jwm/push-acme-cert-to-aruba-iap.exp

## push-acme-cert-to-aruba-iap.exp
#!/usr/bin/expect

# Deploy an ACME (Let's Encrypt) certificate to a HP Aruba Instant Access
# Point (IAP)
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Based on:
# https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=15231
# https://gist.github.com/abelbeck/09078d360b361ceeacf08ccaa136e166
#
# To use, add:
#
#   --deploy-hook /usr/local/sbin/push-cert-to-aruba-iap.exp
#
# to your certbot invocation, or add:
#
#   renew_hook = /usr/local/sbin/push-cert-to-aruba-iap.exp
#
# to your certificate's [renewalparams] blocks in /etc/letsencrypt/renewal/

set password some-password
set login admin
set wap_hostname wap0

set tftp_server 1.2.3.4
set tftp_root /srv/tftp
set tftp_group tftp
set pem_relpath "$wap_hostname.pem"

set domain [lindex $argv 0]
set key [lindex $argv 1]
set cert [lindex $argv 2]
set ca [lindex $argv 3]
set fullchain [lindex $argv 4]

set pem_path "$tftp_root/$pem_relpath"
exit -onexit {file delete $pem_path}

set pem_fp [open $pem_path w]
file attributes $pem_path -group $tftp_group
file attributes $pem_path -permissions 0640

set key_pass [exec openssl rand -base64 24]
exec openssl rsa -aes256 -in $key -out $pem_path -passout stdin >/dev/null 2>/dev/null << "$key_pass\n"

if { [file exists $fullchain] == 1 } {
	set pem_addl_fp [open $fullchain r]
} else {
	set pem_addl_fp [open $cert r]
}

seek $pem_fp 0 end
while { [gets $pem_addl_fp data] >= 0 } {
	puts $pem_fp $data
}
close $pem_addl_fp
close $pem_fp

log_user 0

spawn ssh -o StrictHostKeyChecking=accept-new $login@$wap_hostname
expect "assword\\: "
send "$password\n"

expect {
	-re "$wap_hostname# $" {
		send "copy tftp $tftp_server $pem_relpath ui cert $key_pass format pem\n"
		expect -re "$wap_hostname# $"
		send "exit\n"
	}
	timeout {
		close -i $spawn_id
		wait -i $spawn_id
		send_error "timeout: \$timeout seconds - $wap_hostname.\n";
	}
	eof {
		exit
	}
}
	#!/usr/bin/expect

	# Deploy an ACME (Let's Encrypt) certificate to a HP Aruba Instant Access
	# Point (IAP)
	#
	# This program is distributed in the hope that it will be useful, but
	# WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
	#
	# Based on:
	# https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=15231
	# https://gist.github.com/abelbeck/09078d360b361ceeacf08ccaa136e166
	#
	# To use, add:
	#
	# --deploy-hook /usr/local/sbin/push-cert-to-aruba-iap.exp
	#
	# to your certbot invocation, or add:
	#
	# renew_hook = /usr/local/sbin/push-cert-to-aruba-iap.exp
	#
	# to your certificate's [renewalparams] blocks in /etc/letsencrypt/renewal/

	set password some-password
	set login admin
	set wap_hostname wap0

	set tftp_server 1.2.3.4
	set tftp_root /srv/tftp
	set tftp_group tftp
	set pem_relpath "$wap_hostname.pem"

	set domain [lindex $argv 0]
	set key [lindex $argv 1]
	set cert [lindex $argv 2]
	set ca [lindex $argv 3]
	set fullchain [lindex $argv 4]

	set pem_path "$tftp_root/$pem_relpath"
	exit -onexit {file delete $pem_path}

	set pem_fp [open $pem_path w]
	file attributes $pem_path -group $tftp_group
	file attributes $pem_path -permissions 0640

	set key_pass [exec openssl rand -base64 24]
	exec openssl rsa -aes256 -in $key -out $pem_path -passout stdin >/dev/null 2>/dev/null << "$key_pass\n"

	if { [file exists $fullchain] == 1 } {
	set pem_addl_fp [open $fullchain r]
	} else {
	set pem_addl_fp [open $cert r]
	}

	seek $pem_fp 0 end
	while { [gets $pem_addl_fp data] >= 0 } {
	puts $pem_fp $data
	}
	close $pem_addl_fp
	close $pem_fp

	log_user 0

	spawn ssh -o StrictHostKeyChecking=accept-new $login@$wap_hostname
	expect "assword\\: "
	send "$password\n"

	expect {
	-re "$wap_hostname# $" {
	send "copy tftp $tftp_server $pem_relpath ui cert $key_pass format pem\n"
	expect -re "$wap_hostname# $"
	send "exit\n"
	}
	timeout {
	close -i $spawn_id
	wait -i $spawn_id
	send_error "timeout: \$timeout seconds - $wap_hostname.\n";
	}
	eof {
	exit
	}
	}