routeros-scripts/check-certificates

#!rsc by RouterOS
# RouterOS script: check-certificates
# Copyright (c) 2013-2021 Christian Hesse <mail@eworm.de>
# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
#
# check for certificate validity
# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-certificates.md

:local 0 "check-certificates";
:global GlobalFunctionsReady;
:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }

:global CertRenewPass;
:global CertRenewTime;
:global CertRenewUrl;
:global Identity;

:global CertificateAvailable
:global CertificateNameByCN;
:global IfThenElse;
:global LogPrintExit2;
:global ParseKeyValueStore;
:global SendNotification2;
:global SymbolForNotification;
:global UrlEncode;
:global WaitForFile;
:global WaitFullyConnected;

:local FormatExpire do={
  :global CharacterReplace;
  :return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];
}

$WaitFullyConnected;

:foreach Cert in=[ / certificate find where !revoked !ca !scep-url expires-after<$CertRenewTime ] do={
  :local CertVal [ / certificate get $Cert ];

  :do {
    :if ([ :len $CertRenewUrl ] = 0) do={
      $LogPrintExit2 info $0 ("No CertRenewUrl given.") true;
    }
    $LogPrintExit2 info $0 ("Attempting to renew certificate " . ($CertVal->"name") . ".") false;

    :foreach Type in={ ".pem"; ".p12" } do={
      :local CertFileName ([ $UrlEncode ($CertVal->"common-name") ] . $Type);
      :do {
        / tool fetch check-certificate=yes-without-crl \
            ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
        $WaitForFile $CertFileName;
        :foreach PassPhrase in=$CertRenewPass do={
          / certificate import file-name=$CertFileName passphrase=$PassPhrase as-value;
        }
        / file remove [ find where name=$CertFileName ];

        :foreach CertInChain in=[ / certificate find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={
          $CertificateNameByCN [ / certificate get $CertInChain common-name ];
        }
      } on-error={
        $LogPrintExit2 debug $0 ("Could not download certificate file " . $CertFileName) false;
      }
    }

    :local CertNew [ / certificate find where common-name=($CertVal->"common-name") fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
    :local CertNewVal [ / certificate get $CertNew ];

    :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
      $LogPrintExit2 warning $0 ("The certificate chain is not available!") false;
    }

    :if ($Cert != $CertNew) do={
      $LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;

      :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
        / certificate remove $CertNew;
        $LogPrintExit2 warning $0 ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.") true;
      }

      / ip service set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];

      :do {
        / ip ipsec identity set certificate=($CertNewVal->"name") [ / ip ipsec identity find where certificate=($CertVal->"name") ];
        / ip ipsec identity set remote-certificate=($CertNewVal->"name") [ / ip ipsec identity find where remote-certificate=($CertVal->"name") ];
      } on-error={
        $LogPrintExit2 debug $0 ("Setting IPSEC certificates failed. Package 'security' not installed?") false;
      }

      :do {
        / ip hotspot profile set ssl-certificate=($CertNewVal->"name") [ / ip hotspot profile find where ssl-certificate=($CertVal->"name") ];
      } on-error={
        $LogPrintExit2 debug $0 ("Setting hotspot certificates failed. Package 'hotspot' not installed?") false;
      }

      / certificate remove $Cert;
      / certificate set $CertNew name=($CertVal->"name");
    }

    $SendNotification2 ({ origin=$0; \
      subject=([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed"); \
      message=("A certificate on " . $Identity . " has been renewed.\n\n" . \
        "Name:        " . ($CertVal->"name") . "\n" . \
        "CommonName:  " . ($CertNewVal->"common-name") . "\n" . \
        "Private key: " . [ $IfThenElse (($CertNewVal->"private-key") = true) "available" "missing" ] . "\n" . \
        "Fingerprint: " . ($CertNewVal->"fingerprint") . "\n" . \
        "Issuer:      " . ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") . "\n" . \
        "Validity:    " . ($CertNewVal->"invalid-before") . " to " . ($CertNewVal->"invalid-after") . "\n" . \
        "Expires in:  " . [ $FormatExpire ($CertNewVal->"expires-after") ]); silent=true });
    $LogPrintExit2 info $0 ("The certificate " . ($CertVal->"name") . " has been renewed.") false;
  } on-error={
    $LogPrintExit2 debug $0 ("Could not renew certificate " . ($CertVal->"name") . ".") false;
  }
}

