From 67551e58d8d26702687aa1fd8e153788ef105adf Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 11:20:47 +0100 Subject: [PATCH 01/15] README: support new builtin-trust-store... ... which was introduced with RouterOS 7.21beta7. --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 529bb4c..b77538d 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,10 @@ download the certificates. > can skip the steps regarding certificate download and import and jump > to [installation of scripts](#installation-of-scripts) if you set the > trust for these builtin trust anchors: -> `/certificate/settings/set builtin-trust-anchors=trusted;` +> `/certificate/settings/set builtin-trust-anchors=trusted;` +> With RouterOS 7.21 the functionality was changed. Set this at minimum, +> but make sure not to drop other targets: +> `/certificate/settings/set builtin-trust-store=fetch;` If you intend to download the scripts from a different location (for example from github.com) install the corresponding From 7f2cdf67cb7097c3d8731a9bbe3e0aca8072e998 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 11:38:31 +0100 Subject: [PATCH 02/15] INITIAL-COMMANDS: support new builtin-trust-store... ... which was introduced with RouterOS 7.21beta7. --- INITIAL-COMMANDS.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md index 40f609b..6e70b66 100644 --- a/INITIAL-COMMANDS.md +++ b/INITIAL-COMMANDS.md @@ -22,8 +22,11 @@ Run the complete base installation: :local CertFileName "ISRG-Root-X2.pem"; :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"; - :if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \ - [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={ + :local CertSettings [ /certificate/settings/get ]; + :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \ + ($CertSettings->"builtin-trust-store") ~ "fetch" || \ + ($CertSettings->"builtin-trust-store") = "all") && \ + [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={ :put "Importing certificate..."; /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value; :delay 1s; From 959f0a257fed3d6f46288f045df36f3bd4a2e480 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 11:47:55 +0100 Subject: [PATCH 03/15] global-functions: $CertificateAvailable: support new builtin-trust-store... ... which was introduced with RouterOS 7.21beta7. --- global-functions.rsc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/global-functions.rsc b/global-functions.rsc index eb837aa..9f92b07 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -106,11 +106,15 @@ # check and download required certificate :set CertificateAvailable do={ :local CommonName [ :tostr $1 ]; + :local UseFor [ :tostr $2 ]; :global CertificateDownload; + :global EitherOr; :global LogPrint; :global ParseKeyValueStore; + :set UseFor [ $EitherOr $UseFor "undefined" ]; + :if ([ /system/resource/get free-hdd-space ] < 8388608 && \ [ /certificate/settings/get crl-download ] = true && \ [ /certificate/settings/get crl-store ] = "system") do={ @@ -123,7 +127,10 @@ :return false; } - :if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \ + :local CertSettings [ /certificate/settings/get ]; + :if ((($CertSettings->"builtin-trust-anchors") = "trusted" || \ + ($CertSettings->"builtin-trust-store") ~ $UseFor || \ + ($CertSettings->"builtin-trust-store") = "all") && \ [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={ :return true; } From e69605ac4de2bff7850d3d85cf6f047f5bfd5255 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 11:59:28 +0100 Subject: [PATCH 04/15] global-functions: $DownloadPackage: define certificate use --- global-functions.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/global-functions.rsc b/global-functions.rsc index 9f92b07..412777c 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -404,7 +404,7 @@ :return true; } - :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={ + :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={ $LogPrint error $0 ("Downloading required certificate failed."); :return false; } From ab29a3fb82f8157af73d094e9edb70e408a1e7a2 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:01:11 +0100 Subject: [PATCH 05/15] global-functions: $GetMacVendor: define certificate use --- global-functions.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/global-functions.rsc b/global-functions.rsc index 412777c..d4c37a2 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -640,7 +640,7 @@ } :do { - :if ([ $CertificateAvailable "GTS Root R4" ] = false) do={ + :if ([ $CertificateAvailable "GTS Root R4" "fetch" ] = false) do={ $LogPrint warning $0 ("Downloading required certificate failed."); :error false; } From ee77f7d72d87bdf61495589acc6f8d5f0eca2043 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:01:57 +0100 Subject: [PATCH 06/15] global-functions: $ScriptInstallUpdate: define certificate use --- global-functions.rsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/global-functions.rsc b/global-functions.rsc index d4c37a2..48aaf7f 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -1248,7 +1248,7 @@ :global SymbolForNotification; :global ValidateSyntax; - :if ([ $CertificateAvailable "ISRG Root X2" ] = false) do={ + :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false) do={ $LogPrint warning $0 ("Downloading certificate failed, trying without."); } @@ -1299,7 +1299,7 @@ } :if ([ :len ($ScriptInfo->"certificate") ] > 0) do={ - :if ([ $CertificateAvailable ($ScriptInfo->"certificate") ] = false) do={ + :if ([ $CertificateAvailable ($ScriptInfo->"certificate") "fetch" ] = false) do={ $LogPrint warning $0 ("Downloading certificate failed, trying without."); } } From 45ab635ba19df115430f7d5b9a22bc9d4c35b2cd Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:05:10 +0100 Subject: [PATCH 07/15] check-certificates: define certificate use --- check-certificates.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/check-certificates.rsc b/check-certificates.rsc index f2d5c1f..3300bee 100644 --- a/check-certificates.rsc +++ b/check-certificates.rsc @@ -189,7 +189,7 @@ fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ]; :local CertNewVal [ /certificate/get $CertNew ]; - :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={ + :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={ $LogPrint warning $ScriptName ("The certificate chain is not available!"); } From 85f3e1a5f4b986a25f803668ce15c908e5ed2373 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:06:03 +0100 Subject: [PATCH 08/15] fw-addr-lists: define certificate use --- fw-addr-lists.