diff --git a/certs/Makefile b/certs/Makefile index 3ccad6e2..4114b3ff 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -9,17 +9,17 @@ CURL = curl \ DOMAINS_DUAL = \ api.macvendors.com/GTS-Root-R4 \ api.telegram.org/Go-Daddy-Root-Certificate-Authority-G2 \ - cloudflare-dns.com/DigiCert-Global-Root-G2 \ + cloudflare-dns.com/SSL-com-Root-Certification-Authority-ECC \ dns.google/GTS-Root-R4 \ dns.quad9.net/DigiCert-Global-Root-G3 \ git.eworm.de/ISRG-Root-X2 \ - lists.blocklist.de/Certum-Trusted-Network-CA \ + lists.blocklist.de/GTS-Root-R4 \ matrix.org/GTS-Root-R4 \ raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \ rsc.eworm.de/ISRG-Root-X2 \ upgrade.mikrotik.com/ISRG-Root-X1 DOMAINS_IPV4 = \ - 1.1.1.1/DigiCert-Global-Root-G2 \ + 1.1.1.1/SSL-com-Root-Certification-Authority-ECC \ 8.8.8.8/GTS-Root-R1 \ 9.9.9.9/DigiCert-Global-Root-G3 \ api.mullvad.net/ISRG-Root-X1 \ @@ -27,10 +27,10 @@ DOMAINS_IPV4 = \ ipv4.tunnelbroker.net/Starfield-Root-Certificate-Authority-G2 \ mkcert.org/ISRG-Root-X1 \ ntfy.sh/ISRG-Root-X1 \ - www.dshield.org/ISRG-Root-X1 \ + www.dshield.org/GTS-Root-R4 \ www.spamhaus.org/GTS-Root-R4 DOMAINS_IPV6 = \ - [2606\:4700\:4700\:\:1111]/DigiCert-Global-Root-G2 \ + [2606\:4700\:4700\:\:1111]/SSL-com-Root-Certification-Authority-ECC \ [2001\:4860\:4860\:\:8888]/GTS-Root-R1 \ [2620\:fe\:\:9]/DigiCert-Global-Root-G3 \ ipv6.showipv6.de/ISRG-Root-X1 diff --git a/certs/SSL-com-Root-Certification-Authority-ECC.pem b/certs/SSL-com-Root-Certification-Authority-ECC.pem new file mode 100644 index 00000000..f1166839 --- /dev/null +++ b/certs/SSL-com-Root-Certification-Authority-ECC.pem @@ -0,0 +1,23 @@ +# Issuer: CN=SSL.com Root Certification Authority ECC O=SSL Corporation +# Subject: CN=SSL.com Root Certification Authority ECC O=SSL Corporation +# Label: "SSL.com Root Certification Authority ECC" +# Serial: 8495723813297216424 +# MD5 Fingerprint: 2e:da:e4:39:7f:9c:8f:37:d1:70:9f:26:17:51:3a:8e +# SHA1 Fingerprint: c3:19:7c:39:24:e6:54:af:1b:c4:ab:20:95:7a:e2:c3:0e:13:02:6a +# SHA256 Fingerprint: 34:17:bb:06:cc:60:07:da:1b:96:1c:92:0b:8a:b4:ce:3f:ad:82:0e:4a:a3:0b:9a:cb:c4:a7:4e:bd:ce:bc:65 +-----BEGIN CERTIFICATE----- +MIICjTCCAhSgAwIBAgIIdebfy8FoW6gwCgYIKoZIzj0EAwIwfDELMAkGA1UEBhMC +VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T +U0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0 +aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNDAzWhcNNDEwMjEyMTgxNDAz +WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0 +b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNvbSBS +b290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuB +BAAiA2IABEVuqVDEpiM2nl8ojRfLliJkP9x6jh3MCLOicSS6jkm5BBtHllirLZXI +7Z4INcgn64mMU1jrYor+8FsPazFSY0E7ic3s7LaNGdM0B9y7xgZ/wkWV7Mt/qCPg +CemB+vNH06NjMGEwHQYDVR0OBBYEFILRhXMw5zUE044CkvvlpNHEIejNMA8GA1Ud +EwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUgtGFczDnNQTTjgKS++Wk0cQh6M0wDgYD +VR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2cAMGQCMG/n61kRpGDPYbCWe+0F+S8T +kdzt5fxQaxFGRrMcIQBiu77D5+jNB5n5DQtdcj7EqgIwH7y6C+IwJPt8bYBVCpk+ +gA0z5Wajs6O7pdWLjwkspl1+4vAHCGht0nxpbl/f5Wpl +-----END CERTIFICATE----- diff --git a/check-certificates.rsc b/check-certificates.rsc index 1dd61299..9aa11c10 100644 --- a/check-certificates.rsc +++ b/check-certificates.rsc @@ -194,11 +194,13 @@ :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $FetchName ] ] . "\\.(p12|pem)_[0-9]+\$") \ (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \ - fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ]; + fingerprint!=[ :tostr ($CertVal->"fingerprint") ] ]; :local CertNewVal [ /certificate/get $CertNew ]; - :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={ - $LogPrint warning $ScriptName ("The certificate chain is not available!"); + :if (($CertVal->"expires-after") > ($CertNewVal->"expires-after")) do={ + /certificate/remove $CertNew; + $LogPrint warning $ScriptName ("Old certificate is newer than the new one. Aborting renew."); + :error false; } :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={ @@ -207,6 +209,10 @@ :error false; } + :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={ + $LogPrint warning $ScriptName ("The certificate chain is not available!"); + } + /ip/service/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ]; /ip/ipsec/identity/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ]; diff --git a/doc/netwatch-dns.md b/doc/netwatch-dns.md index 23190b12..75933645 100644 --- a/doc/netwatch-dns.md +++ b/doc/netwatch-dns.md @@ -37,11 +37,11 @@ The DNS and DoH servers to be checked have to be added to netwatch with specific comment: /tool/netwatch/add