From 6fd28bf8f7cb00dc509037fe8920f6d2313725bf Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Tue, 13 Jan 2026 21:39:54 +0100
Subject: [PATCH] netwatch-dns: check the certificate is available for fetch

That trust is not needed for DNS functionality (that was checked before),
but for our hacky check with fetch.
---
 netwatch-dns.rsc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc
index 4172d28e..2edbdf8c 100644
--- a/netwatch-dns.rsc
+++ b/netwatch-dns.rsc
@@ -104,7 +104,8 @@
 
   :foreach DohServer in=$DohServers do={
     :if ([ :len ($DohServer->"doh-cert") ] > 0) do={
-      :if ([ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={
+      :if ([ $CertificateAvailable ($DohServer->"doh-cert") "fetch" ] = false || \
+           [ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={
         $LogPrint warning $ScriptName ("Downloading certificate failed, trying without.");
       }
     }