From d53c2ea453341cb63517b8ab9533e0dcc053fe8b Mon Sep 17 00:00:00 2001
From: Gondolf <145931259+vGondolf@users.noreply.github.com>
Date: Sun, 9 Feb 2025 12:55:05 +0100
Subject: [PATCH 1/8] Update shellcheck.yml

---
 .github/workflows/shellcheck.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 746727d4..039a9c7c 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -1,5 +1,6 @@
 name: Shellcheck
 on:
+  workflow_dispatch:
   push:
     branches:
       - '*'

From 2ab37f24285904c29939ca74c7666f1ff3c5a01d Mon Sep 17 00:00:00 2001
From: Gondolf <145931259+vGondolf@users.noreply.github.com>
Date: Sun, 9 Feb 2025 12:56:39 +0100
Subject: [PATCH 2/8] Create fortigate.sh

---
 deploy/fortigate.sh | 166 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 166 insertions(+)
 create mode 100644 deploy/fortigate.sh

diff --git a/deploy/fortigate.sh b/deploy/fortigate.sh
new file mode 100644
index 00000000..915ad32e
--- /dev/null
+++ b/deploy/fortigate.sh
@@ -0,0 +1,166 @@
+#!/usr/bin/env sh
+# Script to deploy a certificate to FortiGate via API and set it as the current web GUI certificate.
+#
+# FortiGate's native ACME integration does not support wildcard certificates,
+# and is not supported if you have a custom management web port (eg. DNAT web traffic).
+#
+# REQUIRED:
+#     export FGT_HOST="fortigate_hostname-or-ip"
+#     export FGT_TOKEN="fortigate_api_token"
+#
+# OPTIONAL:
+#     export FGT_PORT="10443"             # Custom HTTPS port (defaults to 443 if not set)
+#
+# This script is intended for use as an acme.sh deploy hook.
+#
+# Run `acme.sh --deploy -d example.com --deploy-hook fortigate --insecure` to use this script.
+# `--insecure` is required to allow acme.sh to connect to the FortiGate API over HTTPS without a pre-existing valid certificate.
+
+# Function to parse response
+parse_response() {
+  response="$1"
+  func="$2"
+  status=$(echo "$response" | grep -o '"status":[ ]*"[^"]*"' | sed 's/"status":[ ]*"\([^"]*\)"/\1/')
+  if [ "$status" != "success" ]; then
+    _err "[$func] Operation failed. Deploy with --insecure if current certificate is invalid. Try deploying with --debug to troubleshoot."
+    return 1
+  else
+    _debug "[$func] Operation successful."
+    return 0
+  fi
+}
+
+# Function to deploy base64-encoded certificate to firewall
+deployer() {
+  cert_base64=$(_base64 <"$_cfullchain" | tr -d '\n')
+  key_base64=$(_base64 <"$_ckey" | tr -d '\n')
+  payload=$(
+    cat <<EOF
+{
+  "type": "regular",
+  "scope": "global",
+  "certname": "$_cdomain",
+  "key_file_content": "$key_base64",
+  "file_content": "$cert_base64"
+}
+EOF
+  )
+  url="https://${FGT_HOST}:${FGT_PORT}/api/v2/monitor/vpn-certificate/local/import"
+  _debug "Uploading certificate via URL: $url"
+  _H1="Authorization: Bearer $FGT_TOKEN"
+  response=$(_post "$payload" "$url" "" "POST" "application/json")
+  _debug "FortiGate API Response: $response"
+  parse_response "$response" "Deploying certificate" || return 1
+}
+
+# Function to upload CA certificate to firewall (FortiGate doesn't automatically extract CA from fullchain)
+upload_ca_cert() {
+  ca_base64=$(_base64 <"$_cca" | tr -d '\n')
+  payload=$(
+    cat <<EOF
+{
+  "import_method": "file",
+  "scope": "global",
+  "file_content": "$ca_base64"
+}
+EOF
+  )
+  url="https://${FGT_HOST}:${FGT_PORT}/api/v2/monitor/vpn-certificate/ca/import"
+  _debug "Uploading CA certificate via URL: $url"
+  _H1="Authorization: Bearer $FGT_TOKEN"
+  response=$(_post "$payload" "$url" "" "POST" "application/json")
+  _debug "FortiGate API CA Response: $response"
+  # Handle response -328 (CA already exists)
+  if echo "$response" | grep -q '"error":[ ]*-328'; then
+    _debug "CA certificate already exists. Skipping CA upload."
+    return 0
+  fi
+  parse_response "$response" "Deploying CA certificate" || return 1
+}
+
+# Function to activate the new certificate
+set_active_web_cert() {
+  payload=$(
+    cat <<EOF
+{
+  "admin-server-cert": "$_cdomain"
+}
+EOF
+  )
+  url="https://${FGT_HOST}:${FGT_PORT}/api/v2/cmdb/system/global"
+  _debug "Setting GUI certificate..."
+  _H1="Authorization: Bearer $FGT_TOKEN"
+  response=$(_post "$payload" "$url" "" "PUT" "application/json")
+  parse_response "$response" "Assigning active certificate" || return 1
+}
+
+# Function to clean up previous certificate (if exists)
+cleanup_previous_certificate() {
+  _getdeployconf FGT_LAST_CERT
+
+  if [ -n "$FGT_LAST_CERT" ] && [ "$FGT_LAST_CERT" != "$_cdomain" ]; then
+    _debug "Found previously deployed certificate: $FGT_LAST_CERT. Deleting it."
+
+    url="https://${FGT_HOST}:${FGT_PORT}/api/v2/cmdb/vpn.certificate/local/${FGT_LAST_CERT}"
+
+    _H1="Authorization: Bearer $FGT_TOKEN"
+    response=$(_post "" "$url" "" "DELETE" "application/json")
+    _debug "Delete certificate API response: $response"
+
+    parse_response "$response" "Delete previous certificate" || return 1
+  else
+    _debug "No previous certificate found or new cert is the same as the previous one."
+  fi
+}
+
+# Main function.
+fortigate_deploy() {
+  # Create new certificate name with date appended (cannot directly overwrite old certificate)
+  _cdomain="$(echo "$1" | sed 's/*/WILDCARD_/g')_$(date -u +"%Y-%m-%d")"
+  _ckey="$2"
+  _cca="$4"
+  _cfullchain="$5"
+
+  if [ ! -f "$_ckey" ] || [ ! -f "$_cfullchain" ]; then
+    _err "Valid key and/or certificate not found."
+    return 1
+  fi
+
+  # Save required environment variables if not already stored.
+  for var in FGT_HOST FGT_TOKEN FGT_PORT; do
+    if [ "$(eval echo \$$var)" ]; then
+      _debug "Detected ENV variable $var. Saving to file."
+      _savedeployconf "$var" "$(eval echo \$$var)" 1
+    else
+      _debug "Attempting to load variable $var from file."
+      _getdeployconf "$var"
+    fi
+  done
+
+  if [ -z "$FGT_HOST" ] || [ -z "$FGT_TOKEN" ]; then
+    _err "FGT_HOST and FGT_TOKEN must be set."
+    return 1
+  fi
+
+  FGT_PORT="${FGT_PORT:-443}"
+  _debug "Using FortiGate port: $FGT_PORT"
+
+  # Upload new certificate
+  deployer || return 1
+
+  # Upload base64-encoded CA certificate
+  if [ -n "$_cca" ] && [ -f "$_cca" ]; then
+    upload_ca_cert || return 1
+  else
+    _debug "No CA certificate provided."
+  fi
+
+  # Set new certificate as active
+  set_active_web_cert || return 1
+
+  # Cleanup previous certificate
+  cleanup_previous_certificate
+
+  # Store new certificate name for cleanup on next renewal
+  _savedeployconf "FGT_LAST_CERT" "$_cdomain" 1
+}

