
deploy hook for Ruckus ZoneDirector / Unleashed #4832

Merged: 13 commits, Dec 7, 2024

Conversation

@kchiem (Contributor) commented Oct 19, 2023

Tested on my Unleashed install, but according to the code it's adapted from, it should work for ZD installs too.

@uberjay commented Oct 21, 2024

Just stumbled across this and verified it works for deploying certificate updates from OPNsense to my Ruckus Unleashed controller.

Steps:

  1. Place ruckus.sh file in /usr/local/share/examples/acme.sh/deploy/
  2. chmod 555 ruckus.sh
  3. Set up the certificate for Ruckus (via the OPNsense GUI). Let's call the domain name $domain.
  4. Run issue/renew certificate action.
  5. ssh to your OPNsense system as root and drop to a shell
  6. find the corresponding certificate configuration directory under /var/etc/acme-client/certs/
    • in my case it was /var/etc/acme-client/certs/6716ac20201125.16873601.
    • let's call this full directory path $certdir.
  7. edit the cert config file (this will be $certdir/$domain/$domain.conf) to add the three variables:
    • RUCKUS_HOST
    • RUCKUS_USER
    • RUCKUS_PASS
  8. execute the acme.sh deploy action:
/usr/local/sbin/acme.sh --deploy --syslog 7 --debug --server 'letsencrypt' \
  --home '/var/etc/acme-client/home' \
  --cert-home "$certdir/$domain" \
  --certpath "$certdir/$domain/cert.pem" \
  --keypath "$certdir/$domain/private.key" \
  --capath "$certdir/$domain/chain.pem" \
  --fullchainpath "$certdir/$domain/fullchain.pem" \
  --domain "$domain" --deploy-hook ruckus

So, I vote for including this deployment hook. What else is needed to make it happen? It needs to be upstream (here) before OPNsense will add an option to use it, and it'd be really fantastic to have it "just work". ✨
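The manual steps above, scripted as an added example (this is not code from the PR, from acme.sh or from OPNsense): locate the acme-client cert directory for a domain, write the three RUCKUS_* variables into its conf without duplicating lines on re-runs, and print the matching acme.sh --deploy command. It assumes only the /var/etc/acme-client layout the steps describe; the function names, the constructed directory id and domain, and the optional "first" switch that appends --insecure are this example's own.

```sh
#!/bin/sh
# Added example: not code from the PR, acme.sh or OPNsense. Automates the manual
# steps above. Assumed layout (taken from the steps):
#   /var/etc/acme-client/certs/<id>/<domain>/<domain>.conf
# Function names, sample id/domain and the "first" switch are this example's own.

# Print the path of <domain>.conf under the certs root; fail if none or ambiguous.
ruckus_find_conf() {
  _root=$1 _domain=$2 _found=''
  for _d in "$_root"/*/"$_domain"; do
    [ -f "$_d/$_domain.conf" ] || continue
    if [ -n "$_found" ]; then
      echo "more than one cert directory for $_domain" >&2
      return 1
    fi
    _found="$_d/$_domain.conf"
  done
  [ -n "$_found" ] || return 1
  printf '%s\n' "$_found"
}

# Write KEY='VALUE' into the conf, dropping any existing KEY= line first so the
# script is idempotent. Embedded single quotes become '\'' because acme.sh
# sources this file as shell when it runs --deploy.
ruckus_set_var() {
  _conf=$1 _key=$2
  _val=$(printf '%s' "$3" | sed "s/'/'\\\\''/g")
  grep -v "^$_key=" "$_conf" > "$_conf.tmp" || true
  printf "%s='%s'\n" "$_key" "$_val" >> "$_conf.tmp"
  mv "$_conf.tmp" "$_conf"
}

# conf host user pass
ruckus_configure() {
  ruckus_set_var "$1" RUCKUS_HOST "$2"
  ruckus_set_var "$1" RUCKUS_USER "$3"
  ruckus_set_var "$1" RUCKUS_PASS "$4"
  chmod 600 "$1"   # the conf now holds the controller password
}

# Print (do not run) the --deploy command for the cert dir holding the conf.
# "first" appends --insecure for the very first run only, while the controller
# still presents its factory self-signed certificate; leave it off afterwards so
# later runs verify the certificate this hook installed.
ruckus_deploy_cmd() {
  _dir=$(dirname "$1")
  _domain=$(basename "$_dir")
  _cmd="/usr/local/sbin/acme.sh --deploy --home /var/etc/acme-client/home"
  _cmd="$_cmd --cert-home $_dir --certpath $_dir/cert.pem --keypath $_dir/private.key"
  _cmd="$_cmd --capath $_dir/chain.pem --fullchainpath $_dir/fullchain.pem"
  _cmd="$_cmd --domain $_domain --deploy-hook ruckus"
  [ "${2:-}" = first ] && _cmd="$_cmd --insecure"
  printf '%s\n' "$_cmd"
}

# Demo on a constructed tree (not a real OPNsense host); on the real box use
# /var/etc/acme-client/certs as the root instead.
_demo_root=$(mktemp -d)
mkdir -p "$_demo_root/0123456789abcd.1/wifi.example.net"
printf "Le_Domain='wifi.example.net'\n" > "$_demo_root/0123456789abcd.1/wifi.example.net/wifi.example.net.conf"
_demo_conf=$(ruckus_find_conf "$_demo_root" wifi.example.net)
ruckus_configure "$_demo_conf" 192.0.2.10 admin "s3cr'et"
cat "$_demo_conf"
ruckus_deploy_cmd "$_demo_conf" first
rm -rf "$_demo_root"
```

Run it as root on the OPNsense box; the conf is chmod 600 because it now carries the controller password, and the deploy command is printed rather than executed so it can be checked before the first real run.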

deploy/ruckus.sh (outdated):
}
trap cleanup EXIT

LOGIN_URL=$(curl https://$RUCKUS_HOST -ksSLo /dev/null -w '%{url_effective}')

Member: do not use curl, please use the _post() or _get() functions instead.

Contributor: My reimplementation using _get() and _post() has been pushed to this PR now

@fraenki (Contributor) commented Nov 6, 2024

@uberjay I don't know if the original author is still working on this... Maybe you would be interested to finish the job? I'd suggest to apply the proposed fixes and submit a new PR.

@ms264556 (Contributor) commented Nov 6, 2024

> @uberjay I don't know if the original author is still working on this... Maybe you would be interested to finish the job? I'd suggest to apply the proposed fixes and submit a new PR.

I'm the author of the code this is adapted from.

If anyone's already working on a fix then let me know. Otherwise I'm happy to re-implement this correctly: I'm on holiday for a couple more months, so I have the time.

(I had assumed this PR wouldn't be accepted as-is, since it's not idiomatic with the other acme code).

@kchiem (Contributor, Author) commented Nov 6, 2024

@ms264556 I was planning on looking into it now, but if you're able to, please do go ahead.

@uberjay commented Nov 6, 2024

@ms264556 That'd be awesome! I don't know if the original PR author is following along here, and I don't personally have the bandwidth. It'd be very much appreciated!

@ms264556 (Contributor) commented Nov 6, 2024

> @ms264556 I was planning on looking into it now, but if you're able to, please do go ahead.

Sure. I'll setup some test APs and have a look this afternoon.

I do remember that the acme code for existing integrations was very low level compared to my lazy 'get curl do all the thinking' code, so I don't think this is a 5 minute job.

@ms264556 (Contributor):

@kchiem my changes are in a PR to your dev branch

ms264556 and others added 2 commits November 10, 2024 22:43
Rewrite deploy/ruckus.sh to use _get() and _post()
deploy/ruckus.sh (outdated):

_debug RUCKUS_HOST "$RUCKUS_HOST"
_debug RUCKUS_USER "$RUCKUS_USER"
_debug RUCKUS_PASS "$RUCKUS_PASS"

Member: use _secure_debug for the password, so that you won't leak it.

Contributor: Fixed

deploy/ruckus.sh (outdated):
_debug RUCKUS_USER "$RUCKUS_USER"
_debug RUCKUS_PASS "$RUCKUS_PASS"

export HTTPS_INSECURE=1

Member: why do we need "insecure" here?

Contributor: Ruckus devices ship with 1024-bit self-signed server certificates, so curl will fail with error 60 unless I set HTTPS_INSECURE=1.

@uberjay (Nov 13, 2024): Overriding HTTPS_INSECURE to always be enabled seems wrong to me -- for initial deployment one can add --insecure: acme.sh --deploy -d your.domain.here --deploy-hook ruckus --insecure. On subsequent cert deploy runs, HTTPS_INSECURE=1 should no longer be necessary.

Contributor: No problem. That's fixed now.

deploy/ruckus.sh (outdated):
_replace_cert_ajax='<ajax-request action="docmd" comp="system" updater="rid.0.5" xcmd="replace-cert" checkAbility="6" timeout="-1"><xcmd cmd="replace-cert" cn="'$RUCKUS_HOST'"/></ajax-request>'
_post "$_replace_cert_ajax" "$_base_url/_cmdstat.jsp" >/dev/null

info "Rebooting"

Member: use _info

Contributor: Fixed, and I also fixed the unquoted _info strings

@ms264556 (Contributor) commented Nov 13, 2024

Oops. Would help if I quoted all of my _info() args. One more commit incoming.

And this is fixed now.

@kchiem (Contributor, Author) commented Nov 13, 2024

fix acme.sh PR shfmt failure

@Neilpang (Member):
please add the usage here:
https://github.com/acmesh-official/acme.sh/wiki/deployhooks

@ms264556 (Contributor):

> please add the usage here: Wiki: deployhooks

That's done

@ms264556 (Contributor):

I noticed in the dev docs that we're not supposed to use awk. Our awk usage isn't doing anything useful, so I've given @kchiem a PR to remove this, which should be pushed here soon

Remove awk usage & refuse host redirects
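What "refuse host redirects" amounts to in practice, as an added example in POSIX sh that is not the PR's or acme.sh's code: the first version of the hook found the login page by letting curl follow redirects from https://$RUCKUS_HOST, so a redirect to another host would have sent the controller credentials there. The functions below pull the host out of a Location value without awk (the dev docs rule it out), follow the redirect only when that host equals RUCKUS_HOST, and refuse otherwise. It goes one step beyond the commit message by also refusing a non-https target, since the credentials are posted to whatever URL is followed. Function names, the added scheme check and the sample responses are constructed for this example, not taken from a device or from the hook.

```sh
#!/bin/sh
# Added example, not the PR's or acme.sh's code: a stand-alone version of the
# "refuse host redirects" check, written without awk. Names and sample data are
# this example's own; the https-only rule is an addition, not in the hook.

# Print the lower-cased host of a URL: scheme, leading //, userinfo, port, path
# and query are stripped; bracketed IPv6 literals are unwrapped.
url_host() {
  _h=${1#*://}
  _h=${_h#//}
  _h=${_h%%/*}
  _h=${_h%%\?*}
  _h=${_h##*@}
  case $_h in
    \[*\]*) _h=${_h%%\]*}; _h=${_h#\[} ;;
    *) _h=${_h%%:*} ;;
  esac
  printf '%s\n' "$_h" | tr 'A-Z' 'a-z'
}

# 0 if the redirect target stays on the configured controller host, else 1.
same_host() {
  _want=$(url_host "$1")
  _got=$(url_host "$2")
  [ -n "$_got" ] && [ "$_got" = "$_want" ]
}

# First Location header from raw response headers on stdin (CRs dropped).
location_header() {
  tr -d '\r' | sed -n 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*//p' | head -n 1
}

# Print the URL the hook may post credentials to, given the configured host and
# the headers of the first response; fail instead of following a redirect that
# changes host or drops to http.
login_url_from_headers() {
  _host=$1
  _loc=$(location_header)
  case $_loc in
    '')  printf 'https://%s/\n' "$_host"; return 0 ;;           # no redirect
    //*) _loc="https:$_loc" ;;                                  # scheme-relative: host may change
    /*)  printf 'https://%s%s\n' "$_host" "$_loc"; return 0 ;;  # path only: same host
  esac
  case $_loc in
    https://*) ;;
    *) echo "refusing non-https redirect: $_loc" >&2; return 1 ;;
  esac
  if same_host "$_host" "$_loc"; then
    printf '%s\n' "$_loc"
  else
    echo "refusing redirect from $_host to $(url_host "$_loc")" >&2
    return 1
  fi
}

# Constructed sample responses (not captured from a real controller).
printf 'HTTP/1.1 302 Found\r\nLocation: https://ruckus.example.net/admin/login.jsp\r\n\r\n' \
  | login_url_from_headers ruckus.example.net
printf 'HTTP/1.1 302 Found\r\nLocation: https://attacker.example.com/admin/login.jsp\r\n\r\n' \
  | login_url_from_headers ruckus.example.net || echo "blocked, as intended"
```

Inside the real hook the header dump would come from the response to the first request against https://$RUCKUS_HOST; the point of keeping the decision in a function is that the same check applies to every redirect the hook follows, not just the first.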
@uberjay commented Dec 7, 2024

@ms264556 Thanks for taking care of this. Is there anything else that's needed, apart from acme.sh project approval/merge?

I'm excited at the prospect of this being bundled with OPNsense.

@Neilpang Neilpang merged commit 3ccdae0 into acmesh-official:dev Dec 7, 2024
2 checks passed
5 participants