#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
#
# check for certificate validity

:global Identity;
:global CertRenewUrl;
:global CertRenewPass;

:global SendNotification;

:foreach Cert in=[ / certificate find where !revoked ] do={
  :local CertName [ / certificate get $Cert name ];
  :local ExpiresAfter [ / certificate get $Cert expires-after ];

  :if ([ :typeof $ExpiresAfter ] = "time") do={
    :if ($ExpiresAfter < 2w) do={
      :local CommonName [ / certificate get $Cert common-name ];
      :local FingerPrint [ / certificate get $Cert fingerprint ];

      :do {
        :if ([ :len $CertRenewUrl ] = 0) do={
          :error "No CertRenewUrl given.";
        }

        / tool fetch mode=https check-certificate=yes-without-crl url=($CertRenewUrl . $CommonName . ".pem");
        / certificate import file-name=($CommonName . ".pem") passphrase=$CertRenewPass;
        / file remove [ find where name=($CommonName . ".pem") ];

        :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint ];
        :local CertNameNew [ / certificate get $CertNew name ];

        :foreach IpService in=[ / ip service find where certificate=$CertName ] do={
          / ip service set $IpService certificate=$CertNameNew;
        }

        :do {
          :foreach Hotspot in=[ / ip hotspot profile find where ssl-certificate=$CertName ] do={
            / ip hotspot profile set $Hotspot ssl-certificate=$CertNameNew;
          }
        } on-error={
          :log debug ("Setting hotspot certificates failed. Hotspot package not installed?");
        }

        / certificate remove $Cert;
        / certificate set $CertNew name=$CertName;

        :local InvalidBefore [ / certificate get $CertNew invalid-before ];
        :local InvalidAfter [ / certificate get $CertNew invalid-after ];
        :set FingerPrint [ / certificate get $CertNew fingerprint ];

        $SendNotification ("Certificate renewed") \
          ("A certificate on " . $Identity . " has been renewed.\n\n" . \
            "Certificate Name: " . $CertName . "\n" . \
            "Common Name:      " . $CommonName . "\n" . \
            "Fingerprint:      " . $FingerPrint . "\n" . \
            "Validity:         " . $InvalidBefore . " to " . $InvalidAfter);
        :log info ("The certificate " . $CertName . " has been renewed.");
      } on-error={
        :local InvalidBefore [ / certificate get $Cert invalid-before ];
        :local InvalidAfter [ / certificate get $Cert invalid-after ];

        $SendNotification ("Certificate warning!") \
          ("A certificate on " . $Identity . " is about to expire.\n\n" . \
            "Certificate Name: " . $CertName . "\n" . \
            "Common Name:      " . $CommonName . "\n" . \
            "Fingerprint:      " . $FingerPrint . "\n" . \
            "Validity:         " . $InvalidBefore . " to " . $InvalidAfter);
        :log warning ("The certificate " . $CertName . " is about to expire in " . $ExpiresAfter . ".");
      }
    } else={
      :log debug ("The certificate " . $CertName . " expires in " . $ExpiresAfter . ".");
    }
  } else={
    :log debug ("The certificate " . $CertName . " is just a template.");
  }
}