routeros-scripts/check-certificates

#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2020 Christian Hesse <mail@eworm.de>
#
# check for certificate validity

:global Identity;
:global CertRenewUrl;
:global CertRenewPass;

:global CertificateNameByCN;
:global ParseKeyValueStore;
:global SendNotification;
:global UrlEncode;
:global WaitForFile;

:local FormatExpire do={
  :global CharacterReplace;
  :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
}

:foreach Cert in=[ / certificate find where !revoked !ca expires-after<3w ] do={
  :local CertVal [ / certificate get $Cert ];

  :do {
    :if ([ :len $CertRenewUrl ] = 0) do={
      :log info "No CertRenewUrl given.";
      :error "No CertRenewUrl given.";
    }

    :foreach Type in={ ".pem"; ".p12" } do={
      :local CertFileName ([ $UrlEncode ($CertVal->"common-name") ] . $Type);
      :do {
        / tool fetch check-certificate=yes-without-crl \
            ($CertRenewUrl . $CertFileName) dst-path=$CertFileName;
        $WaitForFile $CertFileName;
        :foreach PassPhrase in=$CertRenewPass do={
          / certificate import file-name=$CertFileName passphrase=$PassPhrase;
        }
        / file remove [ find where name=$CertFileName ];

        :foreach CertInChain in=[ / certificate find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={
          $CertificateNameByCN [ / certificate get $CertInChain common-name ];
        }
      } on-error={
        :log debug ("Could not download certificate file " . $CertFileName);
      }
    }

    :local CertNew [ / certificate find where common-name=($CertVal->"common-name") fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>3w ];
    :local CertNewVal [ / certificate get $CertNew ];

    :if ($Cert != $CertNew) do={
      :log debug ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.");

      / ip service set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];

      :do {
        / ip ipsec identity set certificate=($CertNewVal->"name") [ / ip ipsec identity find where certificate=($CertVal->"name") ];
        / ip ipsec identity set remote-certificate=($CertNewVal->"name") [ / ip ipsec identity find where remote-certificate=($CertVal->"name") ];
      } on-error={
        :log debug ("Setting IPSEC certificates failed. Package 'security' not installed?");
      }

      :do {
        / ip hotspot profile set ssl-certificate=($CertNewVal->"name") [ / ip hotspot profile find where ssl-certificate=($CertVal->"name") ];
      } on-error={
        :log debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?");
      }

      / certificate remove $Cert;
      / certificate set $CertNew name=($CertVal->"name");
    }

    $SendNotification ("Certificate renewed") \
      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
        "Name:        " . ($CertVal->"name") . "\n" . \
        "CommonName:  " . ($CertNewVal->"common-name") . "\n" . \
        "Fingerprint: " . ($CertNewVal->"fingerprint") . "\n" . \
        "Issuer:      " . ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") . "\n" . \
        "Validity:    " . ($CertNewVal->"invalid-before") . " to " . ($CertNewVal->"invalid-after") . "\n" . \
        "Expires in:  " . [ $FormatExpire ($CertNewVal->"expires-after") ]) "" "true";
    :log info ("The certificate " . ($CertVal->"name") . " has been renewed.");
  } on-error={
    :log debug ("Could not renew certificate " . ($CertVal->"name") . ".");
  }
}

:foreach Cert in=[ / certificate find where !revoked expires-after<2w fingerprint~"."] do={
  :local CertVal [ / certificate get $Cert ];

  :local ExpiresAfter [ $FormatExpire ($CertVal->"expires-after") ];
  :local State "is about to expire";
  :if (($CertVal->"expired") = true) do={
    :set ExpiresAfter "expired";
    :set State "expired";
  }

  $SendNotification ("Certificate warning!") \
    ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
      "Name:        " . ($CertVal->"name") . "\n" . \
      "CommonName:  " . ($CertVal->"common-name") . "\n" . \
      "Fingerprint: " . ($CertVal->"fingerprint") . "\n" . \
      "Issuer:      " . ($CertVal->"ca") . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "\n" . \
      "Validity:    " . ($CertVal->"invalid-before") . " to " . ($CertVal->"invalid-after") . "\n" . \
      "Expires in:  " . $ExpiresAfter);
  :log warning ("The certificate " . ($CertVal->"name") . " " . $State . \
      ", it is invalid after " . ($CertVal->"invalid-after") . ".");
}
start scripts with a magic token / shebang 2018-09-26 22:18:43 +00:00			`#!rsc`
add scripts 2018-07-05 13:29:26 +00:00			`# RouterOS script: check-certificates`
update copyright for 2020 2020-01-01 16:00:39 +00:00			`# Copyright (c) 2013-2020 Christian Hesse <mail@eworm.de>`
add scripts 2018-07-05 13:29:26 +00:00			`#`
			`# check for certificate validity`

