path: root/doc/check-certificates.md
Diffstat (limited to 'doc/check-certificates.md')
-rw-r--r-- doc/check-certificates.md | 65
1 files changed, 53 insertions, 12 deletions
diff --git a/doc/check-certificates.md b/doc/check-certificates.md
index 318805d..636f719 100644
--- a/doc/check-certificates.md
+++ b/doc/check-certificates.md
@@ -1,7 +1,17 @@
Renew certificates and notify on expiration
===========================================
-[◀ Go back to main README](../README.md)
+[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
+[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.13-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
+[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](../README.md)
+
+> ℹ️ **Info**: This script can not be used on its own but requires the base
+> installation. See [main README](../README.md) for details.
Description
-----------
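Review bot: the "required RouterOS version" badge hard-codes `7.13` as a literal in the image URL, so it is a second place (besides whatever the script itself checks) that has to be bumped on every version requirement change; consider noting in the commit or README where this value is maintained so the badge and the actual requirement do not drift apart. The added info block correctly states the script depends on the base installation, which the old header did not say.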
@@ -9,6 +19,10 @@ Description
This script tries to download and renew certificates, then notifies about
certificates that are still about to expire.
+### Sample notification
+
+![check-certificates notification](check-certificates.d/notification.avif)
+
Requirements and installation
-----------------------------
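Review bot: the new image link points at `check-certificates.d/notification.avif`, but the diffstat shown here is limited to `doc/check-certificates.md`, so confirm that the AVIF file is actually added in this commit (or already present), otherwise the "Sample notification" heading renders with a broken image. Also consider whether the Markdown renderers the project targets display AVIF; if not, a PNG fallback or a note would help.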
@@ -19,32 +33,59 @@ Just install the script:
Configuration
-------------
-The expiry notifications just require notification settings for e-mail and
-telegram.
-
For automatic download and renewal of certificates you need configuration
in `global-config-overlay`, these are the parameters:
* `CertRenewPass`: an array of passphrases to try
+* `CertRenewTime`: on what remaining time to try a renew
* `CertRenewUrl`: the url to download certificates from
+* `CertWarnTime`: on what remaining time to warn via notification
+
+> ℹ️ **Info**: Copy relevant configuration from
+> [`global-config`](../global-config.rsc) (the one without `-overlay`) to
+> your local `global-config-overlay` and modify it to your specific needs.
+
+Certificates on the web server should be named by their common name, like
+`CN.pem` (`PEM` format) or`CN.p12` (`PKCS#12` format). Alternatively any
+subject alternative name (aka *Subject Alt Name* or *SAN*) can be used.
-Certificates on the web server should be named `CN.pem` (`PEM` format) or
-`CN.p12` (`PKCS#12` format).
+Also notification settings are required for
+[e-mail](mod/notification-email.md),
+[matrix](mod/notification-matrix.md),
+[ntfy](mod/notification-ntfy.md) and/or
+[telegram](mod/notification-telegram.md).
Usage and invocation
--------------------
Just run the script:
- / system script run check-certificates;
+ /system/script/run check-certificates;
... or create a scheduler for periodic execution:
- / system scheduler add interval=1d name=check-certificates on-event="/ system script run check-certificates;" start-time=startup;
+ /system/scheduler/add interval=1d name=check-certificates on-event="/system/script/run check-certificates;" start-time=startup;
+
+
+Tips & Tricks
+-------------
+
+### Schedule at startup
+
+The script checks for full connectivity before acting, so scheduling at
+startup is perfectly valid:
+
+ /system/scheduler/add name=check-certificates@startup on-event="/system/script/run check-certificates;" start-time=startup;
+
+### Initial import
-Alternatively running on startup may be desired:
+Given you have a certificate on you server, you can use `check-certificates`
+for the initial import. Just create a *dummy* certificate with short lifetime
+that matches criteria to be renewed:
- / system scheduler add name=check-certificates-startup on-event="/ system script run check-certificates;" start-time=startup;
+ /certificate/add name=example.com common-name=example.com days-valid=1;
+ /certificate/sign example.com;
+ /system/script/run check-certificates;
See also
--------
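Review bot: the "Initial import" tip never states the condition that makes the dummy certificate eligible, namely that `days-valid=1` must be below the configured `CertRenewTime`; spell that out next to `/certificate/add name=example.com common-name=example.com days-valid=1;` so a reader with a larger renew window understands why the import may not trigger. Two typos in the added text: `(`PEM` format) or`CN.p12`` is missing a space before the backtick, and "a certificate on you server" should read "your server". Since `CertRenewUrl` is where the router fetches `CN.pem`/`CN.p12` files that contain private keys (unlocked with `CertRenewPass`), the configuration section should say whether the download verifies the server certificate and recommend an `https://` URL; right now the doc only calls it "the url to download certificates from". Finally, "Usage and invocation" already shows a scheduler with `start-time=startup`, so the separate "Schedule at startup" tip (`check-certificates@startup`, no `interval`) partly duplicates it; a sentence on when to use one versus the other would avoid users creating both.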
@@ -52,5 +93,5 @@ See also
* [Renew locally issued certificates](certificate-renew-issued.md)
---
-[◀ Go back to main README](../README.md)
-[▲ Go back to top](#top)
+[⬅️ Go back to main README](../README.md)
+[⬆️ Go back to top](#top)