diff options
author | Christian Hesse <mail@eworm.de> | 2023-04-06 14:56:36 +0200 |
---|---|---|
committer | Christian Hesse <mail@eworm.de> | 2023-04-07 22:53:33 +0200 |
commit | 11093045f30eb289c17c9d08a80de69798ad942d (patch) | |
tree | 0dbbc9f7dd7fb10b0a8528d398b5cd16f5265cde | |
parent | 4073daa13990076c695a2d9c32208faf7415617b (diff) |
check-certificates: download and import in a local function
-rw-r--r-- | check-certificates.rsc | 72 |
1 files changed, 41 insertions, 31 deletions
diff --git a/check-certificates.rsc b/check-certificates.rsc index 6b35cbf..8250269 100644 --- a/check-certificates.rsc +++ b/check-certificates.rsc @@ -10,23 +10,59 @@ :global GlobalFunctionsReady; :while ($GlobalFunctionsReady != true) do={ :delay 500ms; } -:global CertRenewPass; :global CertRenewTime; :global CertRenewUrl; :global CertWarnTime; :global Identity; :global CertificateAvailable -:global CertificateNameByCN; :global IfThenElse; :global LogPrintExit2; :global ParseKeyValueStore; :global SendNotification2; :global SymbolForNotification; -:global UrlEncode; -:global WaitForFile; :global WaitFullyConnected; +:local CheckCertificatesDownloadImport do={ + :local Name [ :tostr $1 ]; + + :global CertRenewUrl; + :global CertRenewPass; + + :global CertificateNameByCN; + :global LogPrintExit2; + :global UrlEncode; + :global WaitForFile; + + :foreach Type in={ ".pem"; ".p12" } do={ + :local CertFileName ([ $UrlEncode $Name ] . $Type); + :do { + /tool/fetch check-certificate=yes-without-crl \ + ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value; + $WaitForFile $CertFileName; + + :local DecryptionFailed true; + :foreach PassPhrase in=$CertRenewPass do={ + :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ]; + :if ($Result->"decryption-failures" = 0) do={ + :set DecryptionFailed false; + } + } + /file/remove [ find where name=$CertFileName ]; + + :if ($DecryptionFailed = true) do={ + $LogPrintExit2 warning $0 ("Decryption failed for certificate file " . $CertFileName) false; + } + + :foreach CertInChain in=[ /certificate/find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=$Name ] do={ + $CertificateNameByCN [ /certificate/get $CertInChain common-name ]; + } + } on-error={ + $LogPrintExit2 debug $0 ("Could not download certificate file " . $CertFileName) false; + } + } +} + :local FormatInfo do={ :local CertVal $1; @@ -70,33 +106,7 @@ $WaitFullyConnected; } $LogPrintExit2 info $0 ("Attempting to renew certificate " . ($CertVal->"name") . ".") false; - :foreach Type in={ ".pem"; ".p12" } do={ - :local CertFileName ([ $UrlEncode ($CertVal->"common-name") ] . $Type); - :do { - /tool/fetch check-certificate=yes-without-crl \ - ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value; - $WaitForFile $CertFileName; - - :local DecryptionFailed true; - :foreach PassPhrase in=$CertRenewPass do={ - :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ]; - :if ($Result->"decryption-failures" = 0) do={ - :set DecryptionFailed false; - } - } - /file/remove [ find where name=$CertFileName ]; - - :if ($DecryptionFailed = true) do={ - $LogPrintExit2 warning $0 ("Decryption failed for certificate file " . $CertFileName) false; - } - - :foreach CertInChain in=[ /certificate/find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={ - $CertificateNameByCN [ /certificate/get $CertInChain common-name ]; - } - } on-error={ - $LogPrintExit2 debug $0 ("Could not download certificate file " . $CertFileName) false; - } - } + $CheckCertificatesDownloadImport ($CertVal->"common-name"); :local CertNew [ /certificate/find where common-name=($CertVal->"common-name") fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ]; :local CertNewVal [ /certificate/get $CertNew ]; |