aboutsummaryrefslogblamecommitdiffstats
path: root/check-certificates
blob: 308c40149386bf1dbb9f7e0e3ebb7233c64f6d90 (plain) (tree)
1
2
3
4
5
6
7
8
9
     
                                     
                                                         

                                

                      
 
                         

                                             
                                      


     



                                                                                      
                                                                            
                                                   
                                                             
 
                                         
                                         
                                      
 
                                                                                          

                                                                                   
                                                             
 
                                                                                                                   
                                                           
 
                                                                                   
 
         
                                                                                                          



                                                                                          
                                                                                                     
                
                                                                                           
     
 
                                              
 
                                                                


                                                                                       
 




                                                                     
                                                                            
                                                                      

                                                                
 





                                                                            
 
                                                                                  
                                                       
                                
                         
   





                                                                 
                                                                          
                                                                 
 
#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
#
# check for certificate validity

:global Identity;
:global CertRenewUrl;
:global CertRenewPass;

:global SendNotification;

:local GetIssuerCN do={
  :foreach IssuerI in=$1 do={
    :if ([ :pick $IssuerI 0 3 ] = "CN=") do={
      :return [ :pick $IssuerI 3 99 ];
    }
  }
}

:local FormatExpire do={
  :global CharacterReplace;
  :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
}

:foreach Cert in=[ / certificate find where !revoked expires-after<3w ] do={
  :local CertName [ / certificate get $Cert name ];
  :local CommonName [ / certificate get $Cert common-name ];
  :local FingerPrint [ / certificate get $Cert fingerprint ];

  :do {
    :if ([ :len $CertRenewUrl ] = 0) do={
      :log info "No CertRenewUrl given.";
      :error "No CertRenewUrl given.";
    }

    / tool fetch check-certificate=yes-without-crl ($CertRenewUrl . $CommonName . ".pem");
    :foreach PassPhrase in=$CertRenewPass do={
      / certificate import file-name=($CommonName . ".pem") passphrase=$PassPhrase;
    }
    / file remove [ find where name=($CommonName . ".pem") ];

    :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>3w ];
    :local CertNameNew [ / certificate get $CertNew name ];

    / ip service set certificate=$CertNameNew [ find where certificate=$CertName ];

    :do {
      / ip ipsec identity set certificate=$CertNameNew [ find where certificate=$CertName ];
      / ip ipsec identity set remote-certificate=$CertNameNew [ find where remote-certificate=$CertName ];
    } on-error={
      :log debug ("Setting IPSEC certificates failed. Package 'security' not installed?");
    }

    :do {
      / ip hotspot profile set ssl-certificate=$CertNameNew [ find where ssl-certificate=$CertName ];
    } on-error={
      :log debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?");
    }

    / certificate remove $Cert;
    / certificate set $CertNew name=$CertName;

    :set CommonName [ / certificate get $CertNew common-name ];
    :set FingerPrint [ / certificate get $CertNew fingerprint ];
    :local Issuer [ $GetIssuerCN [ / certificate get $CertNew issuer ] ];
    :local InvalidBefore [ / certificate get $CertNew invalid-before ];
    :local InvalidAfter [ / certificate get $CertNew invalid-after ];
    :local ExpiresAfter [ $FormatExpire [ / certificate get $CertNew expires-after ] ];

    $SendNotification ("Certificate renewed") \
      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
        "Name:        " . $CertName . "\n" . \
        "CommonName:  " . $CommonName . "\n" . \
        "Fingerprint: " . $FingerPrint . "\n" . \
        "Issuer:      " . $Issuer . "\n" . \
        "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
        "Expires in:  " . $ExpiresAfter);
    :log info ("The certificate " . $CertName . " has been renewed.");
  } on-error={
    :log debug ("Could not renew certificate " . $CertName ".");
  }
}

:foreach Cert in=[ / certificate find where !revoked expires-after<2w ] do={
  :local CertName [ / certificate get $Cert name ];
  :local CommonName [ / certificate get $Cert common-name ];
  :local FingerPrint [ / certificate get $Cert fingerprint ];
  :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
  :local InvalidBefore [ / certificate get $Cert invalid-before ];
  :local InvalidAfter [ / certificate get $Cert invalid-after ];

  :local ExpiresAfter [ $FormatExpire [ / certificate get $Cert expires-after ] ];
  :local State "is about to expire";
  :if ([ / certificate get $Cert expired ] = true) do={
    :set ExpiresAfter "expired";
    :set State "expired";
  }

  $SendNotification ("Certificate warning!") \
    ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
      "Name:        " . $CertName . "\n" . \
      "CommonName:  " . $CommonName . "\n" . \
      "Fingerprint: " . $FingerPrint . "\n" . \
      "Issuer:      " . $Issuer . "\n" . \
      "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
      "Expires in:  " . $ExpiresAfter);
  :log warning ("The certificate " . $CertName . " " . $State . \
      ", it is invalid after " . $InvalidAfter . ".");
}