Merge branch 'acmesh-official:master' into master

deploy/cachefly.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificate to CacheFly
+# https://api.cachefly.com/api/2.5/docs#tag/Certificates/paths/~1certificates/post
+
+# This deployment required following variables
+# export CACHEFLY_TOKEN="Your CacheFly API Token"
+
+# returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+CACHEFLY_API_BASE="https://api.cachefly.com/api/2.5"
+
+cachefly_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$CACHEFLY_TOKEN" ]; then
+    _err "CACHEFLY_TOKEN is not defined."
+    return 1
+  else
+    _savedomainconf CACHEFLY_TOKEN "$CACHEFLY_TOKEN"
+  fi
+
+  _info "Deploying certificate to CacheFly..."
+
+  ## upload certificate
+  string_fullchain=$(sed 's/$/\\n/' "$_cfullchain" | tr -d '\n')
+  string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n')
+
+  _request_body="{\"certificate\":\"$string_fullchain\",\"certificateKey\":\"$string_key\"}"
+  _debug _request_body "$_request_body"
+  _debug CACHEFLY_TOKEN "$CACHEFLY_TOKEN"
+  export _H1="Authorization: Bearer $CACHEFLY_TOKEN"
+  _response=$(_post "$_request_body" "$CACHEFLY_API_BASE/certificates" "" "POST" "application/json")
+
+  if _contains "$_response" "message"; then
+    _err "Error in deploying $_cdomain certificate to CacheFly."
+    _err "$_response"
+    return 1
+  fi
+  _debug response "$_response"
+  _info "Domain $_cdomain certificate successfully deployed to CacheFly."
+  return 0
+}

deploy/directadmin.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificate to DirectAdmin
+# https://docs.directadmin.com/directadmin/customizing-workflow/api-all-about.html#creating-a-login-key
+# https://docs.directadmin.com/changelog/version-1.24.4.html#cmd-api-catch-all-pop-passwords-frontpage-protected-dirs-ssl-certs
+
+# This deployment required following variables
+# export DirectAdmin_SCHEME="https" # Optional, https or http, defaults to https
+# export DirectAdmin_ENDPOINT="example.com:2222"
+# export DirectAdmin_USERNAME="Your DirectAdmin Username"
+# export DirectAdmin_KEY="Your DirectAdmin Login Key or Password"
+# export DirectAdmin_MAIN_DOMAIN="Your DirectAdmin Main Domain, NOT Subdomain"
+
+# returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+directadmin_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$DirectAdmin_ENDPOINT" ]; then
+    _err "DirectAdmin_ENDPOINT is not defined."
+    return 1
+  else
+    _savedomainconf DirectAdmin_ENDPOINT "$DirectAdmin_ENDPOINT"
+  fi
+  if [ -z "$DirectAdmin_USERNAME" ]; then
+    _err "DirectAdmin_USERNAME is not defined."
+    return 1
+  else
+    _savedomainconf DirectAdmin_USERNAME "$DirectAdmin_USERNAME"
+  fi
+  if [ -z "$DirectAdmin_KEY" ]; then
+    _err "DirectAdmin_KEY is not defined."
+    return 1
+  else
+    _savedomainconf DirectAdmin_KEY "$DirectAdmin_KEY"
+  fi
+  if [ -z "$DirectAdmin_MAIN_DOMAIN" ]; then
+    _err "DirectAdmin_MAIN_DOMAIN is not defined."
+    return 1
+  else
+    _savedomainconf DirectAdmin_MAIN_DOMAIN "$DirectAdmin_MAIN_DOMAIN"
+  fi
+
+  # Optional SCHEME
+  _getdeployconf DirectAdmin_SCHEME
+  # set default values for DirectAdmin_SCHEME
+  [ -n "${DirectAdmin_SCHEME}" ] || DirectAdmin_SCHEME="https"
+
+  _info "Deploying certificate to DirectAdmin..."
+
+  # upload certificate
+  string_cfullchain=$(sed 's/$/\\n/' "$_cfullchain" | tr -d '\n')
+  string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n')
+
+  _request_body="{\"domain\":\"$DirectAdmin_MAIN_DOMAIN\",\"action\":\"save\",\"type\":\"paste\",\"certificate\":\"$string_key\n$string_cfullchain\n\"}"
+  _debug _request_body "$_request_body"
+  _debug DirectAdmin_ENDPOINT "$DirectAdmin_ENDPOINT"
+  _debug DirectAdmin_USERNAME "$DirectAdmin_USERNAME"
+  _debug DirectAdmin_KEY "$DirectAdmin_KEY"
+  _debug DirectAdmin_MAIN_DOMAIN "$DirectAdmin_MAIN_DOMAIN"
+  _response=$(_post "$_request_body" "$DirectAdmin_SCHEME://$DirectAdmin_USERNAME:$DirectAdmin_KEY@$DirectAdmin_ENDPOINT/CMD_API_SSL" "" "POST" "application/json")
+
+  if _contains "$_response" "error=1"; then
+    _err "Error in deploying $_cdomain certificate to DirectAdmin Domain $DirectAdmin_MAIN_DOMAIN."
+    _err "$_response"
+    return 1
+  fi
+
+  _info "$_response"
+  _info "Domain $_cdomain certificate successfully deployed to DirectAdmin Domain $DirectAdmin_MAIN_DOMAIN."
+
+  return 0
+}

