From 26febd844b3cdb8d239fe1ddbb763e45d8805205 Mon Sep 17 00:00:00 2001
From: threeplanetssoftware
Date: Thu, 11 Jul 2019 21:26:17 -0400
Subject: [PATCH 1/2] Updated README and settings file to reflect the use of RSA private keys, vice DSA.

RSA private keys require manual intervention from the user to add a PubkeyAcceptedKeyTypes setting to their SSH config file in OpenSSH 7+ and users may not be aware.
---
 README.md | 18 +++++++++---------
 letsencrypt-routeros.settings | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 0a770b2..0cdd0e6 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
 ### How it works:
 * Dedicated Linux renew and push certificates to RouterOS / Mikrotik
 * After CertBot renew your certificates
-* The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
+* The script connects to RouterOS / Mikrotik using RSA Key (without password or user input)
 * Delete previous certificate files
 * Delete the previous certificate
 * Upload two new files: **Certificate** and **Key**
@@ -35,7 +35,7 @@ vim /opt/letsencrypt-routeros/letsencrypt-routeros.settings
 | ROUTEROS_USER | admin | user with admin rights to connect to RouterOS |
 | ROUTEROS_HOST | 10.0.254.254 | RouterOS\Mikrotik IP |
 | ROUTEROS_SSH_PORT | 22 | RouterOS\Mikrotik PORT |
-| ROUTEROS_PRIVATE_KEY | /opt/letsencrypt-routeros/id_dsa | Private Key to connecto to RouterOS |
+| ROUTEROS_PRIVATE_KEY | /opt/letsencrypt-routeros/id_rsa | Private RSA Key to connecto to RouterOS |
 | DOMAIN | mydomain.com | Use main domain for wildcard certificate or subdomain for subdomain certificate | 
@@ -43,18 +43,18 @@ Change permissions:
 ```sh
 chmod +x /opt/letsencrypt-routeros/letsencrypt-routeros.sh
 ```
-Generate DSA Key for RouterOS
+Generate RSA Key for RouterOS
 *Make sure to leave the passphrase blank (-N "")*
 ```sh
-ssh-keygen -t dsa -f /opt/letsencrypt-routeros/id_dsa -N ""
+ssh-keygen -t rsa -f /opt/letsencrypt-routeros/id_rsa -N ""
 ```
-Send Generated DSA Key to RouterOS / Mikrotik
+Send Generated RSA Key to RouterOS / Mikrotik
 ```sh
 source /opt/letsencrypt-routeros/letsencrypt-routeros.settings
-scp -P $ROUTEROS_SSH_PORT /opt/letsencrypt-routeros/id_dsa.pub "$ROUTEROS_USER"@"$ROUTEROS_HOST":"id_dsa.pub"
+scp -P $ROUTEROS_SSH_PORT /opt/letsencrypt-routeros/id_rsa.pub "$ROUTEROS_USER"@"$ROUTEROS_HOST":"id_rsa.pub"
 ```
 ### Setup RouterOS / Mikrotik side
@@ -67,8 +67,8 @@ scp -P $ROUTEROS_SSH_PORT /opt/letsencrypt-routeros/id_dsa.pub "$ROUTEROS_USER"@
 :put "Enable SSH"
 /ip service enable ssh
-:put "Add to the user DSA Public Key"
-/user ssh-keys import user=admin public-key-file=id_dsa.pub
+:put "Add to the user RSA Public Key"
+/user ssh-keys import user=admin public-key-file=id_rsa.pub
 ```
 ### CertBot Let's Encrypt
@@ -92,7 +92,7 @@ certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-
 ```
 ### Usage of the script
-*To use settings form the settings file:*
+*To use settings from the settings file:*
 ```sh
 ./opt/letsencrypt-routeros/letsencrypt-routeros.sh
 ```
diff --git a/letsencrypt-routeros.settings b/letsencrypt-routeros.settings
index 7b59f7b..5bb344e 100644
--- a/letsencrypt-routeros.settings
+++ b/letsencrypt-routeros.settings
@@ -5,5 +5,5 @@
 ROUTEROS_USER=admin
 ROUTEROS_HOST=10.0.254.254
 ROUTEROS_SSH_PORT=22
-ROUTEROS_PRIVATE_KEY=/opt/letsencrypt-routeros/id_dsa
+ROUTEROS_PRIVATE_KEY=/opt/letsencrypt-routeros/id_rsa
 DOMAIN=vpnserver.yourdomain.com

From 763ca6e066ac65e8dfde1d1df2e52abac59be23d Mon Sep 17 00:00:00 2001
From: threeplanetssoftware
Date: Thu, 11 Jul 2019 22:04:24 -0400
Subject: [PATCH 2/2] Updated script to add in auto-setting of api-ssl, www-ssl services, as well as additional debugging information for the user.

Added variables for key phrases that are repeated to cut down on typo options and ease of changing in the future.
---
 letsencrypt-routeros.sh | 56 +++++++++++++++++++++++++++++++++--------
 1 file changed, 46 insertions(+), 10 deletions(-)
 mode change 100644 => 100755 letsencrypt-routeros.sh

diff --git a/letsencrypt-routeros.sh b/letsencrypt-routeros.sh
old mode 100644
new mode 100755
index a654821..d4642ed
--- a/letsencrypt-routeros.sh
+++ b/letsencrypt-routeros.sh
@@ -21,9 +21,17 @@ fi
 CERTIFICATE=/etc/letsencrypt/live/$DOMAIN/cert.pem
 KEY=/etc/letsencrypt/live/$DOMAIN/privkey.pem
+echo ""
+echo "Updating certificate for $DOMAIN"
+echo " Using certificate $CERTIFICATE"
+echo " User private key $KEY"
+
 #Create alias for RouterOS command
 routeros="ssh -i $ROUTEROS_PRIVATE_KEY $ROUTEROS_USER@$ROUTEROS_HOST -p $ROUTEROS_SSH_PORT"
+echo ""
+echo "Checking connection to RouterOS"
+
 #Check connection to RouterOS
 $routeros /system resource print
 RESULT=$? 
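Review bot: The new progress line `echo " User private key $KEY"` is inconsistent with the line just before it (`echo " Using certificate $CERTIFICATE"`); "User" reads as a typo for "Using", so `echo " Using private key $KEY"` would keep the two labels parallel. As a point of style, these new messages go to stdout, where they are interleaved with whatever the router prints from `$routeros /system resource print` on the last lines of the hunk; sending the script's own status text to stderr (`echo "Checking connection to RouterOS" >&2`) would let a cron job or caller capture the router output separately from the chatter. Both are wording and output-channel choices only; the added lines do not change what the script does.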
@@ -48,32 +56,60 @@ if [ ! -f $CERTIFICATE ] && [ ! -f $KEY ]; then
 exit 1
 fi
+# Set up variables to remove erros
+DOMAIN_INSTALLED_CERT_FILE=$DOMAIN.pem_0
+DOMAIN_CERT_FILE=$DOMAIN.pem
+DOMAIN_KEY_FILE=$DOMAIN.key
+
 # Remove previous certificate
-$routeros /certificate remove [find name=$DOMAIN.pem_0]
+echo "Removing old certificate from installed certificates: $DOMAIN_INSTALLED_CERT_FILE"
+$routeros /certificate remove [find name=$DOMAIN_INSTALLED_CERT_FILE]
+echo ""
+echo "Handling new certificate file"
 # Create Certificate
 # Delete Certificate file if the file exist on RouterOS
-$routeros /file remove $DOMAIN.pem > /dev/null
+echo " Deleting any old copy of certificate file from disk: $DOMAIN_CERT_FILE"
+$routeros /file remove $DOMAIN_CERT_FILE > /dev/null
 # Upload Certificate to RouterOS
-scp -q -P $ROUTEROS_SSH_PORT -i "$ROUTEROS_PRIVATE_KEY" "$CERTIFICATE" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN.pem"
+echo " Uploading new domain certificate file to router: $CERTIFICATE"
+scp -q -P $ROUTEROS_SSH_PORT -i "$ROUTEROS_PRIVATE_KEY" "$CERTIFICATE" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN_CERT_FILE"
 sleep 2
 # Import Certificate file
-$routeros /certificate import file-name=$DOMAIN.pem passphrase=\"\"
+echo " Importing new certificate file to router certificates"
+$routeros /certificate import file-name=$DOMAIN_CERT_FILE passphrase=\"\"
 # Delete Certificate file after import
-$routeros /file remove $DOMAIN.pem
+echo " Deleting any new copy of certificate file from disk: $DOMAIN_CERT_FILE"
+$routeros /file remove $DOMAIN_CERT_FILE
+echo ""
+echo "Handling new key file"
 # Create Key
 # Delete Certificate file if the file exist on RouterOS
-$routeros /file remove $KEY.key > /dev/null
+echo " Deleting any old copy of key file from disk: $DOMAIN_KEY_FILE"
+$routeros /file remove $DOMAIN_KEY_FILE > /dev/null
 # Upload Key to RouterOS
-scp -q -P $ROUTEROS_SSH_PORT -i "$ROUTEROS_PRIVATE_KEY" "$KEY" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN.key"
+echo " Uploading new 
domain key file to router: $KEY"
+scp -q -P $ROUTEROS_SSH_PORT -i "$ROUTEROS_PRIVATE_KEY" "$KEY" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN_KEY_FILE"
 sleep 2
 # Import Key file
-$routeros /certificate import file-name=$DOMAIN.key passphrase=\"\"
+echo " Importing new key file to router certificates"
+$routeros /certificate import file-name=$DOMAIN_KEY_FILE passphrase=\"\"
 # Delete Certificate file after import
-$routeros /file remove $DOMAIN.key
+echo " Deleting any new copy of key file from disk: $DOMAIN_KEY_FILE"
+$routeros /file remove $DOMAIN_KEY_FILE
+
+echo ""
 # Setup Certificate to SSTP Server
-$routeros /interface sstp-server server set certificate=$DOMAIN.pem_0
+echo "Updating SSTP Server to use $DOMAIN_INSTALLED_CERT_FILE"
+$routeros /interface sstp-server server set certificate=$DOMAIN_INSTALLED_CERT_FILE
+ # Setup Certificate to SSL
+echo "Updating HTTPS Server to use $DOMAIN_INSTALLED_CERT_FILE"
+$routeros /ip service set www-ssl certificate=$DOMAIN_INSTALLED_CERT_FILE
+
+echo "Updating API SSL Server to use $DOMAIN_INSTALLED_CERT_FILE"
+$routeros /ip service set api-ssl certificate=$DOMAIN_INSTALLED_CERT_FILE
 exit 0
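Review bot: The new `scp` uploads and the two `/certificate import` lines still run with their exit status unchecked, while the old certificate has already been removed by `/certificate remove [find name=$DOMAIN_INSTALLED_CERT_FILE]` near the top of the hunk; if an upload or import fails, the three `set certificate=$DOMAIN_INSTALLED_CERT_FILE` lines at the bottom — which now also cover `www-ssl` and `api-ssl` — would presumably refer to a certificate that is no longer present, so the management HTTPS and API services are left without a usable certificate, a wider impact than the SSTP-only binding the script had before. The smallest guard is to abort on a failed upload, e.g. `scp -q -P $ROUTEROS_SSH_PORT -i "$ROUTEROS_PRIVATE_KEY" "$CERTIFICATE" "$ROUTEROS_USER"@"$ROUTEROS_HOST":"$DOMAIN_CERT_FILE" || { echo "certificate upload failed" >&2; exit 1; }` and the same for the key upload; a more robust ordering would import the new certificate and confirm it is listed before removing the old one, which is a larger change than fits here. The added comment `# Set up variables to remove erros` should read `errors`. The `if` closed by the `exit 1`/`fi` at the top of the hunk begins outside it.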