Fritzbox Fritz!Box AVM SSL Letsencrypt automatically update

fritzbox-cert-update.sh

#!/bin/bash
## this little Gist is for Copy the Letsencrypt Cert from an Linux machine (e.g. Raspberry PI or Synology NAS)
## to the router (Fritzbox).
## It is usefull to be able to speak to the Router over DDNS without any Cert issue in the Browser.
## thanks to https://gist.github.com/mahowi for the perfect Idea
## put it in /etc/letsencrypt/renewal-hooks/post so it gets run after every renewal.
## since Fritz OS 7.25 it is needed to select a Username, from a security point of view 
## it is always a good idea to have a non default user name. And as normaly a Fritz Box
## is connected to the Internet, the prefered method should be WITH Username.


# parameters
USERNAME="needed since Fritz OS 7.25"
PASSWORD="fritzbox-password"
CERTPATH="path to cert eg  /etc/letsencrypt/live/domain.tld/"
CERTPASSWORD="cert password if needed"
HOST=http://fritz.box

# make and secure a temporary file
TMP="$(mktemp -t XXXXXX)"
chmod 600 $TMP

# login to the box and get a valid SID
CHALLENGE=`wget -q -O - $HOST/login_sid.lua | sed -e 's/^.*<Challenge>//' -e 's/<\/Challenge>.*$//'`
HASH="`echo -n $CHALLENGE-$PASSWORD | iconv -f ASCII -t UTF16LE |md5sum|awk '{print $1}'`"
SID=`wget -q -O - "$HOST/login_sid.lua?sid=0000000000000000&username=$USERNAME&response=$CHALLENGE-$HASH"| sed -e 's/^.*<SID>//' -e 's/<\/SID>.*$//'`

# generate our upload request
BOUNDARY="---------------------------"`date +%Y%m%d%H%M%S`
printf -- "--$BOUNDARY\r\n" >> $TMP
printf "Content-Disposition: form-data; name=\"sid\"\r\n\r\n$SID\r\n" >> $TMP
printf -- "--$BOUNDARY\r\n" >> $TMP
printf "Content-Disposition: form-data; name=\"BoxCertPassword\"\r\n\r\n$CERTPASSWORD\r\n" >> $TMP
printf -- "--$BOUNDARY\r\n" >> $TMP
printf "Content-Disposition: form-data; name=\"BoxCertImportFile\"; filename=\"BoxCert.pem\"\r\n" >> $TMP
printf "Content-Type: application/octet-stream\r\n\r\n" >> $TMP
cat $CERTPATH/privkey.pem >> $TMP
cat $CERTPATH/fullchain.pem >> $TMP
printf "\r\n" >> $TMP
printf -- "--$BOUNDARY--" >> $TMP

# upload the certificate to the box
wget -q -O - $HOST/cgi-bin/firmwarecfg --header="Content-type: multipart/form-data boundary=$BOUNDARY" --post-file $TMP | grep SSL

# clean up
rm -f $TMP

do you really want to send your private cert through an unencrypted connection?
Please DON'T listen to that "TIP" and upload the certificate manually for the first time.

I full agree with @ychromosome : DO NOT send private keys or certificates over unsecured connection except is it is in your own DMZ / private (home) network

That's not the design, the script should only be used in 1 network.
Its not designed for transmittion over the world wide web.

I fully agree with @wikrie

Thank you for this script. 👍
I have put it in /etc/letsencrypt/renewal-hooks/post so it gets run after every renewal.

Thank you for this script. 👍
I have put it in /etc/letsencrypt/renewal-hooks/post so it gets run after every renewal.

Many thanks I insert your idea into the script that is much bettern than cronjob ...

Amazing script! I run it of my Synology Diskstation NAS.
Just had to change iconv to uconv in line 16 as the Synology Linux flavour doesn't support it out of the box.

Hi,
I also wanna put it onto my DS but am not sure where to put it as the folder /etc/letsencrypt/renewal-hooks/post is not existing (currently).

Thanks for a hint.

I also wanna put it onto my DS but am not sure where to put it as the folder /etc/letsencrypt/renewal-hooks/post is not existing (currently).

On my DS I am calling the script from Task Scheduler on weekly basis, same as the Synology's Let's Encrypt renew script (see /usr/syno/etc/synocron.d/syno-letsencrypt.conf)

I do a small Update to use it with Synology Diskstation directly check out
Synology Fritzbox Cert Transfer

Thanks for your work.
I changed it a bit to

• use curl
• provide parameters via environment or command line
• better error processing

The result can be found at

https://github.com/franzs/fritzbox_upload_certificate

I do a small Update to use it with Synology Diskstation directly check out
Synology Fritzbox Cert Transfer

Awesome! Many thanks for this - works like a charm!

