#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
#
# check for certificate validity

:global "identity";
:global "cert-renew-url";
:global "cert-renew-pass";

:global SendNotification;

:local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");

:local currentdate [ / system clock get date ];

:local currentmonthstr [ :pick $currentdate 0 3 ];
:local currentday [ :pick $currentdate 4 6 ];
:local currentyear [ :pick $currentdate 7 11 ];
:local currentmonth ([ :find $months $currentmonthstr -1 ] + 1);
:local currentstamp ($currentyear * 365 + $currentmonth * 30 + $currentday);

:foreach cert in=[ / certificate find where !revoked ] do={
  :local certname [ / certificate get $cert name ];
  :local invaliddate [ / certificate get $cert invalid-after ];

  :if ([ :len $invaliddate ] > 0) do={
    :local invalidmonthstr [ :pick $invaliddate 0 3 ];
    :local invalidday [ :pick $invaliddate 4 6 ];
    :local invalidyear [ :pick $invaliddate 7 11 ];
    :local invalidmonth ([ :find $months $invalidmonthstr -1 ] + 1);
    :local invalidstamp ($invalidyear * 365 + invalidmonth * 30 + invalidday);

    :local remaining ($invalidstamp - $currentstamp);

    :if ($remaining < 15) do={
      :local commonname [ / certificate get $cert common-name ];
      :local fprint [ / certificate get $cert fingerprint ];

      :do {
        :if ([ :len $"cert-renew-url" ] = 0) do={
          :error "No renew-url given.";
        }

        / tool fetch mode=https check-certificate=yes-without-crl url=($"cert-renew-url" . $commonname . ".pem");
        / certificate import file-name=($commonname . ".pem") passphrase=$"cert-renew-pass";
        / file remove [ find where name=($commonname . ".pem") ];

        :local certnew [ / certificate find where common-name=$commonname fingerprint!=$fprint ];
        :local certnamenew [ / certificate get $certnew name ];

        :foreach ipservice in=[ / ip service find where certificate=$certname ] do={
          / ip service set $ipservice certificate=$certnamenew;
        }

        :do {
          :foreach hotspot in=[ / ip hotspot profile find where ssl-certificate=$certname ] do={
            / ip hotspot profile set $hotspot ssl-certificate=$certnamenew;
          }
        } on-error={
          :log debug ("Setting hotspot certificates failed. Hotspot package not installed?");
        }

        / certificate remove $cert;
        / certificate set $certnew name=$certname;
      } on-error={
        :log warning ("Failed to auto-update certificate " . $certname);

        :local invalidbefore [ / certificate get $cert invalid-before ];
        :local invalidafter [ / certificate get $cert invalid-after ];

        $SendNotification ("Certificate warning!") \
          ("A certificate on " . $identity . " is about to expire.\n\n" . \
            "Certificate Name: " . $certname . "\n" . \
            "Common Name:      " . $commonname . "\n" . \
            "Fingerprint:      " . $fprint . "\n" . \
            "Validity:         " . $invalidbefore . " to " . $invalidafter);
        :log warning ("A certificate is about to expire within " . $remaining . " days: " . $certname);
      }
    } else={
      :log debug ("The certificate " . $certname . " expires in " . $remaining . " days.");
    }
  } else={
    :log debug ("The certificate " . $certname . " is just a template.");
  }
}