From 491189ece4608cb6150b99ed32671bcafe7b847d Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 12 Mar 2026 11:05:24 +0100 Subject: [PATCH 1/4] doc/check-certificates: create example certificate with SAN --- doc/check-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/check-certificates.md b/doc/check-certificates.md index 1e69af46..c6db7c88 100644 --- a/doc/check-certificates.md +++ b/doc/check-certificates.md @@ -85,7 +85,7 @@ Given you have a certificate on you server, you can use `check-certificates` for the initial import. Just create a *dummy* certificate with short lifetime that matches criteria to be renewed: - /certificate/add name=example.com common-name=example.com days-valid=1; + /certificate/add name="example.com" common-name="example.com" subject-alt-name="DNS:example.com" days-valid=1; /certificate/sign example.com; /system/script/run check-certificates; From 0d5ee6cf234396bbec3db2e5d012bae436f589a1 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 12 Mar 2026 11:08:25 +0100 Subject: [PATCH 2/4] check-certificates: skip common-name if not available --- check-certificates.rsc | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/check-certificates.rsc b/check-certificates.rsc index 0122122a..ad16f802 100644 --- a/check-certificates.rsc +++ b/check-certificates.rsc 
@@ -177,9 +177,11 @@ $LogPrint info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'."); :local ImportSuccess false; - :set LastName ($CertVal->"common-name"); - :set FetchName $LastName; - :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ]; + :if ([ :len ($CertVal->"common-name") ] > 0) do={ + :set LastName ($CertVal->"common-name"); + :set FetchName $LastName; + :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ]; + } :foreach SAN in=($CertVal->"subject-alt-name") do={ :if ($ImportSuccess = false) do={ :set LastName [ :pick $SAN ([ :find $SAN ":" ] + 1) [ :len $SAN ] ]; From 22c3f70dab76fbbc78ae2f81a475457cb6ebc2ae Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 12 Mar 2026 11:13:20 +0100 Subject: [PATCH 3/4] check-certificates: match status code in error message The message used to be: Fetch failed with status 404 ... but changed recently: failure: Status 404, NOT FOUND The new string is in RouterOS 7.22, and changed in what ever beta or rc release. Let's just match the status code and hope for the best. --- check-certificates.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/check-certificates.rsc b/check-certificates.rsc index ad16f802..6ed82b44 100644 --- a/check-certificates.rsc +++ b/check-certificates.rsc @@ -60,7 +60,7 @@ http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \ ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value; } do={ - :if ($Err != "Fetch failed with status 404") do={ + :if (!($Err ~ "[Ss]tatus 404")) do={ $LogPrint warning $0 ("Failed fetching certificate: " . $Err); } :error false; From 6aebf5720d34d87043720d34efb78d32b775955a Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 12 Mar 2026 11:16:38 +0100 Subject: [PATCH 4/4] check-certificates: give the name used for fetch --- check-certificates.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
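Review bot: When `common-name` is empty, the new `:if` skips both `:set` calls, so `LastName` and `FetchName` keep whatever they held before this point until a SAN entry overwrites them. Both are assigned with `:set`, so they are declared outside the hunk. If that declaration sits outside the per-certificate loop, a certificate with no common name and no SAN entries would leave the previous certificate's name in place for any later lookup or log line. Either reset both variables before the guard or confirm they are re-declared for each certificate. Separately, the SAN loop in the context lines takes everything after the first `:` as a fetch name whatever the entry type, so a comment such as `# only DNS: entries are expected here` (if that is the intent) would document the assumption.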
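Review bot: The pattern in `:if (!($Err ~ "[Ss]tatus 404")) do={` has no comment saying which message formats it covers; that reasoning lives only in the commit message. A comment above the `:if` would keep it with the code, for example `# older RouterOS: "Fetch failed with status 404"; 7.22: "failure: Status 404, NOT FOUND"`. The match is unanchored, so any error text containing that substring is treated as a quiet miss and never reaches the log, which is worth stating in the same comment. The `:do` block and the fetch call it wraps begin outside the hunk.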
diff --git a/check-certificates.rsc b/check-certificates.rsc
index 6ed82b44..e5683514 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -61,7 +61,7 @@
 ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
 } do={
 :if (!($Err ~ "[Ss]tatus 404")) do={
- $LogPrint warning $0 ("Failed fetching certificate: " . $Err);
+ $LogPrint warning $0 ("Failed fetching certificate by '" . $FetchName . "': " . $Err);
 }
 :error false;
 }
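Review bot: The warning now names `$FetchName`, but the request visible in this hunk is built from `$CertRenewUrl . $CertFileName`, and neither variable is defined inside the hunk. If `$CertFileName` is derived from `$FetchName` with encoding or a suffix, the log line may not identify the object that was actually requested. Logging the file name as well ties the warning to the exact URL path, e.g. `("Failed fetching certificate '" . $CertFileName . "' by '" . $FetchName . "': " . $Err)`. The name (apparently taken from the certificate's common name or a SAN entry) and `$Err` (taken from the fetch result) both reach the log unmodified, which matters if these logs are forwarded to a parser or SIEM.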