:foreach Cert in=[ / certificate find where !revoked !scep-url !(expires-after=[]) expires-after<2w !(fingerprint=[]) ] do={
  :local CertVal [ / certificate get $Cert ];

  :if ([ :len [ / certificate scep-server find where ca-cert=($CertVal->"ca") ] ] > 0) do={
    $LogPrintExit2 debug $0 ("Certificate \"" . ($CertVal->"name") . "\" is handled by SCEP, skipping.") false;
  } else={
    :local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ];

    $SendNotification2 ({ origin=$0; \
      subject=([ $SymbolForNotification "warning-sign" ] . "Certificate warning!"); \
      message=("A certificate on " . $Identity . " " . $State . ".\n\n" . \
        "Name:        " . ($CertVal->"name") . "\n" . \
        "CommonName:  " . ($CertVal->"common-name") . "\n" . \
        "Private key: " . [ $IfThenElse (($CertVal->"private-key") = true) "available" "missing" ] . "\n" . \
        "Fingerprint: " . ($CertVal->"fingerprint") . "\n" . \
        "Issuer:      " . ($CertVal->"ca") . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "\n" . \
        "Validity:    " . ($CertVal->"invalid-before") . " to " . ($CertVal->"invalid-after") . "\n" . \
        "Expires in:  " . [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ]) });
    $LogPrintExit2 info $0 ("The certificate " . ($CertVal->"name") . " " . $State . \
        ", it is invalid after " . ($CertVal->"invalid-after") . ".") false;
  }
}
extend magic pattern with "by RouterOS" This matches the string included in export. 2020-09-18 11:00:27 +02:00			`#!rsc by RouterOS`
add scripts 2018-07-05 15:29:26 +02:00			`# RouterOS script: check-certificates`
update copyright for 2021 2021-01-01 21:33:52 +01:00			`# Copyright (c) 2013-2021 Christian Hesse <mail@eworm.de>`
explicitly name the license Copyright (C) 2013-2020 Christian Hesse <mail@eworm.de> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. https://www.gnu.org/licenses/#GPL https://www.gnu.org/licenses/gpl.html https://www.gnu.org/licenses/gpl.md 2020-06-19 22:17:42 +02:00			`# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md`
add scripts 2018-07-05 15:29:26 +02:00			`#`
			`# check for certificate validity`
add doc/check-certificates.md 2020-03-27 21:41:18 +01:00			`# https://git.eworm.de/cgit/routeros-scripts/about/doc/check-certificates.md`
add scripts 2018-07-05 15:29:26 +02:00
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`:local 0 "check-certificates";`
global: drop script 'global-wait' All scripts wait for the global functions on their own now. 2021-02-18 14:52:47 +01:00			`:global GlobalFunctionsReady;`
			`:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }`

