1 files changed, 29 insertions, 13 deletions
diff --git a/check-certificates.rsc b/check-certificates.rsc
index 7aaac84..0907395 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -1,16 +1,18 @@
 #!rsc by RouterOS
 # RouterOS script: check-certificates
-# Copyright (c) 2013-2024 Christian Hesse <mail@eworm.de>
-# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
+# Copyright (c) 2013-2025 Christian Hesse <mail@eworm.de>
+# https://rsc.eworm.de/COPYING.md
 #
-# requires RouterOS, version=7.14
+# requires RouterOS, version=7.15
+# requires device-mode, fetch
 #
 # check for certificate validity
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-certificates.md
+# https://rsc.eworm.de/doc/check-certificates.md
 
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 
+:local ExitOK false;
 :do {
   :local ScriptName [ :jobname ];
 
@@ -32,7 +34,8 @@
 
   :local CheckCertificatesDownloadImport do={
     :local ScriptName [ :tostr $1 ];
-    :local Name       [ :tostr $2 ];
+    :local CertName   [ :tostr $2 ];
+    :local FetchName  [ :tostr $3 ];
 
     :global CertRenewUrl;
     :global CertRenewPass;
@@ -41,13 +44,14 @@
     :global EscapeForRegEx;
     :global FetchUserAgentStr;
     :global LogPrint;
+    :global RmFile;
     :global UrlEncode;
     :global WaitForFile;
 
     :local Return false;
 
     :foreach Type in={ ".pem"; ".p12" } do={
-      :local CertFileName ([ $UrlEncode $Name ] . $Type);
+      :local CertFileName ([ $UrlEncode $FetchName ] . $Type);
       :do {
         /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
             ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
@@ -60,14 +64,16 @@
             :set DecryptionFailed false;
           }
         }
-        /file/remove [ find where name=$CertFileName ];
+        $RmFile $CertFileName;
 
         :if ($DecryptionFailed = true) do={
           $LogPrint warning $ScriptName ("Decryption failed for certificate file '" . $CertFileName . "'.");
         }
 
-        :foreach CertInChain in=[ /certificate/find where name~("^" . [ $EscapeForRegEx $CertFileName ] . "_[0-9]+\$") \
-            common-name!=$Name !(subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $Name ] . "(\\W|\$)")) !(common-name=[]) ] do={
+        :foreach CertInChain in=[ /certificate/find where common-name!=$CertName !private-key \
+            name~("^" . [ $EscapeForRegEx $CertFileName ] . "_[0-9]+\$") \
+            !(subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $CertName ] . "(\\W|\$)")) \
+            !(common-name=[]) ] do={
           $CertificateNameByCN [ /certificate/get $CertInChain common-name ];
         }
 
@@ -133,6 +139,7 @@
   }
 
   :if ([ $ScriptLock $ScriptName ] = false) do={
+    :set ExitOK true;
     :error false;
   }
   $WaitFullyConnected;
@@ -140,6 +147,7 @@
   :foreach Cert in=[ /certificate/find where !revoked !ca !scep-url expires-after<$CertRenewTime ] do={
     :local CertVal [ /certificate/get $Cert ];
     :local LastName;
+    :local FetchName;
 
     :do {
       :if ([ :len $CertRenewUrl ] = 0) do={
@@ -150,11 +158,17 @@
 
       :local ImportSuccess false;
       :set LastName ($CertVal->"common-name");
-      :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName ];
+      :set FetchName $LastName;
+      :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
       :foreach SAN in=($CertVal->"subject-alt-name") do={
         :if ($ImportSuccess = false) do={
           :set LastName [ :pick $SAN ([ :find $SAN ":" ] + 1) [ :len $SAN ] ];
-          :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName ];
+          :set FetchName $LastName;
+          :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+          :if ($ImportSuccess = false && [ :pick $LastName 0 2 ] = "*.") do={
+            :set FetchName ("star." . [ :pick $LastName 2 [ :len $LastName ] ]);
+            :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+          }
         }
       }
       :if ($ImportSuccess = false) do={ :error false; }
@@ -165,7 +179,7 @@
       } else={
         $LogPrint debug $ScriptName ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.");
 
-        :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $LastName ] ] . "\\.(p12|pem)_[0-9]+\$") \
+        :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $FetchName ] ] . "\\.(p12|pem)_[0-9]+\$") \
           (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
           fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
         :local CertNewVal [ /certificate/get $CertNew ];
@@ -218,4 +232,6 @@
           ", it is invalid after " . ($CertVal->"invalid-after") . ".");
     }
   }
-} on-error={ }
+} on-error={
+  :global ExitError; $ExitError $ExitOK [ :jobname ];
+}