From 6b2e8e8d8332907a2a1ccfc88e3bf08ec851daa4 Mon Sep 17 00:00:00 2001
From: Gondolf <145931259+vGondolf@users.noreply.github.com>
Date: Fri, 14 Feb 2025 10:54:49 +0100
Subject: [PATCH 3/8] Create arubacentral.sh

---
 deploy/arubacentral.sh | 178 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 178 insertions(+)
 create mode 100644 deploy/arubacentral.sh

diff --git a/deploy/arubacentral.sh b/deploy/arubacentral.sh
new file mode 100644
index 00000000..0a951b24
--- /dev/null
+++ b/deploy/arubacentral.sh
@@ -0,0 +1,178 @@
+#!/usr/bin/env sh
+# Aruba Central deploy hook for acme.sh
+
+arubacentral_deploy() {
+  # Generate unique certificate name with a proper random number (5 digits)
+  _cdomain="$(echo "$1" | sed 's/*/WILDCARD_/g')_$(tr -dc '0-9' </dev/urandom | head -c 5)"
+  _ckey="$2"
+  _cca="$4"
+  _cfullchain="$5"
+  _cpfx="${_cfullchain%.cer}.pfx"
+  _passphrase="central123"
+
+  _debug "Generated certificate name: $_cdomain"
+
+  # Check required files
+  if [ ! -f "$_ckey" ] || [ ! -f "$_cfullchain" ]; then
+    _err "Valid key and/or certificate not found."
+    return 1
+  fi
+
+  # Load API credentials
+  for var in ARUBA_HOST ARUBA_CLIENT_ID ARUBA_CLIENT_SECRET ARUBA_REFRESH_TOKEN; do
+    if [ "$(eval echo \$$var)" ]; then
+      _debug "Detected ENV variable $var. Saving to file."
+      _savedeployconf "$var" "$(eval echo \$$var)" 1
+    else
+      _debug "Attempting to load variable $var from file."
+      _getdeployconf "$var"
+    fi
+  done
+
+  if [ -z "$ARUBA_HOST" ] || [ -z "$ARUBA_CLIENT_ID" ] || [ -z "$ARUBA_CLIENT_SECRET" ] || [ -z "$ARUBA_REFRESH_TOKEN" ]; then
+    _err "ARUBA_HOST, ARUBA_CLIENT_ID, ARUBA_CLIENT_SECRET, and ARUBA_REFRESH_TOKEN must be set."
+    return 1
+  fi
+
+  # Refresh Access Token Only If Needed (Handled in upload function)
+  _refresh_access_token || return 1
+
+  # Delete old certificate before deploying a new one
+  _delete_old_certificate
+
+  # Convert certificate to PKCS12 using built-in `_toPkcs()`
+  _debug "Converting certificate to PKCS12 format using _toPkcs()..."
+  _toPkcs "$_cpfx" "$_ckey" "$_cfullchain" "$_cca" "$_passphrase" "$_cdomain"
+  if [ $? -ne 0 ]; then
+    _err "Failed to convert certificate to PKCS12."
+    return 1
+  fi
+
+  # Base64 encode the PFX certificate
+  _debug "Encoding PKCS12 certificate in Base64..."
+  _pfx_base64=$(_base64 <"$_cpfx" | tr -d '\n')
+
+  # Base64 encode the passphrase
+  _debug "Encoding passphrase in Base64..."
+  _passphrase_base64=$(echo -n "$_passphrase" | _base64 | tr -d '\n')
+
+  # Upload Certificate with Automatic Token Refresh on Failure
+  _upload_certificate || return 1
+}
+
+# Function to upload the certificate and retry if token is invalid
+_upload_certificate() {
+  # Prepare JSON payload
+  _debug "Preparing JSON payload..."
+  payload=$(
+    cat <<EOF
+{
+  "cert_name": "$_cdomain",
+  "cert_type": "SERVER_CERT",
+  "cert_format": "PKCS12",
+  "passphrase": "$_passphrase_base64",
+  "cert_data": "$_pfx_base64"
+}
+EOF
+  )
+
+  # Upload URL
+  url="${ARUBA_HOST}/configuration/v1/certificates"
+  _debug "Uploading certificate to Aruba Central: $url"
+
+  # Set Authorization Header
+  _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
+
+  # Attempt to upload the certificate
+  response=$(_post "$payload" "$url" "" "POST" "application/json")
+  _debug "Aruba Central API Response: $response"
+
+  # If the token is invalid, refresh it and retry once
+  if echo "$response" | grep -q '"error":"invalid_token"'; then
+    _debug "❌ Access token is invalid. Refreshing and retrying..."
+    if _refresh_access_token; then
+      _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
+      response=$(_post "$payload" "$url" "" "POST" "application/json")
+      _debug "Retry API Response: $response"
+    else
+      _err "❌ Token refresh failed. Cannot upload certificate."
+      return 1
+    fi
+  fi
+
+  # Check if upload was successful
+  if echo "$response" | grep -q '"cert_md5_checksum"'; then
+    _debug "✅ Certificate uploaded successfully!"
+    _savedeployconf "ARUBA_LAST_CERT" "$_cdomain" 1
+    return 0
+  else
+    _err "❌ Failed to upload certificate. Deploy with --debug to troubleshoot."
+    return 1
+  fi
+}
+
+# Function to refresh API token only if expired
+_refresh_access_token() {
+  _getdeployconf "ARUBA_ACCESS_TOKEN"
+  _getdeployconf "ARUBA_REFRESH_TOKEN"
+
+  _debug "Refreshing Aruba Central API token..."
+  refresh_url="${ARUBA_HOST}/oauth2/token"
+
+  payload=$(
+    cat <<EOF
+{
+  "client_id": "$ARUBA_CLIENT_ID",
+  "client_secret": "$ARUBA_CLIENT_SECRET",
+  "grant_type": "refresh_token",
+  "refresh_token": "$ARUBA_REFRESH_TOKEN"
+}
+EOF
+  )
+
+  response=$(_post "$payload" "$refresh_url" "" "POST" "application/json")
+  _debug "Token Refresh Response: $response"
+
+  new_token=$(echo "$response" | grep -o '"access_token":[ ]*"[^"]*"' | sed 's/"access_token":[ ]*"\([^"]*\)"/\1/')
+  new_refresh_token=$(echo "$response" | grep -o '"refresh_token":[ ]*"[^"]*"' | sed 's/"refresh_token":[ ]*"\([^"]*\)"/\1/')
+
+  if [ -n "$new_token" ]; then
+    _debug "✅ Token refreshed successfully!"
+    _savedeployconf "ARUBA_ACCESS_TOKEN" "$new_token" 1
+    
+    if [ -n "$new_refresh_token" ]; then
+      _debug "🔄 Updating refresh token..."
+      _savedeployconf "ARUBA_REFRESH_TOKEN" "$new_refresh_token" 1
+    else
+      _debug "⚠️ Aruba Central did not return a new refresh token!"
+    fi
+
+    ARUBA_ACCESS_TOKEN="$new_token"
+    ARUBA_REFRESH_TOKEN="$new_refresh_token"
+  else
+    _err "❌ Failed to refresh API token. Please manually generate a new one."
+    return 1
+  fi
+}
+
+# Function to delete the previous certificate
+_delete_old_certificate() {
+  _getdeployconf "ARUBA_LAST_CERT"
+  
+  if [ -n "$ARUBA_LAST_CERT" ]; then
+    _debug "Found previous certificate: $ARUBA_LAST_CERT. Deleting it..."
+    delete_url="${ARUBA_HOST}/configuration/v1/certificates/${ARUBA_LAST_CERT}"
+    _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
+    
+    response=$(_post "" "$delete_url" "" "DELETE" "application/json")
+    _debug "Delete certificate API response: $response"
+
+    if echo "$response" | grep -q '"error"'; then
+      _err "❌ Failed to delete previous certificate."
+    else
+      _debug "✅ Previous certificate deleted successfully."
+    fi
+  else
+    _debug "No previous certificate found. Skipping deletion."
+  fi
+}

