routeros-scripts/check-certificates

#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2020 Christian Hesse <mail@eworm.de>
# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
#
# check for certificate validity
# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-certificates.md

:global CertRenewPass;
:global CertRenewUrl;
:global Identity;

:global CertificateAvailable
:global CertificateNameByCN;
:global IfThenElse;
:global LogPrintExit;
:global ParseKeyValueStore;
:global SendNotification;
:global SymbolForNotification;
:global UrlEncode;
:global WaitForFile;
:global WaitFullyConnected;

:local FormatExpire do={
  :global CharacterReplace;
  :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
}

$WaitFullyConnected;

:foreach Cert in=[ / certificate find where !revoked !ca !scep-url expires-after<3w ] do={
  :local CertVal [ / certificate get $Cert ];

  :do {
    :if ([ :len $CertRenewUrl ] = 0) do={
      $LogPrintExit warning ("No CertRenewUrl given.") true;
    }

    :foreach Type in={ ".pem"; ".p12" } do={
      :local CertFileName ([ $UrlEncode ($CertVal->"common-name") ] . $Type);
      :do {
        / tool fetch check-certificate=yes-without-crl \
            ($CertRenewUrl . $CertFileName) dst-path=$CertFileName;
        $WaitForFile $CertFileName;
        :foreach PassPhrase in=$CertRenewPass do={
          / certificate import file-name=$CertFileName passphrase=$PassPhrase;
        }
        / file remove [ find where name=$CertFileName ];

        :foreach CertInChain in=[ / certificate find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={
          $CertificateNameByCN [ / certificate get $CertInChain common-name ];
        }
      } on-error={
        $LogPrintExit debug ("Could not download certificate file " . $CertFileName) false;
      }
    }

    :local CertNew [ / certificate find where common-name=($CertVal->"common-name") fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>3w ];
    :local CertNewVal [ / certificate get $CertNew ];

    :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
      $LogPrintExit warning ("The certificate chain is not available!") false;
    }

    :if ($Cert != $CertNew) do={
      $LogPrintExit debug ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;

      / ip service set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];

      :do {
        / ip ipsec identity set certificate=($CertNewVal->"name") [ / ip ipsec identity find where certificate=($CertVal->"name") ];
        / ip ipsec identity set remote-certificate=($CertNewVal->"name") [ / ip ipsec identity find where remote-certificate=($CertVal->"name") ];
      } on-error={
        $LogPrintExit debug ("Setting IPSEC certificates failed. Package 'security' not installed?") false;
      }

      :do {
        / ip hotspot profile set ssl-certificate=($CertNewVal->"name") [ / ip hotspot profile find where ssl-certificate=($CertVal->"name") ];
      } on-error={
        $LogPrintExit debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?") false;
      }

      / certificate remove $Cert;
      / certificate set $CertNew name=($CertVal->"name");
    }

    $SendNotification ([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed") \
      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
        "Name:        " . ($CertVal->"name") . "\n" . \
        "CommonName:  " . ($CertNewVal->"common-name") . "\n" . \
        "Fingerprint: " . ($CertNewVal->"fingerprint") . "\n" . \
        "Issuer:      " . ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") . "\n" . \
        "Validity:    " . ($CertNewVal->"invalid-before") . " to " . ($CertNewVal->"invalid-after") . "\n" . \
        "Expires in:  " . [ $FormatExpire ($CertNewVal->"expires-after") ]) "" "true";
    $LogPrintExit info ("The certificate " . ($CertVal->"name") . " has been renewed.") false;
  } on-error={
    $LogPrintExit debug ("Could not renew certificate " . ($CertVal->"name") . ".") false;
  }
}

:foreach Cert in=[ / certificate find where !revoked !scep-url expires-after<2w fingerprint~"." ] do={
  :local CertVal [ / certificate get $Cert ];

  :if ([ / certificate scep-server print count-only where ca-cert=($CertVal->"ca") ] > 0) do={
    $LogPrintExit debug ("Certificate \"" . ($CertVal->"name") . "\" is handled by SCEP, skipping.") false;
  } else={
    :local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ];