Hi All

i also use this script for a fritzbox 7390, soon i will have a 6590, 7490 or 7590, i don't know which i find used for good price

my question:

the myfritz app on android tries to connect to fritzbox with private IP from private network, i cannot type a DNS name there, even if i have one internal for the fritzbox... the app is kind of no DNS mode only and can only connect to an IP.
So in my LetsEncrypt can i somehow add the private IP of my fritzbox (192.168.1.1) or is that not possible
I was reading and did not find the exact issue online, i think about SAN ALTERNATE NAME or something...

Thanks for ideas...

Hi All

i also use this script for a fritzbox 7390, soon i will have a 6590, 7490 or 7590, i don't know which i find used for good price

my question:

the myfritz app on android tries to connect to fritzbox with private IP from private network, i cannot type a DNS name there, even if i have one internal for the fritzbox... the app is kind of no DNS mode only and can only connect to an IP.
So in my LetsEncrypt can i somehow add the private IP of my fritzbox (192.168.1.1) or is that not possible
I was reading and did not find the exact issue online, i think about SAN ALTERNATE NAME or something...

Thanks for ideas...

Hi @ant0nwax,
No, first of all, Lets Encrypt does not offer Certificates for IP-Adresses (but is is theoretically posible eg. 1.1.1.1) and second a SSL verfification does not make sense for internal IP-Adresses. You could however probably generate a self signed Certificate and add that to the Android Certificate Storage.

PS: I would not recommend to use a Cable Fritzbox if you don't need the Cable. (Modem takes Power etc...)

Hi @wikrie,

just found out that the script doesn't work for my 7590 with FRITZ!OS 07.25 - I am getting blocked when getting the SID in L19.

The reason seems to be that with 07.25, one can choose between a named user and a login without a user. However, logging in without a user still requires a user name.

This username can be extracted when retrieving the CHALLENGE (L17), as on my box the response looks like this:

<?xml version="1.0" encoding="utf-8"?>
<SessionInfo>
    <SID>0000000000000000</SID>
    <Challenge>2127f7cc</Challenge>
    <BlockTime>0</BlockTime>
    <Rights></Rights>
    <Users>
        <User last="1">fritz1416</User>
        <User>my_actual_user</User>
    </Users>
</SessionInfo>

When using fritz1416 as USERNAME, I can login again and update the certificate.

On an 7490 with 07.21 the whole <Users>...</Users> block is not there.

Unfortunately I'm no shell expert so I don't really know if this is something that would be possible to solve automatically.

EDIT: I should try the stuff out. Using fritz1416 as a fixed USERNAME seems to be working on the 7490 with 07.21 as well.

1. you may want to change your default username of your fritzbox now, because of security reasons.
2. indeed AVM changed the login to demand a username in certain cases.
3. why don't you just use the username for now and everything is fine.

Why should I change the default username? It is not allowed for logging in from the internet and when in the LAN it isn't required anyway.

I'll use the default username for now, but maybe could you add this into the gist?

I have the same problem since I updated my 6490 to 7.25 and my 7490 to 7.26. How the script must be changed to work properly?

As already explain but the other people, you must use User AND Password to get it working. As I always uses both I never had this issue. Von meinem iPhone gesendet

…

Am 09.05.2021 um 12:32 schrieb HanSolo72 ***@***.***>: ***@***.*** commented on this gist. I have the same problem since I updated my 6490 to 7.25 and my 7490 to 7.26. How the script must be changed to work properly? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

I will rewrite my script so that a user name would be needed, if you like you can write a version where the user name can be detected as written before. For security reason it is always better to use a own username and Fritzbox without access to internet is not the main purpose of the device. I would say 99 % user it as internet router so they have internet access and then own username is a good idea. Von meinem iPhone gesendet

…

Am 05.04.2021 um 21:00 schrieb rikroe ***@***.***>: ***@***.*** commented on this gist. Why should I change the default username? It is not allowed for logging in from the internet anyway and when in the LAN it isn't required anyway. I'll use the default username for now, but maybe could you add this into the gist? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

Just a question. Could some tell me where I can find /etc/letsencrypt/renewal-hooks/post on the Synology DMS 7.1?
I can't seem to find that folder at all.
If DSM 7.1 doesn't have this folder, how would I be able to automate copying of the key to FritzBox? What trigger would I use or where would I place this script?

