Add deploy/zyxel_gs1900.sh

[coderjoe]

Add support for deploying to the Zyxel GS1900 line of switches as long as those switches are running at least firmware V2.80.

Tested on a Zyxel GS1900-8 and GS1900-24E

Resolves #5042

[coderjoe]

I'm now using this version locally for my switches. Please let me know if there is anything you'd like me to do to improve the PR. No rush. :)

[coderjoe]

A bug has occurred on one of my servers with a different version of sed. Working on a fix now.

[coderjoe]

Most recent commit should have resolved the issue I found.

[coderjoe]

These are the differences between the two implementations and why I was using curl rather than _post. I have not been able to get _post to work.

[coderjoe]

I've updated for the shellcheck and shfmt linting in the previous run, have removed the defunct curl errors (now that curl is not a requirement) and have squashed the commit to clean up history a bit.

[coderjoe]

I've verified that the updated commits continue to work in all of my deployed environments.
Thank you very much @Neilpang for your help/guidance on wget support.

I don't think I would have figured it out without your suggestion. :)

[coderjoe]

I have now been using this in production for a few months. @Neilpang please let me know if there is anything else you would like me to do - or if there's anything I can do to help get this included. :)

Thanks again for your time and help!

[coderjoe]

Rebased onto the latest dev.
Please let me know what else needs to be done for a review.

[Neilpang]

why do you need to "ReadBodyFromFile"?

[coderjoe]

why do you need to "ReadBodyFromFile"?

Great question @Neilpang. I responded in the gitter.im chat while the repo was restricted, but I'll repeat it here just in case it wasn't seen.

I need to read from file because this switch expects a binary exact, not encoded, upload of the certificate. The uploaded certificate contains many \0 NULL bytes which cannot be piped within the shell script without being truncated.

Making wget or curl read the certificate file directly is the only way I have been able to get the full file uploaded in the manner the switch expects without the file becoming truncated by the null bytes.

I hope this helps clarify.

[dark-m0de]

Hi, I would really appreciate if we could add support for Zyxel devices. I'm using a XMG1915 switch, as well as NWA50AX PRO and NWA130BE access points. My assumption is that with a few changes, those devices could be supported as well.
I'd be happy to support the development for this.

[coderjoe]

Hello @dark-m0de , I appreciate your interest. I don't think in its current form my PR will be accepted. I think my modifications to the _post method in acme.sh are not of sufficient quality and I'm currently investigating alternatives.

Some notes:

• Web interfaces between different series of Zyxel switches tend to be different enough that they will likely require separate integrations. At least that has been my past experience.
• I'm entirely unfamiliar with their AP products so I cannot provide any recommendation, but much like the XGS series I would be very hesistant to support them in this script.
• I have an open feature request on the Zyxel community to support other methods of upload other than just web based upload of binary PKCS12 certificates. That conversation is ongoing at this time and if you'd like to leave a polite "me too" that would be welcome.

For now I think I'm going to put this PR back into draft until I can come up with some alternative methods to get the certificates into the GS1900 series switches.

[dark-m0de]

Thank you @coderjoe, I just prepared my answer for the zyxel community. But somehow I'm not able to post it yet.

Another thought: Do you think it would help if zyxel adds support for uploading certificates to their CLI (e.g. ssh based)? This would add ssh as a dependency to acme in such scenarios. But it would definitely ease the process to manage certificates in a scripted way.