2018-09-26 22:18:43 +00:00
|
|
|
#!rsc
|
2018-07-05 13:29:26 +00:00
|
|
|
# RouterOS script: check-certificates
|
2019-01-01 20:19:19 +00:00
|
|
|
# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
|
2018-07-05 13:29:26 +00:00
|
|
|
#
|
|
|
|
# check for certificate validity
|
|
|
|
|
global: variable names are CamelCase
___ _ ___ __
/ _ )(_)__ _ / _/__ _/ /_
/ _ / / _ `/ / _/ _ `/ __/
/____/_/\_, / /_/ \_,_/\__/
_ __ /___/ _ __
| | / /___ __________ (_)___ ____ _/ /
| | /| / / __ `/ ___/ __ \/ / __ \/ __ `/ /
| |/ |/ / /_/ / / / / / / / / / / /_/ /_/
|__/|__/\__,_/_/ /_/ /_/_/_/ /_/\__, (_)
/____/
RouterOS has some odd behavior when it comes to variable names. Let's
have a look at the interfaces:
[admin@MikroTik] > / interface print where name=en1
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU
0 RS en1 ether 1500 1598
That looks ok. Now we use a script:
{ :local interface "en1";
/ interface print where name=$interface; }
And the result...
[admin@MikroTik] > { :local interface "en1";
{... / interface print where name=$interface; }
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU
0 RS en1 ether 1500 1598
... still looks ok.
We make a little modification to the script:
{ :local name "en1";
/ interface print where name=$name; }
And the result:
[admin@MikroTik] > { :local name "en1";
{... / interface print where name=$name; }
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU
0 RS en1 ether 1500 1598
1 S en2 ether 1500 1598
2 S en3 ether 1500 1598
3 S en4 ether 1500 1598
4 S en5 ether 1500 1598
5 R br-local bridge 1500 1598
Ups! The filter has no effect!
That happens whenever the variable name ($name) matches the property
name (name=).
And another modification:
{ :local type "en1";
/ interface print where name=$type; }
And the result:
[admin@MikroTik] > { :local type "en1";
{... / interface print where name=$type; }
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU
Ups! Nothing?
Even if the variable name ($type) matches whatever property name (type=)
things go wrong.
The answer from MikroTik support (in Ticket#2019010222000454):
> This is how scripting works in RouterOS and we will not fix it.
To get around this we use variable names in CamelCase. Let's hope
Mikrotik never ever introduces property names in CamelCase...
*fingers crossed*
2019-01-03 16:45:43 +00:00
|
|
|
:global Identity;
|
|
|
|
:global CertRenewUrl;
|
|
|
|
:global CertRenewPass;
|
2018-07-05 13:29:26 +00:00
|
|
|
|
2019-07-17 14:28:22 +00:00
|
|
|
:global ParseKeyValueStore;
|
2018-10-09 13:52:08 +00:00
|
|
|
:global SendNotification;
|
2019-04-10 12:47:20 +00:00
|
|
|
:global UrlEncode;
|
2019-04-18 08:39:32 +00:00
|
|
|
:global WaitForFile;
|
2018-10-09 13:52:08 +00:00
|
|
|
|
2019-03-28 12:32:08 +00:00
|
|
|
:local FormatExpire do={
|
|
|
|
:global CharacterReplace;
|
|
|
|
:return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
|
|
|
|
}
|
|
|
|
|
2019-05-02 09:59:43 +00:00
|
|
|
:foreach Cert in=[ / certificate find where !revoked !ca expires-after<3w ] do={
|
2019-05-20 14:25:36 +00:00
|
|
|
:local CertVal [ / certificate get $Cert ];
|
2018-07-05 13:29:26 +00:00
|
|
|
|
2019-01-09 21:18:58 +00:00
|
|
|
:do {
|
|
|
|
:if ([ :len $CertRenewUrl ] = 0) do={
|
2019-04-03 19:30:43 +00:00
|
|
|
:log info "No CertRenewUrl given.";
|
2019-01-09 21:18:58 +00:00
|
|
|
:error "No CertRenewUrl given.";
|
|
|
|
}
|
2018-12-20 14:55:40 +00:00
|
|
|
|
2019-04-10 12:15:41 +00:00
|
|
|
:foreach Type in={ ".pem"; ".p12" } do={
|
2019-05-20 14:25:36 +00:00
|
|
|
:local CertFileName ([ $UrlEncode ($CertVal->"common-name") ] . $Type);
|
2019-04-10 12:15:41 +00:00
|
|
|
:do {
|
2019-04-18 08:39:32 +00:00
|
|
|
/ tool fetch check-certificate=yes-without-crl \
|
|
|
|
($CertRenewUrl . $CertFileName) dst-path=$CertFileName;
|
|
|
|
$WaitForFile $CertFileName;
|
2019-04-10 12:15:41 +00:00
|
|
|
:foreach PassPhrase in=$CertRenewPass do={
|
2019-04-10 12:47:20 +00:00
|
|
|
/ certificate import file-name=$CertFileName passphrase=$PassPhrase;
|
2019-04-10 12:15:41 +00:00
|
|
|
}
|
2019-04-10 12:47:20 +00:00
|
|
|
/ file remove [ find where name=$CertFileName ];
|
2019-04-10 12:15:41 +00:00
|
|
|
} on-error={
|
2019-04-10 12:47:20 +00:00
|
|
|
:log debug ("Could not download certificate file " . $CertFileName);
|
2019-04-10 12:15:41 +00:00
|
|
|
}
|
2019-04-01 20:45:38 +00:00
|
|
|
}
|
2018-12-20 14:55:40 +00:00
|
|
|
|
2019-05-20 14:25:36 +00:00
|
|
|
:local CertNew [ / certificate find where common-name=($CertVal->"common-name") fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>3w ];
|
|
|
|
:local CertNewVal [ / certificate get $CertNew ];
|
2018-12-20 14:55:40 +00:00
|
|
|
|
2019-07-31 19:04:06 +00:00
|
|
|
:if ($Cert != $CertNew) do={
|
|
|
|
:log debug ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.");
|
2018-12-20 14:55:40 +00:00
|
|
|
|
2019-07-31 19:04:06 +00:00
|
|
|
/ ip service set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
|
2019-03-25 15:49:26 +00:00
|
|
|
|
2019-07-31 19:04:06 +00:00
|
|
|
:do {
|
|
|
|
/ ip ipsec identity set certificate=($CertNewVal->"name") [ / ip ipsec identity find where certificate=($CertVal->"name") ];
|
|
|
|
/ ip ipsec identity set remote-certificate=($CertNewVal->"name") [ / ip ipsec identity find where remote-certificate=($CertVal->"name") ];
|
|
|
|
} on-error={
|
|
|
|
:log debug ("Setting IPSEC certificates failed. Package 'security' not installed?");
|
|
|
|
}
|
2018-12-20 14:55:40 +00:00
|
|
|
|
2019-07-31 19:04:06 +00:00
|
|
|
:do {
|
|
|
|
/ ip hotspot profile set ssl-certificate=($CertNewVal->"name") [ / ip hotspot profile find where ssl-certificate=($CertVal->"name") ];
|
|
|
|
} on-error={
|
|
|
|
:log debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?");
|
|
|
|
}
|
|
|
|
|
|
|
|
/ certificate remove $Cert;
|
|
|
|
/ certificate set $CertNew name=($CertVal->"name");
|
|
|
|
}
|
2019-01-09 16:34:08 +00:00
|
|
|
|
2019-01-09 21:18:58 +00:00
|
|
|
$SendNotification ("Certificate renewed") \
|
|
|
|
("A certificate on " . $Identity . " has been renewed.\n\n" . \
|
2019-05-20 14:25:36 +00:00
|
|
|
"Name: " . ($CertVal->"name") . "\n" . \
|
|
|
|
"CommonName: " . ($CertNewVal->"common-name") . "\n" . \
|
|
|
|
"Fingerprint: " . ($CertNewVal->"fingerprint") . "\n" . \
|
2019-07-17 14:28:22 +00:00
|
|
|
"Issuer: " . ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") . "\n" . \
|
2019-05-20 14:25:36 +00:00
|
|
|
"Validity: " . ($CertNewVal->"invalid-before") . " to " . ($CertNewVal->"invalid-after") . "\n" . \
|
|
|
|
"Expires in: " . [ $FormatExpire ($CertNewVal->"expires-after") ]);
|
|
|
|
:log info ("The certificate " . ($CertVal->"name") . " has been renewed.");
|
2019-01-09 21:18:58 +00:00
|
|
|
} on-error={
|
2019-05-20 14:25:36 +00:00
|
|
|
:log debug ("Could not renew certificate " . ($CertVal->"name") . ".");
|
2019-03-06 12:49:12 +00:00
|
|
|
}
|
|
|
|
}
|
2019-01-09 10:43:30 +00:00
|
|
|
|
2019-04-11 08:19:46 +00:00
|
|
|
:foreach Cert in=[ / certificate find where !revoked expires-after<2w fingerprint~"."] do={
|
2019-05-20 14:25:36 +00:00
|
|
|
:local CertVal [ / certificate get $Cert ];
|
|
|
|
|
|
|
|
:local ExpiresAfter [ $FormatExpire ($CertVal->"expires-after") ];
|
2019-03-28 12:32:08 +00:00
|
|
|
:local State "is about to expire";
|
2019-05-20 14:25:36 +00:00
|
|
|
:if (($CertVal->"expired") = true) do={
|
2019-03-28 12:32:08 +00:00
|
|
|
:set ExpiresAfter "expired";
|
2019-03-06 12:49:12 +00:00
|
|
|
:set State "expired";
|
2018-07-05 13:29:26 +00:00
|
|
|
}
|
2019-03-06 12:49:12 +00:00
|
|
|
|
|
|
|
$SendNotification ("Certificate warning!") \
|
|
|
|
("A certificate on " . $Identity . " " . $State . ".\n\n" . \
|
2019-05-20 14:25:36 +00:00
|
|
|
"Name: " . ($CertVal->"name") . "\n" . \
|
|
|
|
"CommonName: " . ($CertVal->"common-name") . "\n" . \
|
|
|
|
"Fingerprint: " . ($CertVal->"fingerprint") . "\n" . \
|
2019-07-17 14:28:22 +00:00
|
|
|
"Issuer: " . ($CertVal->"ca") . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "\n" . \
|
2019-05-20 14:25:36 +00:00
|
|
|
"Validity: " . ($CertVal->"invalid-before") . " to " . ($CertVal->"invalid-after") . "\n" . \
|
2019-03-28 12:32:08 +00:00
|
|
|
"Expires in: " . $ExpiresAfter);
|
2019-05-20 14:25:36 +00:00
|
|
|
:log warning ("The certificate " . ($CertVal->"name") . " " . $State . \
|
|
|
|
", it is invalid after " . ($CertVal->"invalid-after") . ".");
|
2018-07-05 13:29:26 +00:00
|
|
|
}
|