Skip to content

Instantly share code, notes, and snippets.

@wikrie
Last active October 17, 2024 17:39
Show Gist options
  • Save wikrie/f1d5747a714e0a34d0582981f7cb4cfb to your computer and use it in GitHub Desktop.
Save wikrie/f1d5747a714e0a34d0582981f7cb4cfb to your computer and use it in GitHub Desktop.
Fritzbox Fritz!Box AVM SSL Letsencrypt automatically update
#!/bin/bash
## this little Gist is for Copy the Letsencrypt Cert from an Linux machine (e.g. Raspberry PI or Synology NAS)
## to the router (Fritzbox).
## It is usefull to be able to speak to the Router over DDNS without any Cert issue in the Browser.
## thanks to https://gist.github.com/mahowi for the perfect Idea
## put it in /etc/letsencrypt/renewal-hooks/post so it gets run after every renewal.
## since Fritz OS 7.25 it is needed to select a Username, from a security point of view
## it is always a good idea to have a non default user name. And as normaly a Fritz Box
## is connected to the Internet, the prefered method should be WITH Username.
# parameters
USERNAME="needed since Fritz OS 7.25"
PASSWORD="fritzbox-password"
CERTPATH="path to cert eg /etc/letsencrypt/live/domain.tld/"
CERTPASSWORD="cert password if needed"
HOST=http://fritz.box
# make and secure a temporary file
TMP="$(mktemp -t XXXXXX)"
chmod 600 $TMP
# login to the box and get a valid SID
CHALLENGE=`wget -q -O - $HOST/login_sid.lua | sed -e 's/^.*<Challenge>//' -e 's/<\/Challenge>.*$//'`
HASH="`echo -n $CHALLENGE-$PASSWORD | iconv -f ASCII -t UTF16LE |md5sum|awk '{print $1}'`"
SID=`wget -q -O - "$HOST/login_sid.lua?sid=0000000000000000&username=$USERNAME&response=$CHALLENGE-$HASH"| sed -e 's/^.*<SID>//' -e 's/<\/SID>.*$//'`
# generate our upload request
BOUNDARY="---------------------------"`date +%Y%m%d%H%M%S`
printf -- "--$BOUNDARY\r\n" >> $TMP
printf "Content-Disposition: form-data; name=\"sid\"\r\n\r\n$SID\r\n" >> $TMP
printf -- "--$BOUNDARY\r\n" >> $TMP
printf "Content-Disposition: form-data; name=\"BoxCertPassword\"\r\n\r\n$CERTPASSWORD\r\n" >> $TMP
printf -- "--$BOUNDARY\r\n" >> $TMP
printf "Content-Disposition: form-data; name=\"BoxCertImportFile\"; filename=\"BoxCert.pem\"\r\n" >> $TMP
printf "Content-Type: application/octet-stream\r\n\r\n" >> $TMP
cat $CERTPATH/privkey.pem >> $TMP
cat $CERTPATH/fullchain.pem >> $TMP
printf "\r\n" >> $TMP
printf -- "--$BOUNDARY--" >> $TMP
# upload the certificate to the box
wget -q -O - $HOST/cgi-bin/firmwarecfg --header="Content-type: multipart/form-data boundary=$BOUNDARY" --post-file $TMP | grep SSL
# clean up
rm -f $TMP
@mbo77
Copy link

mbo77 commented Sep 19, 2023

No luck..

Die Funktion für den Import der Zertifikate war für unsere Repeater nie geplant und über die Benutzeroberfläche auch nicht möglich.
Durch aktuelle FRITZ!OS-Änderungen im Unterbau ist es nun bei Repeatern auch komplett entfernt worden.

Gerne gebe ich Ihr Anliegen aber als Verbesserungsvorschlag an unsere Produktentwicklung weiter.

@franzs
Copy link

franzs commented Sep 19, 2023

@mbo77 What a pity. But thanks for sharing the answer. At least I'll list the Fritz!Repeater 1200 AX with 7.57 as unsupported. Unfortunately there is no easy way to get the product name and the OS version from a fritzbox to check it.

@xraver
Copy link

xraver commented Dec 28, 2023

Hello,
I want to share my experience.
The script worked well. At a certain point it looks not working properly: no error prompted and no certificate imported.
After troubleshooting it I've discovered the issue was related to letsencrypt that changed from rsa to ecdsa. I replaced in the letsencrypt configuration file as below
#key_type = ecdsa
key_type = rsa
And now is working well back.
hope my experience will help you.

(tested with fritz7590 and 7530ax both version 7.57)

@draddy82
Copy link

Hi,
this worked for me for years. now my boxtogo app say something like verification chain error ... after some testing i see the box don't have the cert anymore and don't get it with the script ...

maybe its the same like xraver say - but ... how to change? i use letsencrypt in a docker.

thx ;)

@xraver
Copy link

xraver commented Jul 15, 2024

In my installation (standard debian) there is a file in /etc/letsencrypt/renewal with the name of your domain.
Inside there is a key: key_type. you have to change it as described above and request new certificate.

@wikrie
Copy link
Author

wikrie commented Jul 15, 2024

Hi Folks,

I do not maintain this script anymore as I use a complete solution for all of my Cert Issues.

https://github.com/NginxProxyManager/nginx-proxy-manager

so there you can also add and create a Cert for the FritzBox and all your services. So no need to create this and transfer it anymore.

@draddy82
Copy link

hi xraver,
i found this file and changed it, but i'm not able to certbot renew --force-renewal ... it say something will use port 80 (what the nginx proxy is) -.-

@wikrie
Copy link
Author

wikrie commented Jul 15, 2024

@draddy82 With my Script you do not create any Cert it just upload the existing Letsencrypt Cert to a AVM FirtBox.

see the first 2 Lines in my Script Description

this little Gist is for Copy the Letsencrypt Cert from an Linux machine (e.g. Raspberry PI or Synology NAS)

to the router (Fritzbox).

@draddy82
Copy link

draddy82 commented Jul 15, 2024

yeah is ok wikrie

problem seems to be that the actual cert is not rsa ... but the fritzbox only accept rsa.

@Kornelius777
Copy link

Nice! Thank you for this little script!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment