routeros-scripts/check-certificates
2018-12-20 15:55:40 +01:00

86 lines
3.4 KiB
Text

#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2018 Christian Hesse <mail@eworm.de>
#
# check for certificate validity
:global "identity";
:global "cert-renew-url";
:global "cert-renew-pass";
:global SendNotification;
:local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
:local currentdate [ / system clock get date ];
:local currentmonthstr [ :pick $currentdate 0 3 ];
:local currentday [ :pick $currentdate 4 6 ];
:local currentyear [ :pick $currentdate 7 11 ];
:local currentmonth ([ :find $months $currentmonthstr -1 ] + 1);
:local currentstamp ($currentyear * 365 + $currentmonth * 30 + $currentday);
:foreach cert in=[ / certificate find where !revoked ] do={
:local certname [ / certificate get $cert name ];
:local invaliddate [ / certificate get $cert invalid-after ];
:if ([ :len $invaliddate ] > 0) do={
:local invalidmonthstr [ :pick $invaliddate 0 3 ];
:local invalidday [ :pick $invaliddate 4 6 ];
:local invalidyear [ :pick $invaliddate 7 11 ];
:local invalidmonth ([ :find $months $invalidmonthstr -1 ] + 1);
:local invalidstamp ($invalidyear * 365 + invalidmonth * 30 + invalidday);
:local remaining ($invalidstamp - $currentstamp);
:if ($remaining < 15) do={
:local commonname [ / certificate get $cert common-name ];
:local fprint [ / certificate get $cert fingerprint ];
:do {
:if ([ :len $"cert-renew-url" ] = 0) do={
:error "No renew-url given.";
}
/ tool fetch mode=https check-certificate=yes-without-crl url=($"cert-renew-url" . $commonname . ".pem");
/ certificate import file-name=($commonname . ".pem") passphrase=$"cert-renew-pass";
/ file remove [ find where name=($commonname . ".pem") ];
:local certnew [ / certificate find where common-name=$commonname fingerprint!=$fprint ];
:local certnamenew [ / certificate get $certnew name ];
:foreach ipservice in=[ / ip service find where certificate=$certname ] do={
/ ip service set $ipservice certificate=$certnamenew;
}
:do {
:foreach hotspot in=[ / ip hotspot profile find where ssl-certificate=$certname ] do={
/ ip hotspot profile set $hotspot ssl-certificate=$certnamenew;
}
} on-error={
:log debug ("Setting hotspot certificates failed. Hotspot package not installed?");
}
/ certificate remove $cert;
/ certificate set $certnew name=$certname;
} on-error={
:log warning ("Failed to auto-update certificate " . $certname);
:local invalidbefore [ / certificate get $cert invalid-before ];
:local invalidafter [ / certificate get $cert invalid-after ];
$SendNotification ("Certificate warning!") \
("A certificate on " . $identity . " is about to expire.\n\n" . \
"Certificate Name: " . $certname . "\n" . \
"Common Name: " . $commonname . "\n" . \
"Fingerprint: " . $fprint . "\n" . \
"Validity: " . $invalidbefore . " to " . $invalidafter);
:log warning ("A certificate is about to expire within " . $remaining . " days: " . $certname);
}
} else={
:log debug ("The certificate " . $certname . " expires in " . $remaining . " days.");
}
} else={
:log debug ("The certificate " . $certname . " is just a template.");
}
}