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc index c85cc8b..e5a71aa 100644 --- a/fw-addr-lists.rsc +++ b/fw-addr-lists.rsc @@ -74,7 +74,7 @@ :if ([ :len ($List->"cert") ] > 0) do={ :set CheckCertificate true; - :if ([ $CertificateAvailable ($List->"cert") ] = false) do={ + :if ([ $CertificateAvailable ($List->"cert") "fetch" ] = false) do={ $LogPrint warning $ScriptName ("Downloading required certificate (" . $FwListName . \ " / " . $List->"url" . ") failed, trying anyway."); } From 24aadcf02d9d13f9eeb9bc09872eeb307d486cb0 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:10:22 +0100 Subject: [PATCH 09/15] mod/notification-ntfy: define certificate use --- mod/notification-ntfy.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mod/notification-ntfy.rsc b/mod/notification-ntfy.rsc index 7114020..dd10812 100644 --- a/mod/notification-ntfy.rsc +++ b/mod/notification-ntfy.rsc @@ -109,7 +109,7 @@ :onerror Err { :if ($Server = "ntfy.sh") do={ - :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={ + :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={ $LogPrint warning $0 ("Downloading required certificate failed."); :error false; } From 0cbc8dca745f026499c0bd1542e81bb8956883ed Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:09:43 +0100 Subject: [PATCH 10/15] mod/notification-telegram: define certificate use --- mod/notification-telegram.rsc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mod/notification-telegram.rsc b/mod/notification-telegram.rsc index ff9b4da..b1996a3 100644 --- a/mod/notification-telegram.rsc +++ b/mod/notification-telegram.rsc @@ -30,7 +30,7 @@ :return false; } - :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={ + :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={ $LogPrint warning $0 ("Downloading required certificate failed."); :return false; } @@ -72,7 +72,7 @@ :global CertificateAvailable; :global LogPrint; - :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={ + :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={ $LogPrint warning $0 ("Downloading required certificate failed."); :return false; } @@ -197,7 +197,7 @@ "&reply_to_message_id=" . ($Notification->"replyto") . "&message_thread_id=" . $ThreadId . \ "&disable_web_page_preview=true&parse_mode=MarkdownV2"); :onerror Err { - :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={ + :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={ $LogPrint warning $0 ("Downloading required certificate failed."); :error false; } From 6c2bf181fca1c17b528884d2202ba9239486a8b0 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:07:22 +0100 Subject: [PATCH 11/15] netwatch-dns: define certificate use --- netwatch-dns.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc index 9e2f9bc..eee5f85 100644 --- a/netwatch-dns.rsc +++ b/netwatch-dns.rsc @@ -112,7 +112,7 @@ :foreach DohServer in=$DohServers do={ :if ([ :len ($DohServer->"doh-cert") ] > 0) do={ - :if ([ $CertificateAvailable ($DohServer->"doh-cert") ] = false) do={ + :if ([ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={ $LogPrint warning $ScriptName ("Downloading certificate failed, trying without."); } } From 31a2bbbb4c242a947aaa921daca4ef7c4a2bdb13 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:10:58 +0100 Subject: [PATCH 12/15] telegram-chat: define certificate use --- telegram-chat.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/telegram-chat.rsc b/telegram-chat.rsc index 7f7b7a7..54872fb 100644 --- a/telegram-chat.rsc +++ b/telegram-chat.rsc @@ -61,7 +61,7 @@ :set TelegramRandomDelay 0; } - :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={ + :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={ $LogPrint warning $ScriptName ("Downloading required certificate failed."); :set ExitOK true; :error false; From c273770f7d2600276fe7d15c2a9cd5942dfb7737 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:03:33 +0100 Subject: [PATCH 13/15] update-tunnelbroker: define certificate use --- update-tunnelbroker.rsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/update-tunnelbroker.rsc b/update-tunnelbroker.rsc index 9057e1e..5372f4c 100644 --- a/update-tunnelbroker.rsc +++ b/update-tunnelbroker.rsc @@ -28,7 +28,7 @@ :error false; } - :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" ] = false) do={ + :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" "fetch" ] = false) do={ $LogPrint error $ScriptName ("Downloading required certificate failed."); :set ExitOK true; :error false; From 5f1b17a6443d535be8e9b0ee7e1881b3c26a0019 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:11:38 +0100 Subject: [PATCH 14/15] CERTIFICATES: define certificate use --- CERTIFICATES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CERTIFICATES.md b/CERTIFICATES.md index 69d6c18..0e0a867 100644 --- a/CERTIFICATES.md +++ b/CERTIFICATES.md @@ -61,7 +61,7 @@ Import a certificate by CommonName Running the function `$CertificateAvailable` with that name as parameter makes sure the certificate is available in the device's store: - $CertificateAvailable "ISRG Root X2"; + $CertificateAvailable "ISRG Root X2" "fetch"; If the certificate is actually available already nothing happens, and there is no output. Otherwise the certificate is downloaded and imported. From 41c349a04c8c908f30de1d1006f253041bf1ff4f Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 10 Nov 2025 12:08:49 +0100 Subject: [PATCH 15/15] doc/mod/notification-matrix: define certificate use --- doc/mod/notification-matrix.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/mod/notification-matrix.md b/doc/mod/notification-matrix.md index da6d6de..ad4cf4f 100644 --- a/doc/mod/notification-matrix.md +++ b/doc/mod/notification-matrix.md @@ -49,7 +49,7 @@ your server in device's certificate store. The example below is for `matrix.org`, which uses a trust chain from *Google Trust Services*. Run this to import the required certificate: - $CertificateAvailable "GTS Root R4"; + $CertificateAvailable "GTS Root R4" "fetch"; Replace the CA certificate name with what ever is needed for your server. You may want to find the