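# Script:   check-ssl-certificates.ps1
# Location: D:\kit\ssl\check-ssl-certificates.ps1
# Purpose:  Checks the IIS SSL certificates and forces a reinstall when one expires in < 14 days
# Run:      daily from Task Scheduler, or manually
#
# Parameters:
#   -DaysBeforeExpiry  renewal threshold in days (default 14)
#   -Force             reinstall every certificate regardless of its expiry date
#   -Verbose           echo every log line to the console as well as to the log file
#
# Exit code: 0 when no error was counted, 1 otherwise (meant for monitoring).
param(
    [int]$DaysBeforeExpiry = 14,
    [switch]$Force,
    [switch]$Verbose
)

$ErrorActionPreference = "Stop"
$LogFile = "C:\Tools\win-acme\ssl-check.log"

# Appends a timestamped line to $LogFile and mirrors it to the console when -Verbose is set.
function Write-Log {
    param([string]$Message)
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $logMessage = "[$timestamp] $Message"
    Add-Content -Path $LogFile -Value $logMessage
    if ($Verbose) { Write-Host $logMessage }
}

# Domains to check; SiteId is the value handed to wacs.exe via --siteid.
$domains = @(
    @{ SiteId = 1; Domain = "roa.romfast.ro" },
    @{ SiteId = 2; Domain = "dokploy.romfast.ro" },
    @{ SiteId = 3; Domain = "gitea.romfast.ro" },
    @{ SiteId = 4; Domain = "roa2web.romfast.ro" }
)

Write-Log "========== Verificare certificate SSL =========="

$renewedCount = 0
$errorCount = 0

foreach ($site in $domains) {
    $domain = $site.Domain
    $siteId = $site.SiteId

    try {
        # Read the certificate currently served over HTTPS.
        $request = [System.Net.HttpWebRequest]::Create("https://$domain")
        $request.AllowAutoRedirect = $false
        $request.Timeout = 10000
        # SECURITY: certificate validation is switched off for this request so that an
        # expired or otherwise invalid certificate can still be inspected. The expiry
        # date is therefore taken from whichever endpoint answers for $domain and is
        # only as trustworthy as DNS and the network path. Never reuse this request
        # object (or this callback) to fetch data that must be trusted.
        $request.ServerCertificateValidationCallback = { $true }

        try {
            $response = $request.GetResponse()
            $response.Close()
        } catch [System.Net.WebException] {
            # HTTP errors are ignored, only the certificate matters. The error response
            # is still closed so its connection is released; the WebException may be
            # wrapped by PowerShell, so walk the InnerException chain to find it.
            $webError = $_.Exception
            while ($null -ne $webError -and $webError -isnot [System.Net.WebException]) {
                $webError = $webError.InnerException
            }
            if ($null -ne $webError -and $null -ne $webError.Response) {
                $webError.Response.Close()
            }
        }

        $cert = $request.ServicePoint.Certificate
        if ($null -eq $cert) {
            Write-Log "EROARE: Nu s-a putut obtine certificatul pentru $domain"
            $errorCount++
            continue
        }

        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        $expiryDate = $cert2.NotAfter
        $daysLeft = ($expiryDate - (Get-Date)).Days

        Write-Log "$domain - Expira: $expiryDate (inca $daysLeft zile)"

        # Decide whether the certificate has to be reinstalled.
        if ($daysLeft -lt $DaysBeforeExpiry -or $Force) {
            Write-Log "ACTIUNE: Fortez reinstalare certificat pentru $domain (Site ID: $siteId)"

            $savedPreference = $ErrorActionPreference
            Push-Location "C:\Tools\win-acme"
            try {
                # With "Stop" in effect, Windows PowerShell turns the first stderr line
                # of a native command redirected with 2>&1 into a terminating error,
                # which would abort the run before the exit code can be inspected.
                $ErrorActionPreference = "Continue"
                $output = & .\wacs.exe --target iis --siteid $siteId --installation iis --force 2>&1
                $wacsExitCode = $LASTEXITCODE
            } finally {
                # Always restore the preference and the working directory, even when
                # wacs.exe is missing or the call throws.
                $ErrorActionPreference = $savedPreference
                Pop-Location
            }

            if ($wacsExitCode -eq 0) {
                Write-Log "SUCCES: Certificat reinstalat pentru $domain"
                $renewedCount++
            } else {
                Write-Log "EROARE: Reinstalare esuata pentru $domain"
                # $output is a collection of lines; join it explicitly so the log keeps
                # one wacs line per row instead of a single space-joined string.
                Write-Log (($output | ForEach-Object { "$_" }) -join [Environment]::NewLine)
                $errorCount++
            }
        }
    } catch {
        Write-Log "EXCEPTIE pentru ${domain}: $($_.Exception.Message)"
        $errorCount++
    }
}

# Restart IIS when at least one certificate was renewed.
if ($renewedCount -gt 0) {
    Write-Log "Restart IIS..."
    iisreset /restart | Out-Null
    # A failed restart can leave the sites down, so it must not be logged as a success.
    if ($LASTEXITCODE -eq 0) {
        Write-Log "IIS restartat"
    } else {
        Write-Log "EROARE: iisreset a esuat (cod $LASTEXITCODE)"
        $errorCount++
    }
}

Write-Log "========== Sumar: $renewedCount reinnoite, $errorCount erori =========="

# Exit code for monitoring.
if ($errorCount -gt 0) { exit 1 } else { exit 0 }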