From 5180201869b5a1136b88f138d7f05e02e6582514 Mon Sep 17 00:00:00 2001
From: Gondolf <145931259+vGondolf@users.noreply.github.com>
Date: Fri, 14 Feb 2025 12:12:46 +0100
Subject: [PATCH 4/8] Update arubacentral.sh

fix shfmt and shellcheck
---
 deploy/arubacentral.sh | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/deploy/arubacentral.sh b/deploy/arubacentral.sh
index 0a951b24..99873ce8 100644
--- a/deploy/arubacentral.sh
+++ b/deploy/arubacentral.sh
@@ -54,7 +54,7 @@ arubacentral_deploy() {
 
   # Base64 encode the passphrase
   _debug "Encoding passphrase in Base64..."
-  _passphrase_base64=$(echo -n "$_passphrase" | _base64 | tr -d '\n')
+  _passphrase_base64=$(printf "%s" "$_passphrase" | _base64 | tr -d '\n')
 
   # Upload Certificate with Automatic Token Refresh on Failure
   _upload_certificate || return 1
@@ -116,6 +116,20 @@ _refresh_access_token() {
   _getdeployconf "ARUBA_ACCESS_TOKEN"
   _getdeployconf "ARUBA_REFRESH_TOKEN"
 
+  # 🔍 Step 1: Check if the access token is still valid
+  _debug "Checking if the access token is still valid..."
+  check_url="${ARUBA_HOST}/configuration/v1/certificates?limit=1"
+  _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
+  response=$(_post "" "$check_url" "" "GET" "application/json")
+
+  if echo "$response" | grep -q '"error":"invalid_token"'; then
+    _debug "❌ Access token is invalid, refreshing..."
+  else
+    _debug "✅ Access token is still valid, skipping refresh."
+    return 0  # Skip refresh
+  fi
+
+  # 🔄 Step 2: Refresh token if it's invalid
   _debug "Refreshing Aruba Central API token..."
   refresh_url="${ARUBA_HOST}/oauth2/token"
 
@@ -139,16 +153,15 @@ EOF
   if [ -n "$new_token" ]; then
     _debug "✅ Token refreshed successfully!"
     _savedeployconf "ARUBA_ACCESS_TOKEN" "$new_token" 1
-    
+    ARUBA_ACCESS_TOKEN="$new_token"
+
     if [ -n "$new_refresh_token" ]; then
       _debug "🔄 Updating refresh token..."
       _savedeployconf "ARUBA_REFRESH_TOKEN" "$new_refresh_token" 1
+      ARUBA_REFRESH_TOKEN="$new_refresh_token"
     else
-      _debug "⚠️ Aruba Central did not return a new refresh token!"
+      _debug "⚠️ Aruba Central did not return a new refresh token! Keeping the old one."
     fi
-
-    ARUBA_ACCESS_TOKEN="$new_token"
-    ARUBA_REFRESH_TOKEN="$new_refresh_token"
   else
     _err "❌ Failed to refresh API token. Please manually generate a new one."
     return 1
@@ -158,12 +171,12 @@ EOF
 # Function to delete the previous certificate
 _delete_old_certificate() {
   _getdeployconf "ARUBA_LAST_CERT"
-  
+
   if [ -n "$ARUBA_LAST_CERT" ]; then
     _debug "Found previous certificate: $ARUBA_LAST_CERT. Deleting it..."
     delete_url="${ARUBA_HOST}/configuration/v1/certificates/${ARUBA_LAST_CERT}"
     _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
-    
+
     response=$(_post "" "$delete_url" "" "DELETE" "application/json")
     _debug "Delete certificate API response: $response"
 

