Fritzbox Fritz!Box AVM SSL Letsencrypt automatically update

synology-fb-cert-transfer.sh

#!/bin/bash

# parameters
USERNAME=""
PASSWORD="fritzbox-password"
CERTPATH="/usr/syno/etc/certificate/system/default/" ##this is the default Path for Synology Cert
CERTPASSWORD=""
HOST=http://192.168.178.1 ## I use IP instead of fritz.box for synology updates

# make and secure a temporary file
TMP="$(mktemp -t XXXXXX)"
chmod 600 $TMP

# login to the box and get a valid SID
CHALLENGE=`wget -q -O - $HOST/login_sid.lua | sed -e 's/^.*<Challenge>//' -e 's/<\/Challenge>.*$//'`
if [ -z $CHALLENGE ]
  then
    RESPONSE="Is HOST-name pointing to a Fritz!BOX?"
  else
    # continue with the script on success
  
    HASH="`echo -n $CHALLENGE-$PASSWORD | uconv -f ASCII -t UTF16LE |md5sum|awk '{print $1}'`"
    SID=`wget -q -O - "$HOST/login_sid.lua?sid=0000000000000000&username=$USERNAME&response=$CHALLENGE-$HASH"| sed -e 's/^.*<SID>//' -e 's/<\/SID>.*$//'`

    if [[ $SID == "0000000000000000" ]]
     then
       RESPONSE="Failed to authenticate."
     else
       # continue with the script on success

      # generate our upload request
      BOUNDARY="---------------------------"`date +%Y%m%d%H%M%S`
      printf -- "--$BOUNDARY\r\n" >> $TMP
      printf "Content-Disposition: form-data; name=\"sid\"\r\n\r\n$SID\r\n" >> $TMP
      printf -- "--$BOUNDARY\r\n" >> $TMP
      printf "Content-Disposition: form-data; name=\"BoxCertPassword\"\r\n\r\n$CERTPASSWORD\r\n" >> $TMP
      printf -- "--$BOUNDARY\r\n" >> $TMP
      printf "Content-Disposition: form-data; name=\"BoxCertImportFile\"; filename=\"BoxCert.pem\"\r\n" >> $TMP
      printf "Content-Type: application/octet-stream\r\n\r\n" >> $TMP
      cat $CERTPATH/privkey.pem >> $TMP
      cat $CERTPATH/fullchain.pem >> $TMP
      printf "\r\n" >> $TMP
      printf -- "--$BOUNDARY--" >> $TMP

      # upload the certificate to the box
      RESPONSE=`wget -q -O - $HOST/cgi-bin/firmwarecfg --header="Content-type: multipart/form-data boundary=$BOUNDARY" --post-file $TMP | grep SSL`
  fi
fi

# clean up
rm -f $TMP

if [ -z "$RESPONSE" ]
  then
    echo $HOST ": Certificate import failed."
  else
    echo $HOST ": " $RESPONSE
fi

o yes there was an issue with permissions in /usr/syno/etc/certificate/system/default.
I've issued sudo chmod 777 -R /usr/syno/etc/certificate/system/default to solve that issue but maybe it is a bit too open now..
Any advice to keep this as secure as possible?

I use always 644 and only if this is not working I change the access. Mit freundlichen Grüßen Christian Dietze

…

Am 30.10.2021 um 08:56 schrieb jdvmanen ***@***.***>: ***@***.*** commented on this gist. o yes there was an issue with permissions in /usr/syno/etc/certificate/system/default. I've issued sudo chmod 777 -R /usr/syno/etc/certificate/system/default to solve that issue but maybe it is a bit too open now.. Any advice to keep this as secure as possible? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android.

Hello I have resolved issue with letsencrypt "http challenge" but now the script don't work.
I have new file as image

Hi Bomale, What is your issue and what do you solved?
My script only transfer existing Certs from somewhere to a Router from AVM (Fritzbox), so its just a simple copy routine to get a Fritzbox up and running with a valid cert.

Hi Bomale, What is your issue and what do you solved?

After renewal letsencrypt certificate fullchain.pem and privkey.pem are missing.
the script give error on:
cat $CERTPATH/privkey.pem >> $TMP
cat $CERTPATH/fullchain.pem >> $TMP

I had to change lines 41 and 42 to RSA-privkey.pem and RSA-fullchain.pem respectively

chmod 600 for the temp file and the certificate files was insufficient. What is recommended instead of 755 ?
EDIT: changed to 644

general remark for using Notepad++:
make sure, that line ends are formatted as UNIX