Skip to content

Latest commit

 

History

History
97 lines (65 loc) · 3.72 KB

check-certificates.md

File metadata and controls

97 lines (65 loc) · 3.72 KB

Renew certificates and notify on expiration

GitHub stars GitHub forks GitHub watchers required RouterOS version Telegram group @routeros_scripts donate with PayPal

⬅️ Go back to main README

ℹ️ Info: This script can not be used on its own but requires the base installation. See main README for details.

Description

This script tries to download and renew certificates, then notifies about certificates that are still about to expire.

Sample notification

check-certificates notification

Requirements and installation

Just install the script:

$ScriptInstallUpdate check-certificates;

Configuration

For automatic download and renewal of certificates you need configuration in global-config-overlay, these are the parameters:

  • CertRenewPass: an array of passphrases to try
  • CertRenewTime: on what remaining time to try a renew
  • CertRenewUrl: the url to download certificates from
  • CertWarnTime: on what remaining time to warn via notification

ℹ️ Info: Copy relevant configuration from global-config (the one without -overlay) to your local global-config-overlay and modify it to your specific needs.

Certificates on the web server should be named by their common name, like CN.pem (PEM format) orCN.p12 (PKCS#12 format). Alternatively any subject alternative name (aka Subject Alt Name or SAN) can be used.

Also notification settings are required for e-mail, matrix, ntfy and/or telegram.

Usage and invocation

Just run the script:

/system/script/run check-certificates;

... or create a scheduler for periodic execution:

/system/scheduler/add interval=1d name=check-certificates on-event="/system/script/run check-certificates;" start-time=startup;

Tips & Tricks

Schedule at startup

The script checks for full connectivity before acting, so scheduling at startup is perfectly valid:

/system/scheduler/add name=check-certificates@startup on-event="/system/script/run check-certificates;" start-time=startup;

Initial import

Given you have a certificate on you server, you can use check-certificates for the initial import. Just create a dummy certificate with short lifetime that matches criteria to be renewed:

/certificate/add name=example.com common-name=example.com days-valid=1;
/certificate/sign example.com;
/system/script/run check-certificates;

See also


⬅️ Go back to main README
⬆️ Go back to top