    $SendNotification ([ $SymbolForNotification "warning-sign" ] . "Certificate warning!") \
      ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
        "Name:        " . ($CertVal->"name") . "\n" . \
        "CommonName:  " . ($CertVal->"common-name") . "\n" . \
        "Fingerprint: " . ($CertVal->"fingerprint") . "\n" . \
        "Issuer:      " . ($CertVal->"ca") . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "\n" . \
        "Validity:    " . ($CertVal->"invalid-before") . " to " . ($CertVal->"invalid-after") . "\n" . \
        "Expires in:  " . [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ]);
    $LogPrintExit warning ("The certificate " . ($CertVal->"name") . " " . $State . \
        ", it is invalid after " . ($CertVal->"invalid-after") . ".") false;
  }
}
start scripts with a magic token / shebang 2018-09-26 22:18:43 +00:00			`#!rsc`
add scripts 2018-07-05 13:29:26 +00:00			`# RouterOS script: check-certificates`
update copyright for 2020 2020-01-01 16:00:39 +00:00			`# Copyright (c) 2013-2020 Christian Hesse <mail@eworm.de>`
explicitly name the license Copyright (C) 2013-2020 Christian Hesse <mail@eworm.de> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. https://www.gnu.org/licenses/#GPL https://www.gnu.org/licenses/gpl.html https://www.gnu.org/licenses/gpl.md 2020-06-19 20:17:42 +00:00			`# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md`
add scripts 2018-07-05 13:29:26 +00:00			`#`
			`# check for certificate validity`
add doc/check-certificates.md 2020-03-27 20:41:18 +00:00			`# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-certificates.md`
add scripts 2018-07-05 13:29:26 +00:00
global: variable names are CamelCase ___ _ ___ __ / _ )(_)__ _ / _/__ _/ /_ / _ / / _ `/ / _/ _ `/ __/ /____/_/\_, / /_/ \_,_/\__/ _ __ /___/ _ __ \| \| / /___ __________ (_)___ ____ _/ / \| \| /\| / / __ `/ ___/ __ \/ / __ \/ __ `/ / \| \|/ \|/ / /_/ / / / / / / / / / / /_/ /_/ \|__/\|__/\__,_/_/ /_/ /_/_/_/ /_/\__, (_) /____/ RouterOS has some odd behavior when it comes to variable names. Let's have a look at the interfaces: [admin@MikroTik] > / interface print where name=en1 Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU 0 RS en1 ether 1500 1598 That looks ok. Now we use a script: { :local interface "en1"; / interface print where name=$interface; } And the result... [admin@MikroTik] > { :local interface "en1"; {... / interface print where name=$interface; } Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU 0 RS en1 ether 1500 1598 ... still looks ok. We make a little modification to the script: { :local name "en1"; / interface print where name=$name; } And the result: [admin@MikroTik] > { :local name "en1"; {... / interface print where name=$name; } Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU 0 RS en1 ether 1500 1598 1 S en2 ether 1500 1598 2 S en3 ether 1500 1598 3 S en4 ether 1500 1598 4 S en5 ether 1500 1598 5 R br-local bridge 1500 1598 Ups! The filter has no effect! That happens whenever the variable name ($name) matches the property name (name=). And another modification: { :local type "en1"; / interface print where name=$type; } And the result: [admin@MikroTik] > { :local type "en1"; {... / interface print where name=$type; } Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU Ups! Nothing? Even if the variable name ($type) matches whatever property name (type=) things go wrong. The answer from MikroTik support (in Ticket#2019010222000454): > This is how scripting works in RouterOS and we will not fix it. To get around this we use variable names in CamelCase. Let's hope Mikrotik never ever introduces property names in CamelCase... fingers crossed 2019-01-03 16:45:43 +00:00			`:global CertRenewPass;`
global-functions: sort alphabetically 2020-02-28 14:26:26 +00:00			`:global CertRenewUrl;`
			`:global Identity;`
add scripts 2018-07-05 13:29:26 +00:00
check-certificates: check and download certificate chain 2020-04-03 12:12:09 +00:00			`:global CertificateAvailable`
check-certificates: rename all certificates by their common names 2020-02-06 17:10:47 +00:00			`:global CertificateNameByCN;`
check-certificates: use $IfThenElse 2020-07-16 19:18:12 +00:00			`:global IfThenElse;`
global-functions: sort alphabetically 2020-02-28 14:26:26 +00:00			`:global LogPrintExit;`
check-certificates: use $ParseKeyValueStore 2019-07-17 14:28:22 +00:00			`:global ParseKeyValueStore;`
check-certificates: use function for notification 2018-10-09 13:52:08 +00:00			`:global SendNotification;`
check-certificates: add symbol in notification 2020-07-17 09:52:54 +00:00			`:global SymbolForNotification;`
check-certificates: add url encoding for certificate download 2019-04-10 12:47:20 +00:00			`:global UrlEncode;`
global-functions: add $WaitForFile, wait for file on fetch The fetch command is asynchronous, the file is not guaranteed to be available when command terminates. I opened an issue at Mikrotik support (Ticket#2019041722004999), their answer: > You should perform a check in a loop. > :delay until file exist > > That can happen also with any configuration not just files. So add a function to wait for a file with given name. I have not seen this with other configuration, though. 2019-04-18 08:39:32 +00:00			`:global WaitForFile;`
check-certificates: wait to be fully connected 2020-08-21 21:13:47 +00:00			`:global WaitFullyConnected;`
check-certificates: use function for notification 2018-10-09 13:52:08 +00:00
check-certificates: show remaining time 2019-03-28 12:32:08 +00:00			`:local FormatExpire do={`
			`:global CharacterReplace;`
			`:return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];`
			`}`

