aboutsummaryrefslogtreecommitdiffstats
#!rsc
# RouterOS script: check-certificates
# Copyright (c) 2013-2019 Christian Hesse <mail@eworm.de>
#
# check for certificate validity

:global Identity;
:global CertRenewUrl;
:global CertRenewPass;

:global SendNotification;

:local GetIssuerCN do={
  :foreach IssuerI in=$1 do={
    :if ([ :pick $IssuerI 0 3 ] = "CN=") do={
      :return [ :pick $IssuerI 3 99 ];
    }
  }
}

:local FormatExpire do={
  :global CharacterReplace;
  :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
}

:foreach Cert in=[ / certificate find where !revoked expires-after<3w ] do={
  :local CertName [ / certificate get $Cert name ];
  :local CommonName [ / certificate get $Cert common-name ];
  :local FingerPrint [ / certificate get $Cert fingerprint ];

  :do {
    :if ([ :len $CertRenewUrl ] = 0) do={
      :error "No CertRenewUrl given.";
    }

    / tool fetch mode=https check-certificate=yes-without-crl url=($CertRenewUrl . $CommonName . ".pem");
    :foreach PassPhrase in=$CertRenewPass do={
      / certificate import file-name=($CommonName . ".pem") passphrase=$PassPhrase;
    }
    / file remove [ find where name=($CommonName . ".pem") ];

    :local CertNew [ / certificate find where common-name=$CommonName fingerprint!=$FingerPrint expires-after>3w ];
    :local CertNameNew [ / certificate get $CertNew name ];

    :foreach IpService in=[ / ip service find where certificate=$CertName ] do={
      / ip service set $IpService certificate=$CertNameNew;
    }

    :do {
      :foreach Identity in=[ / ip ipsec identity find where certificate=$CertName ] do={
        / ip ipsec identity set $Identity certificate=$CertNameNew;
      }
      :foreach Identity in=[ / ip ipsec identity find where remote-certificate=$CertName ] do={
        / ip ipsec identity set $Identity remote-certificate=$CertNameNew;
      }
    } on-error={
      :log debug ("Setting IPSEC certificates failed. Package 'security' not installed?");
    }

    :do {
      :foreach Hotspot in=[ / ip hotspot profile find where ssl-certificate=$CertName ] do={
        / ip hotspot profile set $Hotspot ssl-certificate=$CertNameNew;
      }
    } on-error={
      :log debug ("Setting hotspot certificates failed. Package 'hotspot' not installed?");
    }

    / certificate remove $Cert;
    / certificate set $CertNew name=$CertName;

    :set CommonName [ / certificate get $CertNew common-name ];
    :set FingerPrint [ / certificate get $CertNew fingerprint ];
    :local Issuer [ $GetIssuerCN [ / certificate get $CertNew issuer ] ];
    :local InvalidBefore [ / certificate get $CertNew invalid-before ];
    :local InvalidAfter [ / certificate get $CertNew invalid-after ];
    :local ExpiresAfter [ $FormatExpire [ / certificate get $CertNew expires-after ] ];

    $SendNotification ("Certificate renewed") \
      ("A certificate on " . $Identity . " has been renewed.\n\n" . \
        "Name:        " . $CertName . "\n" . \
        "CommonName:  " . $CommonName . "\n" . \
        "Fingerprint: " . $FingerPrint . "\n" . \
        "Issuer:      " . $Issuer . "\n" . \
        "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
        "Expires in:  " . $ExpiresAfter);
    :log info ("The certificate " . $CertName . " has been renewed.");
  } on-error={
    :log debug ("Could not renew certificate " . $CertName ".");
  }
}

:foreach Cert in=[ / certificate find where !revoked expires-after<2w ] do={
  :local CertName [ / certificate get $Cert name ];
  :local CommonName [ / certificate get $Cert common-name ];
  :local FingerPrint [ / certificate get $Cert fingerprint ];
  :local Issuer [ $GetIssuerCN [ / certificate get $Cert issuer ] ];
  :local InvalidBefore [ / certificate get $Cert invalid-before ];
  :local InvalidAfter [ / certificate get $Cert invalid-after ];

  :local ExpiresAfter [ $FormatExpire [ / certificate get $Cert expires-after ] ];
  :local State "is about to expire";
  :if ([ / certificate get $Cert expired ] = true) do={
    :set ExpiresAfter "expired";
    :set State "expired";
  }

  $SendNotification ("Certificate warning!") \
    ("A certificate on " . $Identity . " " . $State . ".\n\n" . \
      "Name:        " . $CertName . "\n" . \
      "CommonName:  " . $CommonName . "\n" . \
      "Fingerprint: " . $FingerPrint . "\n" . \
      "Issuer:      " . $Issuer . "\n" . \
      "Validity:    " . $InvalidBefore . " to " . $InvalidAfter . "\n" . \
      "Expires in:  " . $ExpiresAfter);
  :log warning ("The certificate " . $CertName . " " . $State . \
      ", it is invalid after " . $InvalidAfter . ".");
}