From 529d1789cc40f56ef3da5d489cfdec1c894edc79 Mon Sep 17 00:00:00 2001
From: Gondolf <145931259+vGondolf@users.noreply.github.com>
Date: Fri, 14 Feb 2025 12:14:31 +0100
Subject: [PATCH 5/8] Update arubacentral.sh

---
 deploy/arubacentral.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/arubacentral.sh b/deploy/arubacentral.sh
index 99873ce8..474e4cfa 100644
--- a/deploy/arubacentral.sh
+++ b/deploy/arubacentral.sh
@@ -126,7 +126,7 @@ _refresh_access_token() {
     _debug "❌ Access token is invalid, refreshing..."
   else
     _debug "✅ Access token is still valid, skipping refresh."
-    return 0  # Skip refresh
+    return 0 # Skip refresh
   fi
 
   # 🔄 Step 2: Refresh token if it's invalid

From 6382500afabd5a3fefcf5fbb81d41e33f96de4b7 Mon Sep 17 00:00:00 2001
From: Gondolf <145931259+vGondolf@users.noreply.github.com>
Date: Fri, 14 Feb 2025 12:17:26 +0100
Subject: [PATCH 6/8] Delete deploy/arubacentral.sh

---
 deploy/arubacentral.sh | 191 -----------------------------------------
 1 file changed, 191 deletions(-)
 delete mode 100644 deploy/arubacentral.sh

