From 44be3d8d07da80bfb0610b92763a2fded466a01e Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 20 Dec 2018 15:55:40 +0100
Subject: check-certificates: support auto-renew of certificates
---
 check-certificates | 54 ++++++++++++++++++++++++++++++++++++++++++++----------
 global-config      |  5 +++++
 2 files changed, 49 insertions(+), 10 deletions(-)
diff --git a/check-certificates b/check-certificates
index 557589e..c95ead8 100644
--- a/check-certificates
+++ b/check-certificates
@@ -5,6 +5,8 @@
 # check for certificate validity
 :global "identity";
+:global "cert-renew-url";
+:global "cert-renew-pass";
 :global SendNotification;
@@ -33,16 +35,48 @@
   :if ($remaining < 15) do={
     :local commonname [ / certificate get $cert common-name ];
-    :local fingerprint [ / certificate get $cert fingerprint ];
-    :local invalidbefore [ / certificate get $cert invalid-before ];
-    :local invalidafter [ / certificate get $cert invalid-after ];
-    $SendNotification ("Certificate warning!") \ ("A certificate on " . $identity . " is about to expire.\n\n" . \ "Certificate Name: " . $certname . "\n" . \ "Common Name: " . $commonname . "\n" . \ "Fingerprint: " . $fingerprint . "\n" . \ "Validity: " . $invalidbefore . " to " . $invalidafter);
-    :log warning ("A certificate is about to expire within " . $remaining . " days: " . $certname);
+    :local fprint [ / certificate get $cert fingerprint ];
+
+    :do {
+      :if ([ :len $"cert-renew-url" ] = 0) do={
+        :error "No renew-url given.";
+      }
+
+      / tool fetch mode=https check-certificate=yes-without-crl url=($"cert-renew-url" . $commonname . ".pem");
+      / certificate import file-name=($commonname . ".pem") passphrase=$"cert-renew-pass";
+      / file remove [ find where name=($commonname . ".pem") ];
+
+      :local certnew [ / certificate find where common-name=$commonname fingerprint!=$fprint ];
+      :local certnamenew [ / certificate get $certnew name ];
+
+      :foreach ipservice in=[ / ip service find where certificate=$certname ] do={
+        / ip service set $ipservice certificate=$certnamenew;
+      }
+
+      :do {
+        :foreach hotspot in=[ / ip hotspot profile find where ssl-certificate=$certname ] do={
+          / ip hotspot profile set $hotspot ssl-certificate=$certnamenew;
+        }
+      } on-error={
+        :log debug ("Setting hotspot certificates failed. Hotspot package not installed?");
+      }
+
+      / certificate remove $cert;
+      / certificate set $certnew name=$certname;
+    } on-error={
+      :log warning ("Failed to auto-update certificate " . $certname);
+
+      :local invalidbefore [ / certificate get $cert invalid-before ];
+      :local invalidafter [ / certificate get $cert invalid-after ];
+
+      $SendNotification ("Certificate warning!") \ ("A certificate on " . $identity . " is about to expire.\n\n" . \ "Certificate Name: " . $certname . "\n" . \ "Common Name: " . $commonname . "\n" . \ "Fingerprint: " . $fprint . "\n" . \ "Validity: " . $invalidbefore . " to " . $invalidafter);
+      :log warning ("A certificate is about to expire within " . $remaining . " days: " . $certname);
+    }
   } else={
     :log debug ("The certificate " . $certname . " expires in " . $remaining . " days.");
   }
diff --git a/global-config b/global-config
index be0392a..2312c78 100644
--- a/global-config
+++ b/global-config
@@ -90,6 +90,11 @@
 "global-config"
 }
+# Use this for certificate auto-renew
+:global "cert-renew-url" "";
+#:global "cert-renew-url" "https://example.com/certificates/";
+:global "cert-renew-pass" "v3ry-s3cr3t";
+
 # Do *NOT* change these!
 :global "sent-routeros-update-notification" "-";
 :global "sent-lte-firmware-update-notification" "-";
-- cgit v1.2.3-54-g00ecf
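Review bot: `:local certnamenew [ / certificate get $certnew name ]` assumes the preceding `find where common-name=$commonname fingerprint!=$fprint` returns exactly one id, but it is empty when the fetched PEM holds the certificate that is already installed and can hold several ids if other certificates share the common name (for example one left over from a run that failed before the rename); either way the cause is hidden behind the generic "Failed to auto-update" warning. A guard such as `:if ([ :len $certnew ] != 1) do={ :error "no unique renewed certificate found"; }` before that line names the failure, and comparing the new certificate's validity end with the old one before `/ certificate remove $cert` (using whatever property the `$remaining` computation above the hunk is based on) would keep a stale file on the server from replacing a still-valid certificate and its key. Note also that `/ file remove` is only reached when `/ certificate import` succeeds, so a wrong `cert-renew-pass` leaves the downloaded PEM — imported with a passphrase, so presumably containing the private key — on the router's storage; the on-error branch should remove it as well. The enclosing loop starts outside the hunk.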
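Review bot: `:global "cert-renew-pass" "v3ry-s3cr3t";` ships a non-empty placeholder passphrase, unlike `cert-renew-url` two lines above, which defaults to `""` with the example kept in a comment; an operator who copies this template and uses the documented value on the server side as well protects the downloaded key material with a string that is public in this repository. Mirroring the URL pattern, `:global "cert-renew-pass" "";` followed by `#:global "cert-renew-pass" "<your-passphrase>";`, makes the missing setting obvious and causes the import to fail rather than succeed with a guessable value. Since this file is presumably a script stored on the device, the passphrase sits in plain text wherever the script is exported or backed up, which is worth stating in the comment above these lines.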