Crash_Override/routeros-scripts
1
0
Fork 0
mirror of https://github.com/eworm-de/routeros-scripts synced 2024-05-14 08:04:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

check-certificates: move code into function

Browse source
This commit is contained in:
Christian Hesse 2024-03-04 13:48:00 +01:00
parent 2d112c0b33
commit fc3fad5e87
1 changed files with 176 additions and 171 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
check-certificates.rsc
View file

@ -8,10 +8,12 @@
# check for certificate validity # check for certificate validity
# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-certificates.md # https://git.eworm.de/cgit/routeros-scripts/about/doc/check-certificates.md
:local 0 [ :jobname ];
:global GlobalFunctionsReady; :global GlobalFunctionsReady;
:while ($GlobalFunctionsReady != true) do={ :delay 500ms; } :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
:local Main do={
:local ScriptName [ :tostr $1 ];
:global CertRenewTime; :global CertRenewTime;
:global CertRenewUrl; :global CertRenewUrl;
:global CertWarnTime; :global CertWarnTime;
@ -125,7 +127,7 @@
[ $FormatLine "Expires in" [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ] ]); [ $FormatLine "Expires in" [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ] ]);
} }
$ScriptLock $0; $ScriptLock $ScriptName;
$WaitFullyConnected; $WaitFullyConnected;
:foreach Cert in=[ /certificate/find where !revoked !ca !scep-url expires-after<$CertRenewTime ] do={ :foreach Cert in=[ /certificate/find where !revoked !ca !scep-url expires-after<$CertRenewTime ] do={
@ -135,9 +137,9 @@ $WaitFullyConnected;
:do { :do {
:if ([ :len $CertRenewUrl ] = 0) do={ :if ([ :len $CertRenewUrl ] = 0) do={
$LogPrintExit2 info $0 ("No CertRenewUrl given.") true; $LogPrintExit2 info $ScriptName ("No CertRenewUrl given.") true;
} }
$LogPrintExit2 info $0 ("Attempting to renew certificate '" . ($CertVal->"name") . "'.") false; $LogPrintExit2 info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'.") false;
:local ImportSuccess false; :local ImportSuccess false;
:set LastName ($CertVal->"common-name"); :set LastName ($CertVal->"common-name");
@ -150,10 +152,10 @@ $WaitFullyConnected;
} }
:if ([ :len ($CertVal->"fingerprint") ] > 0 && $CertVal->"fingerprint" != [ /certificate/get $Cert fingerprint ]) do={ :if ([ :len ($CertVal->"fingerprint") ] > 0 && $CertVal->"fingerprint" != [ /certificate/get $Cert fingerprint ]) do={
$LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was updated in place.") false; $LogPrintExit2 debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was updated in place.") false;
:set CertVal [ /certificate/get $Cert ]; :set CertVal [ /certificate/get $Cert ];
} else={ } else={
$LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false; $LogPrintExit2 debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;
:set CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $LastName ] ] . "\\.(p12|pem)_[0-9]+\$") \ :set CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $LastName ] ] . "\\.(p12|pem)_[0-9]+\$") \
(common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \ (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
@ -161,12 +163,12 @@ $WaitFullyConnected;
:local CertNewVal [ /certificate/get $CertNew ]; :local CertNewVal [ /certificate/get $CertNew ];
:if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={ :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
$LogPrintExit2 warning $0 ("The certificate chain is not available!") false; $LogPrintExit2 warning $ScriptName ("The certificate chain is not available!") false;
} }
:if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={ :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
/certificate/remove $CertNew; /certificate/remove $CertNew;
$LogPrintExit2 warning $0 ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.") true; $LogPrintExit2 warning $ScriptName ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.") true;
} }
/ip/service/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ]; /ip/service/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
@ -182,12 +184,12 @@ $WaitFullyConnected;
:set CertVal [ /certificate/get $CertNew ]; :set CertVal [ /certificate/get $CertNew ];
} }
$SendNotification2 ({ origin=$0; silent=true; \ $SendNotification2 ({ origin=$ScriptName; silent=true; \
subject=([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed: " . ($CertVal->"name")); \ subject=([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed: " . ($CertVal->"name")); \
message=("A certificate on " . $Identity . " has been renewed.\n\n" . [ $FormatInfo $CertNew ]) }); message=("A certificate on " . $Identity . " has been renewed.\n\n" . [ $FormatInfo $CertNew ]) });
$LogPrintExit2 info $0 ("The certificate '" . ($CertVal->"name") . "' has been renewed.") false; $LogPrintExit2 info $ScriptName ("The certificate '" . ($CertVal->"name") . "' has been renewed.") false;
} on-error={ } on-error={
$LogPrintExit2 debug $0 ("Could not renew certificate '" . ($CertVal->"name") . "'.") false; $LogPrintExit2 debug $ScriptName ("Could not renew certificate '" . ($CertVal->"name") . "'.") false;
} }
} }
@ -196,14 +198,17 @@ $WaitFullyConnected;
:local CertVal [ /certificate/get $Cert ]; :local CertVal [ /certificate/get $Cert ];
:if ([ :len [ /certificate/scep-server/find where ca-cert=($CertVal->"ca") ] ] > 0) do={ :if ([ :len [ /certificate/scep-server/find where ca-cert=($CertVal->"ca") ] ] > 0) do={
$LogPrintExit2 debug $0 ("Certificate '" . ($CertVal->"name") . "' is handled by SCEP, skipping.") false; $LogPrintExit2 debug $ScriptName ("Certificate '" . ($CertVal->"name") . "' is handled by SCEP, skipping.") false;
} else={ } else={
:local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ]; :local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ];
$SendNotification2 ({ origin=$0; \ $SendNotification2 ({ origin=$ScriptName; \
subject=([ $SymbolForNotification "warning-sign" ] . "Certificate warning: " . ($CertVal->"name")); \ subject=([ $SymbolForNotification "warning-sign" ] . "Certificate warning: " . ($CertVal->"name")); \
message=("A certificate on " . $Identity . " " . $State . ".\n\n" . [ $FormatInfo $Cert ]) }); message=("A certificate on " . $Identity . " " . $State . ".\n\n" . [ $FormatInfo $Cert ]) });
$LogPrintExit2 info $0 ("The certificate '" . ($CertVal->"name") . "' " . $State . \ $LogPrintExit2 info $ScriptName ("The certificate '" . ($CertVal->"name") . "' " . $State . \
", it is invalid after " . ($CertVal->"invalid-after") . ".") false; ", it is invalid after " . ($CertVal->"invalid-after") . ".") false;
} }
} }
}
$Main [ :jobname ];