diff --git a/deploy/arubacentral.sh b/deploy/arubacentral.sh
deleted file mode 100644
index 474e4cfa..00000000
--- a/deploy/arubacentral.sh
+++ /dev/null
@@ -1,191 +0,0 @@
-#!/usr/bin/env sh
-# Aruba Central deploy hook for acme.sh
-
-arubacentral_deploy() {
-  # Generate unique certificate name with a proper random number (5 digits)
-  _cdomain="$(echo "$1" | sed 's/*/WILDCARD_/g')_$(tr -dc '0-9' </dev/urandom | head -c 5)"
-  _ckey="$2"
-  _cca="$4"
-  _cfullchain="$5"
-  _cpfx="${_cfullchain%.cer}.pfx"
-  _passphrase="central123"
-
-  _debug "Generated certificate name: $_cdomain"
-
-  # Check required files
-  if [ ! -f "$_ckey" ] || [ ! -f "$_cfullchain" ]; then
-    _err "Valid key and/or certificate not found."
-    return 1
-  fi
-
-  # Load API credentials
-  for var in ARUBA_HOST ARUBA_CLIENT_ID ARUBA_CLIENT_SECRET ARUBA_REFRESH_TOKEN; do
-    if [ "$(eval echo \$$var)" ]; then
-      _debug "Detected ENV variable $var. Saving to file."
-      _savedeployconf "$var" "$(eval echo \$$var)" 1
-    else
-      _debug "Attempting to load variable $var from file."
-      _getdeployconf "$var"
-    fi
-  done
-
-  if [ -z "$ARUBA_HOST" ] || [ -z "$ARUBA_CLIENT_ID" ] || [ -z "$ARUBA_CLIENT_SECRET" ] || [ -z "$ARUBA_REFRESH_TOKEN" ]; then
-    _err "ARUBA_HOST, ARUBA_CLIENT_ID, ARUBA_CLIENT_SECRET, and ARUBA_REFRESH_TOKEN must be set."
-    return 1
-  fi
-
-  # Refresh Access Token Only If Needed (Handled in upload function)
-  _refresh_access_token || return 1
-
-  # Delete old certificate before deploying a new one
-  _delete_old_certificate
-
-  # Convert certificate to PKCS12 using built-in `_toPkcs()`
-  _debug "Converting certificate to PKCS12 format using _toPkcs()..."
-  _toPkcs "$_cpfx" "$_ckey" "$_cfullchain" "$_cca" "$_passphrase" "$_cdomain"
-  if [ $? -ne 0 ]; then
-    _err "Failed to convert certificate to PKCS12."
-    return 1
-  fi
-
-  # Base64 encode the PFX certificate
-  _debug "Encoding PKCS12 certificate in Base64..."
-  _pfx_base64=$(_base64 <"$_cpfx" | tr -d '\n')
-
-  # Base64 encode the passphrase
-  _debug "Encoding passphrase in Base64..."
-  _passphrase_base64=$(printf "%s" "$_passphrase" | _base64 | tr -d '\n')
-
-  # Upload Certificate with Automatic Token Refresh on Failure
-  _upload_certificate || return 1
-}
-
-# Function to upload the certificate and retry if token is invalid
-_upload_certificate() {
-  # Prepare JSON payload
-  _debug "Preparing JSON payload..."
-  payload=$(
-    cat <<EOF
-{
-  "cert_name": "$_cdomain",
-  "cert_type": "SERVER_CERT",
-  "cert_format": "PKCS12",
-  "passphrase": "$_passphrase_base64",
-  "cert_data": "$_pfx_base64"
-}
-EOF
-  )
-
-  # Upload URL
-  url="${ARUBA_HOST}/configuration/v1/certificates"
-  _debug "Uploading certificate to Aruba Central: $url"
-
-  # Set Authorization Header
-  _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
-
-  # Attempt to upload the certificate
-  response=$(_post "$payload" "$url" "" "POST" "application/json")
-  _debug "Aruba Central API Response: $response"
-
-  # If the token is invalid, refresh it and retry once
-  if echo "$response" | grep -q '"error":"invalid_token"'; then
-    _debug "❌ Access token is invalid. Refreshing and retrying..."
-    if _refresh_access_token; then
-      _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
