Fritzbox Fritz!Box AVM SSL Letsencrypt automatically update

fritzbox-cert-update.sh

#!/bin/bash

# parameters
USERNAME="maybe empty"
PASSWORD="fritzbox-password"
CERTPATH="path to cert eg  /etc/letsencrypt/live/domain.tld/"
CERTPASSWORD="cert password if needed"
HOST=http://fritz.box

# make and secure a temporary file
TMP="$(mktemp -t XXXXXX)"
chmod 600 $TMP

# login to the box and get a valid SID
CHALLENGE=`wget -q -O - $HOST/login_sid.lua | sed -e 's/^.*<Challenge>//' -e 's/<\/Challenge>.*$//'`
HASH="`echo -n $CHALLENGE-$PASSWORD | iconv -f ASCII -t UTF16LE |md5sum|awk '{print $1}'`"
SID=`wget -q -O - "$HOST/login_sid.lua?sid=0000000000000000&username=$USERNAME&response=$CHALLENGE-$HASH"| sed -e 's/^.*<SID>//' -e 's/<\/SID>.*$//'`

# generate our upload request
BOUNDARY="---------------------------"`date +%Y%m%d%H%M%S`
printf -- "--$BOUNDARY\r\n" >> $TMP
printf "Content-Disposition: form-data; name=\"sid\"\r\n\r\n$SID\r\n" >> $TMP
printf -- "--$BOUNDARY\r\n" >> $TMP
printf "Content-Disposition: form-data; name=\"BoxCertPassword\"\r\n\r\n$CERTPASSWORD\r\n" >> $TMP
printf -- "--$BOUNDARY\r\n" >> $TMP
printf "Content-Disposition: form-data; name=\"BoxCertImportFile\"; filename=\"BoxCert.pem\"\r\n" >> $TMP
printf "Content-Type: application/octet-stream\r\n\r\n" >> $TMP
cat $CERTPATH/privkey.pem >> $TMP
cat $CERTPATH/fullchain.pem >> $TMP
printf "\r\n" >> $TMP
printf -- "--$BOUNDARY--" >> $TMP

# upload the certificate to the box
wget -q -O - $HOST/cgi-bin/firmwarecfg --header="Content-type: multipart/form-data boundary=$BOUNDARY" --post-file $TMP | grep SSL

# clean up
rm -f $TMP

Thanks for your script, works like charm!

One question: Is there any chance to fork this script to activate/deactivate call forwards?
Or does it only work for submitting the upload form?

Unfortunately, I don't have advanced programming skills, but I think your script already does the most complicated part by getting the SID.
On my German Fritzbox 7580 running firmware 6.83, it is found at: Telefonie -> Rufbehandlung -> Rufumleitung
There I have 1 call forward, and I'd like to switch on/off the checkbox "Aktiv".
If on/off is not possible, then at least I'd like to toggle this checkbox.

Thanks for your answer,
Heiko (Germany)

Hi Heikh81,

your right this script is only for uploading a new Cert to Fritzbox. But I duckduck your request and here is what I found:

http://guido.vonrudorff.de/fritzbox-rufumleitung-kommandozeile/

the most important fact is
fritz.box/cgi-bin/webcm
this where we should send the request to and we can activate and/or deactivate it with
telcfg%3Asettings%2FCallerIDActions0%2FActive=STATUS&sid=SID

you now how to transfer this to my wget command and it should work.

Thanks for this script, I added it as a renew-hook to my let's encrypt cron job on my local server so that it get's automatically updated.
/usr/local/bin/certbot-auto renew --renew-hook /path-to/fritz_lets_encrypt.sh

Amazing script! I run it of my Synology Diskstation NAS.
Just had to change iconv to uconv in line 16 as the Synology Linux flavour doesn't support it out of the box.

Working like charm! But ....
... only when I run the script using internal IP-addresses.

It didn't work using https://example.com as HOST although this URL does let me login to my Fritz!BOX.

Why? Well, because the certificate wasn't valid any more !!!!

TIP: make sure you run this script using HTTP:// to connect to your Fritz!BOX or make sure your run the script before your certificate becomes invalid.

The response for succesfull processing is : "Import of the SSL certificate was successful."
Non succesfull processing doesn't give you any response.

Thanks, im using this with certbot (0.28) as post hook:
certbot renew --post-hook "fritzbox-cert-update.sh"

@FvdLaar
do you really want to send your private cert through an unencrypted connection?
Please DON'T listen to that "TIP" and upload the certificate manually for the first time.

Working like charm! But ....
... only when I run the script using internal IP-addresses.

It didn't work using https://example.com as HOST although this URL does let me login to my Fritz!BOX.

Why? Well, because the certificate wasn't valid any more !!!!

TIP: make sure you run this script using HTTP:// to connect to your Fritz!BOX or make sure your run the script before your certificate becomes invalid.

The response for succesfull processing is : "Import of the SSL certificate was successful."
Non succesfull processing doesn't give you any response.

Thats not the design, the script should only be used in 1 network.
Its not designed for transmittion over the world wide web.

mfg
wikrie

do you really want to send your private cert through an unencrypted connection?
Please DON'T listen to that "TIP" and upload the certificate manually for the first time.

I full agree with @ychromosome : DO NOT send private keys or certificates over unsecured connection except is it is in your own DMZ / private (home) network

That's not the design, the script should only be used in 1 network.
Its not designed for transmittion over the world wide web.

I fully agree with @wikrie