deploy/edgio.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env sh
+
+# Here is a script to deploy cert to edgio using its API
+# https://docs.edg.io/guides/v7/develop/rest_api/authentication
+# https://docs.edg.io/rest_api/#tag/tls-certs/operation/postConfigV01TlsCerts
+
+# This deployment required following variables
+# export EDGIO_CLIENT_ID="Your Edgio Client ID"
+# export EDGIO_CLIENT_SECRET="Your Edgio Client Secret"
+# export EDGIO_ENVIRONMENT_ID="Your Edgio Environment ID"
+
+# If have more than one Environment ID
+# export EDGIO_ENVIRONMENT_ID="ENVIRONMENT_ID_1 ENVIRONMENT_ID_2"
+
+# returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+edgio_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$EDGIO_CLIENT_ID" ]; then
+    _err "EDGIO_CLIENT_ID is not defined."
+    return 1
+  else
+    _savedomainconf EDGIO_CLIENT_ID "$EDGIO_CLIENT_ID"
+  fi
+
+  if [ -z "$EDGIO_CLIENT_SECRET" ]; then
+    _err "EDGIO_CLIENT_SECRET is not defined."
+    return 1
+  else
+    _savedomainconf EDGIO_CLIENT_SECRET "$EDGIO_CLIENT_SECRET"
+  fi
+
+  if [ -z "$EDGIO_ENVIRONMENT_ID" ]; then
+    _err "EDGIO_ENVIRONMENT_ID is not defined."
+    return 1
+  else
+    _savedomainconf EDGIO_ENVIRONMENT_ID "$EDGIO_ENVIRONMENT_ID"
+  fi
+
+  _info "Getting access token"
+  _data="client_id=$EDGIO_CLIENT_ID&client_secret=$EDGIO_CLIENT_SECRET&grant_type=client_credentials&scope=app.config"
+  _debug Get_access_token_data "$_data"
+  _response=$(_post "$_data" "https://id.edgio.app/connect/token" "" "POST" "application/x-www-form-urlencoded")
+  _debug Get_access_token_response "$_response"
+  _access_token=$(echo "$_response" | _json_decode | _egrep_o '"access_token":"[^"]*' | cut -d : -f 2 | tr -d '"')
+  _debug _access_token "$_access_token"
+  if [ -z "$_access_token" ]; then
+    _err "Error in getting access token"
+    return 1
+  fi
+
+  _info "Uploading certificate"
+  string_ccert=$(sed 's/$/\\n/' "$_ccert" | tr -d '\n')
+  string_cca=$(sed 's/$/\\n/' "$_cca" | tr -d '\n')
+  string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n')
+
+  for ENVIRONMENT_ID in $EDGIO_ENVIRONMENT_ID; do
+    _data="{\"environment_id\":\"$ENVIRONMENT_ID\",\"primary_cert\":\"$string_ccert\",\"intermediate_cert\":\"$string_cca\",\"private_key\":\"$string_key\"}"
+    _debug Upload_certificate_data "$_data"
+    _H1="Authorization: Bearer $_access_token"
+    _response=$(_post "$_data" "https://edgioapis.com/config/v0.1/tls-certs" "" "POST" "application/json")
+    if _contains "$_response" "message"; then
+      _err "Error in deploying $_cdomain certificate to Edgio ENVIRONMENT_ID $ENVIRONMENT_ID."
+      _err "$_response"
+      return 1
+    fi
+    _debug Upload_certificate_response "$_response"
+    _info "Domain $_cdomain certificate successfully deployed to Edgio ENVIRONMENT_ID $ENVIRONMENT_ID."
+  done
+
+  return 0
+}

