check-certificates: support auto-renew of certificates

2024-05-14 08:04:19 +00:00 · 2018-12-20 15:55:40 +01:00 · 2018-12-20 15:55:40 +01:00 · 44be3d8d07
parent ee49fe3184
commit 44be3d8d07
2 changed files with 49 additions and 10 deletions
--- a/54
+++ b/54
@ -5,6 +5,8 @@
 # check for certificate validity

 :global "identity";
+:global "cert-renew-url";
+:global "cert-renew-pass";

 :global SendNotification;

@ -33,16 +35,48 @@

    :if ($remaining < 15) do={
      :local commonname [ / certificate get $cert common-name ];
-      :local fingerprint [ / certificate get $cert fingerprint ];
-      :local invalidbefore [ / certificate get $cert invalid-before ];
-      :local invalidafter [ / certificate get $cert invalid-after ];
-      $SendNotification ("Certificate warning!") \
-        ("A certificate on " . $identity . " is about to expire.\n\n" . \
-          "Certificate Name: " . $certname . "\n" . \
-          "Common Name:      " . $commonname . "\n" . \
-          "Fingerprint:      " . $fingerprint . "\n" . \
-          "Validity:         " . $invalidbefore . " to " . $invalidafter);
-      :log warning ("A certificate is about to expire within " . $remaining . " days: " . $certname);
+      :local fprint [ / certificate get $cert fingerprint ];
+
+      :do {
+        :if ([ :len $"cert-renew-url" ] = 0) do={
+          :error "No renew-url given.";
+        }
+
+        / tool fetch mode=https check-certificate=yes-without-crl url=($"cert-renew-url" . $commonname . ".pem");
+        / certificate import file-name=($commonname . ".pem") passphrase=$"cert-renew-pass";
+        / file remove [ find where name=($commonname . ".pem") ];
+
+        :local certnew [ / certificate find where common-name=$commonname fingerprint!=$fprint ];
+        :local certnamenew [ / certificate get $certnew name ];
+
+        :foreach ipservice in=[ / ip service find where certificate=$certname ] do={
+          / ip service set $ipservice certificate=$certnamenew;
+        }
+
+        :do {
+          :foreach hotspot in=[ / ip hotspot profile find where ssl-certificate=$certname ] do={
+            / ip hotspot profile set $hotspot ssl-certificate=$certnamenew;
+          }
+        } on-error={
+          :log debug ("Setting hotspot certificates failed. Hotspot package not installed?");
+        }
+
+        / certificate remove $cert;
+        / certificate set $certnew name=$certname;
+      } on-error={
+        :log warning ("Failed to auto-update certificate " . $certname);
+
+        :local invalidbefore [ / certificate get $cert invalid-before ];
+        :local invalidafter [ / certificate get $cert invalid-after ];
+
+        $SendNotification ("Certificate warning!") \
+          ("A certificate on " . $identity . " is about to expire.\n\n" . \
+            "Certificate Name: " . $certname . "\n" . \
+            "Common Name:      " . $commonname . "\n" . \
+            "Fingerprint:      " . $fprint . "\n" . \
+            "Validity:         " . $invalidbefore . " to " . $invalidafter);
+        :log warning ("A certificate is about to expire within " . $remaining . " days: " . $certname);
+      }
    } else={
      :log debug ("The certificate " . $certname . " expires in " . $remaining . " days.");
    }
--- a/5
+++ b/5
@ -90,6 +90,11 @@
  "global-config"
 }

+# Use this for certificate auto-renew
+:global "cert-renew-url" "";
+#:global "cert-renew-url" "https://example.com/certificates/";
+:global "cert-renew-pass" "v3ry-s3cr3t";
+
 # Do *NOT* change these!
 :global "sent-routeros-update-notification" "-";
 :global "sent-lte-firmware-update-notification" "-";