sh LetsEncrypt部署到防火墙

Posted 2021-05-06

# Deploy LetsEncrypt cert to Palo Alto Networks Next-generation Firewall

This is a POC of an [acme.sh](http://acme.sh) deployment hooks that automatically
deploys the new certificate to a Palo Alto Networks firewall.

More information on deployment script:
https://github.com/Neilpang/acme.sh/wiki/deployhooks

## Usage

Step 1: Copy the included file (`panw.sh`) to your acme.sh deploy script
directory: `$HOME/.acme.sh/deploy/panw.sh`

Step 2: Get a LetsEncrypt certicate for your firewall:

`acme.sh --issue -d firewall.example.com`

Step 3: Deploy the LetsEcrypt certificate to your firewall:

`acme.sh --deploy -d firewall.example.com --deploy-hook panw`

Step 4: Commit.  
At this time, the commit must be done manually on the firewall
itself. In the future, the commit could be triggered on a specific LetsEncrypt
user on the firewall so that only the certificate gets commited and not other
changes made by firewall administrators.

#domain keyfile certfile cafile fullchain
panw_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # Install certificate on Firewall
  curl -k --form "file=@$_ccert" "https://<FW-FQDN>/api/?type=import&category=certificate&certificate-name=$_cdomain&format=pem&key=<ADD-YOUR-KEY>"
  # Install private key on Firewall
  curl -k --form "file=@$_ckey" "https://<FW-FQDN>/api/?type=import&category=private-key&certificate-name=$_cdomain&format=pem&passphrase=nonenone&key=<ADD-YOUR-KEY>"
  
  return 0
}