deploy/keyhelp.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificate to KeyHelp
+# This deployment required following variables
+# export DEPLOY_KEYHELP_BASEURL="https://keyhelp.example.com"
+# export DEPLOY_KEYHELP_USERNAME="Your KeyHelp Username"
+# export DEPLOY_KEYHELP_PASSWORD="Your KeyHelp Password"
+# export DEPLOY_KEYHELP_DOMAIN_ID="Depoly certificate to this Domain ID"
+
+# Open the 'Edit domain' page, and you will see id=xxx at the end of the URL. This is the Domain ID.
+# https://DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit&id=xxx
+
+# If have more than one domain name
+# export DEPLOY_KEYHELP_DOMAIN_ID="111 222 333"
+
+keyhelp_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$DEPLOY_KEYHELP_BASEURL" ]; then
+    _err "DEPLOY_KEYHELP_BASEURL is not defined."
+    return 1
+  else
+    _savedomainconf DEPLOY_KEYHELP_BASEURL "$DEPLOY_KEYHELP_BASEURL"
+  fi
+
+  if [ -z "$DEPLOY_KEYHELP_USERNAME" ]; then
+    _err "DEPLOY_KEYHELP_USERNAME is not defined."
+    return 1
+  else
+    _savedomainconf DEPLOY_KEYHELP_USERNAME "$DEPLOY_KEYHELP_USERNAME"
+  fi
+
+  if [ -z "$DEPLOY_KEYHELP_PASSWORD" ]; then
+    _err "DEPLOY_KEYHELP_PASSWORD is not defined."
+    return 1
+  else
+    _savedomainconf DEPLOY_KEYHELP_PASSWORD "$DEPLOY_KEYHELP_PASSWORD"
+  fi
+
+  if [ -z "$DEPLOY_KEYHELP_DOMAIN_ID" ]; then
+    _err "DEPLOY_KEYHELP_DOMAIN_ID is not defined."
+    return 1
+  else
+    _savedomainconf DEPLOY_KEYHELP_DOMAIN_ID "$DEPLOY_KEYHELP_DOMAIN_ID"
+  fi
+
+  # Optional DEPLOY_KEYHELP_ENFORCE_HTTPS
+  _getdeployconf DEPLOY_KEYHELP_ENFORCE_HTTPS
+  # set default values for DEPLOY_KEYHELP_ENFORCE_HTTPS
+  [ -n "${DEPLOY_KEYHELP_ENFORCE_HTTPS}" ] || DEPLOY_KEYHELP_ENFORCE_HTTPS="1"
+
+  _info "Logging in to keyhelp panel"
+  username_encoded="$(printf "%s" "${DEPLOY_KEYHELP_USERNAME}" | _url_encode)"
+  password_encoded="$(printf "%s" "${DEPLOY_KEYHELP_PASSWORD}" | _url_encode)"
+  _H1="Content-Type: application/x-www-form-urlencoded"
+  _response=$(_get "$DEPLOY_KEYHELP_BASEURL/index.php?submit=1&username=$username_encoded&password=$password_encoded" "TRUE")
+  _cookie="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2)"
+
+  # If cookies is not empty then logon successful
+  if [ -z "$_cookie" ]; then
+    _err "Fail to get cookie."
+    return 1
+  fi
+  _debug "cookie" "$_cookie"
+
+  _info "Uploading certificate"
+  _date=$(date +"%Y%m%d")
+  encoded_key="$(_url_encode <"$_ckey")"
+  encoded_ccert="$(_url_encode <"$_ccert")"
