Commit a7566c84 authored by Frank Schubert's avatar Frank Schubert

Added Let's Encrypt scripts for rproxy and fortigate

parent 1465e4f9
#!/usr/bin/python3
import os
import sys
import requests
import json
import base64
import time
from datetime import datetime
# ignore invalid certificates in HTTPS requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
host = "<ip or hostname>"
port = "444"
certurl = "/api/v2/cmdb/certificate/local"
vpncerturl = "/api/v2/cmdb/vpn.certificate/local"
importurl = "/api/v2/monitor/vpn-certificate/local/import"
apitoken = "<token of api user on fortigate"
certname = "lecrypt"
certHostname = "<certificate hostname>"
lePath = "/etc/letsencrypt/live/%s/" % (certHostname)
hostname = host + ":" + port
# add intermediate CA certificate
# note: Brute-forcing an upload here. API won't accept duplicates. There's no way to check for it's existence without downloading all CA certificates and checking DN or fingerprints
caPath = lePath + "chain.pem"
# get new certificate and private key
certPath = lePath + "fullchain.pem"
keyPath = lePath + "privkey.pem"
certContent = base64.b64encode(open(certPath, "r").read().encode("utf-8"))
privkeyContent = base64.b64encode(open(keyPath, "r").read().encode("utf-8"))
# upload new certificate
nowStr = datetime.now().strftime("%Y-%m-%d.%H%M%S")
newCertname = certname + "-" + nowStr
postData = {
'type': "regular",
'certname': newCertname,
'password': "",
'key_file_content': privkeyContent,
'file_content': certContent
}
url = "https://" + hostname + importurl
resp = requests.post(url, params={'access_token': apitoken}, json=postData, verify=False)
if resp.ok:
data = json.loads(resp.content)
print (json.dumps(data, sort_keys=True, indent=2))
else:
#resp.raise_for_status()
print("\ncertificate was not uploaded firewall. The request was:")
print("POST %s" % (url))
sys.exit()
print("certificate uploaded successfully.")
# enable new certificate via SSH
scriptContent = """config system global
unset admin-server-cert
end
config system global
set admin-server-cert "%s"
end
config vpn ssl setting
set servercert "%s"
end
""" % (newCertname, newCertname)
print()
print("running script: ")
print("===========================================")
print(scriptContent)
print("===========================================")
os.system("ssh admin@" + host + " -i /root/.ssh/forti-certbot-key '" + scriptContent + "' >/dev/null 2>&1")
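Review bot: `certContent` and `privkeyContent` are `bytes` (the return type of `base64.b64encode`), and `requests.post(..., json=postData)` serialises the dict with `json.dumps`, which raises `TypeError` on bytes, so the import request is never sent; decode them first, `certContent = base64.b64encode(open(certPath, "r").read().encode("utf-8")).decode("ascii")`, and likewise for the key. `verify=False` on the POST means the API token and the freshly issued private key are sent to whatever answers on `host:444` without checking its identity; point `verify=` at the FortiGate's CA bundle (`verify="<path-to-fortigate-ca.pem>"`) rather than disabling verification and silencing the warning, and consider passing the token as an `Authorization: Bearer` header instead of a query parameter, which tends to end up in access logs. The failure branch calls `sys.exit()` with no status, so a certbot deploy hook or cron job sees a zero exit code after a failed upload; use `sys.exit(1)`. The closing `os.system` splices `scriptContent` into a shell string and discards both output and exit status, so a failed activation is invisible; `subprocess.run(["ssh", "-i", "/root/.ssh/forti-certbot-key", "admin@" + host, scriptContent], check=True)` avoids the shell quoting and raises on a non-zero exit.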
#!/bin/sh
certname="owa.domain"
cd /etc/letsencrypt/live/$certname
cat fullchain.pem privkey.pem > /etc/haproxy/certs/$certname.pem
service haproxy reload
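Review bot: The `cd` is unchecked, so if `/etc/letsencrypt/live/$certname` is missing the `cat` runs in the original directory and the `>` redirection truncates `/etc/haproxy/certs/$certname.pem` to an empty or partial file before haproxy is reloaded; add `set -eu` after the shebang, or write `cd /etc/letsencrypt/live/$certname || exit 1`. The output file contains the private key and is created with the process umask, which may make it group- or world-readable; put `umask 077` before the `cat`, or follow it with `chmod 600 /etc/haproxy/certs/$certname.pem`. The reload should also be conditional on the concatenation succeeding, which `set -e` gives for free.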