global: variable names are CamelCase ___ _ ___ __ / _ )(_)__ _ / _/__ _/ /_ / _ / / _ `/ / _/ _ `/ __/ /____/_/\_, / /_/ \_,_/\__/ _ __ /___/ _ __ \| \| / /___ __________ (_)___ ____ _/ / \| \| /\| / / __ `/ ___/ __ \/ / __ \/ __ `/ / \| \|/ \|/ / /_/ / / / / / / / / / / /_/ /_/ \|__/\|__/\__,_/_/ /_/ /_/_/_/ /_/\__, (_) /____/ RouterOS has some odd behavior when it comes to variable names. Let's have a look at the interfaces: [admin@MikroTik] > / interface print where name=en1 Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU 0 RS en1 ether 1500 1598 That looks ok. Now we use a script: { :local interface "en1"; / interface print where name=$interface; } And the result... [admin@MikroTik] > { :local interface "en1"; {... / interface print where name=$interface; } Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU 0 RS en1 ether 1500 1598 ... still looks ok. We make a little modification to the script: { :local name "en1"; / interface print where name=$name; } And the result: [admin@MikroTik] > { :local name "en1"; {... / interface print where name=$name; } Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU 0 RS en1 ether 1500 1598 1 S en2 ether 1500 1598 2 S en3 ether 1500 1598 3 S en4 ether 1500 1598 4 S en5 ether 1500 1598 5 R br-local bridge 1500 1598 Ups! The filter has no effect! That happens whenever the variable name ($name) matches the property name (name=). And another modification: { :local type "en1"; / interface print where name=$type; } And the result: [admin@MikroTik] > { :local type "en1"; {... / interface print where name=$type; } Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU Ups! Nothing? Even if the variable name ($type) matches whatever property name (type=) things go wrong. The answer from MikroTik support (in Ticket#2019010222000454): > This is how scripting works in RouterOS and we will not fix it. To get around this we use variable names in CamelCase. Let's hope Mikrotik never ever introduces property names in CamelCase... fingers crossed 2019-01-03 17:45:43 +01:00			`:global CertRenewPass;`
check-certificates: make the certificate renewal time configurable 2020-12-18 16:02:31 +01:00			`:global CertRenewTime;`
global-functions: sort alphabetically 2020-02-28 15:26:26 +01:00			`:global CertRenewUrl;`
			`:global Identity;`
add scripts 2018-07-05 15:29:26 +02:00
check-certificates: check and download certificate chain 2020-04-03 14:12:09 +02:00			`:global CertificateAvailable`
check-certificates: rename all certificates by their common names 2020-02-06 18:10:47 +01:00			`:global CertificateNameByCN;`
check-certificates: use $IfThenElse 2020-07-16 21:18:12 +02:00			`:global IfThenElse;`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`:global LogPrintExit2;`
check-certificates: use $ParseKeyValueStore 2019-07-17 16:28:22 +02:00			`:global ParseKeyValueStore;`
check-certificates: use $SendNotification2 2021-04-27 20:58:19 +02:00			`:global SendNotification2;`
check-certificates: add symbol in notification 2020-07-17 11:52:54 +02:00			`:global SymbolForNotification;`
check-certificates: add url encoding for certificate download 2019-04-10 14:47:20 +02:00			`:global UrlEncode;`
global-functions: add $WaitForFile, wait for file on fetch The fetch command is asynchronous, the file is not guaranteed to be available when command terminates. I opened an issue at Mikrotik support (Ticket#2019041722004999), their answer: > You should perform a check in a loop. > :delay until file exist > > That can happen also with any configuration not just files. So add a function to wait for a file with given name. I have not seen this with other configuration, though. 2019-04-18 10:39:32 +02:00			`:global WaitForFile;`
check-certificates: wait to be fully connected 2020-08-21 23:13:47 +02:00			`:global WaitFullyConnected;`
check-certificates: use function for notification 2018-10-09 15:52:08 +02:00
check-certificates: show remaining time 2019-03-28 13:32:08 +01:00			`:local FormatExpire do={`
			`:global CharacterReplace;`
			`:return [ $CharacterReplace [ $CharacterReplace [ :tostr $1 ] "w" "w " ] "d" "d " ];`
			`}`