-      response=$(_post "$payload" "$url" "" "POST" "application/json")
-      _debug "Retry API Response: $response"
-    else
-      _err "❌ Token refresh failed. Cannot upload certificate."
-      return 1
-    fi
-  fi
-
-  # Check if upload was successful
-  if echo "$response" | grep -q '"cert_md5_checksum"'; then
-    _debug "✅ Certificate uploaded successfully!"
-    _savedeployconf "ARUBA_LAST_CERT" "$_cdomain" 1
-    return 0
-  else
-    _err "❌ Failed to upload certificate. Deploy with --debug to troubleshoot."
-    return 1
-  fi
-}
-
-# Function to refresh API token only if expired
-_refresh_access_token() {
-  _getdeployconf "ARUBA_ACCESS_TOKEN"
-  _getdeployconf "ARUBA_REFRESH_TOKEN"
-
-  # 🔍 Step 1: Check if the access token is still valid
-  _debug "Checking if the access token is still valid..."
-  check_url="${ARUBA_HOST}/configuration/v1/certificates?limit=1"
-  _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
-  response=$(_post "" "$check_url" "" "GET" "application/json")
-
-  if echo "$response" | grep -q '"error":"invalid_token"'; then
-    _debug "❌ Access token is invalid, refreshing..."
-  else
-    _debug "✅ Access token is still valid, skipping refresh."
-    return 0 # Skip refresh
-  fi
-
-  # 🔄 Step 2: Refresh token if it's invalid
-  _debug "Refreshing Aruba Central API token..."
-  refresh_url="${ARUBA_HOST}/oauth2/token"
-
-  payload=$(
-    cat <<EOF
-{
-  "client_id": "$ARUBA_CLIENT_ID",
-  "client_secret": "$ARUBA_CLIENT_SECRET",
-  "grant_type": "refresh_token",
-  "refresh_token": "$ARUBA_REFRESH_TOKEN"
-}
-EOF
-  )
-
-  response=$(_post "$payload" "$refresh_url" "" "POST" "application/json")
-  _debug "Token Refresh Response: $response"
-
-  new_token=$(echo "$response" | grep -o '"access_token":[ ]*"[^"]*"' | sed 's/"access_token":[ ]*"\([^"]*\)"/\1/')
-  new_refresh_token=$(echo "$response" | grep -o '"refresh_token":[ ]*"[^"]*"' | sed 's/"refresh_token":[ ]*"\([^"]*\)"/\1/')
-
-  if [ -n "$new_token" ]; then
-    _debug "✅ Token refreshed successfully!"
-    _savedeployconf "ARUBA_ACCESS_TOKEN" "$new_token" 1
-    ARUBA_ACCESS_TOKEN="$new_token"
-
-    if [ -n "$new_refresh_token" ]; then
-      _debug "🔄 Updating refresh token..."
-      _savedeployconf "ARUBA_REFRESH_TOKEN" "$new_refresh_token" 1
-      ARUBA_REFRESH_TOKEN="$new_refresh_token"
-    else
-      _debug "⚠️ Aruba Central did not return a new refresh token! Keeping the old one."
-    fi
-  else
-    _err "❌ Failed to refresh API token. Please manually generate a new one."
-    return 1
-  fi
-}
-
-# Function to delete the previous certificate
-_delete_old_certificate() {
-  _getdeployconf "ARUBA_LAST_CERT"
-
-  if [ -n "$ARUBA_LAST_CERT" ]; then
-    _debug "Found previous certificate: $ARUBA_LAST_CERT. Deleting it..."
-    delete_url="${ARUBA_HOST}/configuration/v1/certificates/${ARUBA_LAST_CERT}"
-    _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
-
-    response=$(_post "" "$delete_url" "" "DELETE" "application/json")
-    _debug "Delete certificate API response: $response"
-
-    if echo "$response" | grep -q '"error"'; then
-      _err "❌ Failed to delete previous certificate."
-    else
-      _debug "✅ Previous certificate deleted successfully."
-    fi
-  else
-    _debug "No previous certificate found. Skipping deletion."
-  fi
-}

