mikrotik check cert

2025-10-27 09:30:41 +01:00
parent c42250196f
commit 561a3b23f6
1 changed files with 28 additions and 6 deletions
--- a/certpusher.py
+++ b/certpusher.py
@@ -744,25 +744,44 @@ class CertPusher:
            upload_needed = True
            
            if check_first:
-                if not ssh.check_remote_certificate(remote_cert_path, source_cert):
-                    upload_needed = False
-                elif check_url:
-                    logger.info(f"SSH check failed. Trying URL: {check_url}")
+                # Try SSH check first
+                ssh_check_passed = not ssh.check_remote_certificate(remote_cert_path, source_cert)
+                
+                # If SSH says certificates match, double-check with URL if provided
+                if ssh_check_passed and check_url:
+                    logger.info(f"SSH check passed. Verifying via URL: {check_url}")
                    remote_cert = self.cert_manager.get_cert_from_url(check_url)
-                    if remote_cert and self.cert_manager.compare_certificates(source_cert, remote_cert):
-                        logger.info("✓ Certificate up to date via URL. Skipping.")
+                    
+                    if remote_cert:
+                        if self.cert_manager.compare_certificates(source_cert, remote_cert):
+                            logger.info("✓ URL check confirms: Certificates match. Skipping.")
+                            upload_needed = False
+                        else:
+                            logger.warning("⚠ URL check disagrees with SSH check!")
+                            logger.warning("Certificates differ via URL. Upload needed.")
+                            upload_needed = True
+                    else:
+                        logger.warning("Could not retrieve cert via URL. Trusting SSH check.")
                        upload_needed = False
+                elif ssh_check_passed:
+                    # SSH check passed, no URL to verify
+                    upload_needed = False
+                else:
+                    # SSH check failed, upload needed
+                    upload_needed = True
            
            if not upload_needed:
                ssh.disconnect()
                self.stats['skipped'] += 1
                return True
            
+            # Upload certificate
            if not ssh.upload_file(source_cert_path, remote_cert_path):
                ssh.disconnect()
                self.stats['failed'] += 1
                return False
            
+            # Upload key if specified
            if self.config.has_option(section, 'remote_key_path'):
                remote_key_path = self.config.get(section, 'remote_key_path')
                source_key_path = self.get_key_path(section, source_cert_path)
@@ -770,12 +789,14 @@ class CertPusher:
                if os.path.exists(source_key_path):
                    ssh.upload_file(source_key_path, remote_key_path)
            
+            # Additional files
            if self.config.has_option(section, 'additional_files'):
                for file_pair in self.config.get(section, 'additional_files').split(','):
                    if ':' in file_pair:
                        local, remote = file_pair.strip().split(':', 1)
                        ssh.upload_file(local, remote)
            
+            # Post-upload command
            if post_upload_command:
                logger.info("Executing post-upload command")
                ssh.execute_command(post_upload_command)
@@ -789,6 +810,7 @@ class CertPusher:
            logger.error(f"Failed: {e}")
            self.stats['failed'] += 1
            return False
+
    
    def run(self):
        """Main execution"""