check-certificates: wait to be fully connected 2020-08-21 23:13:47 +02:00			`$WaitFullyConnected;`
check-certificates: check for synced time 2020-02-24 11:12:45 +01:00
check-certificates: make the certificate renewal time configurable 2020-12-18 16:02:31 +01:00			`:foreach Cert in=[ / certificate find where !revoked !ca !scep-url expires-after<$CertRenewTime ] do={`
check-certificates: get certificate values into array 2019-05-20 16:25:36 +02:00			`:local CertVal [ / certificate get $Cert ];`
add scripts 2018-07-05 15:29:26 +02:00
check-certificates: move conditions to loop 2019-01-09 22:18:58 +01:00			`:do {`
			`:if ([ :len $CertRenewUrl ] = 0) do={`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 info $0 ("No CertRenewUrl given.") true;`
check-certificates: move conditions to loop 2019-01-09 22:18:58 +01:00			`}`
check-certificates: be more verbose when attempting to renew 2021-03-21 22:22:52 +01:00			`$LogPrintExit2 info $0 ("Attempting to renew certificate " . ($CertVal->"name") . ".") false;`
check-certificates: support auto-renew of certificates 2018-12-20 15:55:40 +01:00
check-certificates: try to fetch PEM and P12 file 2019-04-10 14:15:41 +02:00			`:foreach Type in={ ".pem"; ".p12" } do={`
check-certificates: get certificate values into array 2019-05-20 16:25:36 +02:00			`:local CertFileName ([ $UrlEncode ($CertVal->"common-name") ] . $Type);`
check-certificates: try to fetch PEM and P12 file 2019-04-10 14:15:41 +02:00			`:do {`
global-functions: add $WaitForFile, wait for file on fetch The fetch command is asynchronous, the file is not guaranteed to be available when command terminates. I opened an issue at Mikrotik support (Ticket#2019041722004999), their answer: > You should perform a check in a loop. > :delay until file exist > > That can happen also with any configuration not just files. So add a function to wait for a file with given name. I have not seen this with other configuration, though. 2019-04-18 10:39:32 +02:00			`/ tool fetch check-certificate=yes-without-crl \`
check-certificates: silence fetch 2021-02-24 22:14:33 +01:00			`($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;`
global-functions: add $WaitForFile, wait for file on fetch The fetch command is asynchronous, the file is not guaranteed to be available when command terminates. I opened an issue at Mikrotik support (Ticket#2019041722004999), their answer: > You should perform a check in a loop. > :delay until file exist > > That can happen also with any configuration not just files. So add a function to wait for a file with given name. I have not seen this with other configuration, though. 2019-04-18 10:39:32 +02:00			`$WaitForFile $CertFileName;`
check-certificates: try to fetch PEM and P12 file 2019-04-10 14:15:41 +02:00			`:foreach PassPhrase in=$CertRenewPass do={`
check-certificates: silence certificate import 2021-03-21 22:27:31 +01:00			`/ certificate import file-name=$CertFileName passphrase=$PassPhrase as-value;`
check-certificates: try to fetch PEM and P12 file 2019-04-10 14:15:41 +02:00			`}`
check-certificates: add url encoding for certificate download 2019-04-10 14:47:20 +02:00			`/ file remove [ find where name=$CertFileName ];`
check-certificates: rename all certificates by their common names 2020-02-06 18:10:47 +01:00
			`:foreach CertInChain in=[ / certificate find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={`
			`$CertificateNameByCN [ / certificate get $CertInChain common-name ];`
			`}`
check-certificates: try to fetch PEM and P12 file 2019-04-10 14:15:41 +02:00			`} on-error={`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 debug $0 ("Could not download certificate file " . $CertFileName) false;`
check-certificates: try to fetch PEM and P12 file 2019-04-10 14:15:41 +02:00			`}`
check-certificates: support multiple passphrases 2019-04-01 22:45:38 +02:00			`}`
check-certificates: support auto-renew of certificates 2018-12-20 15:55:40 +01:00
check-certificates: complete certificate renewal time With a modified certificate renewal time may have failed if the new certificate was not found. 2021-01-11 00:16:00 +01:00			`:local CertNew [ / certificate find where common-name=($CertVal->"common-name") fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];`
check-certificates: get certificate values into array 2019-05-20 16:25:36 +02:00			`:local CertNewVal [ / certificate get $CertNew ];`
check-certificates: support auto-renew of certificates 2018-12-20 15:55:40 +01:00
check-certificates: warn about missing chain 2020-04-03 14:36:32 +02:00			`:if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 warning $0 ("The certificate chain is not available!") false;`
check-certificates: warn about missing chain 2020-04-03 14:36:32 +02:00			`}`
check-certificates: check and download certificate chain 2020-04-03 14:12:09 +02:00
check-certificates: fix renewing certificate in place 2019-07-31 21:04:06 +02:00			`:if ($Cert != $CertNew) do={`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;`
check-certificates: support auto-renew of certificates 2018-12-20 15:55:40 +01:00
check-certificates: do not renew if loosing private key 2021-01-11 00:05:58 +01:00			`:if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={`
			`/ certificate remove $CertNew;`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 warning $0 ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.") true;`
check-certificates: do not renew if loosing private key 2021-01-11 00:05:58 +01:00			`}`

