From 0dc78a1a510c8944ae337731fe0b53551eb8fa46 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 11:20:47 +0100
Subject: [PATCH 01/15] README: support new builtin-trust-store...

... which was introduced with RouterOS 7.21beta7.

---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 529bb4c..b77538d 100644
--- a/README.md
+++ b/README.md
@@ -78,7 +78,10 @@ download the certificates.
 > can skip the steps regarding certificate download and import and jump
 > to [installation of scripts](#installation-of-scripts) if you set the
 > trust for these builtin trust anchors:
-> `/certificate/settings/set builtin-trust-anchors=trusted;`
+> `/certificate/settings/set builtin-trust-anchors=trusted;`
+> With RouterOS 7.21 the functionality was changed. Set this at minimum,
+> but make sure not to drop other targets:
+> `/certificate/settings/set builtin-trust-store=fetch;`
 
 If you intend to download the scripts from a different location (for
 example from github.com) install the corresponding

From 3e17387d1ebdcf8bc4e135e81eb92e844c510030 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 11:38:31 +0100
Subject: [PATCH 02/15] INITIAL-COMMANDS: support new builtin-trust-store...

... which was introduced with RouterOS 7.21beta7.

---
 INITIAL-COMMANDS.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md
index 40f609b..6e70b66 100644
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@@ -22,8 +22,11 @@ Run the complete base installation:
 :local CertFileName "ISRG-Root-X2.pem";
 :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
 
- :if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
- [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
+ :local CertSettings [ /certificate/settings/get ];
+ :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+ ($CertSettings->"builtin-trust-store") ~ "fetch" || \
+ ($CertSettings->"builtin-trust-store") = "all") && \
+ [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
 :put "Importing certificate...";
 /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value;
 :delay 1s;

From be77cf1ca5e3b29b5963a1a713d33d08d04e6426 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 11:47:55 +0100
Subject: [PATCH 03/15] global-functions: $CertificateAvailable: support new builtin-trust-store...

... which was introduced with RouterOS 7.21beta7.

---
 global-functions.rsc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/global-functions.rsc b/global-functions.rsc
index eb837aa..9f92b07 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -106,11 +106,15 @@
 # check and download required certificate
 :set CertificateAvailable do={
 :local CommonName [ :tostr $1 ];
+ :local UseFor [ :tostr $2 ];
 
 :global CertificateDownload;
+ :global EitherOr;
 :global LogPrint;
 :global ParseKeyValueStore;
 
+ :set UseFor [ $EitherOr $UseFor "undefined" ];
+
 :if ([ /system/resource/get free-hdd-space ] < 8388608 && \
 [ /certificate/settings/get crl-download ] = true && \
 [ /certificate/settings/get crl-store ] = "system") do={
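Review bot: The new second parameter introduced by `:local UseFor [ :tostr $2 ];` is not described anywhere, and the header comment `# check and download required certificate` still reads as if the function took a single argument. I would extend it to `# check and download required certificate ($1: common name, $2: intended use matched against builtin-trust-store, e.g. "fetch" or "dns")`. It is also worth stating next to `:set UseFor [ $EitherOr $UseFor "undefined" ];` that — presumably `$EitherOr` substitutes "undefined" when $2 is empty — callers that still pass one argument can no longer satisfy the store match and depend on `builtin-trust-anchors=trusted` or `builtin-trust-store=all` instead. The body of `$CertificateAvailable` continues past the end of this hunk.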
@@ -123,7 +127,10 @@
 :return false;
 }
 
- :if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
+ :local CertSettings [ /certificate/settings/get ];
+ :if ((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+ ($CertSettings->"builtin-trust-store") ~ $UseFor || \
+ ($CertSettings->"builtin-trust-store") = "all") && \
 [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={
 :return true;
 }

From 5542294e1fd5bf3195336f5bc837123f47854a13 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 11:59:28 +0100
Subject: [PATCH 04/15] global-functions: $DownloadPackage: define certificate use

---
 global-functions.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/global-functions.rsc b/global-functions.rsc
index 9f92b07..412777c 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -404,7 +404,7 @@
 :return true;
 }
 
- :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
+ :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
 $LogPrint error $0 ("Downloading required certificate failed.");
 :return false;
 }

From afe8318979b043284e0bfbe084c5ab6987da5d02 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:01:11 +0100
Subject: [PATCH 05/15] global-functions: $GetMacVendor: define certificate use

---
 global-functions.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/global-functions.rsc b/global-functions.rsc
index 412777c..d4c37a2 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -640,7 +640,7 @@
 }
 
 :do {
- :if ([ $CertificateAvailable "GTS Root R4" ] = false) do={
+ :if ([ $CertificateAvailable "GTS Root R4" "fetch" ] = false) do={
 $LogPrint warning $0 ("Downloading required certificate failed.");
 :error false;
 }

From cf321da4230517dfcc212547a199806e32756d11 Mon Sep 17 00:00:00 2001
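Review bot: `($CertSettings->"builtin-trust-store") ~ $UseFor` applies the caller's token as an unanchored regular expression, so a setting value that merely contains the requested token as a substring would satisfy the check; if that setting can hold several targets, confirm the separator RouterOS uses for it and anchor the pattern (or compare tokens exactly) so that only the precise use is accepted. The same substring match, with the literal `~ "fetch"`, is in the INITIAL-COMMANDS.md hunk of patch 02. The legacy branch `($CertSettings->"builtin-trust-anchors") = "trusted"` still short-circuits to `:return true;`; if 7.21 keeps reporting that value while no longer honoring it, as the README wording "the functionality was changed" suggests, the function would report a certificate as available that the later fetch cannot use, so a comment stating which RouterOS versions each branch targets would help. `$CertificateAvailable` starts before this hunk.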
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:01:57 +0100
Subject: [PATCH 06/15] global-functions: $ScriptInstallUpdate: define certificate use

---
 global-functions.rsc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/global-functions.rsc b/global-functions.rsc
index d4c37a2..48aaf7f 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -1248,7 +1248,7 @@
 :global SymbolForNotification;
 :global ValidateSyntax;
 
- :if ([ $CertificateAvailable "ISRG Root X2" ] = false) do={
+ :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false) do={
 $LogPrint warning $0 ("Downloading certificate failed, trying without.");
 }
 
@@ -1299,7 +1299,7 @@
 }
 
 :if ([ :len ($ScriptInfo->"certificate") ] > 0) do={
- :if ([ $CertificateAvailable ($ScriptInfo->"certificate") ] = false) do={
+ :if ([ $CertificateAvailable ($ScriptInfo->"certificate") "fetch" ] = false) do={
 $LogPrint warning $0 ("Downloading certificate failed, trying without.");
 }
 }

From 4882d87c2b326515679d74462c7cf6271d654f9c Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:05:10 +0100
Subject: [PATCH 07/15] check-certificates: define certificate use

---
 check-certificates.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/check-certificates.rsc b/check-certificates.rsc
index f2d5c1f..3300bee 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -189,7 +189,7 @@
 fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
 :local CertNewVal [ /certificate/get $CertNew ];
 
- :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
+ :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={
 $LogPrint warning $ScriptName ("The certificate chain is not available!");
 }
 

From 8603acd4a413d70fc6db950063c45907b22b7b91 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:06:03 +0100
Subject: [PATCH 08/15] fw-addr-lists: define certificate use

---
 fw-addr-lists.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc
index c85cc8b..e5a71aa 100644
--- a/fw-addr-lists.rsc
+++ b/fw-addr-lists.rsc
@@ -74,7 +74,7 @@
 :if ([ :len ($List->"cert") ] > 0) do={
 :set CheckCertificate true;
- :if ([ $CertificateAvailable ($List->"cert") ] = false) do={
+ :if ([ $CertificateAvailable ($List->"cert") "fetch" ] = false) do={
 $LogPrint warning $ScriptName ("Downloading required certificate (" . $FwListName . \
 " / " . $List->"url" . ") failed, trying anyway.");
 }

From 153fcbd69d28d86c258239157a57c30819ef2c33 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:10:22 +0100
Subject: [PATCH 09/15] mod/notification-ntfy: define certificate use

---
 mod/notification-ntfy.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mod/notification-ntfy.rsc b/mod/notification-ntfy.rsc
index 7114020..dd10812 100644
--- a/mod/notification-ntfy.rsc
+++ b/mod/notification-ntfy.rsc
@@ -109,7 +109,7 @@
 
 :onerror Err {
 :if ($Server = "ntfy.sh") do={
- :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
+ :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
 $LogPrint warning $0 ("Downloading required certificate failed.");
 :error false;
 }

From a1da673f951076b9d00fb1d3b516b0282d1c502d Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:09:43 +0100
Subject: [PATCH 10/15] mod/notification-telegram: define certificate use

---
 mod/notification-telegram.rsc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mod/notification-telegram.rsc b/mod/notification-telegram.rsc
index ff9b4da..b1996a3 100644
--- a/mod/notification-telegram.rsc
+++ b/mod/notification-telegram.rsc
@@ -30,7 +30,7 @@
 :return false;
 }
 
- :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+ :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
 $LogPrint warning $0 ("Downloading required certificate failed.");
 :return false;
 }
@@ -72,7 +72,7 @@
 :global CertificateAvailable;
 :global LogPrint;
 
- :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+ :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
 $LogPrint warning $0 ("Downloading required certificate failed.");
 :return false;
 }
@@ -197,7 +197,7 @@
 "&reply_to_message_id=" . ($Notification->"replyto") . "&message_thread_id=" . $ThreadId . \
 "&disable_web_page_preview=true&parse_mode=MarkdownV2");
 :onerror Err {
- :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+ :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
 $LogPrint warning $0 ("Downloading required certificate failed.");
 :error false;
 }

From 64b1b6f4449cda6610ea1b600687965532efadb2 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:07:22 +0100
Subject: [PATCH 11/15] netwatch-dns: define certificate use

---
 netwatch-dns.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc
index 9e2f9bc..eee5f85 100644
--- a/netwatch-dns.rsc
+++ b/netwatch-dns.rsc
@@ -112,7 +112,7 @@
 
 :foreach DohServer in=$DohServers do={
 :if ([ :len ($DohServer->"doh-cert") ] > 0) do={
- :if ([ $CertificateAvailable ($DohServer->"doh-cert") ] = false) do={
+ :if ([ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={
 $LogPrint warning $ScriptName ("Downloading certificate failed, trying without.");
 }
 }

From 5fcaf2ef07b596019da1542c0109323554297022 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:10:58 +0100
Subject: [PATCH 12/15] telegram-chat: define certificate use

---
 telegram-chat.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/telegram-chat.rsc b/telegram-chat.rsc
index 7f7b7a7..54872fb 100644
--- a/telegram-chat.rsc
+++ b/telegram-chat.rsc
@@ -61,7 +61,7 @@
 :set TelegramRandomDelay 0;
 }
 
- :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+ :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
 $LogPrint warning $ScriptName ("Downloading required certificate failed.");
 :set ExitOK true;
 :error false;

From bd8c54d1cd4102356261c05a9131b77a91fc68b1 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:03:33 +0100
Subject: [PATCH 13/15] update-tunnelbroker: define certificate use

---
 update-tunnelbroker.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/update-tunnelbroker.rsc b/update-tunnelbroker.rsc
index 9057e1e..5372f4c 100644
--- a/update-tunnelbroker.rsc
+++ b/update-tunnelbroker.rsc
@@ -28,7 +28,7 @@
 :error false;
 }
 
- :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" ] = false) do={
+ :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" "fetch" ] = false) do={
 $LogPrint error $ScriptName ("Downloading required certificate failed.");
 :set ExitOK true;
 :error false;

From beae09620a2e96b747579638e0d6ff613d1148a1 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:11:38 +0100
Subject: [PATCH 14/15] CERTIFICATES: define certificate use

---
 CERTIFICATES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CERTIFICATES.md b/CERTIFICATES.md
index 69d6c18..0e0a867 100644
--- a/CERTIFICATES.md
+++ b/CERTIFICATES.md
@@ -61,7 +61,7 @@ Import a certificate by CommonName
 Running the function `$CertificateAvailable` with that name as parameter makes sure the certificate is available in the device's store:
 
- $CertificateAvailable "ISRG Root X2";
+ $CertificateAvailable "ISRG Root X2" "fetch";
 
 If the certificate is actually available already nothing happens, and there is no output. Otherwise the certificate is downloaded and imported.

From 7a28834374a8a2447b095d85d2b9db78a54080c9 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 10 Nov 2025 12:08:49 +0100
Subject: [PATCH 15/15] doc/mod/notification-matrix: define certificate use

---
 doc/mod/notification-matrix.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/mod/notification-matrix.md b/doc/mod/notification-matrix.md
index da6d6de..ad4cf4f 100644
--- a/doc/mod/notification-matrix.md
+++ b/doc/mod/notification-matrix.md
@@ -49,7 +49,7 @@ your server in device's certificate store.
 The example below is for `matrix.org`, which uses a trust chain from *Google Trust Services*. Run this to import the required certificate:
 
- $CertificateAvailable "GTS Root R4";
+ $CertificateAvailable "GTS Root R4" "fetch";
 
 Replace the CA certificate name with what ever is needed for your server. You may want to find the