diff options
Diffstat (limited to 'doc/check-certificates.md')
-rw-r--r-- | doc/check-certificates.md | 66 |
1 files changed, 52 insertions, 14 deletions
diff --git a/doc/check-certificates.md b/doc/check-certificates.md index 5b1e3b2..636f719 100644 --- a/doc/check-certificates.md +++ b/doc/check-certificates.md @@ -1,10 +1,17 @@ Renew certificates and notify on expiration =========================================== -[◀ Go back to main README](../README.md) +[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers) +[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network) +[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers) +[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.13-yellow?style=flat)](https://mikrotik.com/download/changelogs/) +[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts) +[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J) -🛈 This script can not be used on its own but requires the base installation. -See [main README](../README.md) for details. +[⬅️ Go back to main README](../README.md) + +> ℹ️ **Info**: This script can not be used on its own but requires the base +> installation. See [main README](../README.md) for details. Description ----------- @@ -12,6 +19,10 @@ Description This script tries to download and renew certificates, then notifies about certificates that are still about to expire. +### Sample notification + +![check-certificates notification](check-certificates.d/notification.avif) + Requirements and installation ----------------------------- @@ -22,32 +33,59 @@ Just install the script: Configuration ------------- -The expiry notifications just require notification settings for e-mail and -telegram. - For automatic download and renewal of certificates you need configuration in `global-config-overlay`, these are the parameters: * `CertRenewPass`: an array of passphrases to try +* `CertRenewTime`: on what remaining time to try a renew * `CertRenewUrl`: the url to download certificates from +* `CertWarnTime`: on what remaining time to warn via notification -Certificates on the web server should be named `CN.pem` (`PEM` format) or -`CN.p12` (`PKCS#12` format). +> ℹ️ **Info**: Copy relevant configuration from +> [`global-config`](../global-config.rsc) (the one without `-overlay`) to +> your local `global-config-overlay` and modify it to your specific needs. + +Certificates on the web server should be named by their common name, like +`CN.pem` (`PEM` format) or`CN.p12` (`PKCS#12` format). Alternatively any +subject alternative name (aka *Subject Alt Name* or *SAN*) can be used. + +Also notification settings are required for +[e-mail](mod/notification-email.md), +[matrix](mod/notification-matrix.md), +[ntfy](mod/notification-ntfy.md) and/or +[telegram](mod/notification-telegram.md). Usage and invocation -------------------- Just run the script: - / system script run check-certificates; + /system/script/run check-certificates; ... or create a scheduler for periodic execution: - / system scheduler add interval=1d name=check-certificates on-event="/ system script run check-certificates;" start-time=startup; + /system/scheduler/add interval=1d name=check-certificates on-event="/system/script/run check-certificates;" start-time=startup; + + +Tips & Tricks +------------- + +### Schedule at startup + +The script checks for full connectivity before acting, so scheduling at +startup is perfectly valid: + + /system/scheduler/add name=check-certificates@startup on-event="/system/script/run check-certificates;" start-time=startup; + +### Initial import -Alternatively running on startup may be desired: +Given you have a certificate on you server, you can use `check-certificates` +for the initial import. Just create a *dummy* certificate with short lifetime +that matches criteria to be renewed: - / system scheduler add name=check-certificates-startup on-event="/ system script run check-certificates;" start-time=startup; + /certificate/add name=example.com common-name=example.com days-valid=1; + /certificate/sign example.com; + /system/script/run check-certificates; See also -------- @@ -55,5 +93,5 @@ See also * [Renew locally issued certificates](certificate-renew-issued.md) --- -[◀ Go back to main README](../README.md) -[▲ Go back to top](#top) +[⬅️ Go back to main README](../README.md) +[⬆️ Go back to top](#top) |