check-certificates: fix renewing certificate in place 2019-07-31 21:04:06 +02:00			`/ ip service set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];`
check-certificates: update certificates for ipsec identities 2019-03-25 16:49:26 +01:00
check-certificates: fix renewing certificate in place 2019-07-31 21:04:06 +02:00			`:do {`
			`/ ip ipsec identity set certificate=($CertNewVal->"name") [ / ip ipsec identity find where certificate=($CertVal->"name") ];`
			`/ ip ipsec identity set remote-certificate=($CertNewVal->"name") [ / ip ipsec identity find where remote-certificate=($CertVal->"name") ];`
			`} on-error={`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 debug $0 ("Setting IPSEC certificates failed. Package 'security' not installed?") false;`
check-certificates: fix renewing certificate in place 2019-07-31 21:04:06 +02:00			`}`
check-certificates: support auto-renew of certificates 2018-12-20 15:55:40 +01:00
check-certificates: fix renewing certificate in place 2019-07-31 21:04:06 +02:00			`:do {`
			`/ ip hotspot profile set ssl-certificate=($CertNewVal->"name") [ / ip hotspot profile find where ssl-certificate=($CertVal->"name") ];`
			`} on-error={`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 debug $0 ("Setting hotspot certificates failed. Package 'hotspot' not installed?") false;`
check-certificates: fix renewing certificate in place 2019-07-31 21:04:06 +02:00			`}`

			`/ certificate remove $Cert;`
			`/ certificate set $CertNew name=($CertVal->"name");`
			`}`
check-certificates: show issuer CN only 2019-01-09 17:34:08 +01:00
check-certificates: pass origin to $SendNotification2 2021-04-27 21:58:35 +02:00			`$SendNotification2 ({ origin=$0; \`
			`subject=([ $SymbolForNotification "lock-with-ink-pen" ] . "Certificate renewed"); \`
check-certificates: use $SendNotification2 2021-04-27 20:58:19 +02:00			`message=("A certificate on " . $Identity . " has been renewed.\n\n" . \`
check-certificates: get certificate values into array 2019-05-20 16:25:36 +02:00			`"Name: " . ($CertVal->"name") . "\n" . \`
			`"CommonName: " . ($CertNewVal->"common-name") . "\n" . \`
check-certificates: show info on private key 2021-01-10 23:53:24 +01:00			`"Private key: " . [ $IfThenElse (($CertNewVal->"private-key") = true) "available" "missing" ] . "\n" . \`
check-certificates: get certificate values into array 2019-05-20 16:25:36 +02:00			`"Fingerprint: " . ($CertNewVal->"fingerprint") . "\n" . \`
check-certificates: use $ParseKeyValueStore 2019-07-17 16:28:22 +02:00			`"Issuer: " . ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") . "\n" . \`
check-certificates: get certificate values into array 2019-05-20 16:25:36 +02:00			`"Validity: " . ($CertNewVal->"invalid-before") . " to " . ($CertNewVal->"invalid-after") . "\n" . \`
check-certificates: use $SendNotification2 2021-04-27 20:58:19 +02:00			`"Expires in: " . [ $FormatExpire ($CertNewVal->"expires-after") ]); silent=true });`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 info $0 ("The certificate " . ($CertVal->"name") . " has been renewed.") false;`
check-certificates: move conditions to loop 2019-01-09 22:18:58 +01:00			`} on-error={`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 debug $0 ("Could not renew certificate " . ($CertVal->"name") . ".") false;`
check-certificates: split loop for certificate renew and warning This allows to have differnt time values. 2019-03-06 13:49:12 +01:00			`}`
			`}`
check-certificates: use time functionality No need to calculate that... 2019-01-09 11:43:30 +01:00
check-certificates: do not notify with missing validity period 2020-09-06 22:31:55 +02:00			`:foreach Cert in=[ / certificate find where !revoked !scep-url !(expires-after=[]) expires-after<2w !(fingerprint=[]) ] do={`
check-certificates: get certificate values into array 2019-05-20 16:25:36 +02:00			`:local CertVal [ / certificate get $Cert ];`

