routeros-scripts/check-certificates

#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2018 Christian Hesse <mail@eworm.de>
#
# check for certificate validity

:global "identity";
:global "cert-renew-url";
:global "cert-renew-pass";

:global SendNotification;

:local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");

:local currentdate [ / system clock get date ];

:local currentmonthstr [ :pick $currentdate 0 3 ];
:local currentday [ :pick $currentdate 4 6 ];
:local currentyear [ :pick $currentdate 7 11 ];
:local currentmonth ([ :find $months $currentmonthstr -1 ] + 1);
:local currentstamp ($currentyear * 365 + $currentmonth * 30 + $currentday);

:foreach cert in=[ / certificate find where !revoked ] do={
  :local certname [ / certificate get $cert name ];
  :local invaliddate [ / certificate get $cert invalid-after ];

  :if ([ :len $invaliddate ] > 0) do={
    :local invalidmonthstr [ :pick $invaliddate 0 3 ];
    :local invalidday [ :pick $invaliddate 4 6 ];
    :local invalidyear [ :pick $invaliddate 7 11 ];
    :local invalidmonth ([ :find $months $invalidmonthstr -1 ] + 1);
    :local invalidstamp ($invalidyear * 365 + invalidmonth * 30 + invalidday);

    :local remaining ($invalidstamp - $currentstamp);

    :if ($remaining < 15) do={
      :local commonname [ / certificate get $cert common-name ];
      :local fprint [ / certificate get $cert fingerprint ];

      :do {
        :if ([ :len $"cert-renew-url" ] = 0) do={
          :error "No renew-url given.";
        }

        / tool fetch mode=https check-certificate=yes-without-crl url=($"cert-renew-url" . $commonname . ".pem");
        / certificate import file-name=($commonname . ".pem") passphrase=$"cert-renew-pass";
        / file remove [ find where name=($commonname . ".pem") ];

        :local certnew [ / certificate find where common-name=$commonname fingerprint!=$fprint ];
        :local certnamenew [ / certificate get $certnew name ];

        :foreach ipservice in=[ / ip service find where certificate=$certname ] do={
          / ip service set $ipservice certificate=$certnamenew;
        }

        :do {
          :foreach hotspot in=[ / ip hotspot profile find where ssl-certificate=$certname ] do={
            / ip hotspot profile set $hotspot ssl-certificate=$certnamenew;
          }
        } on-error={
          :log debug ("Setting hotspot certificates failed. Hotspot package not installed?");
        }

        / certificate remove $cert;
        / certificate set $certnew name=$certname;
      } on-error={
        :log warning ("Failed to auto-update certificate " . $certname);

        :local invalidbefore [ / certificate get $cert invalid-before ];
        :local invalidafter [ / certificate get $cert invalid-after ];

        $SendNotification ("Certificate warning!") \
          ("A certificate on " . $identity . " is about to expire.\n\n" . \
            "Certificate Name: " . $certname . "\n" . \
            "Common Name:      " . $commonname . "\n" . \
            "Fingerprint:      " . $fprint . "\n" . \
            "Validity:         " . $invalidbefore . " to " . $invalidafter);
        :log warning ("A certificate is about to expire within " . $remaining . " days: " . $certname);
      }
    } else={
      :log debug ("The certificate " . $certname . " expires in " . $remaining . " days.");
    }
  } else={
    :log debug ("The certificate " . $certname . " is just a template.");
  }
}
start scripts with a magic token / shebang 2018-09-26 22:18:43 +00:00			`#!rsc`
add scripts 2018-07-05 13:29:26 +00:00			`# RouterOS script: check-certificates`
			`# Copyright (c) 2013-2018 Christian Hesse <mail@eworm.de>`
			`#`
			`# check for certificate validity`

			`:global "identity";`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00			`:global "cert-renew-url";`
			`:global "cert-renew-pass";`
add scripts 2018-07-05 13:29:26 +00:00
check-certificates: use function for notification 2018-10-09 13:52:08 +00:00			`:global SendNotification;`

add scripts 2018-07-05 13:29:26 +00:00			`:local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");`

			`:local currentdate [ / system clock get date ];`

			`:local currentmonthstr [ :pick $currentdate 0 3 ];`
			`:local currentday [ :pick $currentdate 4 6 ];`
			`:local currentyear [ :pick $currentdate 7 11 ];`
			`:local currentmonth ([ :find $months $currentmonthstr -1 ] + 1);`
			`:local currentstamp ($currentyear * 365 + $currentmonth * 30 + $currentday);`

			`:foreach cert in=[ / certificate find where !revoked ] do={`
			`:local certname [ / certificate get $cert name ];`
			`:local invaliddate [ / certificate get $cert invalid-after ];`

			`:if ([ :len $invaliddate ] > 0) do={`
			`:local invalidmonthstr [ :pick $invaliddate 0 3 ];`
			`:local invalidday [ :pick $invaliddate 4 6 ];`
			`:local invalidyear [ :pick $invaliddate 7 11 ];`
			`:local invalidmonth ([ :find $months $invalidmonthstr -1 ] + 1);`
			`:local invalidstamp ($invalidyear * 365 + invalidmonth * 30 + invalidday);`

			`:local remaining ($invalidstamp - $currentstamp);`

			`:if ($remaining < 15) do={`
			`:local commonname [ / certificate get $cert common-name ];`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00			`:local fprint [ / certificate get $cert fingerprint ];`

			`:do {`
			`:if ([ :len $"cert-renew-url" ] = 0) do={`
			`:error "No renew-url given.";`
			`}`

			`/ tool fetch mode=https check-certificate=yes-without-crl url=($"cert-renew-url" . $commonname . ".pem");`
			`/ certificate import file-name=($commonname . ".pem") passphrase=$"cert-renew-pass";`
			`/ file remove [ find where name=($commonname . ".pem") ];`

			`:local certnew [ / certificate find where common-name=$commonname fingerprint!=$fprint ];`
			`:local certnamenew [ / certificate get $certnew name ];`

			`:foreach ipservice in=[ / ip service find where certificate=$certname ] do={`
			`/ ip service set $ipservice certificate=$certnamenew;`
			`}`

			`:do {`
			`:foreach hotspot in=[ / ip hotspot profile find where ssl-certificate=$certname ] do={`
			`/ ip hotspot profile set $hotspot ssl-certificate=$certnamenew;`
			`}`
			`} on-error={`
			`:log debug ("Setting hotspot certificates failed. Hotspot package not installed?");`
			`}`

			`/ certificate remove $cert;`
			`/ certificate set $certnew name=$certname;`
			`} on-error={`
			`:log warning ("Failed to auto-update certificate " . $certname);`

			`:local invalidbefore [ / certificate get $cert invalid-before ];`
			`:local invalidafter [ / certificate get $cert invalid-after ];`

			`$SendNotification ("Certificate warning!") \`
			`("A certificate on " . $identity . " is about to expire.\n\n" . \`
			`"Certificate Name: " . $certname . "\n" . \`
			`"Common Name: " . $commonname . "\n" . \`
			`"Fingerprint: " . $fprint . "\n" . \`
			`"Validity: " . $invalidbefore . " to " . $invalidafter);`
			`:log warning ("A certificate is about to expire within " . $remaining . " days: " . $certname);`
			`}`
add scripts 2018-07-05 13:29:26 +00:00			`} else={`
			`:log debug ("The certificate " . $certname . " expires in " . $remaining . " days.");`
			`}`
			`} else={`
			`:log debug ("The certificate " . $certname . " is just a template.");`
			`}`
			`}`