Commit graph

56 commits

Author SHA1 Message Date
Christian Hesse
85f9c5d62e check-certificates: exclude issued certificates on SCEP server 2020-04-24 14:38:29 +02:00
Christian Hesse
1e12c0e159 check-certificates: always use parentheses 2020-04-24 13:49:50 +02:00
Christian Hesse
8f03a856e1 check-certificates: add missing blank 2020-04-24 12:19:14 +02:00
Christian Hesse
151630b674 check-certificates: warn about missing chain 2020-04-03 14:36:32 +02:00
Christian Hesse
c1c8d46dc0 check-certificates: check and download certificate chain 2020-04-03 14:12:09 +02:00
Christian Hesse
e962fe9189 add doc/check-certificates.md 2020-03-27 22:12:49 +01:00
Christian Hesse
1282a91f04 check-certificates: exclude certificates issued by SCEP 2020-03-20 22:03:31 +01:00
Christian Hesse
08bb73b6fc check-certificates: use $LogPrintExit for debug 2020-03-05 09:01:11 +01:00
Christian Hesse
001e7eeb39 global-functions: sort alphabetically 2020-02-28 15:26:26 +01:00
Christian Hesse
ceaa83b83e global-functions: merge $LogAnd{Error,Put} to $LogPrintExit ...
... and fix logging.

Logging with severity from variable (:log $severity ...) is not
possible; this is considered a syntax error. Also the 'workaround' with
parsing code failed with a missing message in the log.

The reliable code is a lot longer, so merge the two functions to save a
lot of duplicate code.
2020-02-26 14:19:54 +01:00
Christian Hesse
3cd9b9ead5 check-certificates: use $LogAndPut 2020-02-26 12:55:38 +01:00
Christian Hesse
b70a460f43 check-certificates: use $LogAndError 2020-02-26 12:54:13 +01:00
Christian Hesse
3ebf68a08c global-functions: $LogAndError: add severity 2020-02-26 12:09:19 +01:00
Christian Hesse
801608eeaf check-certificates: use $LogAndError 2020-02-26 11:51:49 +01:00
Christian Hesse
2a80fd6dbe check-certificates: check for synced time 2020-02-24 11:14:49 +01:00
Christian Hesse
23fe30c4e1 check-certificates: rename all certificates by their common names 2020-02-06 18:18:56 +01:00
Christian Hesse
afb9839073 update copyright for 2020 2020-01-01 17:00:39 +01:00
Christian Hesse
9d5c566b1c check-certificates: make renew notification silent 2019-11-11 20:47:11 +01:00
Christian Hesse
70798de8f0 check-certificates: fix renewing certificate in place 2019-07-31 21:04:06 +02:00
Christian Hesse
beb2e70097 check-certificates: use $ParseKeyValueStore 2019-07-18 13:50:01 +02:00
Christian Hesse
cf3cd89398 check-certificates: get certificate values into array 2019-05-21 13:24:43 +02:00
Christian Hesse
b7592f6b18 check-certificates: do not try to renew locally issued certificates 2019-05-02 11:59:43 +02:00
Christian Hesse
360d30bf2a check-certificates: give issuer info on locally issued certificates
Certificates issued locally do not have an 'issuer' property, but a
'ca' one. Looks like one of the two is filled, so just concatenate.
2019-05-02 11:16:28 +02:00
Christian Hesse
7f96e5c966 global-functions: add $WaitForFile, wait for file on fetch
The fetch command is asynchronous, the file is not guaranteed to be
available when command terminates.

I opened an issue with Mikrotik support (Ticket#2019041722004999);
their answer:

> You should perform a check in a loop.
> :delay until file exist
>
> That can happen also with any configuration not just files.

So add a function to wait for a file with given name.

I have not seen this with other configuration, though.
2019-04-30 16:52:53 +02:00
Christian Hesse
5273efda21 check-certificates: make sure fingerprint is a string
This makes sure the condition below works for certificate templates,
which do not have a fingerprint.
2019-04-11 22:22:05 +02:00
Christian Hesse
20d7020fe3 check-certificates: do not send notification for templates 2019-04-11 10:19:46 +02:00
Christian Hesse
ea94b7598e check-certificates: always return a string in $GetIssuerCN 2019-04-11 09:57:20 +02:00
Christian Hesse
58c25c8cca check-certificates: add url encoding for certificate download 2019-04-10 14:47:20 +02:00
Christian Hesse
e562825bd9 check-certificates: try to fetch PEM and P12 file 2019-04-10 14:29:24 +02:00
Christian Hesse
5beebbe8e8 check-certificates: use full path...
... to make sure syntax does not break if the package is not installed.
2019-04-10 14:29:24 +02:00
Christian Hesse
c0b73d6e92 check-certificates: just change certificates, no loop 2019-04-10 13:59:38 +02:00
Christian Hesse
b93d4d40bc drop deprecated mode= for fetch 2019-04-09 18:01:44 +02:00
Christian Hesse
b35c0b8a6f always write warnings and errors to log 2019-04-03 21:30:43 +02:00
Christian Hesse
594aef2aab check-certificates: support multiple passphrases 2019-04-01 22:45:38 +02:00
Christian Hesse
de602cba4f check-certificates: show remaining time 2019-03-28 13:32:08 +01:00
Christian Hesse
04b7b1f3b5 check-certificates: update certificates for ipsec identities 2019-03-25 16:49:26 +01:00
Christian Hesse
a66713d093 check-certificates: split loop for certificate renew and warning
This allows having different time values.
2019-03-06 13:49:12 +01:00
Christian Hesse
afeab858d4 check-certificates: strip prefix from issuer CN 2019-01-12 00:47:53 +01:00
Christian Hesse
e62fbd2489 check-certificates: properly handle expired certificates 2019-01-12 00:04:53 +01:00
Christian Hesse
4ab9f9e7c8 check-certificates: move conditions to loop 2019-01-09 22:26:32 +01:00
Christian Hesse
df7cb1b88b check-certificates: shorten key for detailed infos 2019-01-09 17:38:55 +01:00
Christian Hesse
e51daf2761 check-certificates: show issuer CN only 2019-01-09 17:34:08 +01:00
Christian Hesse
fe34a80a3d check-certificates: include the issuer in notifications 2019-01-09 14:33:09 +01:00
Christian Hesse
1b9a277b47 check-certificates: update CommonName after renewal 2019-01-09 14:29:15 +01:00
Christian Hesse
1ee2491e66 check-certificates: use time functionality
No need to calculate that...
2019-01-09 11:43:30 +01:00
Christian Hesse
5539233417 check-certificates: send notification on renewal 2019-01-09 10:38:41 +01:00
Christian Hesse
6b6c3d5119 check-certificates: drop extra warning
A sent notification implies that renewal failed.
2019-01-09 10:31:54 +01:00
Christian Hesse
870f00bb36 global: variable names are CamelCase
            ___  _         ___     __
           / _ )(_)__ _   / _/__ _/ /_
          / _  / / _ `/  / _/ _ `/ __/
         /____/_/\_, /  /_/ \_,_/\__/
 _       __     /___/       _             __
| |     / /___ __________  (_)___  ____ _/ /
| | /| / / __ `/ ___/ __ \/ / __ \/ __ `/ /
| |/ |/ / /_/ / /  / / / / / / / / /_/ /_/
|__/|__/\__,_/_/  /_/ /_/_/_/ /_/\__, (_)
                                /____/

RouterOS has some odd behavior when it comes to variable names. Let's
have a look at the interfaces:

[admin@MikroTik] > / interface print where name=en1
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU
 0  RS en1                                 ether            1500  1598

That looks ok. Now we use a script:

{ :local interface "en1";
  / interface print where name=$interface; }

And the result...

[admin@MikroTik] > { :local interface "en1";
{...   / interface print where name=$interface; }
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU
 0  RS en1                                 ether            1500  1598

... still looks ok.
We make a little modification to the script:

{ :local name "en1";
  / interface print where name=$name; }

And the result:

[admin@MikroTik] > { :local name "en1";
{...   / interface print where name=$name; }
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU
 0  RS en1                                 ether            1500  1598
 1   S en2                                 ether            1500  1598
 2   S en3                                 ether            1500  1598
 3   S en4                                 ether            1500  1598
 4   S en5                                 ether            1500  1598
 5  R  br-local                            bridge           1500  1598

Oops! The filter has no effect!
That happens whenever the variable name ($name) matches the property
name (name=).

And another modification:

{ :local type "en1";
  / interface print where name=$type; }

And the result:

[admin@MikroTik] > { :local type "en1";
{...   / interface print where name=$type; }
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU

Oops! Nothing?
Even if the variable name ($type) matches any other property name (type=),
things go wrong.

The answer from MikroTik support (in Ticket#2019010222000454):

> This is how scripting works in RouterOS and we will not fix it.

To get around this, we use variable names in CamelCase. Let's hope
Mikrotik never ever introduces property names in CamelCase...

*fingers crossed*
2019-01-04 12:35:34 +01:00
Christian Hesse
472cd3d905 update copyright for 2019 2019-01-02 09:38:34 +01:00
Christian Hesse
44be3d8d07 check-certificates: support auto-renew of certificates 2018-12-20 15:55:40 +01:00