#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
#
# check for certificate validity

:global Identity;
:global CertRenewUrl;
:global CertRenewPass;

:global SendNotification;

:local GetIssuerCN do={
  :foreach IssuerI in=$1 do={
    :if ([ :pick $IssuerI 0 3 ] = "CN=") do={
      :return [ :pick $IssuerI 3 99 ];
    }
  }
}

:foreach Cert in=[ / certificate find where !revoked expires-after<2w ] do={
  :local CertName [ / certificate get $Cert name ];
  :local CommonName [ / certificate get $Cert common-name ];
  :local FingerPrint [ / certificate get $Cert fingerprint ];

  :do {
    :if ([ :len $CertRenewUrl ] = 0) do={
      :error "No CertRenewUrl given.";
    }

    / tool fetch mode=https check-certificate=yes-without-crl url=($CertRenewUrl . $CommonName . ".pem");
    / certificate import file-name=($CommonName . ".pem") passphrase=$CertRenewPass;
    / file remove [ find where name=($CommonName . ".pem") ];

    :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>2w ];
    :local CertNameNew [ / certificate get $CertNew name ];

    :foreach IpService in=[ / ip service find where certificate=$CertName ] do={
      / ip service set $IpService certificate=$CertNameNew;
    }

    :do {
      :foreach Hotspot in=[ / ip hotspot profile find where ssl-certificate=$CertName ] do={
        / ip hotspot profile set $Hotspot ssl-certificate=$CertNameNew;
      }
    } on-error={
      :log debug ("Setting hotspot certificates failed. Hotspot package not installed?");
    }

    / certificate remove $Cert;
    / certificate set $CertNew name=$CertName;

    :local InvalidBefore [ / certificate get $CertNew invalid-before ];
    :local InvalidAfter [ / certificate get $CertNew invalid-after ];
    :local Issuer [ $GetIssuerCN [ / certificate get $CertNew issuer ] ];
    :set CommonName [ / certificate get $CertNew common-name ];
    :set FingerPrint [ / certificate get $CertNew fingerprint ];

    $SendNotification ("Certificate renewed") \
      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
        "Name:        " . $CertName . "\n" . \
        "CommonName:  " . $CommonName . "\n" . \
        "Fingerprint: " . $FingerPrint . "\n" . \
        "Issuer:      " . $Issuer . "\n" . \
        "Validity:    " . $InvalidBefore . " to " . $InvalidAfter);
    :log info ("The certificate " . $CertName . " has been renewed.");
  } on-error={
    :local InvalidBefore [ / certificate get $Cert invalid-before ];
    :local InvalidAfter [ / certificate get $Cert invalid-after ];
    :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];

    :local State;
    :if ([ / certificate get $Cert expired ] = true) do={
      :set State "expired";
    } else={
      :set State "is about to expire";
    }

    $SendNotification ("Certificate warning!") \
      ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
        "Name:        " . $CertName . "\n" . \
        "CommonName:  " . $CommonName . "\n" . \
        "Fingerprint: " . $FingerPrint . "\n" . \
        "Issuer:      " . $Issuer . "\n" . \
        "Validity:    " . $InvalidBefore . " to " . $InvalidAfter);
    :log warning ("The certificate " . $CertName . " " . $State . \
        ", it is invalid after " . $InvalidAfter . ".");
  }
}