ℹ️ Info: This script can not be used on its own but requires the base installation. See main README for details.
This script tries to download and renew certificates, then notifies about certificates that are still about to expire.
Just install the script:
$ScriptInstallUpdate check-certificates;
For automatic download and renewal of certificates you need configuration
in global-config-overlay, these are the parameters:
CertRenewPass: an array of passphrases to tryCertRenewTime: on what remaining time to try a renewCertRenewUrl: the url to download certificates fromCertWarnTime: on what remaining time to warn via notification
ℹ️ Info: Copy relevant configuration from
global-config(the one without-overlay) to your localglobal-config-overlayand modify it to your specific needs.
Certificates on the web server should be named by their common name, like
CN.pem (PEM format) orCN.p12 (PKCS#12 format). Alternatively any
subject alternative name (aka Subject Alt Name or SAN) can be used.
Also notification settings are required for e-mail, matrix, ntfy and/or telegram.
Just run the script:
/system/script/run check-certificates;
... or create a scheduler for periodic execution:
/system/scheduler/add interval=1d name=check-certificates on-event="/system/script/run check-certificates;" start-time=startup;
The script checks for full connectivity before acting, so scheduling at startup is perfectly valid:
/system/scheduler/add name=check-certificates@startup on-event="/system/script/run check-certificates;" start-time=startup;
Given you have a certificate on you server, you can use check-certificates
for the initial import. Just create a dummy certificate with short lifetime
that matches criteria to be renewed:
/certificate/add name=example.com common-name=example.com days-valid=1;
/certificate/sign example.com;
/system/script/run check-certificates;