FRITZ!Box TLS Certificate Installer
This is a little pet project to install TLS certificates into your FRITZ!Box. I use Let’s Encrypt to get free certificates and I got tired of going through the tedious manual process to update the certs all the time. So I started to poke at my FRITZ!Box Fon WLAN 7390 and now it is automated!
Although it should work with other versions as well, it is only tested with:
- FRITZ!Box Fon WLAN 7390 (FRITZ!OS: 06.85)
- FRITZ!Box 7490 (FRITZ!OS: 07.01)
In case you want to know how to do that manually, take a look at AVM's knowledge base article.
Installation
Homebrew:
brew install tisba/taps/fritz-tls
Go:
go get -u github.com/tisba/fritz-tls
Usage
fritz-tls --auto-cert --domain fritz.example.com --email letsencrypt@example.com
Done :)
You can also provide a certificate bundle (cert + private key) directly so that it can be installed:
- obtain your TLS certificate, e.g. via Let’s Encrypt.
- install the newly generated certificate:
fritz-tls --key=./certbot/live/demo.example.com/privkey.pem --fullchain=./certbot/live/demo.example.com/fullchain.pem
General options are:
- `--help` to get usage information
- `--host` (default: `http://fritz.box`) to specify how to talk to your FRITZ!Box. If you want to log in with username and password, specify the user like this: `--host http://tisba@fritz.box`.
- `--insecure` (optional) to skip TLS verification when talking to `--host` in case it's HTTPS and you currently have a broken or expired TLS certificate.
- `--tls-port` (default: `443`) TLS port of the FRITZ!Box. This is used for certificate validation after installing.
Let's Encrypt specific (`--auto-cert`) options are:
- `--domain` the domain you want to have your certificate generated for
- `--email` the mail address you want to have registered with Let’s Encrypt
- `--save` (optional) to save the generated private key and the acquired certificate
- `--dns-provider` (default: `manual`) to specify one of lego's supported DNS providers. Note that you might have to set environment variables to configure your provider, e.g. `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION` and `AWS_HOSTED_ZONE_ID`. I use name servers by AWS/Route53 and inwx, so I have to provide `INWX_USER` and `INWX_PASSWORD`. I'm not sure if there is an overview, so for now you have to consult the source.
Options for non-`--auto-cert` mode:
- `--bundle` as an alternative for `--key` and `--fullchain`: the bundle where the password-less private key and the certificate are both present.
TODOs and Ideas
These are some things I'd like to do in the future:
- if `--tls-port` is not given, we should try to use `--host` before failing
- add validation for private keys and certificate before uploading (avoid trying to upload garbage)
- allow password protected private keys (when not provisioned by LE)
- add homebrew as a release target for goreleaser
- ask for `--user` if not provided (may be empty then) and/or add `--pw-only` flag
- allow Let's Encrypt challenges other than DNS-01 and make lego's DNS providers available to make things even more automated!
- add `--insecure` to ignore invalid TLS certificates when talking to FRITZ!Box
- read FRITZ!Box administrator password from environment
- add ability to use already combined private key and certificate files
- add basic Let's Encrypt support
- improve detection of whether certificate installation was successful; currently I'm looking for a string in the response, but maybe we can just wait a little bit, make an HTTPS request and check whether the certificate is actually being used.
- implement FRITZ!Box authentication for user name and password
- set up Travis and use GoReleaser to build and publish builds