diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md index e033b576..df64aa7e 100644 --- a/INITIAL-COMMANDS.md +++ b/INITIAL-COMMANDS.md @@ -18,9 +18,9 @@ Run the complete base installation: { :local BaseUrl "https://rsc.eworm.de/main/"; - :local CertCommonName "Root YE"; - :local CertFileName "Root-YE.pem"; - :local CertFingerprint "e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666"; + :local CertCommonName "ISRG Root X2"; + :local CertFileName "ISRG-Root-X2.pem"; + :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"; :local CertSettings [ /certificate/settings/get ]; :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \ diff --git a/README.d/01-download-certs.avif b/README.d/01-download-certs.avif index e4d8755c..f2afeb54 100644 Binary files a/README.d/01-download-certs.avif and b/README.d/01-download-certs.avif differ diff --git a/README.d/03-check-certs.avif b/README.d/03-check-certs.avif index 6610ac47..1f03ad2c 100644 Binary files a/README.d/03-check-certs.avif and b/README.d/03-check-certs.avif differ diff --git a/README.md b/README.md index 0bcd7083..f7143ddf 100644 --- a/README.md +++ b/README.md 
@@ -126,18 +126,18 @@ If you intend to download the scripts from a different location (for example from github.com) install the corresponding certificate chain. - /tool/fetch "https://rsc.eworm.de/main/certs/Root-YE.pem" dst-path="root-ye.pem"; + /tool/fetch "https://rsc.eworm.de/main/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem"; ![screenshot: download certs](README.d/01-download-certs.avif) > ℹ️ **Info**: Note that the command above does *not* verify server > certificate, so if you want to be safe download with your workstations's > browser from CA's website and transfer the file to your MikroTik device: -> *Let's Encrypt* / *ISRG* [Root YE ↗️](https://letsencrypt.org/certs/gen-y/root-ye.pem) +> *Let's Encrypt* / *ISRG* [ISRG Root X2 ↗️](https://letsencrypt.org/certs/isrg-root-x2.pem) Then we import the certificate. - /certificate/import file-name="root-ye.pem" passphrase=""; + /certificate/import file-name="isrg-root-x2.pem" passphrase=""; Do not worry that the command is not shown - that happens because it contains a sensitive property, the passphrase. @@ -145,11 +145,11 @@ a sensitive property, the passphrase. ![screenshot: import certs](README.d/02-import-certs.avif) For basic verification we rename the certificate and print it by -fingerprint. Make sure exactly this one certificate ("*Root-YE*") +fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*") is shown. - /certificate/set name="Root-YE" [ find where common-name="Root YE" ]; - /certificate/print proplist=name,fingerprint where fingerprint="e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666"; + /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ]; + /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"; ![screenshot: check certs](README.d/03-check-certs.avif) diff --git a/backup-email.rsc b/backup-email.rsc index fcafff45..70b18c06 100644 --- a/backup-email.rsc 
+++ b/backup-email.rsc @@ -16,6 +16,7 @@ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50; :local ScriptName [ :jobname ]; + :global BackupFileNameDate; :global BackupPassword; :global BackupRandomDelay; :global BackupSendBinary; @@ -73,7 +74,9 @@ # filename based on identity :local DirName ("tmpfs/" . $ScriptName); - :local FileName [ $CleanName ($Identity . "." . $Domain) ]; + :local Clock [ /system/clock/get ]; + :local FileName [ $CleanName ($Identity . "." . $Domain . [ $IfThenElse \ + ($BackupFileNameDate = true) ("-" . $Clock->"date" . "-" . $Clock->"time") "" ] ) ]; :local FilePath ($DirName . "/" . $FileName); :local BackupFile "none"; :local ExportFile "none"; diff --git a/backup-upload.rsc b/backup-upload.rsc index bded570c..b89d123d 100644 --- a/backup-upload.rsc +++ b/backup-upload.rsc @@ -17,6 +17,7 @@ do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50; :local ScriptName [ :jobname ]; + :global BackupFileNameDate; :global BackupPassword; :global BackupRandomDelay; :global BackupSendBinary; @@ -72,7 +73,9 @@ # filename based on identity :local DirName ("tmpfs/" . $ScriptName); - :local FileName [ $CleanName ($Identity . "." . $Domain) ]; + :local Clock [ /system/clock/get ]; + :local FileName [ $CleanName ($Identity . "." . $Domain . [ $IfThenElse \ + ($BackupFileNameDate = true) ("-" . $Clock->"date" . "-" . $Clock->"time") "" ] ) ]; :local FilePath ($DirName . "/" . $FileName); :local BackupFile "none"; :local ExportFile "none"; diff --git a/certs/Makefile b/certs/Makefile index c9a33798..8b516e4d 100644 --- a/certs/Makefile +++ b/certs/Makefile 
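Review bot: The new `:local FileName` in backup-email.rsc appends `$Clock->"date"` and `$Clock->"time"` taken directly from `/system/clock/get`, and the same three lines are repeated verbatim in the backup-upload.rsc hunk at `@@ -72,7 +73,9 @@`. The time value contains colons and the date format differs between RouterOS releases (`mmm/dd/yyyy` on older ones), so the filename is only filesystem-safe and sortable if `$CleanName` rewrites those characters — its definition is outside this diff, so confirm it does. A comment above the `:local Clock` line would spare the next reader that lookup, e.g. `# optional date/time suffix; characters like ':' and '/' are left for $CleanName to rewrite`. With the option enabled each run also produces a new name, so uploaded backups no longer replace the previous file and accumulate on the remote target unless retention is handled there; presumably intended, but worth a sentence in the doc entry for `BackupFileNameDate`. The surrounding script body starts before and ends after both hunks.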
@@ -12,12 +12,12 @@ DOMAINS_DUAL = \ cloudflare-dns.com/SSL-com-Root-Certification-Authority-ECC \ dns.google/GTS-Root-RX \ dns.quad9.net/DigiCert-Global-Root-G3 \ - git.eworm.de/Root-YE \ + git.eworm.de/ISRG-Root-X2 \ gitlab.com/USERTrust-RSA-Certification-Authority \ lists.blocklist.de/GTS-Root-R4 \ matrix.org/GTS-Root-R4 \ raw.githubusercontent.com/ISRG-Root-X1 \ - rsc.eworm.de/Root-YE \ + rsc.eworm.de/ISRG-Root-X2 \ upgrade.mikrotik.com/ISRG-Root-X1 DOMAINS_IPV4 = \ 1.1.1.1/SSL-com-Root-Certification-Authority-ECC \ diff --git a/doc/backup-email.md b/doc/backup-email.md index cf334697..e55a0d7b 100644 --- a/doc/backup-email.md +++ b/doc/backup-email.md @@ -34,6 +34,7 @@ Configuration The configuration goes to `global-config-overlay`, these are the parameters: +* `BackupFileNameDate`: whether to add date & time in filenames * `BackupSendBinary`: whether to send binary backup * `BackupSendExport`: whether to send configuration export * `BackupSendGlobalConfig`: whether to send `global-config-overlay` diff --git a/doc/backup-upload.md b/doc/backup-upload.md index 221cb721..bbf5227b 100644 --- a/doc/backup-upload.md +++ b/doc/backup-upload.md @@ -40,6 +40,7 @@ Configuration The configuration goes to `global-config-overlay`, these are the parameters: +* `BackupFileNameDate`: whether to add date & time in filenames * `BackupSendBinary`: whether to send binary backup * `BackupSendExport`: whether to send configuration export * `BackupSendGlobalConfig`: whether to send `global-config-overlay` diff --git a/global-config.rsc b/global-config.rsc index 12c85916..0bb572b5 100644 --- a/global-config.rsc +++ b/global-config.rsc 
@@ -90,7 +90,9 @@ # Toggle this to disable color output in terminal/cli. :global TerminalColorOutput true; -# This defines what backups to generate and what password to use. +# This defines whether to add date & time in filenames, what backups to generate, +# the password to use, and what random delay (between 0 and given seconds) to apply. +:global BackupFileNameDate false; :global BackupSendBinary false; :global BackupSendExport true; :global BackupSendGlobalConfig true; diff --git a/global-functions.rsc b/global-functions.rsc index 413517f3..30b0ccbc 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -15,7 +15,7 @@ # Git commit id & info, expected configuration version :global CommitId "unknown"; :global CommitInfo "unknown"; -:global ExpectedConfigVersion 142; +:global ExpectedConfigVersion 143; # global variables not to be changed by user :global GlobalFunctionsReady false; @@ -310,7 +310,7 @@ :for I from=0 to=([ :len $Input ] - 1) do={ :local Char [ :pick $Input $I ]; - :if ([ :typeof [ find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={ + :if ([ :typeof [ :find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={ :do { :if ([ :len $Return ] = 0) do={ :error true; @@ -812,10 +812,15 @@ # check if DNS is resolving :set IsDNSResolving do={ :do { - :resolve "low-ttl.eworm.de"; + :local I 1; + :retry { + :set I ($I ^ 1); + :resolve ("low-ttl.eworm." . ({ "de"; "net" }->$I)); + } delay=50ms max=6; } on-error={ :return false; } + :return true; } @@ -1200,10 +1205,12 @@ } :onerror Err { - /file/remove $DirName; + /file/remove [ find where name=$DirName ]; } do={ - $LogPrint error $0 ("Removing directory '" . $DirName . "' failed: " . $Err); - :return false; + :if (!($Err ~ "no such item")) do={ + $LogPrint error $0 ("Removing directory '" . $DirName . "' failed: " . $Err); + :return false; + } } :return true; } 
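Review bot: The `:set I ($I ^ 1)` toggle in IsDNSResolving flips the index before each `:resolve`, so attempts alternate `de`, `net`, `de`, … and each name is tried three times under `max=6`, but nothing in the hunk says why; a comment above `:retry`, e.g. `# alternate between the .de and .net zone so an outage of one zone is not reported as a resolver failure`, would record the intent (the reason is inferred, adjust if it differs). Because every failed attempt may wait for the resolver timeout before the `delay=50ms`, the worst-case run time of this check can grow up to six times compared with the single lookup it replaces; callers that run it inline may want that noted next to `max=6`. The same toggle-and-index pattern appears in the netwatch-dns.rsc hunk, so a shared comment or helper would keep the two in step.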
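Review bot: The new `:if (!($Err ~ "no such item"))` decides success by regex-matching the error text, and the file-removal hunk at `@@ -1229,10 +1236,12 @@` repeats it: a RouterOS release that rewords the message turns the missing-item case back into a logged failure, while any unrelated error whose text happens to contain that phrase is treated as success. Since the call already uses `[ find where name=$DirName ]`, the absent case can be tested explicitly instead, e.g. `:if ([ :len [ /file/find where name=$DirName ] ] > 0) do={ /file/remove [ find where name=$DirName ]; }`, leaving `:onerror` for genuine failures — assuming it is the empty find result that raises `no such item`, which the hunk does not show. Whichever form stays, a comment like `# an item that is already gone counts as removed` should say why the error is ignored. The enclosing function begins before the hunk.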
@@ -1229,10 +1236,12 @@ } :onerror Err { - /file/remove $FileName; + /file/remove [ find where name=$FileName ]; } do={ - $LogPrint error $0 ("Removing file '" . $FileName . "' failed: " . $Err); - :return false; + :if (!($Err ~ "no such item")) do={ + $LogPrint error $0 ("Removing file '" . $FileName . "' failed: " . $Err); + :return false; + } } :return true; } @@ -1292,7 +1301,8 @@ :global SymbolForNotification; :global ValidateSyntax; - :if ([ $CertificateAvailable "Root YE" "fetch" ] = false) do={ + :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false || \ + [ $CertificateAvailable "Root YE" "fetch" ] = false) do={ $LogPrint warning $0 ("Downloading certificate failed, trying without."); } diff --git a/ipv6-update.rsc b/ipv6-update.rsc index dadca54c..f93e2786 100644 --- a/ipv6-update.rsc +++ b/ipv6-update.rsc @@ -54,7 +54,7 @@ :local Pool [ /ipv6/pool/get [ find where prefix=$PdPrefix ] name ]; :if ([ :len [ /ipv6/firewall/address-list/find where comment=("ipv6-pool-" . $Pool) ] ] = 0) do={ /ipv6/firewall/address-list/add list=("ipv6-pool-" . $Pool) address=:: comment=("ipv6-pool-" . $Pool) dynamic=yes; - $LogPrint warning $ScriptName ("Added dynamic ipv6 address list entry for ipv6-pool-" . $Pool); + $LogPrint info $ScriptName ("Added dynamic ipv6 address list entry for ipv6-pool-" . $Pool); } :local AddrList [ /ipv6/firewall/address-list/find where comment=("ipv6-pool-" . $Pool) ]; :local OldPrefix [ /ipv6/firewall/address-list/get ($AddrList->0) address ]; diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc index 9531d4ad..7c6a7b5b 100644 --- a/netwatch-dns.rsc +++ b/netwatch-dns.rsc 
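Review bot: The `||` condition logs the same generic `Downloading certificate failed, trying without.` whether `ISRG Root X2` or the legacy `Root YE` is the one that could not be obtained, so the log does not tell an operator which chain is missing, and once `Root YE` is no longer published the warning fires on every run even though the current root is present. Checking each name separately and putting the common name into the message makes it actionable, e.g. `$LogPrint warning $0 ("Downloading certificate '" . $CertName . "' failed, trying without.");` with `$CertName` bound in a `:foreach` over the two names. Whether both roots are still needed for the fetch is not visible here; if `Root YE` is only kept for devices not yet migrated, a comment such as `# Root YE kept during migration to ISRG Root X2, remove later` would mark it. The enclosing function starts before and ends after the hunk.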
@@ -115,13 +115,15 @@ :local Data false; :onerror Err { + :local I 1; :retry { + :set I ($I ^ 1); :set Data ([ /tool/fetch check-certificate=yes-without-crl output=user \ http-header-field=({ "accept: application/dns-message" }) \ url=(($DohServer->"doh-url") . "?dns=" . [ :convert to=base64 ([ :rndstr length=2 ] . \ - "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm\02de\00" . \ - "\00\10" . "\00\01") ]) as-value ]->"data"); - } delay=1s max=3; + "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm" . \ + ({ "\02de"; "\03net" }->$I) . "\00" . "\00\10" . "\00\01") ]) as-value ]->"data"); + } delay=500ms max=6; } do={ $LogPrint warning $ScriptName ("Request to DoH server " . ($DohServer->"doh-url") . \ " failed: " . $Err); diff --git a/news-and-changes.rsc b/news-and-changes.rsc index 2c1a0272..ed60a6c2 100644 --- a/news-and-changes.rsc +++ b/news-and-changes.rsc @@ -67,6 +67,7 @@ 140="The scripts 'lease-script' was renamed to 'dhcpv4-server-lease', configuration was updated automatically."; 141="Introduced script 'dhcpv6-client-lease' to run several scripts on IPv6 DHCP client lease."; 142="Added a setting for 'mod/notification-email' to check availability of certificate chain."; + 143="Made backup scripts 'backup-email' and 'backup-upload' support date & time in filenames."; }; # Migration steps to be applied on script updates
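Review bot: The `.net` query is one byte longer than the `.de` one (12-byte header, `\09doh-check` 10, `\05eworm` 6, `\03net` 4 instead of `\02de` 3, root label 1, type and class 4: 37 bytes versus 36), so if `:convert to=base64` emits standard padded base64 the `?dns=` value now ends in `==` on every other attempt, whereas the 36-byte query encodes without padding. RFC 8484 requires the `dns` GET parameter to be base64url without padding, so a strict resolver can reject exactly the `.net` attempts and the check then reports a DoH failure that is really an encoding mismatch. Strip trailing `=` (and map `+`/`/` to `-`/`_` for completeness) before appending, or send the message as a POST body with `http-method=post` and `http-data=`, and add a comment above `:retry` that the index toggle alternates between the `.de` and `.net` zone (reason inferred). The enclosing block starts before and ends after the hunk.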