From 4ab9f9e7c82230547aedffbaf73b2c91ff268da7 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 9 Jan 2019 22:18:58 +0100
Subject: check-certificates: move conditions to loop

---
 check-certificates | 110 ++++++++++++++++++++++++-----------------------------
 1 file changed, 50 insertions(+), 60 deletions(-)
(limited to 'check-certificates')

diff --git a/check-certificates b/check-certificates
index 4b26a11..812b653 100644
--- a/check-certificates
+++ b/check-certificates
@@ -18,75 +18,65 @@
   }
 }
-:foreach Cert in=[ / certificate find where !revoked ] do={
+:foreach Cert in=[ / certificate find where !revoked expires-after<2w expires-after>0 ] do={
   :local CertName [ / certificate get $Cert name ];
-  :local ExpiresAfter [ / certificate get $Cert expires-after ];
+  :local CommonName [ / certificate get $Cert common-name ];
+  :local FingerPrint [ / certificate get $Cert fingerprint ];
-  :if ([ :typeof $ExpiresAfter ] = "time") do={
-    :if ($ExpiresAfter < 2w) do={
-      :local CommonName [ / certificate get $Cert common-name ];
-      :local FingerPrint [ / certificate get $Cert fingerprint ];
-
-      :do {
-        :if ([ :len $CertRenewUrl ] = 0) do={
-          :error "No CertRenewUrl given.";
-        }
-
-        / tool fetch mode=https check-certificate=yes-without-crl url=($CertRenewUrl . $CommonName . ".pem");
-        / certificate import file-name=($CommonName . ".pem") passphrase=$CertRenewPass;
-        / file remove [ find where name=($CommonName . ".pem") ];
+  :do {
+    :if ([ :len $CertRenewUrl ] = 0) do={
+      :error "No CertRenewUrl given.";
+    }
-        :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint ];
-        :local CertNameNew [ / certificate get $CertNew name ];
+    / tool fetch mode=https check-certificate=yes-without-crl url=($CertRenewUrl . $CommonName . ".pem");
+    / certificate import file-name=($CommonName . ".pem") passphrase=$CertRenewPass;
+    / file remove [ find where name=($CommonName . ".pem") ];
-        :foreach IpService in=[ / ip service find where certificate=$CertName ] do={
-          / ip service set $IpService certificate=$CertNameNew;
-        }
+    :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>2w ];
+    :local CertNameNew [ / certificate get $CertNew name ];
-        :do {
-          :foreach Hotspot in=[ / ip hotspot profile find where ssl-certificate=$CertName ] do={
-            / ip hotspot profile set $Hotspot ssl-certificate=$CertNameNew;
-          }
-        } on-error={
-          :log debug ("Setting hotspot certificates failed. Hotspot package not installed?");
-        }
+    :foreach IpService in=[ / ip service find where certificate=$CertName ] do={
+      / ip service set $IpService certificate=$CertNameNew;
+    }
-        / certificate remove $Cert;
-        / certificate set $CertNew name=$CertName;
+    :do {
+      :foreach Hotspot in=[ / ip hotspot profile find where ssl-certificate=$CertName ] do={
+        / ip hotspot profile set $Hotspot ssl-certificate=$CertNameNew;
+      }
+    } on-error={
+      :log debug ("Setting hotspot certificates failed. Hotspot package not installed?");
+    }
-        :local InvalidBefore [ / certificate get $CertNew invalid-before ];
-        :local InvalidAfter [ / certificate get $CertNew invalid-after ];
-        :local Issuer [ $GetIssuerCN [ / certificate get $CertNew issuer ] ];
-        :set CommonName [ / certificate get $CertNew common-name ];
-        :set FingerPrint [ / certificate get $CertNew fingerprint ];
+    / certificate remove $Cert;
+    / certificate set $CertNew name=$CertName;
+    :local InvalidBefore [ / certificate get $CertNew invalid-before ];
+    :local InvalidAfter [ / certificate get $CertNew invalid-after ];
+    :local Issuer [ $GetIssuerCN [ / certificate get $CertNew issuer ] ];
+    :set CommonName [ / certificate get $CertNew common-name ];
+    :set FingerPrint [ / certificate get $CertNew fingerprint ];
-        $SendNotification ("Certificate renewed") \
-          ("A certificate on " . $Identity . " has been renewed.\n\n" . \
-          "Name: " . $CertName . "\n" . \
-          "Common Name: " . $CommonName . "\n" . \
-          "Fingerprint: " . $FingerPrint . "\n" . \
-          "Issuer: " . $Issuer . "\n" . \
-          "Validity: " . $InvalidBefore . " to " . $InvalidAfter);
-        :log info ("The certificate " . $CertName . " has been renewed.");
-      } on-error={
-        :local InvalidBefore [ / certificate get $Cert invalid-before ];
-        :local InvalidAfter [ / certificate get $Cert invalid-after ];
-        :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
+    $SendNotification ("Certificate renewed") \
+      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
+      "Name: " . $CertName . "\n" . \
+      "CommonName: " . $CommonName . "\n" . \
+      "Fingerprint: " . $FingerPrint . "\n" . \
+      "Issuer: " . $Issuer . "\n" . \
+      "Validity: " . $InvalidBefore . " to " . $InvalidAfter);
+    :log info ("The certificate " . $CertName . " has been renewed.");
+  } on-error={
+    :local ExpiresAfter [ / certificate get $Cert expires-after ];
+    :local InvalidBefore [ / certificate get $Cert invalid-before ];
+    :local InvalidAfter [ / certificate get $Cert invalid-after ];
+    :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
-        $SendNotification ("Certificate warning!") \
-          ("A certificate on " . $Identity . " is about to expire.\n\n" . \
-          "Name: " . $CertName . "\n" . \
-          "Common Name: " . $CommonName . "\n" . \
-          "Fingerprint: " . $FingerPrint . "\n" . \
-          "Issuer: " . $Issuer . "\n" . \
-          "Validity: " . $InvalidBefore . " to " . $InvalidAfter);
-        :log warning ("The certificate " . $CertName . " is about to expire in " . $ExpiresAfter . ".");
-      }
-    } else={
-      :log debug ("The certificate " . $CertName . " expires in " . $ExpiresAfter . ".");
-    }
-  } else={
-    :log debug ("The certificate " . $CertName . " is just a template.");
+    $SendNotification ("Certificate warning!") \
+      ("A certificate on " . $Identity . " is about to expire.\n\n" . \
+      "Name: " . $CertName . "\n" . \
+      "CommonName: " . $CommonName . "\n" . \
+      "Fingerprint: " . $FingerPrint . "\n" . \
+      "Issuer: " . $Issuer . "\n" . \
+      "Validity: " . $InvalidBefore . " to " . $InvalidAfter);
+    :log warning ("The certificate " . $CertName . " is about to expire in " . $ExpiresAfter . ".");
   }
 }
--
cgit v1.2.3-54-g00ecf
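Review bot: The new `:foreach` filter `expires-after<2w expires-after>0` silently drops certificates that have already expired: the old branch warned for any time-valued `expires-after` below 2w, whereas the new `find` only matches values strictly above zero, so a certificate that lapsed before the script ran is presumably neither renewed nor reported (assuming RouterOS returns a zero or absent `expires-after` for it). If that is not intended, drop `expires-after>0` from the filter and keep the old `[ :typeof $ExpiresAfter ] = "time"` guard inside the loop to exclude templates, or report expired certificates in a separate pass so the gap stays visible in monitoring. A second point in the same hunk: `/ file remove [ find where name=($CommonName . ".pem") ];` runs only after a successful import, so a failing `/ certificate import` (wrong `$CertRenewPass`, malformed download) jumps to `on-error` and leaves the fetched `.pem`, which the passphrase suggests carries the private key, on the router's file store; repeating that `/ file remove` as the first statement of the `on-error` block would close this.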