check-certificates: wait to be fully connected 2020-08-21 21:13:47 +00:00			`$WaitFullyConnected;`
check-certificates: check for synced time 2020-02-24 10:12:45 +00:00
check-certificates: exclude certificates issued by SCEP 2020-03-20 21:03:31 +00:00			`:foreach Cert in=[ / certificate find where !revoked !ca !scep-url expires-after<3w ] do={`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:local CertVal [ / certificate get $Cert ];`
add scripts 2018-07-05 13:29:26 +00:00
check-certificates: move conditions to loop 2019-01-09 21:18:58 +00:00			`:do {`
			`:if ([ :len $CertRenewUrl ] = 0) do={`
check-certificates: always use parenthesis 2020-04-24 11:49:50 +00:00			`$LogPrintExit warning ("No CertRenewUrl given.") true;`
check-certificates: move conditions to loop 2019-01-09 21:18:58 +00:00			`}`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`:foreach Type in={ ".pem"; ".p12" } do={`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:local CertFileName ([ $UrlEncode ($CertVal->"common-name") ] . $Type);`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`:do {`
global-functions: add $WaitForFile, wait for file on fetch The fetch command is asynchronous, the file is not guaranteed to be available when command terminates. I opened an issue at Mikrotik support (Ticket#2019041722004999), their answer: > You should perform a check in a loop. > :delay until file exist > > That can happen also with any configuration not just files. So add a function to wait for a file with given name. I have not seen this with other configuration, though. 2019-04-18 08:39:32 +00:00			`/ tool fetch check-certificate=yes-without-crl \`
			`($CertRenewUrl . $CertFileName) dst-path=$CertFileName;`
			`$WaitForFile $CertFileName;`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`:foreach PassPhrase in=$CertRenewPass do={`
check-certificates: add url encoding for certificate download 2019-04-10 12:47:20 +00:00			`/ certificate import file-name=$CertFileName passphrase=$PassPhrase;`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`}`
check-certificates: add url encoding for certificate download 2019-04-10 12:47:20 +00:00			`/ file remove [ find where name=$CertFileName ];`
check-certificates: rename all certificates by their common names 2020-02-06 17:10:47 +00:00
			`:foreach CertInChain in=[ / certificate find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={`
			`$CertificateNameByCN [ / certificate get $CertInChain common-name ];`
			`}`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`} on-error={`
check-certificates: use $LogPrintExit for debug 2020-03-05 08:01:11 +00:00			`$LogPrintExit debug ("Could not download certificate file " . $CertFileName) false;`
check-certificates: try to fetch PEM and P12 file 2019-04-10 12:15:41 +00:00			`}`
check-certificates: support multiple passphrases 2019-04-01 20:45:38 +00:00			`}`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:local CertNew [ / certificate find where common-name=($CertVal->"common-name") fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>3w ];`
			`:local CertNewVal [ / certificate get $CertNew ];`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: warn about missing chain 2020-04-03 12:36:32 +00:00			`:if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={`
			`$LogPrintExit warning ("The certificate chain is not available!") false;`
			`}`
check-certificates: check and download certificate chain 2020-04-03 12:12:09 +00:00
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`:if ($Cert != $CertNew) do={`
check-certificates: use $LogPrintExit for debug 2020-03-05 08:01:11 +00:00			`$LogPrintExit debug ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`/ ip service set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];`
check-certificates: update certificates for ipsec identities 2019-03-25 15:49:26 +00:00
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`:do {`
			`/ ip ipsec identity set certificate=($CertNewVal->"name") [ / ip ipsec identity find where certificate=($CertVal->"name") ];`
			`/ ip ipsec identity set remote-certificate=($CertNewVal->"name") [ / ip ipsec identity find where remote-certificate=($CertVal->"name") ];`
			`} on-error={`
check-certificates: use $LogPrintExit for debug 2020-03-05 08:01:11 +00:00			`$LogPrintExit debug ("Setting IPSEC certificates failed. Package 'security' not installed?") false;`
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`}`
check-certificates: support auto-renew of certificates 2018-12-20 14:55:40 +00:00
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`:do {`
			`/ ip hotspot profile set ssl-certificate=($CertNewVal->"name") [ / ip hotspot profile find where ssl-certificate=($CertVal->"name") ];`
			`} on-error={`
check-certificates: use $LogPrintExit for debug 2020-03-05 08:01:11 +00:00			`$LogPrintExit debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?") false;`
check-certificates: fix renewing certificate in place 2019-07-31 19:04:06 +00:00			`}`