From 980a2509562c1369c9fd8ec1886a0f5f219de0c6 Mon Sep 17 00:00:00 2001
From: Gondolf <145931259+vGondolf@users.noreply.github.com>
Date: Fri, 14 Feb 2025 12:19:47 +0100
Subject: [PATCH 7/8] Create arubacentral.sh

---
 deploy/arubacentral.sh | 181 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 181 insertions(+)
 create mode 100644 deploy/arubacentral.sh

diff --git a/deploy/arubacentral.sh b/deploy/arubacentral.sh
new file mode 100644
index 00000000..b4b58283
--- /dev/null
+++ b/deploy/arubacentral.sh
@@ -0,0 +1,181 @@
+#!/usr/bin/env sh
+# Aruba Central deploy hook for acme.sh
+
+arubacentral_deploy() {
+  # Generate unique certificate name with a proper random number (5 digits)
+  _cdomain="$(echo "$1" | sed 's/*/WILDCARD_/g')_$(tr -dc '0-9' </dev/urandom | head -c 5)"
+  _ckey="$2"
+  _cca="$4"
+  _cfullchain="$5"
+  _cpfx="${_cfullchain%.cer}.pfx"
+  _passphrase="central123"
+
+  _debug "Generated certificate name: $_cdomain"
+
+  if [ ! -f "$_ckey" ] || [ ! -f "$_cfullchain" ]; then
+    _err "Valid key and/or certificate not found."
+    return 1
+  fi
+
+  for var in ARUBA_HOST ARUBA_CLIENT_ID ARUBA_CLIENT_SECRET ARUBA_REFRESH_TOKEN; do
+    if [ "$(eval echo \$$var)" ]; then
+      _debug "Detected ENV variable $var. Saving to file."
+      _savedeployconf "$var" "$(eval echo \$$var)" 1
+    else
+      _debug "Attempting to load variable $var from file."
+      _getdeployconf "$var"
+    fi
+  done
+
+  if [ -z "$ARUBA_HOST" ] || [ -z "$ARUBA_CLIENT_ID" ] || [ -z "$ARUBA_CLIENT_SECRET" ] || [ -z "$ARUBA_REFRESH_TOKEN" ]; then
+    _err "ARUBA_HOST, ARUBA_CLIENT_ID, ARUBA_CLIENT_SECRET, and ARUBA_REFRESH_TOKEN must be set."
+    return 1
+  fi
+
+  # Refresh Access Token Only If Needed
+  _refresh_access_token || return 1
+
+  # Delete old certificate before deploying a new one
+  _delete_old_certificate
+
+  # Convert certificate to PKCS12 using built-in `_toPkcs()`
+  _debug "Converting certificate to PKCS12 format using _toPkcs()..."
+  _toPkcs "$_cpfx" "$_ckey" "$_cfullchain" "$_cca" "$_passphrase" "$_cdomain"
+  if [ $? -ne 0 ]; then
+    _err "Failed to convert certificate to PKCS12."
+    return 1
+  fi
+
+  _debug "Encoding PKCS12 certificate in Base64..."
+  _pfx_base64=$(_base64 <"$_cpfx" | tr -d '\n')
+
+  _debug "Encoding passphrase in Base64..."
+  _passphrase_base64=$(printf "%s" "$_passphrase" | _base64 | tr -d '\n')
+
+  _upload_certificate || return 1
+}
+
+# Function to upload the certificate and retry if token is invalid
+_upload_certificate() {
+  _debug "Preparing JSON payload..."
+  payload=$(
+    cat <<EOF
+{
+  "cert_name": "$_cdomain",
+  "cert_type": "SERVER_CERT",
+  "cert_format": "PKCS12",
+  "passphrase": "$_passphrase_base64",
+  "cert_data": "$_pfx_base64"
+}
+EOF
+  )
+
+  url="${ARUBA_HOST}/configuration/v1/certificates"
+  _debug "Uploading certificate to Aruba Central: $url"
+
+  _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
+
+  response=$(_post "$payload" "$url" "" "POST" "application/json")
+  _debug "Aruba Central API Response: $response"
+
+  # If the token is invalid, refresh it and retry once
+  if echo "$response" | grep -q '"error":"invalid_token"'; then
+    _debug "❌ Access token is invalid. Refreshing and retrying..."
+    if _refresh_access_token; then
+      _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
+      response=$(_post "$payload" "$url" "" "POST" "application/json")
+      _debug "Retry API Response: $response"
+    else
+      _err "❌ Token refresh failed. Cannot upload certificate."
+      return 1
+    fi
+  fi
+
+  # Check if upload was successful
+  if echo "$response" | grep -q '"cert_md5_checksum"'; then
+    _debug "✅ Certificate uploaded successfully!"
+    _savedeployconf "ARUBA_LAST_CERT" "$_cdomain" 1
+    return 0
+  else
+    _err "❌ Failed to upload certificate. Deploy with --debug to troubleshoot."
