author | Christian Hesse <mail@eworm.de> | 2023-07-23 22:01:43 +0200 |
committer | Christian Hesse <mail@eworm.de> | 2023-07-23 22:01:43 +0200 |
commit | 5b789d298b8d6d48d91601b335e1feeeb1374f14 (patch) | |
tree | c56c9b573c4307794c96eba9e917bd18e65f0320 | |
parent | be97de3627f2fa098931d525945114f712ddae71 (diff) |
check-certificates: properly handle in place updates
This worked only sort of: the certificate was updated, but the script
aborted before the notification was sent.
-rw-r--r-- | check-certificates.rsc | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/check-certificates.rsc b/check-certificates.rsc
index db9007a..86e079a 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -122,17 +122,20 @@
 $WaitFullyConnected;
 }
 }
- :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $LastName ] ] . "\\.(p12|pem)_[0-9]+\$") \
- (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
- fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
- :local CertNewVal [ /certificate/get $CertNew ];
+ :if ($CertVal->"fingerprint" != [ /certificate/get $Cert fingerprint ]) do={
+ $LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was updated in place.") false;
+ :set CertVal [ /certificate/get $Cert ];
+ } else {
+ $LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;
- :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
- $LogPrintExit2 warning $0 ("The certificate chain is not available!") false;
- }
+ :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $LastName ] ] . "\\.(p12|pem)_[0-9]+\$") \
+ (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
+ fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
+ :local CertNewVal [ /certificate/get $CertNew ];
- :if ($Cert != $CertNew) do={
- $LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;
+ :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
+ $LogPrintExit2 warning $0 ("The certificate chain is not available!") false;
+ }
 :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
 /certificate/remove $CertNew;
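Review bot: The new in-place branch refreshes `CertVal` but never runs the chain-availability check; the `$CertificateAvailable` warning now lives only in the `else` (replaced) branch, so an in-place renewal that arrives with a new issuer or intermediate would not be flagged. If warning in both cases is intended, add after the `:set CertVal` line `:if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") ] = false) do={` / `$LogPrintExit2 warning $0 ("The certificate chain is not available!") false;` / `}`; if skipping it is deliberate, a one-line comment saying so (`# issuer unchanged on in-place update, chain already verified`) would save the next reader the same question. A minor style point: the new condition reads `$CertVal->"fingerprint"` directly while the find below uses `[ :tostr ($CertVal->"fingerprint") ]` for the same value; picking one form would make the comparison semantics obviously the same. The `:if`/`else` block opened here is closed outside the hunk, so the placement of the existing private-key check relative to the new `else` cannot be confirmed from this view.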