			`/ certificate remove $Cert;`
			`/ certificate set $CertNew name=($CertVal->"name");`
			`}`
check-certificates: show issuer CN only 2019-01-09 16:34:08 +00:00
check-certificates: add symbol in notification 2020-07-17 09:52:54 +00:00			`$SendNotification ([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed") \`
check-certificates: move conditions to loop 2019-01-09 21:18:58 +00:00			`("A certificate on " . $Identity . " has been renewed.\n\n" . \`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`"Name: " . ($CertVal->"name") . "\n" . \`
			`"CommonName: " . ($CertNewVal->"common-name") . "\n" . \`
			`"Fingerprint: " . ($CertNewVal->"fingerprint") . "\n" . \`
check-certificates: use $ParseKeyValueStore 2019-07-17 14:28:22 +00:00			`"Issuer: " . ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") . "\n" . \`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`"Validity: " . ($CertNewVal->"invalid-before") . " to " . ($CertNewVal->"invalid-after") . "\n" . \`
check-certificates: make renew notification silent 2019-11-11 19:47:11 +00:00			`"Expires in: " . [ $FormatExpire ($CertNewVal->"expires-after") ]) "" "true";`
global-functions: merge $LogAnd{Error,Put} to $LogPrintExit ... ... and fix logging. Logging with severity from variable (:log $severity ...) is not possible, this is considered a syntax error. Also the 'workaround' with parsing code failed with missing message in log. The reliable code is a lot longer, so merge the two functions to save a lot of duplicate code. 2020-02-26 13:19:54 +00:00			`$LogPrintExit info ("The certificate " . ($CertVal->"name") . " has been renewed.") false;`
check-certificates: move conditions to loop 2019-01-09 21:18:58 +00:00			`} on-error={`
check-certificates: use $LogPrintExit for debug 2020-03-05 08:01:11 +00:00			`$LogPrintExit debug ("Could not renew certificate " . ($CertVal->"name") . ".") false;`
check-certificates: split loop for certificate renew and warning This allows to have differnt time values. 2019-03-06 12:49:12 +00:00			`}`
			`}`
check-certificates: use time functionality No need to calculate that... 2019-01-09 10:43:30 +00:00
check-certificates: add missing blank 2020-04-24 10:19:14 +00:00			`:foreach Cert in=[ / certificate find where !revoked !scep-url expires-after<2w fingerprint~"." ] do={`
check-certificates: get certificate values into array 2019-05-20 14:25:36 +00:00			`:local CertVal [ / certificate get $Cert ];`

check-certificates: exclude issued certificates on SCEP server 2020-04-24 12:26:00 +00:00			`:if ([ / certificate scep-server print count-only where ca-cert=($CertVal->"ca") ] > 0) do={`
			`$LogPrintExit debug ("Certificate \"" . ($CertVal->"name") . "\" is handled by SCEP, skipping.") false;`
			`} else={`
check-certificates: use $IfThenElse 2020-07-16 19:18:12 +00:00			`:local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ];`
check-certificates: split loop for certificate renew and warning This allows to have differnt time values. 2019-03-06 12:49:12 +00:00
check-certificates: add symbol in notification 2020-07-17 09:52:54 +00:00			`$SendNotification ([ $SymbolForNotification "warning-sign" ] . "Certificate warning!") \`
check-certificates: exclude issued certificates on SCEP server 2020-04-24 12:26:00 +00:00			`("A certificate on " . $Identity . " " . $State . ".\n\n" . \`
			`"Name: " . ($CertVal->"name") . "\n" . \`
			`"CommonName: " . ($CertVal->"common-name") . "\n" . \`
			`"Fingerprint: " . ($CertVal->"fingerprint") . "\n" . \`
			`"Issuer: " . ($CertVal->"ca") . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "\n" . \`
			`"Validity: " . ($CertVal->"invalid-before") . " to " . ($CertVal->"invalid-after") . "\n" . \`
check-certificates: use $IfThenElse 2020-07-16 19:18:12 +00:00			`"Expires in: " . [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ]);`
check-certificates: exclude issued certificates on SCEP server 2020-04-24 12:26:00 +00:00			`$LogPrintExit warning ("The certificate " . ($CertVal->"name") . " " . $State . \`
			`", it is invalid after " . ($CertVal->"invalid-after") . ".") false;`
			`}`
add scripts 2018-07-05 13:29:26 +00:00			`}`