Maybe ask Synology? You are their customer so you have a right to get an answer as their client... I think something with cron or scheduling in DSM is broken but sorry this is very off topic ;) Kind Regards From Phoneland

…

On Fri, Dec 16, 2022, 14:26 JeroenTuinstra ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Just a question. Could some tell me where I can find /etc/letsencrypt/renewal-hooks/post on the Synology DMS 7.1? I can't seem to find that folder at all. If DSM 7.1 doesn't have this folder, how would I be able to automate copying of the key to FritzBox? What trigger would I use or where would I place this script? — Reply to this email directly, view it on GitHub <https://gist.github.com/f1d5747a714e0a34d0582981f7cb4cfb#gistcomment-4405019> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AH7N7TBTUCAR4PXHECXGALTWNRUY5BFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA2TAOJTG44TIONHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

Hey mate,
thanks for your fine script. It works flawless with:

• FRITZ!OS 7.39-101552 BETA on a FRITZ!Box 7530
• FreeBSD 13.1-RELEASE-p1

I have two suggestions though, mabye its valuable for others:

1. Your script runs fine with the standard shell /bin/sh. You might want to consider making that one the default, instead of bash. No need to add unnecessary dependencies in my opinion.
2. This one was kinda tricky: Your script ran successfully as user. But when I called it with doas (similiar to sudo), iconv always returned unsupported encoding of UTF16LE.
   Turned out I have two different versions from iconv installed:
   /usr/bin/iconv (system)
   /usr/local/bin/iconv (installed from libiconv-1.17)

As user /usr/bin/iconv (the correct one) was used. With doas, /usr/local/bin/iconv was used and failed with unsupported encoding.
I have added the the following line to your script (line 18) to run iconv from the correct path:

export PATH=/usr/bin/:$PATH

Thanks again for your efforts. Great work!

Hey there,
thanks so much for the script, it's serving me really well! It works already for multiple Fritzboxes.
However, I have an issue with one single Fritzbox, where I just can't get it to work. Fritzbox 7530, FritzOS 7.29. It did work at some point, I had to replace the server from which the cert was uploaded and now it's playing dump with me...

What i tried so far:

• copied script from the source here on GH
• verified username and password. I can login to the webinterface no problem.
• removed -q from the wget commands to be able to better see whats happening.

In the last step it says: Das eingegebene Kennwort ist nicht gültig. Bitte geben Sie das richtige Kennwort ein.
Which I guarantee, is the right one.
Do you or anyone else have suggestions what it could be or how to better debugg this?

Cheers!

Hi Eldiabolo21,

das sieht doch wieder schwer nach unterschiedliche Netze aus, sind die 2 Geräte Fritzbox und das Gerät welches das Script ausführt auch im selben physikalischen Netzwerk? Wir hatten hier schon den Fall das einer das remote versucht hat. Wenn es das nicht ist dann könnte ich mir noch vorstellen das das Script Probleme hat bei Sonderzeichen im Passwort, das habe ich selbst noch nie probiert.

so meld dich mal wegen den 2 Sachen...

mfg Chris aka wikrie

Hey, danke fuer die schnelle Antwort.

Server der das Script ausfuehrt und Fritzbox sind beide in 192.168.8.0/24. Passwort fuer den dedizierten cert-user der Fritzbox besteht das Passwort nur Zahlen, Gross- und Kleinbuchstaben. Daran kanns auch nicht liegen.

Sonst noch ne Idee?

Gruss!

Hey Eldiabolo21,

ich hab auch die 7530 (zwar neueres OS) und das Skript funktioniert aktuell (auch aus verschiedenen Netzen).
Wie sieht es denn mit den Berechtigungen des cert-user's aus?
Ich sehe hier bei mir in der Box, dass Benutzern auch die Berechtigung für das Lesen und Ändern von Einstellungen gegeben werden kann (bei nur einem User kann dies nicht deaktiviert werden -> Admin).
Prüfe das mal bitte.
Dann könntest du nochmal Testweise einen neuen Benutzer / Passwort anlegen bzw. vergeben.
Vielleicht auch nochmal das Skript prüfen ob du dort aus Versehen (zu viel) Änderungen vorgenommen hast.

Hey, auch vielen Dank auch fuer deine Antwort, leider keine Erfolg.
Berechtigung zum Einstellungen aendern waren gesetzt. Neuen Nutzer angelegt, gleiches Problem. Passwort fuer den aktuellen Cert-user habe ich auch schon x-mal geaendert.

Was ich aber rausgefunden habe, dass wenn ich im Scipt wirklich das falsche Passwort angebe, kommt noch eine ganz andere Meldung vom Script...

Habe zum Testen mal die Einstellung "Zugang aus dem Internet erlaubt" eingeschaltet, aber auch keine Besserung.

Noch mehr Ideen?

Edit:
Ich werde bekloppt.... Ich habe beide Sites mit Wireguard verbunden. Also einmal 192.168.8.0/24 was Probleme macht und 192.168.16.0/24, wo es problemlos geht. Beide Sites koennen einander erreichen.

