eworm-de.routeros-scripts/doc/check-certificates.md

Renew certificates and notify on expiration
===========================================

[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.15-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)

[⬅️ Go back to main README](../README.md)

> ℹ️ **Info**: This script can not be used on its own but requires the base
> installation. See [main README](../README.md) for details.

Description
-----------

This script tries to download and renew certificates, then notifies about
certificates that are still about to expire.

### Sample notification

![check-certificates notification](check-certificates.d/notification.avif)

Requirements and installation
-----------------------------

Just install the script:

    $ScriptInstallUpdate check-certificates;

Configuration
-------------

For automatic download and renewal of certificates you need configuration
in `global-config-overlay`, these are the parameters:

* `CertRenewPass`: an array of passphrases to try
* `CertRenewTime`: on what remaining time to try a renew
* `CertRenewUrl`: the url to download certificates from
* `CertWarnTime`: on what remaining time to warn via notification

> ℹ️ **Info**: Copy relevant configuration from
> [`global-config`](../global-config.rsc) (the one without `-overlay`) to
> your local `global-config-overlay` and modify it to your specific needs.

Certificates on the web server should be named by their common name, like
`CN.pem` (`PEM` format) or`CN.p12` (`PKCS#12` format). Alternatively any
subject alternative name (aka *Subject Alt Name* or *SAN*) can be used.

Also notification settings are required for
[e-mail](mod/notification-email.md),
[gotify](mod/notification-gotify.md),
[matrix](mod/notification-matrix.md),
[ntfy](mod/notification-ntfy.md) and/or
[telegram](mod/notification-telegram.md).

Usage and invocation
--------------------

Just run the script:

    /system/script/run check-certificates;

... or create a scheduler for periodic execution:

    /system/scheduler/add interval=1d name=check-certificates on-event="/system/script/run check-certificates;" start-time=startup;


Tips & Tricks
-------------

### Schedule at startup

The script checks for full connectivity before acting, so scheduling at
startup is perfectly valid:

    /system/scheduler/add name=check-certificates@startup on-event="/system/script/run check-certificates;" start-time=startup;

### Initial import

Given you have a certificate on you server, you can use `check-certificates`
for the initial import. Just create a *dummy* certificate with short lifetime
that matches criteria to be renewed:

    /certificate/add name=example.com common-name=example.com days-valid=1;
    /certificate/sign example.com;
    /system/script/run check-certificates;

See also
--------

* [Renew locally issued certificates](certificate-renew-issued.md)

---
[⬅️ Go back to main README](../README.md)  
[⬆️ Go back to top](#top)