groove/routeros-scripts-main
1
0
Fork 0
mirror of https://github.com/eworm-de/routeros-scripts.git synced 2025-12-06 09:59:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'builtin-trust-store' into next

Browse source
This commit is contained in:
Christian Hesse 2025-11-10 12:14:10 +01:00
commit b7fb8737e9
12 changed files with 32 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

2
CERTIFICATES.md
View file

@ -61,7 +61,7 @@ Import a certificate by CommonName
Running the function `$CertificateAvailable` with that name as parameter Running the function `$CertificateAvailable` with that name as parameter
makes sure the certificate is available in the device's store: makes sure the certificate is available in the device's store:
$CertificateAvailable "ISRG Root X2"; $CertificateAvailable "ISRG Root X2" "fetch";
If the certificate is actually available already nothing happens, and there If the certificate is actually available already nothing happens, and there
is no output. Otherwise the certificate is downloaded and imported. is no output. Otherwise the certificate is downloaded and imported.

7
INITIAL-COMMANDS.md
View file

@ -22,8 +22,11 @@ Run the complete base installation:
:local CertFileName "ISRG-Root-X2.pem"; :local CertFileName "ISRG-Root-X2.pem";
:local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"; :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
:if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \ :local CertSettings [ /certificate/settings/get ];
[[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={ :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
($CertSettings->"builtin-trust-store") ~ "fetch" || \
($CertSettings->"builtin-trust-store") = "all") && \
[[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
:put "Importing certificate..."; :put "Importing certificate...";
/tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value; /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value;
:delay 1s; :delay 1s;

3
README.md
View file

@ -79,6 +79,9 @@ download the certificates.
> to [installation of scripts](#installation-of-scripts) if you set the > to [installation of scripts](#installation-of-scripts) if you set the
> trust for these builtin trust anchors: > trust for these builtin trust anchors:
> `/certificate/settings/set builtin-trust-anchors=trusted;` > `/certificate/settings/set builtin-trust-anchors=trusted;`
> With RouterOS 7.21 the functionality was changed. Set this at minimum,
> but make sure not to drop other targets:
> `/certificate/settings/set builtin-trust-store=fetch;`
If you intend to download the scripts from a If you intend to download the scripts from a
different location (for example from github.com) install the corresponding different location (for example from github.com) install the corresponding

2
check-certificates.rsc
View file

@ -189,7 +189,7 @@
fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ]; fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
:local CertNewVal [ /certificate/get $CertNew ]; :local CertNewVal [ /certificate/get $CertNew ];
:if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={ :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={
$LogPrint warning $ScriptName ("The certificate chain is not available!"); $LogPrint warning $ScriptName ("The certificate chain is not available!");
} }

2
doc/mod/notification-matrix.md
View file

@ -49,7 +49,7 @@ your server in device's certificate store.
The example below is for `matrix.org`, which uses a trust chain from *Google The example below is for `matrix.org`, which uses a trust chain from *Google
Trust Services*. Run this to import the required certificate: Trust Services*. Run this to import the required certificate:
$CertificateAvailable "GTS Root R4"; $CertificateAvailable "GTS Root R4" "fetch";
Replace the CA certificate name with what ever is needed for your server. Replace the CA certificate name with what ever is needed for your server.
You may want to find the You may want to find the

2
fw-addr-lists.rsc
View file

@ -74,7 +74,7 @@
:if ([ :len ($List->"cert") ] > 0) do={ :if ([ :len ($List->"cert") ] > 0) do={
:set CheckCertificate true; :set CheckCertificate true;
:if ([ $CertificateAvailable ($List->"cert") ] = false) do={ :if ([ $CertificateAvailable ($List->"cert") "fetch" ] = false) do={
$LogPrint warning $ScriptName ("Downloading required certificate (" . $FwListName . \ $LogPrint warning $ScriptName ("Downloading required certificate (" . $FwListName . \
" / " . $List->"url" . ") failed, trying anyway."); " / " . $List->"url" . ") failed, trying anyway.");
} }

