From 0fffb5198eafe53a02c48a701ec7309244be5242 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Fri, 16 Jan 2026 13:51:37 +0100 Subject: [PATCH] netwatch-dns: support multiple certificates Some services use certificates issued by differnt CA certificates, depending on geolocation. One example is dns.google, which may require either of 'GTS Root R1' or 'GTS Root R4'. /tool/netwatch/add comment="doh, dns, name=google-dns-ipv4, doh-cert=GTS Root R1:GTS Root R4" host=8.8.8.8 type=simple; --- netwatch-dns.rsc | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc index 2edbdf8c..06a15f95 100644 --- a/netwatch-dns.rsc +++ b/netwatch-dns.rsc @@ -17,6 +17,7 @@ :local ScriptName [ :jobname ]; :global CertificateAvailable; + :global CharacterReplace; :global EitherOr; :global IsDNSResolving; :global LogPrint; @@ -103,10 +104,12 @@ } :foreach DohServer in=$DohServers do={ - :if ([ :len ($DohServer->"doh-cert") ] > 0) do={ - :if ([ $CertificateAvailable ($DohServer->"doh-cert") "fetch" ] = false || \ - [ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={ - $LogPrint warning $ScriptName ("Downloading certificate failed, trying without."); + :foreach DohCert in=[ :toarray [ $CharacterReplace ($DohServer->"doh-cert") ":" "," ] ] do={ + :if ([ :len $DohCert ] > 0) do={ + :if ([ $CertificateAvailable $DohCert "fetch" ] = false || \ + [ $CertificateAvailable $DohCert "dns" ] = false) do={ + $LogPrint warning $ScriptName ("Downloading certificate '" . $DohCert . "' failed, trying without."); + } } }
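Review bot: In the new `:foreach DohCert` loop the warning branch falls through for every certificate that cannot be obtained, so the loop can finish with only some, or none, of the CA certificates named in `doh-cert` available. The code that runs after the loop is outside this hunk, so please confirm that it still validates the DoH server's certificate and that "trying without" never means skipping verification. Because the commit message says the server may need either root depending on geolocation, a partial failure would presumably surface later as an intermittent validation error, not here. I would add a comment above the loop, for example `# doh-cert may name several CA certificates, separated by ":"; a failure for one is only logged`. Each listed name presumably also adds a trust anchor for that resolver, so the documentation should advise listing only the roots the provider actually uses.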