#!/usr/bin/expect
#
# script to update LetsEncrypt Certificate on fortigate
# Created by Gerrit Doornenbal
# jan 2017 v0.1 initial release
# jun 2019 v0.2 Updated certificate check with real date comparison
# Option to remove ssh key after update
#
# Dependencies:
# * certificates created by dehydrated (Let's Encrypt client); the script is run from the dehydrated base directory so that certs/<certname>/ is a relative path
# * sending email with sendEmail. (http://caspian.dotconf.net/menu/Software/SendEmail/)
#
# Usage: fortigate.sh <configfile> (if not fortigate.conf)
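#Load configuration file
# The config is plain Tcl that is sourced below; it sets host, sslport, sshport,
# username, password, certname, certpass, logfile and the optional removekey /
# emailto / emailfrom / emailserver settings used later in this script.
# It holds the firewall admin password and the key passphrase, and every
# statement in it runs with this script's privileges, so it must belong to the
# user running the script and must not be readable or writable by others.
if {[lindex $argv 0] ne ""} {
    set configfile [lindex $argv 0]
} else {
    # default config file
    set configfile fortigate.conf
}
# Check readability as well: an unreadable file would otherwise surface as a
# raw Tcl error from "source" instead of the usage message.
if {![file exists $configfile] || ![file readable $configfile]} {
    send_user "Configfile $configfile does not exist or is not readable. Script stopped.\n Usage: fortigate.sh <configfile>\n\n"
    exit 1
}
source $configfile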
# Scripting vars
# The FortiGate CLI prompt ends in "#"; every command below waits for it.
set prompt "#"
# Seconds each expect waits before giving up (the CLI answers quickly).
set timeout 2
#Check if certificate is created
# Paths are relative to the current directory: run this from the dehydrated
# base directory where certs/<certname>/ lives.
set privkeyfile certs/$certname/privkey.pem
if {![file exists $privkeyfile]} {
    send_user "Certificate file $privkeyfile not found. script stopped.\n"
    exit 1
}
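#Read ExpiryDates from certificates and compare them..
# Compare the notAfter date of the certificate the firewall currently serves
# with the one of the local dehydrated certificate; only a local certificate
# that expires later is installed. The live certificate is fetched without
# chain verification on purpose: nothing but its notAfter field is used.
# exec raises a Tcl error when a pipeline stage exits non-zero (host down,
# closed port, missing cert.pem), so both pipelines are wrapped in catch to
# stop with a readable message instead of a stack trace.
if {[catch {
    set livecertdate [exec echo | openssl s_client -showcerts -connect $host:$sslport 2>/dev/null | openssl x509 -noout -enddate | cut -d = -f 2]
} err]} {
    send_user "Could not read the certificate served on $host:$sslport ($err). Script stopped.\n"
    exit 1
}
# -enddate prints only the notAfter line, so no grep is needed.
if {[catch {
    set filecertdate [exec openssl x509 -in certs/$certname/cert.pem -noout -enddate | cut -d = -f 2]
} err]} {
    send_user "Could not read certs/$certname/cert.pem ($err). Script stopped.\n"
    exit 1
}
# format Jun 16 04:08:00 2019 GMT -> seconds since the epoch
if {[catch {
    set livecertUTC [clock scan $livecertdate -format "%b %d %H:%M:%S %Y %Z"]
    set filecertUTC [clock scan $filecertdate -format "%b %d %H:%M:%S %Y %Z"]
} err]} {
    send_user "Could not parse certificate dates ('$livecertdate' / '$filecertdate'): $err. Script stopped.\n"
    exit 1
}
if {$livecertUTC >= $filecertUTC} {
    send_user "Certificate EndDate ($livecertdate) is equal or newer than local cert ($filecertdate), certificate not updated.\n"
    exit
} else {
    send_user "Certificate EndDate ($livecertdate) is older than local cert, certificate will be updated!!\n"
}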
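#Create an encrypted (passphrase protected) copy of the private key; the
# firewall decrypts it with the passphrase given via "set password" below.
# The passphrase is passed through the environment instead of "pass:..." on
# the command line, so it is not visible in the process list while openssl runs.
# -des3 is a legacy cipher; it is kept because that is the format this script
# has been used with. NOTE(review): check whether the target firmware also
# accepts -aes256 and switch if it does.
# openssl rsa prints "writing RSA key" on stderr, which exec would treat as a
# failure; "2>@1" folds stderr into the (ignored) result. The original "2>&1"
# is not exec syntax and made Tcl write stderr to a file literally named "&1".
set env(CERTPASS) $certpass
set rc [catch {
    exec openssl rsa -des3 -passout env:CERTPASS -in certs/$certname/privkey.pem -out certs/$certname/encrprivkey.pem 2>@1
} err]
unset env(CERTPASS)
if {$rc} {
    send_user "Could not encrypt certs/$certname/privkey.pem ($err). Script stopped.\n"
    exit 1
}
# The encrypted copy stays on disk; keep it private (no-op where unsupported).
catch {file attributes certs/$certname/encrprivkey.pem -permissions 0600}
# Open the new certificates. The channels are left open on purpose; they are
# closed after the ssh session, together with the log handling.
set fpk [open "certs/$certname/encrprivkey.pem" r]
set priv_key [read $fpk]
set fcrt [open "certs/$certname/cert.pem" r]
set certificate [read $fcrt]
# Name of the certificate object on the firewall: year+month of this run, so a
# second run in the same month edits the same object.
set fgcertname [clock format [clock seconds] -format {%Y%m}]
send_user "Starting to install new certificate $certname to $host\n\n"
# create log file
# The log records the CLI echo of the encrypted key and of the certificate
# (the passphrase itself is suppressed below), so it is created private.
if {[info exists logfile] && $logfile ne ""} {
    send_user "Starting log in $logfile\n"
    log_file -noappend $logfile
    catch {file attributes $logfile -permissions 0600}
}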
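#Login to fortinet host
spawn ssh $username@$host -p $sshport
#test rsa fingerprint
# On an unknown host key ssh asks whether to continue; the key is accepted
# (trust on first use). Older OpenSSH asks "(yes/no)? ", newer versions
# "(yes/no/[fingerprint])? "; the regexp matches both. On a known host no
# question appears and this expect just times out.
# NOTE(review): the key is accepted without any check. Together with
# removekey=yes (entry deleted after every run) the firewall is never
# authenticated, and a MITM on the ssh path would obtain the admin password
# and the new private key. Pre-seeding known_hosts and leaving removekey
# unset is the safer setup.
expect -re {\(yes/no(/\[fingerprint\])?\)\? } { send "yes\r" }
# Connecting and authenticating can take longer than the short command
# timeout. Stop when no password prompt, a login failure or no CLI prompt is
# seen, instead of typing the whole configuration blindly into the session.
set cmdtimeout $timeout
set timeout 15
expect {
    "password:" { send -- "$password\r" }
    timeout { send_user "\nNo password prompt from $host, script stopped.\n"; exit 1 }
    eof { send_user "\nssh connection to $host closed before login, script stopped.\n"; exit 1 }
}
expect {
    "Permission denied" { send_user "\nLogin on $host failed, script stopped.\n"; exit 1 }
    $prompt { }
    timeout { send_user "\nNo CLI prompt from $host after login, script stopped.\n"; exit 1 }
    eof { send_user "\nssh connection to $host closed after login, script stopped.\n"; exit 1 }
}
set timeout $cmdtimeout
#### Start adding certificate
send "config vpn certificate local\r"
expect $prompt
send "edit $fgcertname\r"
expect $prompt
# Show a masked line in the log/console instead of the real passphrase.
send_user "set password <---password suppressed--->\r\n"
send "set password $certpass\r"
#do not show/log the password!
# log_user 0 hides the CLI echo of the passphrase from console and log file.
log_user 0
#copy private key
expect $prompt
log_user 1
# The encrypted key (not the plaintext one) is sent; its echo is logged.
send "set private-key \"$priv_key\"\r"
#copy public certificate
# "--" because the PEM text starts with "-" and would be taken as a send flag.
expect $prompt
send "set certificate \""
send -- "$certificate\"\r"
#save new certificate
expect $prompt
send "end\r"
#### set ssl-vpn certificate default
expect $prompt
send "config vpn ssl settings\r"
expect $prompt
send "set servercert $fgcertname\r"
expect $prompt
send "end\r"
#### set admin https server certificate
# The current admin certificate is unset and committed first, then the new one
# is assigned in a second transaction; presumably the firewall refuses a direct
# replacement - TODO confirm against the firmware in use.
expect $prompt
send "config system global\r"
expect $prompt
send "unset admin-server-cert\r"
#save input
expect $prompt
send "end\r"
expect $prompt
send "config system global\r"
expect $prompt
send "set admin-server-cert $fgcertname\r"
expect $prompt
send "end\r"
#Logout after update
expect $prompt
send "exit\r"
expect eof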
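#close my open files
close $fpk
close $fcrt
# Everything below only runs when a session log was written; the mail uses the
# log as message body. NOTE(review): the known_hosts cleanup is nested in here
# as well, which looks accidental but is kept unchanged.
if {[info exists logfile] && $logfile ne ""} {
    #disable logging
    log_file;
    #remove empty lines in logfile.
    # The rewritten copy is created next to the log ("tmp$logfile" broke when
    # the log name contained a directory) and with mode 0600, because it holds
    # the session transcript including the encrypted key and the certificate.
    set tmpfile "$logfile.tmp"
    set in [open $logfile r]
    set out [open $tmpfile {WRONLY CREAT TRUNC} 0600]
    set content [read $in]
    # one pass collapsing any run of newlines, instead of two "\n\n" passes
    regsub -all {\n{2,}} $content "\n" content
    puts $out $content
    close $out
    close $in
    file delete -force $logfile
    file rename -force $tmpfile $logfile
    #Remove current SSH host key?
    # known_hosts stores a host on a non-default port as "[host]:port"; a bare
    # hostname would not match that entry. ssh-keygen reports its result on
    # stderr, which exec would otherwise raise as an error, hence 2>@1 + catch.
    if {[info exists removekey] && $removekey eq "yes"} {
        set khost $host
        if {$sshport != 22} {
            set khost "\[$host\]:$sshport"
        }
        send_user "Host key fingerprint of $host is removed..\n"
        if {[catch {exec ssh-keygen -f "$env(HOME)/.ssh/known_hosts" -R $khost 2>@1} msg]} {
            send_user "ssh-keygen failed: $msg\n"
        }
    }
    #Email the logging.
    # The subject is passed as one argument. NOTE: the mailed log contains the
    # passphrase-protected private key and the certificate as echoed by the
    # firewall CLI, so the mail path should be treated as sensitive.
    if {[info exists emailto] && [info exists emailfrom] && [info exists emailserver]
            && $emailto ne "" && $emailfrom ne "" && $emailserver ne ""} {
        if {[catch {exec sendEmail -s $emailserver -t $emailto -u "Certificate $certname on $host is renewed" -o message-file=$logfile -f $emailfrom 2>@1} msg]} {
            send_user "sendEmail failed: $msg\n"
        }
    }
}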