From a66713d093d59141ab23e1a282ae9eddb2e7db22 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 6 Mar 2019 13:49:12 +0100
Subject: check-certificates: split loop for certificate renew and warning

This allows to have differnt time values.
---
 check-certificates | 47 +++++++++++++++++++++++++++--------------------
 1 file changed, 27 insertions(+), 20 deletions(-)
(limited to 'check-certificates')
diff --git a/check-certificates b/check-certificates
index 290fd0d..9508f35 100644
--- a/check-certificates
+++ b/check-certificates
@@ -18,7 +18,7 @@
 }
 }
-:foreach Cert in=[ / certificate find where !revoked expires-after<2w ] do={
+:foreach Cert in=[ / certificate find where !revoked expires-after<3w ] do={
 :local CertName [ / certificate get $Cert name ];
 :local CommonName [ / certificate get $Cert common-name ];
 :local FingerPrint [ / certificate get $Cert fingerprint ];
@@ -32,7 +32,7 @@
 / certificate import file-name=($CommonName . ".pem") passphrase=$CertRenewPass;
 / file remove [ find where name=($CommonName . ".pem") ];
- :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>2w ];
+ :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>3w ];
 :local CertNameNew [ / certificate get $CertNew name ];
 :foreach IpService in=[ / ip service find where certificate=$CertName ] do={
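Review bot: The renewal window `3w` is now a literal in two places that have to stay in sync: the selection in this hunk (`expires-after<3w`) and the lookup of the re-imported certificate in the `@@ -32,7 +32,7 @@` hunk (`expires-after>3w`), while the new warning loop in the last hunk uses `2w`. Since the commit's stated purpose is to let the two loops use different values, a named local would make that intent visible and keep the two `3w` literals from drifting apart, e.g. `:local CertRenewTime 3w;` at the top of the script and `expires-after<$CertRenewTime` / `expires-after>$CertRenewTime` in the two `find` clauses; `find where` already takes variables elsewhere in this file (`certificate=$CertName`), so this should work, but confirm that a time value is accepted there. The coupling matters because a re-imported certificate that is valid for less than the window makes the `CertNew` lookup return nothing, and the loop then continues with an empty `$CertNameNew`; that is pre-existing behaviour, but a single variable makes the dependency explicit.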
@@ -65,25 +65,32 @@
 "Validity: " . $InvalidBefore . " to " . $InvalidAfter);
 :log info ("The certificate " . $CertName . " has been renewed.");
 } on-error={
- :local InvalidBefore [ / certificate get $Cert invalid-before ];
- :local InvalidAfter [ / certificate get $Cert invalid-after ];
- :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
+ :log debug ("Could not renew certificate " . $CertName ".");
+ }
+}
- :local State;
- :if ([ / certificate get $Cert expired ] = true) do={
- :set State "expired";
- } else={
- :set State "is about to expire";
- }
+:foreach Cert in=[ / certificate find where !revoked expires-after<2w ] do={
+ :local CertName [ / certificate get $Cert name ];
+ :local CommonName [ / certificate get $Cert common-name ];
+ :local FingerPrint [ / certificate get $Cert fingerprint ];
+ :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
+ :local InvalidBefore [ / certificate get $Cert invalid-before ];
+ :local InvalidAfter [ / certificate get $Cert invalid-after ];
- $SendNotification ("Certificate warning!") \
- ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
- "Name: " . $CertName . "\n" . \
- "CommonName: " . $CommonName . "\n" . \
- "Fingerprint: " . $FingerPrint . "\n" . \
- "Issuer: " . $Issuer . "\n" . \
- "Validity: " . $InvalidBefore . " to " . $InvalidAfter);
- :log warning ("The certificate " . $CertName . " " . $State . \
- ", it is invalid after " . $InvalidAfter . ".");
+ :local State;
+ :if ([ / certificate get $Cert expired ] = true) do={
+ :set State "expired";
+ } else={
+ :set State "is about to expire";
 }
+
+ $SendNotification ("Certificate warning!") \
+ ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
+ "Name: " . $CertName . "\n" . \
+ "CommonName: " . $CommonName . "\n" . \
+ "Fingerprint: " . $FingerPrint . "\n" . \
+ "Issuer: " . $Issuer . "\n" . \
+ "Validity: " . $InvalidBefore . " to " . $InvalidAfter);
+ :log warning ("The certificate " . $CertName . " " . $State . \
+ ", it is invalid after " . $InvalidAfter . ".");
 }
--
cgit v1.2.3-54-g00ecf
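Review bot: The new `on-error` branch only emits `:log debug`, so a failed renewal is no longer surfaced to the operator: the old code sent the warning notification from this branch, whereas the new warning loop only selects certificates with `expires-after<2w`, leaving a renewal that keeps failing between the `3w` renew threshold and the `2w` warning threshold with nothing visible, and debug messages are typically not kept by RouterOS' default logging rules at all. Raising it to at least `:log warning` would close that gap; the `:do` block this branch belongs to begins before the hunk. The same line also appears to be missing the concatenation operator before the final `"."` — every other log line in this hunk writes `. $CertName . " ..."` — so I would change it to `:log warning ("Could not renew certificate " . $CertName . ".");`. Services bound to the certificate (the `ip service` entries re-pointed in the renewal loop) are what expire silently if this path is never noticed.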