@stweil
Forked from wikrie/fritzbox-cert-update.sh
Last active September 8, 2021 19:57
Fritzbox Fritz!Box AVM SSL Letsencrypt automatically update
#!/bin/bash
## This little Gist copies the Let's Encrypt certificate from a Linux machine
## (e.g. Raspberry Pi or Synology NAS) to the router (FRITZ!Box).
## It is useful to be able to talk to the router over DDNS without any certificate warning in the browser.
## Thanks to https://gist.github.com/mahowi for the perfect idea.
## Put it in /etc/letsencrypt/renewal-hooks/post so it gets run after every renewal.
## Since FRITZ!OS 7.25 a username has to be selected; from a security point of view
## it is always a good idea to have a non-default user name. And as a FRITZ!Box is normally
## connected to the Internet, the preferred method should be WITH username.
set -euo pipefail

# parameters
USERNAME="needed since FRITZ!OS 7.25"
PASSWORD="fritzbox-password"
CERTPATH="path to cert eg /etc/letsencrypt/live/domain.tld"
CERTPASSWORD="cert password if needed"
# The box is addressed over plain HTTP. The login is challenge-response, so the
# password itself never travels in clear, but the session ID and the uploaded
# private key do; run this only on a LAN you trust.
HOST=http://fritz.box

# make and secure a temporary file (the request body will contain the private key)
TMP="$(mktemp -t XXXXXX)"
chmod 600 "$TMP"
trap 'rm -f "$TMP"' EXIT

# login to the box and get a valid SID:
# response = challenge + "-" + md5( UTF-16LE( challenge + "-" + password ) )
CHALLENGE=$(wget -q -O - "$HOST/login_sid.lua" | sed -e 's/^.*<Challenge>//' -e 's/<\/Challenge>.*$//')
# convert from UTF-8 (not ASCII) so that a password with umlauts does not make iconv fail
HASH=$(echo -n "$CHALLENGE-$PASSWORD" | iconv -f UTF-8 -t UTF-16LE | md5sum | awk '{print $1}')
SID=$(wget -q -O - "$HOST/login_sid.lua?sid=0000000000000000&username=$USERNAME&response=$CHALLENGE-$HASH" | sed -e 's/^.*<SID>//' -e 's/<\/SID>.*$//')
# a SID of all zeros means the login failed (wrong credentials, or the box is
# throttling logins after failed attempts)
if [ "$SID" = "0000000000000000" ]; then
    echo "login to $HOST failed" >&2
    exit 1
fi

# generate our upload request (variables are passed as printf arguments, never as the format string)
BOUNDARY="---------------------------$(date +%Y%m%d%H%M%S)"
{
    printf -- '--%s\r\n' "$BOUNDARY"
    printf 'Content-Disposition: form-data; name="sid"\r\n\r\n%s\r\n' "$SID"
    printf -- '--%s\r\n' "$BOUNDARY"
    printf 'Content-Disposition: form-data; name="BoxCertPassword"\r\n\r\n%s\r\n' "$CERTPASSWORD"
    printf -- '--%s\r\n' "$BOUNDARY"
    printf 'Content-Disposition: form-data; name="BoxCertImportFile"; filename="BoxCert.pem"\r\n'
    printf 'Content-Type: application/octet-stream\r\n\r\n'
    cat "$CERTPATH/privkey.pem" "$CERTPATH/fullchain.pem"
    printf '\r\n'
    printf -- '--%s--' "$BOUNDARY"
} >> "$TMP"

# upload the certificate to the box (the header needs "; boundary=", i.e. a semicolon
# between the media type and the parameter) and show the result line
wget -q -O - "$HOST/cgi-bin/firmwarecfg" --header="Content-Type: multipart/form-data; boundary=$BOUNDARY" --post-file "$TMP" | grep SSL

# clean up is done by the trap on EXIT
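As an added example (not part of the gist), the same login and upload steps in Python: the challenge-response value the script computes with iconv and md5sum, a real XML parse of the login_sid.lua reply that also reads BlockTime (the login throttle the box applies after failed attempts), and the multipart body with a correct `; boundary=` Content-Type. The sample XML replies and the SID in them are constructed, and no network I/O is performed.

```python
import hashlib
import xml.etree.ElementTree as ET

NO_SESSION = "0000000000000000"  # SID the box reports when no session exists / login failed


def md5_response(challenge: str, password: str) -> str:
    """The login response the script computes: challenge + "-" + md5(UTF-16LE(challenge-password))."""
    digest = hashlib.md5(f"{challenge}-{password}".encode("utf-16le")).hexdigest()
    return f"{challenge}-{digest}"


def parse_session_info(xml_text: str) -> dict:
    """Read SID, Challenge and BlockTime from login_sid.lua's SessionInfo XML with a real
    XML parser instead of sed. BlockTime > 0 means the box is throttling logins after
    failed attempts; a caller should wait that many seconds before retrying."""
    root = ET.fromstring(xml_text)
    return {
        "sid": root.findtext("SID", NO_SESSION),
        "challenge": root.findtext("Challenge", ""),
        "blocktime": int(root.findtext("BlockTime", "0")),
    }


def login_succeeded(info: dict) -> bool:
    return info["sid"] != NO_SESSION


def build_cert_upload(sid: str, cert_password: str, pem: bytes, boundary: str) -> tuple:
    """Build the multipart/form-data body the script writes to its temp file and the
    matching Content-Type value. Note the "; boundary=" separator, which the gist's
    wget header lacks, and the check that the boundary never occurs inside the PEM data."""
    b = boundary.encode()
    if b in pem:
        raise ValueError("boundary occurs in upload data; pick another one")

    def part(name: bytes, extra: bytes = b"") -> bytes:
        return b"--" + b + b"\r\nContent-Disposition: form-data; name=\"" + name + b"\"" + extra + b"\r\n"

    body = part(b"sid") + b"\r\n" + sid.encode() + b"\r\n"
    body += part(b"BoxCertPassword") + b"\r\n" + cert_password.encode() + b"\r\n"
    body += part(b"BoxCertImportFile", b'; filename="BoxCert.pem"')
    body += b"Content-Type: application/octet-stream\r\n\r\n" + pem + b"\r\n"
    body += b"--" + b + b"--\r\n"
    return f"multipart/form-data; boundary={boundary}", body


# Constructed sample replies of login_sid.lua (not captured from a real box)
SAMPLE_CHALLENGE_XML = ("<SessionInfo><SID>0000000000000000</SID><Challenge>1234567z</Challenge>"
                        "<BlockTime>0</BlockTime><Rights></Rights></SessionInfo>")
SAMPLE_BLOCKED_XML = ("<SessionInfo><SID>0000000000000000</SID><Challenge>abcdef01</Challenge>"
                      "<BlockTime>64</BlockTime><Rights></Rights></SessionInfo>")
SAMPLE_LOGIN_XML = ("<SessionInfo><SID>9c977765016899f8</SID><Challenge>abcdef01</Challenge>"
                    "<BlockTime>0</BlockTime><Rights></Rights></SessionInfo>")
```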