17
global-functions.rsc
View file

@ -106,11 +106,15 @@
# check and download required certificate # check and download required certificate
:set CertificateAvailable do={ :set CertificateAvailable do={
:local CommonName [ :tostr $1 ]; :local CommonName [ :tostr $1 ];
:local UseFor [ :tostr $2 ];
:global CertificateDownload; :global CertificateDownload;
:global EitherOr;
:global LogPrint; :global LogPrint;
:global ParseKeyValueStore; :global ParseKeyValueStore;
:set UseFor [ $EitherOr $UseFor "undefined" ];
:if ([ /system/resource/get free-hdd-space ] < 8388608 && \ :if ([ /system/resource/get free-hdd-space ] < 8388608 && \
[ /certificate/settings/get crl-download ] = true && \ [ /certificate/settings/get crl-download ] = true && \
[ /certificate/settings/get crl-store ] = "system") do={ [ /certificate/settings/get crl-store ] = "system") do={
@ -123,7 +127,10 @@
:return false; :return false;
} }
:if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \ :local CertSettings [ /certificate/settings/get ];
:if ((($CertSettings->"builtin-trust-anchors") = "trusted" || \
($CertSettings->"builtin-trust-store") ~ $UseFor || \
($CertSettings->"builtin-trust-store") = "all") && \
[[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={ [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={
:return true; :return true;
} }
@ -397,7 +404,7 @@
:return true; :return true;
} }
:if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={ :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
$LogPrint error $0 ("Downloading required certificate failed."); $LogPrint error $0 ("Downloading required certificate failed.");
:return false; :return false;
} }
@ -633,7 +640,7 @@
} }
:do { :do {
:if ([ $CertificateAvailable "GTS Root R4" ] = false) do={ :if ([ $CertificateAvailable "GTS Root R4" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed."); $LogPrint warning $0 ("Downloading required certificate failed.");
:error false; :error false;
} }
@ -1241,7 +1248,7 @@
:global SymbolForNotification; :global SymbolForNotification;
:global ValidateSyntax; :global ValidateSyntax;
:if ([ $CertificateAvailable "ISRG Root X2" ] = false) do={ :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading certificate failed, trying without."); $LogPrint warning $0 ("Downloading certificate failed, trying without.");
} }
@ -1292,7 +1299,7 @@
} }
:if ([ :len ($ScriptInfo->"certificate") ] > 0) do={ :if ([ :len ($ScriptInfo->"certificate") ] > 0) do={
:if ([ $CertificateAvailable ($ScriptInfo->"certificate") ] = false) do={ :if ([ $CertificateAvailable ($ScriptInfo->"certificate") "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading certificate failed, trying without."); $LogPrint warning $0 ("Downloading certificate failed, trying without.");
} }
} }

2
mod/notification-ntfy.rsc
View file

@ -109,7 +109,7 @@
:onerror Err { :onerror Err {
:if ($Server = "ntfy.sh") do={ :if ($Server = "ntfy.sh") do={
:if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={ :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed."); $LogPrint warning $0 ("Downloading required certificate failed.");
:error false; :error false;
} }

6
mod/notification-telegram.rsc
View file

@ -30,7 +30,7 @@
:return false; :return false;
} }
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={ :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed."); $LogPrint warning $0 ("Downloading required certificate failed.");
:return false; :return false;
} }
@ -72,7 +72,7 @@
:global CertificateAvailable; :global CertificateAvailable;
:global LogPrint; :global LogPrint;
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={ :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed."); $LogPrint warning $0 ("Downloading required certificate failed.");
:return false; :return false;
} }
@ -197,7 +197,7 @@
"&reply_to_message_id=" . ($Notification->"replyto") . "&message_thread_id=" . $ThreadId . \ "&reply_to_message_id=" . ($Notification->"replyto") . "&message_thread_id=" . $ThreadId . \
"&disable_web_page_preview=true&parse_mode=MarkdownV2"); "&disable_web_page_preview=true&parse_mode=MarkdownV2");
:onerror Err { :onerror Err {
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={ :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed."); $LogPrint warning $0 ("Downloading required certificate failed.");
:error false; :error false;
} }

2
netwatch-dns.rsc
View file

@ -112,7 +112,7 @@
:foreach DohServer in=$DohServers do={ :foreach DohServer in=$DohServers do={
:if ([ :len ($DohServer->"doh-cert") ] > 0) do={ :if ([ :len ($DohServer->"doh-cert") ] > 0) do={
:if ([ $CertificateAvailable ($DohServer->"doh-cert") ] = false) do={ :if ([ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={
$LogPrint warning $ScriptName ("Downloading certificate failed, trying without."); $LogPrint warning $ScriptName ("Downloading certificate failed, trying without.");
} }
} }

2
telegram-chat.rsc
View file

@ -61,7 +61,7 @@
:set TelegramRandomDelay 0; :set TelegramRandomDelay 0;
} }
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={ :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint warning $ScriptName ("Downloading required certificate failed."); $LogPrint warning $ScriptName ("Downloading required certificate failed.");
:set ExitOK true; :set ExitOK true;
:error false; :error false;

2
update-tunnelbroker.rsc
View file

@ -28,7 +28,7 @@
:error false; :error false;
} }
:if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" ] = false) do={ :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint error $ScriptName ("Downloading required certificate failed."); $LogPrint error $ScriptName ("Downloading required certificate failed.");
:set ExitOK true; :set ExitOK true;
:error false; :error false;