global: variable names are CamelCase ___ _ ___ __ / _ )(_)__ _ / _/__ _/ /_ / _ / / _ `/ / _/ _ `/ __/ /____/_/\_, / /_/ \_,_/\__/ _ __ /___/ _ __ \| \| / /___ __________ (_)___ ____ _/ / \| \| /\| / / __ `/ ___/ __ \/ / __ \/ __ `/ / \| \|/ \|/ / /_/ / / / / / / / / / / /_/ /_/ \|__/\|__/\__,_/_/ /_/ /_/_/_/ /_/\__, (_) /____/ RouterOS has some odd behavior when it comes to variable names. Let's have a look at the interfaces: [admin@MikroTik] > / interface print where name=en1 Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU 0 RS en1 ether 1500 1598 That looks ok. Now we use a script: { :local interface "en1"; / interface print where name=$interface; } And the result... [admin@MikroTik] > { :local interface "en1"; {... / interface print where name=$interface; } Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU 0 RS en1 ether 1500 1598 ... still looks ok. We make a little modification to the script: { :local name "en1"; / interface print where name=$name; } And the result: [admin@MikroTik] > { :local name "en1"; {... / interface print where name=$name; } Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU 0 RS en1 ether 1500 1598 1 S en2 ether 1500 1598 2 S en3 ether 1500 1598 3 S en4 ether 1500 1598 4 S en5 ether 1500 1598 5 R br-local bridge 1500 1598 Ups! The filter has no effect! That happens whenever the variable name ($name) matches the property name (name=). And another modification: { :local type "en1"; / interface print where name=$type; } And the result: [admin@MikroTik] > { :local type "en1"; {... / interface print where name=$type; } Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU Ups! Nothing? Even if the variable name ($type) matches whatever property name (type=) things go wrong. The answer from MikroTik support (in Ticket#2019010222000454): > This is how scripting works in RouterOS and we will not fix it. To get around this we use variable names in CamelCase. Let's hope Mikrotik never ever introduces property names in CamelCase... fingers crossed 2019-01-03 16:45:43 +00:00			`:global Identity;`
			`:global CertRenewUrl;`
			`:global CertRenewPass;`
add scripts 2018-07-05 13:29:26 +00:00
check-certificates: rename all certificates by their common names 2020-02-06 17:10:47 +00:00			`:global CertificateNameByCN;`
check-certificates: use $ParseKeyValueStore 2019-07-17 14:28:22 +00:00			`:global ParseKeyValueStore;`
check-certificates: use function for notification 2018-10-09 13:52:08 +00:00			`:global SendNotification;`
check-certificates: add url encoding for certificate download 2019-04-10 12:47:20 +00:00			`:global UrlEncode;`
global-functions: add $WaitForFile, wait for file on fetch The fetch command is asynchronous, the file is not guaranteed to be available when command terminates. I opened an issue at Mikrotik support (Ticket#2019041722004999), their answer: > You should perform a check in a loop. > :delay until file exist > > That can happen also with any configuration not just files. So add a function to wait for a file with given name. I have not seen this with other configuration, though. 2019-04-18 08:39:32 +00:00			`:global WaitForFile;`
check-certificates: use function for notification 2018-10-09 13:52:08 +00:00
check-certificates: show remaining time 2019-03-28 12:32:08 +00:00			`:local FormatExpire do={`
			`:global CharacterReplace;`
			`:return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];`
			`}`

check-certificates: do not try to renew locally issued certificates 2019-05-02 09:59:43 +00:00			`:foreach Cert in=[ / certificate find where !revoked !ca expires-after<3w ] do={`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:local CertVal [ / certificate get $Cert ];`
add scripts 2018-07-05 13:29:26 +00:00
check-certificates: move conditions to loop 2019-01-09 21:18:58 +00:00			`:do {`
			`:if ([ :len $CertRenewUrl ] = 0) do={`
always write warnings and errors to log 2019-04-03 19:30:43 +00:00			`:log info "No CertRenewUrl given.";`
check-certificates: move conditions to loop 2019-01-09 21:18:58 +00:00			`:error "No CertRenewUrl given.";`
			`}`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`:foreach Type in={ ".pem"; ".p12" } do={`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:local CertFileName ([ $UrlEncode ($CertVal->"common-name") ] . $Type);`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`:do {`
global-functions: add $WaitForFile, wait for file on fetch The fetch command is asynchronous, the file is not guaranteed to be available when command terminates. I opened an issue at Mikrotik support (Ticket#2019041722004999), their answer: > You should perform a check in a loop. > :delay until file exist > > That can happen also with any configuration not just files. So add a function to wait for a file with given name. I have not seen this with other configuration, though. 2019-04-18 08:39:32 +00:00			`/ tool fetch check-certificate=yes-without-crl \`
			`($CertRenewUrl . $CertFileName) dst-path=$CertFileName;`
			`$WaitForFile $CertFileName;`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`:foreach PassPhrase in=$CertRenewPass do={`
check-certificates: add url encoding for certificate download 2019-04-10 12:47:20 +00:00			`/ certificate import file-name=$CertFileName passphrase=$PassPhrase;`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`}`
check-certificates: add url encoding for certificate download 2019-04-10 12:47:20 +00:00			`/ file remove [ find where name=$CertFileName ];`
check-certificates: rename all certificates by their common names 2020-02-06 17:10:47 +00:00
			`:foreach CertInChain in=[ / certificate find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={`
			`$CertificateNameByCN [ / certificate get $CertInChain common-name ];`
			`}`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`} on-error={`
check-certificates: add url encoding for certificate download 2019-04-10 12:47:20 +00:00			`:log debug ("Could not download certificate file " . $CertFileName);`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`}`
check-certificates: support multiple passphrases 2019-04-01 20:45:38 +00:00			`}`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:local CertNew [ / certificate find where common-name=($CertVal->"common-name") fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>3w ];`
			`:local CertNewVal [ / certificate get $CertNew ];`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`:if ($Cert != $CertNew) do={`
			`:log debug ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.");`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`/ ip service set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];`
check-certificates: update certificates for ipsec identities 2019-03-25 15:49:26 +00:00
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`:do {`
			`/ ip ipsec identity set certificate=($CertNewVal->"name") [ / ip ipsec identity find where certificate=($CertVal->"name") ];`
			`/ ip ipsec identity set remote-certificate=($CertNewVal->"name") [ / ip ipsec identity find where remote-certificate=($CertVal->"name") ];`
			`} on-error={`
			`:log debug ("Setting IPSEC certificates failed. Package 'security' not installed?");`
			`}`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`:do {`
			`/ ip hotspot profile set ssl-certificate=($CertNewVal->"name") [ / ip hotspot profile find where ssl-certificate=($CertVal->"name") ];`
			`} on-error={`
			`:log debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?");`
			`}`