+    return 1
+  fi
+}
+
+# Function to refresh API token only if expired
+_refresh_access_token() {
+  _getdeployconf "ARUBA_ACCESS_TOKEN"
+  _getdeployconf "ARUBA_REFRESH_TOKEN"
+
+  _debug "Checking if the access token is still valid..."
+  check_url="${ARUBA_HOST}/configuration/v1/certificates?limit=1"
+  _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
+  response=$(_post "" "$check_url" "" "GET" "application/json")
+
+  if echo "$response" | grep -q '"error":"invalid_token"'; then
+    _debug "❌ Access token is invalid, refreshing..."
+  else
+    _debug "✅ Access token is still valid, skipping refresh."
+    return 0
+  fi
+
+  # Refresh token if it's invalid
+  _debug "Refreshing Aruba Central API token..."
+  refresh_url="${ARUBA_HOST}/oauth2/token"
+
+  payload=$(
+    cat <<EOF
+{
+  "client_id": "$ARUBA_CLIENT_ID",
+  "client_secret": "$ARUBA_CLIENT_SECRET",
+  "grant_type": "refresh_token",
+  "refresh_token": "$ARUBA_REFRESH_TOKEN"
+}
+EOF
+  )
+
+  response=$(_post "$payload" "$refresh_url" "" "POST" "application/json")
+  _debug "Token Refresh Response: $response"
+
+  new_token=$(echo "$response" | grep -o '"access_token":[ ]*"[^"]*"' | sed 's/"access_token":[ ]*"\([^"]*\)"/\1/')
+  new_refresh_token=$(echo "$response" | grep -o '"refresh_token":[ ]*"[^"]*"' | sed 's/"refresh_token":[ ]*"\([^"]*\)"/\1/')
+
+  if [ -n "$new_token" ]; then
+    _debug "✅ Token refreshed successfully!"
+    _savedeployconf "ARUBA_ACCESS_TOKEN" "$new_token" 1
+    ARUBA_ACCESS_TOKEN="$new_token"
+
+    if [ -n "$new_refresh_token" ]; then
+      _debug "🔄 Updating refresh token..."
+      _savedeployconf "ARUBA_REFRESH_TOKEN" "$new_refresh_token" 1
+      ARUBA_REFRESH_TOKEN="$new_refresh_token"
+    else
+      _debug "⚠️ Aruba Central did not return a new refresh token! Keeping the old one."
+    fi
+  else
+    _err "❌ Failed to refresh API token. Please manually generate a new one."
+    return 1
+  fi
+}
+
+# Function to delete the previous certificate
+_delete_old_certificate() {
+  _getdeployconf "ARUBA_LAST_CERT"
+
+  if [ -n "$ARUBA_LAST_CERT" ]; then
+    _debug "Found previous certificate: $ARUBA_LAST_CERT. Deleting it..."
+    delete_url="${ARUBA_HOST}/configuration/v1/certificates/${ARUBA_LAST_CERT}"
+    _H1="Authorization: Bearer $ARUBA_ACCESS_TOKEN"
+
+    response=$(_post "" "$delete_url" "" "DELETE" "application/json")
+    _debug "Delete certificate API response: $response"
+
+    if echo "$response" | grep -q '"error"'; then
+      _err "❌ Failed to delete previous certificate."
+    else
+      _debug "✅ Previous certificate deleted successfully."
+    fi
+  else
+    _debug "No previous certificate found. Skipping deletion."
+  fi
+}

From 4a58ddd0aa944ed908e9506af84a71bcb8e1901a Mon Sep 17 00:00:00 2001
From: Gondolf <145931259+vGondolf@users.noreply.github.com>
Date: Fri, 14 Feb 2025 12:54:17 +0100
Subject: [PATCH 8/8] Update arubacentral.sh

---
 deploy/arubacentral.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/deploy/arubacentral.sh b/deploy/arubacentral.sh
index b4b58283..2191c6b0 100644
--- a/deploy/arubacentral.sh
+++ b/deploy/arubacentral.sh
@@ -170,8 +170,10 @@ _delete_old_certificate() {
     response=$(_post "" "$delete_url" "" "DELETE" "application/json")
     _debug "Delete certificate API response: $response"
 
-    if echo "$response" | grep -q '"error"'; then
-      _err "❌ Failed to delete previous certificate."
+    if echo "$response" | jq -e '.description | test("not present")' >/dev/null 2>&1; then
+      _debug "✅ Previous certificate not found - skipping."
+    elif echo "$response" | jq -e '.error_code' >/dev/null 2>&1; then
+      _err "❌ Failed to delete previous certificate: $(echo "$response" | jq -r '.description')"
     else
       _debug "✅ Previous certificate deleted successfully."
     fi