Ich habe gerade das Script einfach auf den Host in 192.168.16.0/24 kopiert, so wie es auf dem anderen host war, und es geht o.OOOOO
Das laesst mich irgendwie zu dem Schluss kommen, dass eins der Pakete borken ist... Allerdings sind beide Hosts Ubuntu 20.04.5... Ich vergleiche mal Paketversionen...

Edit 2:
the mystery has been solved!!! It was the f****ng certificate. I created a cert with a docker compose command from here: https://stackoverflow.com/a/66638930

Unfortunately that did something super weird with the created certs (I assume it's the --rsa-key-size 4096) and they can't be imported into the Fritzbox. I actually reached that conclusion when I compared the TMP-files the script creates. The private key on the non working machine was much shorter. I don't know what exactly went wrong, it still seemed like a valid cert, but didn't work for the Fritzbox. I ran certbox directly on the host, w/o any further key size args and imported the cert with success.... URGH, glad this is over...

Backup, Factory reset, Restore maybe the Box has run into some issues that causeb this unknown error. Also before you are able to open a support case at AVM, and send them a support case collection of your box. maybe it is still supported. Kind Regards From Phoneland

…

On Fri, Jan 27, 2023, 22:15 Eldiabolo21 ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Hey, auch vielen Dank auch fuer deine Antwort, leider keine Erfolg. Berechtigung zum Einstellungen aendern waren gesetzt. Neuen Nutzer angelegt, gleiches Problem. Passwort fuer den aktuellen Cert-user habe ich auch schon x-mal geaendert. Was ich aber rausgefunden habe, dass wenn ich im Scipt wirklich das falsche Passwort angebe, kommt noch eine ganz andere Meldung vom Script... Habe zum Testen mal die Einstellung "Zugang aus dem Internet erlaubt" eingeschaltet, aber auch keine Besserung. Noch mehr Ideen? — Reply to this email directly, view it on GitHub <https://gist.github.com/f1d5747a714e0a34d0582981f7cb4cfb#gistcomment-4451207> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AH7N7TCXRKTBFYGEESTLCKLWUQ3GNBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA2TAOJTG44TIONHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

HiGgf. ein Berechtigungsproblem einfach mal einen Admin Account benutzen. Wenn der dann geht dann fehlt dem dedizierten was. Habe noch nie einen separaten Account dafür benutzt.                                  

Hey, auch vielen Dank auch fuer deine Antwort, leider keine Erfolg. Berechtigung zum Einstellungen aendern waren gesetzt. Neuen Nutzer angelegt, gleiches Problem. Passwort fuer den aktuellen Cert-user habe ich auch schon x-mal geaendert.

Was ich aber rausgefunden habe, dass wenn ich im Scipt wirklich das falsche Passwort angebe, kommt noch eine ganz andere Meldung vom Script...

Habe zum Testen mal die Einstellung "Zugang aus dem Internet erlaubt" eingeschaltet, aber auch keine Besserung.

Noch mehr Ideen?

Edit: Ich werde bekloppt.... Ich habe beide Sites mit Wireguard verbunden. Also einmal 192.168.8.0/24 was Probleme macht und 192.168.16.0/24, wo es problemlos geht. Beide Sites koennen einander erreichen.

Ich habe gerade das Script einfach auf den Host in 192.168.16.0/24 kopiert, so wie es auf dem anderen host war, und es geht o.OOOOO Das laesst mich irgendwie zu dem Schluss kommen, dass eins der Pakete borken ist... Allerdings sind beide Hosts Ubuntu 20.04.5... Ich vergleiche mal Paketversionen...

Edit 2: the mystery has been solved!!! It was the f****ng certificate. I created a cert with a docker compose command from here: https://stackoverflow.com/a/66638930

Unfortunately that did something super weird with the created certs (I assume it's the --rsa-key-size 4096) and they can't be imported into the Fritzbox. I actually reached that conclusion when I compared the TMP-files the script creates. The private key on the non working machine was much shorter. I don't know what exactly went wrong, it still seemed like a valid cert, but didn't work for the Fritzbox. I ran certbox directly on the host, w/o any further key size args and imported the cert with success.... URGH, glad this is over...

Great you managed to make it work.
I use acme.sh to automatically issue / renew a wildcard certificate (single domain certificates are even easier to setup) and automatically install them from my VPS onto my fritzbox via wireguard. If you are interested you can check it out here: https://gion.io/blog/automatic-renewal-of-wildcard-certificates/

Anyhow, I am glad you found the error and made it work.
Have a great weekend!

This sentence comes to my mind:
Security breaking down our nerves (2023)

I had the same problem and it was because the certificate's private key was an ecdsa key.

Changing key_type to rsa in /etc/letsencrypt/renewal/xxx.conf and renewing the certificate (certbot renew --force-renewal) generated a certificate with a rsa private key which could be imported again.