			`/ certificate remove $Cert;`
			`/ certificate set $CertNew name=($CertVal->"name");`
			`}`
check-certificates: show issuer CN only 2019-01-09 16:34:08 +00:00
check-certificates: move conditions to loop 2019-01-09 21:18:58 +00:00			`$SendNotification ("Certificate renewed") \`
			`("A certificate on " . $Identity . " has been renewed.\n\n" . \`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`"Name: " . ($CertVal->"name") . "\n" . \`
			`"CommonName: " . ($CertNewVal->"common-name") . "\n" . \`
			`"Fingerprint: " . ($CertNewVal->"fingerprint") . "\n" . \`
check-certificates: use $ParseKeyValueStore 2019-07-17 14:28:22 +00:00			`"Issuer: " . ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") . "\n" . \`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`"Validity: " . ($CertNewVal->"invalid-before") . " to " . ($CertNewVal->"invalid-after") . "\n" . \`
check-certificates: make renew notification silent 2019-11-11 19:47:11 +00:00			`"Expires in: " . [ $FormatExpire ($CertNewVal->"expires-after") ]) "" "true";`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:log info ("The certificate " . ($CertVal->"name") . " has been renewed.");`
check-certificates: move conditions to loop 2019-01-09 21:18:58 +00:00			`} on-error={`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:log debug ("Could not renew certificate " . ($CertVal->"name") . ".");`
check-certificates: split loop for certificate renew and warning This allows to have differnt time values. 2019-03-06 12:49:12 +00:00			`}`
			`}`
check-certificates: use time functionality No need to calculate that... 2019-01-09 10:43:30 +00:00
check-certificates: do not send notification for templates 2019-04-11 08:19:46 +00:00			`:foreach Cert in=[ / certificate find where !revoked expires-after<2w fingerprint~"."] do={`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:local CertVal [ / certificate get $Cert ];`

			`:local ExpiresAfter [ $FormatExpire ($CertVal->"expires-after") ];`
check-certificates: show remaining time 2019-03-28 12:32:08 +00:00			`:local State "is about to expire";`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:if (($CertVal->"expired") = true) do={`
check-certificates: show remaining time 2019-03-28 12:32:08 +00:00			`:set ExpiresAfter "expired";`
check-certificates: split loop for certificate renew and warning This allows to have differnt time values. 2019-03-06 12:49:12 +00:00			`:set State "expired";`
add scripts 2018-07-05 13:29:26 +00:00			`}`
check-certificates: split loop for certificate renew and warning This allows to have differnt time values. 2019-03-06 12:49:12 +00:00
			`$SendNotification ("Certificate warning!") \`
			`("A certificate on " . $Identity . " " . $State . ".\n\n" . \`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`"Name: " . ($CertVal->"name") . "\n" . \`
			`"CommonName: " . ($CertVal->"common-name") . "\n" . \`
			`"Fingerprint: " . ($CertVal->"fingerprint") . "\n" . \`
check-certificates: use $ParseKeyValueStore 2019-07-17 14:28:22 +00:00			`"Issuer: " . ($CertVal->"ca") . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "\n" . \`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`"Validity: " . ($CertVal->"invalid-before") . " to " . ($CertVal->"invalid-after") . "\n" . \`
check-certificates: show remaining time 2019-03-28 12:32:08 +00:00			`"Expires in: " . $ExpiresAfter);`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:log warning ("The certificate " . ($CertVal->"name") . " " . $State . \`
			`", it is invalid after " . ($CertVal->"invalid-after") . ".");`
add scripts 2018-07-05 13:29:26 +00:00			`}`