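#!rsc by RouterOS
# RouterOS script: letsencrypt-renew
#
# renew letsencrypt ssl certificate and restart services
# https://github.com/martindb/routeros/blob/main/doc/letsencrypt-renew.md
#
# Flow: back up and remove the current certificate for the CN, briefly open
# HTTP (www service + the "IP Services HTTP" firewall rule) so the ACME
# HTTP-01 challenge can reach the router, request the certificate, close HTTP
# again and re-bind the SSTP server to the new certificate. On failure the
# backup is re-imported and only an error notification is sent.
:local 0 "letsencrypt-renew";
:global GlobalFunctionsReady;
:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
:global SendNotification;
:global SymbolForNotification;
:global LogPrint;
:global ParseKeyValueStore;
:global IsFullyConnected;
:global LetsEncryptCN;

:local CommName;
# true when this run switched the www service on and must switch it off again
:local WwwDisable false;
# cleared in the on-error handler; gates the SSTP re-bind and the OK notification
:local CertRenewed true;
# true once a PKCS#12 backup of the old certificate was written; gates the restore on error
:local HaveBackup false;

$LogPrint debug $0 "Init";

# Custom or default dns name
:if ([:typeof $LetsEncryptCN] = "str") do={
    :set CommName ($LetsEncryptCN);
} else={
    :set CommName [/ip/cloud/get dns-name];
}
$LogPrint debug $0 ("LetsEncrypt cert for $CommName will be renewed");

# Check if exists the firewall rule to open port 80
:if ([:len [/ip/firewall/filter/find where comment="IP Services HTTP"]] = 0) do={
    $SendNotification ([$SymbolForNotification "cross-mark"] . "LetsEncrypt error") ("$0: Rule for LetsEncrypt HTTP port not found");
    # NOTE(review): the trailing `true` presumably makes LogPrint abort the script - confirm.
    # Without an abort the renewal below runs with no rule to enable and fails in the :do block.
    $LogPrint error $0 "Rule for LetsEncrypt HTTP port not found" true;
}

# Current certificate backup and remove
:if ([:len [/certificate/find where common-name=$CommName]] > 0) do={
    # SECURITY: the backup file contains the private key and its passphrase is the
    # script name, a fixed and public value; anyone able to read files on the router
    # can open it. The import in the on-error handler must use the same value.
    /certificate/export-certificate [/certificate/get [/certificate/find where common-name=$CommName] name] \
        file-name=("$0_bkp") type=pkcs12 export-passphrase=($0);
    # only set after a successful export; an export error aborts before the remove
    :set HaveBackup true;
    /certificate/remove [/certificate/find where common-name=$CommName];
    $LogPrint debug $0 ("Backups of certificate with CN=$CommName");
}

# Ensure web service is enabled
# While on, www listens as configured in /ip/service (address= restriction, if any);
# the firewall rule enabled below is what exposes port 80 for the challenge window.
:if ([/ip/service/get www disabled] = true) do={
    $LogPrint debug $0 "Enable www service";
    :set WwwDisable true;
    /ip/service/set www disabled=no;
}

:do {
    # Enable firewall rule to open port 80
    /ip/firewall/filter/enable [/ip/firewall/filter/find where comment="IP Services HTTP"];
    # Ask for a new cert to letsencrypt
    /certificate/enable-ssl-certificate dns-name=$CommName;
    # Disable firewall rule to open port 80
    /ip/firewall/filter/disable [/ip/firewall/filter/find where comment="IP Services HTTP"];
} on-error={
    # Disable firewall rule to open port 80
    /ip/firewall/filter/disable [/ip/firewall/filter/find where comment="IP Services HTTP"];
    # Restore previous cert from backup, but only when one was written above:
    # importing a missing file would itself fail inside the error handler.
    :if ($HaveBackup = true) do={
        /certificate/import file-name=("$0_bkp") passphrase=($0);
    }
    :set CertRenewed false;
    $SendNotification ([$SymbolForNotification "cross-mark"] . "LetsEncrypt error") ("$0: Error renewing LetsEncrypt certificate. CHECK IT ASAP.");
    $LogPrint error $0 "LetsEncrypt renewal failed. CHECK IT ASAP.";
}

# If cert was renewed, set it in SSTP server
:if ($CertRenewed = true) do={
    /interface/sstp-server/server/set certificate=none;
    :delay 5;
    /interface/sstp-server/server/set certificate=[/certificate/get [/certificate/find where common-name=$CommName] name];
}

# Let www as was
:if ($WwwDisable = true) do={
    /ip/service/set www disabled=yes;
    $LogPrint debug $0 "Disable www service";
}

# Success notification only when the renewal actually succeeded; the error
# path has already sent its own notification and must not also report "OK".
:if ($CertRenewed = true) do={
    $SendNotification ([$SymbolForNotification "warning-sign"] . "LetsEncrypt renewal OK") ("LetsEncrypt ssl certificate renewed for " . $CommName);
}
$LogPrint debug $0 "End";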