[ ... print count-only ...] -> [ :len [ ... find ... ] ] Using 'print count-only' always prints a number to terminal, even if the value is evaluated in a condition or assigned to a variable. This can be quite annoying. Behavior will not chance (SUP-25503), so replacing the code... 2020-08-26 09:23:56 +02:00			`:if ([ :len [ / certificate scep-server find where ca-cert=($CertVal->"ca") ] ] > 0) do={`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 debug $0 ("Certificate \"" . ($CertVal->"name") . "\" is handled by SCEP, skipping.") false;`
check-certificates: exclude issued certificates on SCEP server 2020-04-24 14:26:00 +02:00			`} else={`
check-certificates: use $IfThenElse 2020-07-16 21:18:12 +02:00			`:local State [ $IfThenElse (($CertVal->"expired") = true) "expired" "is about to expire" ];`
check-certificates: split loop for certificate renew and warning This allows to have differnt time values. 2019-03-06 13:49:12 +01:00
check-certificates: pass origin to $SendNotification2 2021-04-27 21:58:35 +02:00			`$SendNotification2 ({ origin=$0; \`
			`subject=([ $SymbolForNotification "warning-sign" ] . "Certificate warning!"); \`
check-certificates: use $SendNotification2 2021-04-27 20:58:19 +02:00			`message=("A certificate on " . $Identity . " " . $State . ".\n\n" . \`
check-certificates: exclude issued certificates on SCEP server 2020-04-24 14:26:00 +02:00			`"Name: " . ($CertVal->"name") . "\n" . \`
			`"CommonName: " . ($CertVal->"common-name") . "\n" . \`
check-certificates: fix variable name 2021-05-21 08:31:45 +02:00			`"Private key: " . [ $IfThenElse (($CertVal->"private-key") = true) "available" "missing" ] . "\n" . \`
check-certificates: exclude issued certificates on SCEP server 2020-04-24 14:26:00 +02:00			`"Fingerprint: " . ($CertVal->"fingerprint") . "\n" . \`
			`"Issuer: " . ($CertVal->"ca") . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "\n" . \`
			`"Validity: " . ($CertVal->"invalid-before") . " to " . ($CertVal->"invalid-after") . "\n" . \`
check-certificates: use $SendNotification2 2021-04-27 20:58:19 +02:00			`"Expires in: " . [ $IfThenElse (($CertVal->"expired") = true) "expired" [ $FormatExpire ($CertVal->"expires-after") ] ]) });`
global: give script or function name in log messages 2021-02-22 15:14:10 +01:00			`$LogPrintExit2 info $0 ("The certificate " . ($CertVal->"name") . " " . $State . \`
check-certificates: exclude issued certificates on SCEP server 2020-04-24 14:26:00 +02:00			`", it is invalid after " . ($CertVal->"invalid-after") . ".") false;`
			`}`
add scripts 2018-07-05 15:29:26 +02:00			`}`