+  encoded_cca="$(_url_encode <"$_cca")"
+  certificate_name="$_cdomain-$_date"
+
+  _request_body="submit=1&certificate_name=$certificate_name&add_type=upload&text_private_key=$encoded_key&text_certificate=$encoded_ccert&text_ca_certificate=$encoded_cca"
+  _H1="Cookie: $_cookie"
+  _response=$(_post "$_request_body" "$DEPLOY_KEYHELP_BASEURL/index.php?page=ssl_certificates&action=add" "" "POST")
+  _message=$(echo "$_response" | grep -A 2 'message-body' | sed -n '/<div class="message-body ">/,/<\/div>/{//!p;}' | sed 's/<[^>]*>//g' | sed 's/^ *//;s/ *$//')
+  _info "_message" "$_message"
+  if [ -z "$_message" ]; then
+    _err "Fail to upload certificate."
+    return 1
+  fi
+
+  for DOMAIN_ID in $DEPLOY_KEYHELP_DOMAIN_ID; do
+    _info "Apply certificate to domain id $DOMAIN_ID"
+    _response=$(_get "$DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit&id=$DOMAIN_ID")
+    cert_value=$(echo "$_response" | grep "$certificate_name" | sed -n 's/.*value="\([^"]*\).*/\1/p')
+    target_type=$(echo "$_response" | grep 'target_type' | grep 'checked' | sed -n 's/.*value="\([^"]*\).*/\1/p')
+    if [ "$target_type" = "directory" ]; then
+      path=$(echo "$_response" | awk '/name="path"/{getline; print}' | sed -n 's/.*value="\([^"]*\).*/\1/p')
+    fi
+    echo "$_response" | grep "is_prefer_https" | grep "checked" >/dev/null
+    if [ $? -eq 0 ]; then
+      is_prefer_https=1
+    else
+      is_prefer_https=0
+    fi
+    echo "$_response" | grep "hsts_enabled" | grep "checked" >/dev/null
+    if [ $? -eq 0 ]; then
+      hsts_enabled=1
+    else
+      hsts_enabled=0
+    fi
+    _debug "cert_value" "$cert_value"
+    if [ -z "$cert_value" ]; then
+      _err "Fail to get certificate id."
+      return 1
+    fi
+
+    _request_body="submit=1&id=$DOMAIN_ID&target_type=$target_type&path=$path&is_prefer_https=$is_prefer_https&hsts_enabled=$hsts_enabled&certificate_type=custom&certificate_id=$cert_value&enforce_https=$DEPLOY_KEYHELP_ENFORCE_HTTPS"
+    _response=$(_post "$_request_body" "$DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit" "" "POST")
+    _message=$(echo "$_response" | grep -A 2 'message-body' | sed -n '/<div class="message-body ">/,/<\/div>/{//!p;}' | sed 's/<[^>]*>//g' | sed 's/^ *//;s/ *$//')
+    _info "_message" "$_message"
+    if [ -z "$_message" ]; then
+      _err "Fail to apply certificate."
+      return 1
+    fi
+  done
+
+  _info "Domain $_cdomain certificate successfully deployed to KeyHelp Domain ID $DEPLOY_KEYHELP_DOMAIN_ID."
+  return 0
+}

