groove/routeros-scripts-main
1
0
Fork 0
mirror of https://github.com/eworm-de/routeros-scripts.git synced 2025-12-06 09:59:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'builtin-trust-store' into next

Browse source
This commit is contained in:
Christian Hesse 2025-11-10 12:14:10 +01:00
commit b7fb8737e9
12 changed files with 32 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

2
CERTIFICATES.md
View file

@ -61,7 +61,7 @@ Import a certificate by CommonName
Running the function `$CertificateAvailable` with that name as parameter
makes sure the certificate is available in the device's store:
$CertificateAvailable "ISRG Root X2";
$CertificateAvailable "ISRG Root X2" "fetch";
If the certificate is actually available already nothing happens, and there
is no output. Otherwise the certificate is downloaded and imported.

7
INITIAL-COMMANDS.md
View file

@ -22,8 +22,11 @@ Run the complete base installation:
:local CertFileName "ISRG-Root-X2.pem";
:local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
:if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
[[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
:local CertSettings [ /certificate/settings/get ];
:if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
($CertSettings->"builtin-trust-store") ~ "fetch" || \
($CertSettings->"builtin-trust-store") = "all") && \
[[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
:put "Importing certificate...";
/tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value;
:delay 1s;

3
README.md
View file

@ -79,6 +79,9 @@ download the certificates.
> to [installation of scripts](#installation-of-scripts) if you set the
> trust for these builtin trust anchors:
> `/certificate/settings/set builtin-trust-anchors=trusted;`
> With RouterOS 7.21 the functionality was changed. Set this at minimum,
> but make sure not to drop other targets:
> `/certificate/settings/set builtin-trust-store=fetch;`
If you intend to download the scripts from a
different location (for example from github.com) install the corresponding

2
check-certificates.rsc
View file

@ -189,7 +189,7 @@
fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
:local CertNewVal [ /certificate/get $CertNew ];
:if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
:if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={
$LogPrint warning $ScriptName ("The certificate chain is not available!");
}

2
doc/mod/notification-matrix.md
View file

@ -49,7 +49,7 @@ your server in device's certificate store.
The example below is for `matrix.org`, which uses a trust chain from *Google
Trust Services*. Run this to import the required certificate:
$CertificateAvailable "GTS Root R4";
$CertificateAvailable "GTS Root R4" "fetch";
Replace the CA certificate name with what ever is needed for your server.
You may want to find the

2
fw-addr-lists.rsc
View file

@ -74,7 +74,7 @@
:if ([ :len ($List->"cert") ] > 0) do={
:set CheckCertificate true;
:if ([ $CertificateAvailable ($List->"cert") ] = false) do={
:if ([ $CertificateAvailable ($List->"cert") "fetch" ] = false) do={
$LogPrint warning $ScriptName ("Downloading required certificate (" . $FwListName . \
" / " . $List->"url" . ") failed, trying anyway.");
}

17
global-functions.rsc
View file

@ -106,11 +106,15 @@
# check and download required certificate
:set CertificateAvailable do={
:local CommonName [ :tostr $1 ];
:local UseFor [ :tostr $2 ];
:global CertificateDownload;
:global EitherOr;
:global LogPrint;
:global ParseKeyValueStore;
:set UseFor [ $EitherOr $UseFor "undefined" ];
:if ([ /system/resource/get free-hdd-space ] < 8388608 && \
[ /certificate/settings/get crl-download ] = true && \
[ /certificate/settings/get crl-store ] = "system") do={
@ -123,7 +127,10 @@
:return false;
}
:if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
:local CertSettings [ /certificate/settings/get ];
:if ((($CertSettings->"builtin-trust-anchors") = "trusted" || \
($CertSettings->"builtin-trust-store") ~ $UseFor || \
($CertSettings->"builtin-trust-store") = "all") && \
[[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={
:return true;
}
@ -397,7 +404,7 @@
:return true;
}
:if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
:if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
$LogPrint error $0 ("Downloading required certificate failed.");
:return false;
}
@ -633,7 +640,7 @@
}
:do {
:if ([ $CertificateAvailable "GTS Root R4" ] = false) do={
:if ([ $CertificateAvailable "GTS Root R4" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed.");
:error false;
}
@ -1241,7 +1248,7 @@
:global SymbolForNotification;
:global ValidateSyntax;
:if ([ $CertificateAvailable "ISRG Root X2" ] = false) do={
:if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading certificate failed, trying without.");
}
@ -1292,7 +1299,7 @@
}
:if ([ :len ($ScriptInfo->"certificate") ] > 0) do={
:if ([ $CertificateAvailable ($ScriptInfo->"certificate") ] = false) do={
:if ([ $CertificateAvailable ($ScriptInfo->"certificate") "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading certificate failed, trying without.");
}
}

2
mod/notification-ntfy.rsc
View file

@ -109,7 +109,7 @@
:onerror Err {
:if ($Server = "ntfy.sh") do={
:if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
:if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed.");
:error false;
}

6
mod/notification-telegram.rsc
View file

@ -30,7 +30,7 @@
:return false;
}
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed.");
:return false;
}
@ -72,7 +72,7 @@
:global CertificateAvailable;
:global LogPrint;
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed.");
:return false;
}
@ -197,7 +197,7 @@
"&reply_to_message_id=" . ($Notification->"replyto") . "&message_thread_id=" . $ThreadId . \
"&disable_web_page_preview=true&parse_mode=MarkdownV2");
:onerror Err {
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading required certificate failed.");
:error false;
}

2
netwatch-dns.rsc
View file

@ -112,7 +112,7 @@
:foreach DohServer in=$DohServers do={
:if ([ :len ($DohServer->"doh-cert") ] > 0) do={
:if ([ $CertificateAvailable ($DohServer->"doh-cert") ] = false) do={
:if ([ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={
$LogPrint warning $ScriptName ("Downloading certificate failed, trying without.");
}
}

2
telegram-chat.rsc
View file

@ -61,7 +61,7 @@
:set TelegramRandomDelay 0;
}
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
:if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint warning $ScriptName ("Downloading required certificate failed.");
:set ExitOK true;
:error false;

2
update-tunnelbroker.rsc
View file

@ -28,7 +28,7 @@
:error false;
}
:if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" ] = false) do={
:if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" "fetch" ] = false) do={
$LogPrint error $ScriptName ("Downloading required certificate failed.");
:set ExitOK true;
:error false;