comment="doh" host=1.1.1.1; - /tool/netwatch/add comment="dns" host=8.8.8.8; /tool/netwatch/add comment="doh, dns" host=9.9.9.9; + /tool/netwatch/add comment="dns" host=8.8.8.8; This will configure *cloudflare-dns* for DoH (`https://1.1.1.1/dnsquery`), and -*google-dns* and *quad-nine* for regular DNS (`8.8.8.8,9.9.9.9`) if up. +*quad-nine* and *google-dns* for regular DNS (`9.9.9.9,8.8.8.8`) if up. If *cloudflare-dns* is down the script will fall back to *quad-nine* for DoH. Giving a specific query url for DoH is possible: @@ -55,20 +55,26 @@ resolves to the same address. /ip/dns/static/add name="cloudflare-dns.com" address=1.1.1.1; /tool/netwatch/add comment="doh" host=1.1.1.1; + /ip dns static add name=dns.quad9.net address=9.9.9.9; + /tool/netwatch/add comment="doh" host=9.9.9.9; + /ip/dns/static/add name=dns.google address=8.8.8.8; + /tool/netwatch/add comment="doh" host=8.8.8.8; Be aware that you have to keep the ip address in sync with real world manually! Importing a certificate automatically is possible. You may want to find the -[certificate name from browser](../CERTIFICATES.md). +[certificate name from browser](../CERTIFICATES.md). Sometimes a service +randomly switches the CA used to issue the certificate, or it just depends +geolocation - give several certificate delimited with colon (`:`) then. - /tool/netwatch/add comment="doh, doh-cert=DigiCert Global Root G2" host=1.1.1.1; + /tool/netwatch/add comment="doh, doh-cert=SSL.com Root Certification Authority ECC" host=1.1.1.1; /tool/netwatch/add comment="doh, doh-cert=DigiCert Global Root G3" host=9.9.9.9; - /tool/netwatch/add comment="doh, doh-cert=GTS Root R1" host=8.8.8.8; + /tool/netwatch/add comment="doh, doh-cert=GTS Root R1:GTS Root R4" host=8.8.8.8; > ⚠️ **Warning**: Combining these techniques can cause some confusion and > troubles! Chances are that a service uses different certificates based -> on indicated server name. +> on indicated server name (or ip address). Sometimes using just one specific (possibly internal) DNS server may be desired, with fallback in case it fails. This is possible as well: diff --git a/global-config.rsc b/global-config.rsc index 25254123..9c35d13f 100644 --- a/global-config.rsc +++ b/global-config.rsc @@ -117,9 +117,9 @@ # # higher level (decrease the numerical value) for more addresses, and vice versa cert="USERTrust RSA Certification Authority" }; { url="https://www.dshield.org/block.txt"; cidr="/24"; - cert="ISRG Root X1" }; + cert="GTS Root R4" }; { url="https://lists.blocklist.de/lists/strongips.txt"; - cert="Certum Trusted Network CA" }; + cert="GTS Root R4" }; # { url="https://www.spamhaus.org/drop/drop_v4.json"; # cert="GTS Root R4" }; # { url="https://www.spamhaus.org/drop/drop_v6.json"; diff --git a/global-functions.rsc b/global-functions.rsc index 5c70a463..5d2a5044 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -150,9 +150,9 @@ :local CertVal [ /certificate/get [ find where common-name=$CommonName ] ]; :while (($CertVal->"akid") != "" && ($CertVal->"akid") != ($CertVal->"skid")) do={ :if ([ :len [ /certificate/find where skid=($CertVal->"akid") ] ] = 0) do={ - $LogPrint info $0 ("Certificate chain for '" . $CommonName . \ - "' is incomplete, missing '" . ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") . "'."); - :if ([ $CertificateDownload $CommonName ] = false) do={ + :local IssuerCN ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN"); + $LogPrint info $0 ("Certificate chain for '" . $CommonName . "' is incomplete, missing '" . $IssuerCN . "'."); + :if ([ $CertificateDownload $IssuerCN ] = false) do={ :return false; } } diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc index 2edbdf8c..06a15f95 100644 --- a/netwatch-dns.rsc +++ b/netwatch-dns.rsc @@ -17,6 +17,7 @@ :local ScriptName [ :jobname ]; :global CertificateAvailable; + :global CharacterReplace; :global EitherOr; :global IsDNSResolving; :global LogPrint; @@ -103,10 +104,12 @@ } :foreach DohServer in=$DohServers do={ - :if ([ :len ($DohServer->"doh-cert") ] > 0) do={ - :if ([ $CertificateAvailable ($DohServer->"doh-cert") "fetch" ] = false || \ - [ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={ - $LogPrint warning $ScriptName ("Downloading certificate failed, trying without."); + :foreach DohCert in=[ :toarray [ $CharacterReplace ($DohServer->"doh-cert") ":" "," ] ] do={ + :if ([ :len $DohCert ] > 0) do={ + :if ([ $CertificateAvailable $DohCert "fetch" ] = false || \ + [ $CertificateAvailable $DohCert "dns" ] = false) do={ + $LogPrint warning $ScriptName ("Downloading certificate '" . $DohCert . "' failed, trying without."); + } } }