deploy/netlify.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificate to Netlify
+# https://docs.netlify.com/api/get-started/#authentication
+# https://open-api.netlify.com/#tag/sniCertificate
+
+# This deployment required following variables
+# export Netlify_ACCESS_TOKEN="Your Netlify Access Token"
+# export Netlify_SITE_ID="Your Netlify Site ID"
+
+# If have more than one SITE ID
+# export Netlify_SITE_ID="SITE_ID_1 SITE_ID_2"
+
+# returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+netlify_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$Netlify_ACCESS_TOKEN" ]; then
+    _err "Netlify_ACCESS_TOKEN is not defined."
+    return 1
+  else
+    _savedomainconf Netlify_ACCESS_TOKEN "$Netlify_ACCESS_TOKEN"
+  fi
+  if [ -z "$Netlify_SITE_ID" ]; then
+    _err "Netlify_SITE_ID is not defined."
+    return 1
+  else
+    _savedomainconf Netlify_SITE_ID "$Netlify_SITE_ID"
+  fi
+
+  _info "Deploying certificate to Netlify..."
+
+  ## upload certificate
+  string_ccert=$(sed 's/$/\\n/' "$_ccert" | tr -d '\n')
+  string_cca=$(sed 's/$/\\n/' "$_cca" | tr -d '\n')
+  string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n')
+
+  for SITE_ID in $Netlify_SITE_ID; do
+    _request_body="{\"certificate\":\"$string_ccert\",\"key\":\"$string_key\",\"ca_certificates\":\"$string_cca\"}"
+    _debug _request_body "$_request_body"
+    _debug Netlify_ACCESS_TOKEN "$Netlify_ACCESS_TOKEN"
+    export _H1="Authorization: Bearer $Netlify_ACCESS_TOKEN"
+    _response=$(_post "$_request_body" "https://api.netlify.com/api/v1/sites/$SITE_ID/ssl" "" "POST" "application/json")
+
+    if _contains "$_response" "\"error\""; then
+      _err "Error in deploying $_cdomain certificate to Netlify SITE_ID $SITE_ID."
+      _err "$_response"
+      return 1
+    fi
+    _debug response "$_response"
+    _info "Domain $_cdomain certificate successfully deployed to Netlify SITE_ID $SITE_ID."
+  done
+
+  return 0
+}

