")
+  _debug _resource "$_resource"
+  _regex=".*\"id\": *\([0-9]*\).*$"
+  _debug _regex "$_regex"
+  _cert_id=$(echo "$_resource" | sed -n "s/$_regex/\1/p")
+  _debug _resourceId "$_cert_id"
+
+  _info "Set our cert as active"
+  _request="{\"stg_guicertificate\":\"$_cert_id\"}"
+  _response=$(_post "$_request" "$_api_base/system/settings/" '' "PUT")
+  _debug _response "$_response"
+
+  _info "Reload nginx with new cert"
+  _response="$(_post "" "$_api_base/system/settings/restart-httpd-all/")"
+  _debug _response "$_response"
+
+  # Make time for httpd for reloading
+  sleep 3
+
+  _info "Set our cert as active for FTP plugin"
+  _request="{\"ftp_ssltls_certfile\":\"$_cert\"}"
+  _response=$(_post "$_request" "$_api_base/services/ftp/" '' "PUT")
+  _debug _response "$_response"
+
+  _info "Certificate successfully deployed"
+  return 0
+}

deploy_config.example

@@ -17,7 +17,7 @@ password = YourSuperSecurePassword#@#$*
 # verify sets whether the script will attempt to verify the server's certificate with a HTTPS
 # connection.  Set to true if you're using a HTTPS connection to a remote host.  If connect_host
 # is set to localhost (or is unset), set to false.  Default is false.
-# verify = false
+# verify = true
 
 # privkey_path is the path to the certificate private key on your system.  Default
 # assumes you're using acme.sh: