routeros-scripts/check-certificates

#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
#
# check for certificate validity

:global Identity;
:global CertRenewUrl;
:global CertRenewPass;

:global SendNotification;
:global UrlEncode;

:local GetIssuerCN do={
  :foreach IssuerI in=$1 do={
    :if ([ :pick $IssuerI 0 3 ] = "CN=") do={
      :return [ :pick $IssuerI 3 99 ];
    }
  }
  :return "";
}

:local FormatExpire do={
  :global CharacterReplace;
  :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
}

:foreach Cert in=[ / certificate find where !revoked expires-after<3w ] do={
  :local CertName [ / certificate get $Cert name ];
  :local CommonName [ / certificate get $Cert common-name ];
  :local FingerPrint [ :tostr [ / certificate get $Cert fingerprint ] ];

  :do {
    :if ([ :len $CertRenewUrl ] = 0) do={
      :log info "No CertRenewUrl given.";
      :error "No CertRenewUrl given.";
    }

    :foreach Type in={ ".pem"; ".p12" } do={
      :local CertFileName ([ $UrlEncode $CommonName ] . $Type);
      :do {
        / tool fetch check-certificate=yes-without-crl ($CertRenewUrl . $CertFileName);
        :foreach PassPhrase in=$CertRenewPass do={
          / certificate import file-name=$CertFileName passphrase=$PassPhrase;
        }
        / file remove [ find where name=$CertFileName ];
      } on-error={
        :log debug ("Could not download certificate file " . $CertFileName);
      }
    }

    :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>3w ];
    :local CertNameNew [ / certificate get $CertNew name ];

    / ip service set certificate=$CertNameNew [ find where certificate=$CertName ];

    :do {
      / ip ipsec identity set certificate=$CertNameNew [ / ip ipsec identity find where certificate=$CertName ];
      / ip ipsec identity set remote-certificate=$CertNameNew [ / ip ipsec identity find where remote-certificate=$CertName ];
    } on-error={
      :log debug ("Setting IPSEC certificates failed. Package 'security' not installed?");
    }

    :do {
      / ip hotspot profile set ssl-certificate=$CertNameNew [ / ip hotspot profile find where ssl-certificate=$CertName ];
    } on-error={
      :log debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?");
    }

    / certificate remove $Cert;
    / certificate set $CertNew name=$CertName;

    :set CommonName [ / certificate get $CertNew common-name ];
    :set FingerPrint [ / certificate get $CertNew fingerprint ];
    :local Issuer [ $GetIssuerCN [ / certificate get $CertNew issuer ] ];
    :local InvalidBefore [ / certificate get $CertNew invalid-before ];
    :local InvalidAfter [ / certificate get $CertNew invalid-after ];
    :local ExpiresAfter [ $FormatExpire [ / certificate get $CertNew expires-after ] ];

    $SendNotification ("Certificate renewed") \
      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
        "Name:        " . $CertName . "\n" . \
        "CommonName:  " . $CommonName . "\n" . \
        "Fingerprint: " . $FingerPrint . "\n" . \
        "Issuer:      " . $Issuer . "\n" . \
        "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
        "Expires in:  " . $ExpiresAfter);
    :log info ("The certificate " . $CertName . " has been renewed.");
  } on-error={
    :log debug ("Could not renew certificate " . $CertName ".");
  }
}

:foreach Cert in=[ / certificate find where !revoked expires-after<2w fingerprint~"."] do={
  :local CertName [ / certificate get $Cert name ];
  :local CommonName [ / certificate get $Cert common-name ];
  :local FingerPrint [ / certificate get $Cert fingerprint ];
  :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
  :local InvalidBefore [ / certificate get $Cert invalid-before ];
  :local InvalidAfter [ / certificate get $Cert invalid-after ];

  :local ExpiresAfter [ $FormatExpire [ / certificate get $Cert expires-after ] ];
  :local State "is about to expire";
  :if ([ / certificate get $Cert expired ] = true) do={
    :set ExpiresAfter "expired";
    :set State "expired";
  }

  $SendNotification ("Certificate warning!") \
    ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
      "Name:        " . $CertName . "\n" . \
      "CommonName:  " . $CommonName . "\n" . \
      "Fingerprint: " . $FingerPrint . "\n" . \
      "Issuer:      " . $Issuer . "\n" . \
      "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
      "Expires in:  " . $ExpiresAfter);
  :log warning ("The certificate " . $CertName . " " . $State . \
      ", it is invalid after " . $InvalidAfter . ".");
}