deploy/panos.sh

@@ -7,20 +7,26 @@
 #
 # Firewall admin with superuser and IP address is required.
 #
-# REQURED:
+# REQUIRED:
 #     export PANOS_HOST=""
 #     export PANOS_USER=""    #User *MUST* have Commit and Import Permissions in XML API for Admin Role
 #     export PANOS_PASS=""
 #
 # OPTIONAL
-#    export PANOS_TEMPLATE="" #Template Name of panorama managed devices
+#    export PANOS_TEMPLATE="" # Template Name of panorama managed devices
+#    export PANOS_TEMPLATE_STACK="" # set a Template Stack if certificate should also be pushed automatically
+#    export PANOS_VSYS="Shared"  # name of the vsys to import the certificate
 #
 # The script will automatically generate a new API key if
 # no key is found, or if a saved key has expired or is invalid.
 
+_COMMIT_WAIT_INTERVAL=30   # query commit status every 30 seconds
+_COMMIT_WAIT_ITERATIONS=20 # query commit status 20 times (20*30 = 600 seconds = 10 minutes)
+
 # This function is to parse the XML response from the firewall
 parse_response() {
   type=$2
+  _debug "API Response: $1"
   if [ "$type" = 'keygen' ]; then
     status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g')
     if [ "$status" = "success" ]; then
@@ -30,6 +36,13 @@ parse_response() {
       message="PAN-OS Key could not be set."
     fi
   else
+    if [ "$type" = 'commit' ]; then
+      job_id=$(echo "$1" | sed 's/^.*\(<job>\)\(.*\)<\/job>.*/\2/g')
+      _commit_job_id=$job_id
+    elif [ "$type" = 'job_status' ]; then
+      job_status=$(echo "$1" | tr -d '\n' | sed 's/^.*<result>\([^<]*\)<\/result>.*/\1/g')
+      _commit_job_status=$job_status
+    fi
     status=$(echo "$1" | tr -d '\n' | sed 's/^.*"\([a-z]*\)".*/\1/g')
     message=$(echo "$1" | tr -d '\n' | sed 's/.*\(<result>\|<msg>\|<line>\)\([^<]*\).*/\2/g')
     _debug "Firewall message:  $message"
@@ -44,13 +57,13 @@ parse_response() {
 #This function is used to deploy to the firewall
 deployer() {
   content=""
-  type=$1 # Types are keytest, keygen, cert, key, commit
+  type=$1 # Types are keytest, keygen, cert, key, commit, job_status, push
   panos_url="https://$_panos_host/api/"
+  export _H1="Content-Type: application/x-www-form-urlencoded"
 
   #Test API Key by performing a lookup
   if [ "$type" = 'keytest' ]; then
     _debug "**** Testing saved API Key ****"
-    _H1="Content-Type: application/x-www-form-urlencoded"
     # Get Version Info to test key
     content="type=version&key=$_panos_key"
     ## Exclude all scopes for the empty commit
@@ -61,7 +74,6 @@ deployer() {
   # Generate API Key
   if [ "$type" = 'keygen' ]; then
     _debug "**** Generating new API Key ****"
-    _H1="Content-Type: application/x-www-form-urlencoded"
     content="type=keygen&user=$_panos_user&password=$_panos_pass"
     # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}"
   fi
@@ -84,6 +96,9 @@ deployer() {
       if [ "$_panos_template" ]; then
         content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$_panos_template"
       fi
+      if [ "$_panos_vsys" ]; then
+        content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl-vsys\"\r\n\r\n$_panos_vsys"
+      fi
     fi
     if [ "$type" = 'key' ]; then
       panos_url="${panos_url}?type=import"
@@ -96,6 +111,9 @@ deployer() {
       if [ "$_panos_template" ]; then
         content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$_panos_template"
       fi
+      if [ "$_panos_vsys" ]; then
+        content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl-vsys\"\r\n\r\n$_panos_vsys"
+      fi
     fi
     #Close multipart
     content="$content${nl}--$delim--${nl}${nl}"
@@ -106,7 +124,6 @@ deployer() {
   # Commit changes
   if [ "$type" = 'commit' ]; then
     _debug "**** Committing changes ****"
-    export _H1="Content-Type: application/x-www-form-urlencoded"
     #Check for force commit - will commit ALL uncommited changes to the firewall. Use with caution!
     if [ "$FORCE" ]; then
       _debug "Force switch detected.  Committing ALL changes to the firewall."
@@ -118,6 +135,20 @@ deployer() {
     content="type=commit&action=partial&key=$_panos_key&cmd=$cmd"
   fi
 
+  # Query job status
+  if [ "$type" = 'job_status' ]; then
+    echo "**** Querying job $_commit_job_id status ****"
+    cmd=$(printf "%s" "<show><jobs><id>$_commit_job_id</id></jobs></show>" | _url_encode)
+    content="type=op&key=$_panos_key&cmd=$cmd"
+  fi
+
+  # Push changes
+  if [ "$type" = 'push' ]; then
+    echo "**** Pushing changes ****"
+    cmd=$(printf "%s" "<commit-all><template-stack><name>$_panos_template_stack</name><admin><member>$_panos_user</member></admin></template-stack></commit-all>" | _url_encode)
+    content="type=commit&action=all&key=$_panos_key&cmd=$cmd"
+  fi
+
   response=$(_post "$content" "$panos_url" "" "POST")
   parse_response "$response" "$type"
   # Saving response to variables
@@ -126,6 +157,8 @@ deployer() {
   if [ "$response_status" = "success" ]; then
     _debug "Successfully deployed $type"
     return 0
+  elif [ "$_commit_job_status" ]; then
+    _debug "Commit Job Status = $_commit_job_status"
   else
     _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot."
     _debug "$message"
@@ -191,11 +224,31 @@ panos_deploy() {
     _getdeployconf PANOS_TEMPLATE
   fi
 
+  # PANOS_TEMPLATE_STACK
+  if [ "$PANOS_TEMPLATE_STACK" ]; then
+    _debug "Detected ENV variable PANOS_TEMPLATE_STACK. Saving to file."
+    _savedeployconf PANOS_TEMPLATE_STACK "$PANOS_TEMPLATE_STACK" 1
+  else
+    _debug "Attempting to load variable PANOS_TEMPLATE_STACK from file."
+    _getdeployconf PANOS_TEMPLATE_STACK
+  fi
+
+  # PANOS_TEMPLATE_STACK
+  if [ "$PANOS_VSYS" ]; then
+    _debug "Detected ENV variable PANOS_VSYS. Saving to file."
+    _savedeployconf PANOS_VSYS "$PANOS_VSYS" 1
+  else
+    _debug "Attempting to load variable PANOS_VSYS from file."
+    _getdeployconf PANOS_VSYS
+  fi
+
   #Store variables
   _panos_host=$PANOS_HOST
   _panos_user=$PANOS_USER
   _panos_pass=$PANOS_PASS
   _panos_template=$PANOS_TEMPLATE
+  _panos_template_stack=$PANOS_TEMPLATE_STACK
+  _panos_vsys=$PANOS_VSYS
 
   #Test API Key if found.  If the key is invalid, the variable _panos_key will be unset.
   if [ "$_panos_host" ] && [ "$_panos_key" ]; then
@@ -229,6 +282,20 @@ panos_deploy() {
       deployer cert
       deployer key
       deployer commit
+      if [ "$_panos_template_stack" ]; then
+        # try to get job status for 20 times in 30 sec interval
+        i=0
+        while [ "$i" -lt $_COMMIT_WAIT_ITERATIONS ]; do
+          deployer job_status
+          if [ "$_commit_job_status" = "OK" ]; then
+            echo "Commit finished!"
+            break
+          fi
+          sleep $_COMMIT_WAIT_INTERVAL
+          i=$((i + 1))
+        done
+        deployer push
+      fi
     fi
   fi
 }

deploy/proxmoxbs.sh

@@ -115,6 +115,16 @@ HEREDOC
   _info "Push certificates to server"
   export HTTPS_INSECURE=1
   export _H1="Authorization: PBSAPIToken=${_proxmoxbs_header_api_token}"
-  _post "$_json_payload" "$_target_url" "" POST "application/json"
+  response=$(_post "$_json_payload" "$_target_url" "" POST "application/json")
+  _retval=$?
+  if [ "${_retval}" -eq 0 ]; then
+    _debug3 response "$response"
+    _info "Certificate successfully deployed"
+    return 0
+  else
+    _err "Certificate deployment failed"
+    _debug "Response" "$response"
+    return 1
+  fi
 
 }

deploy/proxmoxve.sh

@@ -127,6 +127,16 @@ HEREDOC
   _info "Push certificates to server"
   export HTTPS_INSECURE=1
   export _H1="Authorization: PVEAPIToken=${_proxmoxve_header_api_token}"
-  _post "$_json_payload" "$_target_url" "" POST "application/json"
+  response=$(_post "$_json_payload" "$_target_url" "" POST "application/json")
+  _retval=$?
+  if [ "${_retval}" -eq 0 ]; then
+    _debug3 response "$response"
+    _info "Certificate successfully deployed"
+    return 0
+  else
+    _err "Certificate deployment failed"
+    _debug "Response" "$response"
+    return 1
+  fi
 
