Fritzbox Fritz!Box AVM SSL Letsencrypt automatically update
#!/bin/bash
# parameters
USERNAME="maybe empty"
PASSWORD="fritzbox-password"
CERTPATH="path to cert eg /etc/letsencrypt/live/domain.tld/"
CERTPASSWORD="cert password if needed"
HOST=http://fritz.box
# make and secure a temporary file (it will hold the private key)
TMP="$(mktemp -t XXXXXX)"
chmod 600 "$TMP"
# login to the box and get a valid SID
CHALLENGE="$(wget -q -O - "$HOST/login_sid.lua" | sed -e 's/^.*<Challenge>//' -e 's/<\/Challenge>.*$//')"
# AVM challenge-response: MD5 over "challenge-password" encoded as UTF-16LE
HASH="$(echo -n "$CHALLENGE-$PASSWORD" | iconv -f ASCII -t UTF16LE | md5sum | awk '{print $1}')"
SID="$(wget -q -O - "$HOST/login_sid.lua?sid=0000000000000000&username=$USERNAME&response=$CHALLENGE-$HASH" | sed -e 's/^.*<SID>//' -e 's/<\/SID>.*$//')"
# an all-zero SID means the login was refused; do not send the key anywhere in that case
if [ -z "$SID" ] || [ "$SID" = "0000000000000000" ]; then
  echo "login to $HOST failed" >&2
  rm -f "$TMP"
  exit 1
fi
# generate our upload request (multipart/form-data body)
BOUNDARY="---------------------------$(date +%Y%m%d%H%M%S)"
printf -- '--%s\r\n' "$BOUNDARY" >> "$TMP"
printf 'Content-Disposition: form-data; name="sid"\r\n\r\n%s\r\n' "$SID" >> "$TMP"
printf -- '--%s\r\n' "$BOUNDARY" >> "$TMP"
printf 'Content-Disposition: form-data; name="BoxCertPassword"\r\n\r\n%s\r\n' "$CERTPASSWORD" >> "$TMP"
printf -- '--%s\r\n' "$BOUNDARY" >> "$TMP"
printf 'Content-Disposition: form-data; name="BoxCertImportFile"; filename="BoxCert.pem"\r\n' >> "$TMP"
printf 'Content-Type: application/octet-stream\r\n\r\n' >> "$TMP"
# the box expects private key and certificate chain in one PEM file
cat "$CERTPATH/privkey.pem" >> "$TMP"
cat "$CERTPATH/fullchain.pem" >> "$TMP"
printf '\r\n' >> "$TMP"
printf -- '--%s--\r\n' "$BOUNDARY" >> "$TMP"
# upload the certificate to the box; the Content-Type header must carry the boundary after a semicolon
wget -q -O - "$HOST/cgi-bin/firmwarecfg" --header="Content-Type: multipart/form-data; boundary=$BOUNDARY" --post-file "$TMP" | grep SSL
# clean up
rm -f "$TMP"
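As an added example, not part of the gist, here are the same login and upload building blocks in Python with the checks the shell script leaves out: it rejects the all-zero SID the box returns when the login is refused (AVM's documented "no session" value), builds the multipart Content-Type with the required "; boundary=" separator, and tests the reply for the success sentence quoted in the comments. The login_sid.lua XML shape (SessionInfo/SID/Challenge) follows the script's own sed patterns; the boundary and sample inputs are constructed and nothing is sent over the network.

```python
"""Fritz!Box certificate-upload helpers (added example, no network I/O)."""
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NO_SESSION = "0000000000000000"  # SID the box returns when the login failed


def compute_response(challenge: str, password: str) -> str:
    """AVM challenge-response: MD5 over 'challenge-password' as UTF-16LE."""
    digest = hashlib.md5(f"{challenge}-{password}".encode("utf-16le")).hexdigest()
    return f"{challenge}-{digest}"


def extract_sid(login_xml: str) -> str:
    """Parse <SID> from login_sid.lua output; refuse the all-zero 'not logged in' SID."""
    sid = ET.fromstring(login_xml).findtext("SID")
    if not sid or sid == NO_SESSION:
        raise PermissionError("Fritz!Box login failed: no valid SID returned")
    return sid


def build_cert_upload(sid: str, cert_password: str, pem: bytes,
                      boundary: str = "----fritzcertboundary") -> Tuple[str, bytes]:
    """Return (Content-Type header value, body) for the BoxCertImportFile form.

    The boundary default is a constructed value; use a random one in practice.
    """
    def part(name: str, value: bytes, filename: Optional[str] = None) -> bytes:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"\r\nContent-Type: application/octet-stream'
        return f"--{boundary}\r\n{disp}\r\n\r\n".encode() + value + b"\r\n"

    body = (part("sid", sid.encode())
            + part("BoxCertPassword", cert_password.encode())
            + part("BoxCertImportFile", pem, "BoxCert.pem")   # privkey + fullchain PEM
            + f"--{boundary}--\r\n".encode())
    # RFC 2046 requires a ';' between the media type and the boundary parameter
    return f"multipart/form-data; boundary={boundary}", body


def import_succeeded(response_html: str) -> bool:
    """The box answers with this sentence on success and stays silent on failure."""
    return "Import of the SSL certificate was successful." in response_html
```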
heikoh81 commented Aug 11, 2017

Thanks for your script, works like a charm!

One question: Is there any chance to fork this script to activate/deactivate call forwards?
Or does it only work for submitting the upload form?

Unfortunately, I don't have advanced programming skills, but I think your script already does the most complicated part by getting the SID.
On my German Fritzbox 7580 running firmware 6.83, it is found at: Telefonie -> Rufbehandlung -> Rufumleitung
There I have 1 call forward, and I'd like to switch on/off the checkbox "Aktiv".
If on/off is not possible, then at least I'd like to toggle this checkbox.

Thanks for your answer,
Heiko (Germany)

wikrie (Owner Author) commented Sep 12, 2017

Hi Heikh81,

you're right, this script is only for uploading a new cert to the Fritzbox. But I duckducked your request and here is what I found:

http://guido.vonrudorff.de/fritzbox-rufumleitung-kommandozeile/

The most important fact is:
fritz.box/cgi-bin/webcm
This is where we should send the request to, and we can activate and/or deactivate it with
telcfg%3Asettings%2FCallerIDActions0%2FActive=STATUS&sid=SID

You know how to transfer this to my wget command, and it should work.

palto42 commented Jul 25, 2018

Thanks for this script, I added it as a renew-hook to my Let's Encrypt cron job on my local server so that it gets automatically updated.
/usr/local/bin/certbot-auto renew --renew-hook /path-to/fritz_lets_encrypt.sh

rikroe commented Oct 2, 2018

Amazing script! I run it on my Synology Diskstation NAS.
Just had to change iconv to uconv in line 16 as the Synology Linux flavour doesn't support it out of the box.

FvdLaar commented Nov 8, 2018

Working like a charm! But ....
... only when I run the script using internal IP addresses.

It didn't work using https://example.com as HOST although this URL does let me log in to my Fritz!BOX.

Why? Well, because the certificate wasn't valid any more !!!!

TIP: make sure you run this script using HTTP:// to connect to your Fritz!BOX or make sure you run the script before your certificate becomes invalid.

The response for successful processing is: "Import of the SSL certificate was successful."
Unsuccessful processing doesn't give you any response.

anoxi commented Mar 6, 2019

Thanks, I'm using this with certbot (0.28) as post hook:
certbot renew --post-hook "fritzbox-cert-update.sh"

ychromosome commented Jun 6, 2019

@FvdLaar
do you really want to send your private cert through an unencrypted connection?
Please DON'T listen to that "TIP" and upload the certificate manually for the first time.

wikrie (Owner Author) commented Jun 6, 2019

Working like a charm! But ....
... only when I run the script using internal IP addresses.

It didn't work using https://example.com as HOST although this URL does let me log in to my Fritz!BOX.

Why? Well, because the certificate wasn't valid any more !!!!

TIP: make sure you run this script using HTTP:// to connect to your Fritz!BOX or make sure you run the script before your certificate becomes invalid.

The response for successful processing is: "Import of the SSL certificate was successful."
Unsuccessful processing doesn't give you any response.

That's not the design, the script should only be used in 1 network.
It's not designed for transmission over the world wide web.

mfg
wikrie

FvdLaar commented Jun 8, 2019

do you really want to send your private cert through an unencrypted connection?
Please DON'T listen to that "TIP" and upload the certificate manually for the first time.

I fully agree with @ychromosome : DO NOT send private keys or certificates over an unsecured connection except if it is in your own DMZ / private (home) network

FvdLaar commented Jun 8, 2019

That's not the design, the script should only be used in 1 network.
It's not designed for transmission over the world wide web.

I fully agree with @wikrie