 }

deploy/truenas_ws.sh

@@ -39,13 +39,13 @@ _ws_call() {
   _debug "_ws_call arg2" "$2"
   _debug "_ws_call arg3" "$3"
   if [ $# -eq 3 ]; then
-    _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2" "$3")
+    _ws_response=$(midclt --uri "$_ws_uri" -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2" "$3")
   fi
   if [ $# -eq 2 ]; then
-    _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2")
+    _ws_response=$(midclt --uri "$_ws_uri" -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2")
   fi
   if [ $# -eq 1 ]; then
-    _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1")
+    _ws_response=$(midclt --uri "$_ws_uri" -K "$DEPLOY_TRUENAS_APIKEY" call "$1")
   fi
   _debug "_ws_response" "$_ws_response"
   printf "%s" "$_ws_response"
@@ -60,7 +60,7 @@ _ws_upload_cert() {
 import sys
 
 from truenas_api_client import Client
-with Client() as c:
+with Client(uri="$_ws_uri") as c:
 
   ### Login with API key
   print("I:Trying to upload new certificate...")
@@ -121,7 +121,7 @@ _ws_check_jobid() {
 #   n/a
 _ws_get_job_result() {
   while true; do
-    sleep 2
+    _sleep 2
     _ws_response=$(_ws_call "core.get_jobs" "[[\"id\", \"=\", $1]]")
     if [ "$(printf "%s" "$_ws_response" | jq -r '.[]."state"')" != "RUNNING" ]; then
       _ws_result="$(printf "%s" "$_ws_response" | jq '.[]."result"')"
@@ -179,11 +179,27 @@ truenas_ws_deploy() {
 
   _info "Checking environment variables..."
   _getdeployconf DEPLOY_TRUENAS_APIKEY
+  _getdeployconf DEPLOY_TRUENAS_HOSTNAME
+  _getdeployconf DEPLOY_TRUENAS_PROTOCOL
   # Check API Key
   if [ -z "$DEPLOY_TRUENAS_APIKEY" ]; then
     _err "TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable."
     return 1
   fi
+  # Check Hostname, default to localhost if not set
+  if [ -z "$DEPLOY_TRUENAS_HOSTNAME" ]; then
+    _info "TrueNAS hostname not set. Using 'localhost'."
+    DEPLOY_TRUENAS_HOSTNAME="localhost"
+  fi
+  # Check protocol, default to ws if not set
+  if [ -z "$DEPLOY_TRUENAS_PROTOCOL" ]; then
+    _info "TrueNAS protocol not set. Using 'ws'."
+    DEPLOY_TRUENAS_PROTOCOL="ws"
+  fi
+  _ws_uri="$DEPLOY_TRUENAS_PROTOCOL://$DEPLOY_TRUENAS_HOSTNAME/websocket"
+  _debug2 DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME"
+  _debug2 DEPLOY_TRUENAS_PROTOCOL "$DEPLOY_TRUENAS_PROTOCOL"
+  _debug _ws_uri "$_ws_uri"
   _secure_debug2 DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY"
   _info "Environment variables: OK"
 
@@ -205,6 +221,8 @@ truenas_ws_deploy() {
     return 2
   fi
   _savedeployconf DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY"
+  _savedeployconf DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME"
+  _savedeployconf DEPLOY_TRUENAS_PROTOCOL "$DEPLOY_TRUENAS_PROTOCOL"
   _info "TrueNAS health: OK"
 
   ########## System info
@@ -304,7 +322,7 @@ truenas_ws_deploy() {
   _info "Restarting WebUI..."
   _ws_response=$(_ws_call "system.general.ui_restart")
   _info "Waiting for UI restart..."
-  sleep 6
+  _sleep 15
 
   ########## Certificates