From 2d475ba169bfcf69361bc05d542168b255e9f2f5 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Tue, 10 Mar 2026 16:20:26 +0100
Subject: [PATCH 1/7] global-functions: $ScriptInstallUpdate: warn when script exists... ... but is requested to be added.
---
 global-functions.rsc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/global-functions.rsc b/global-functions.rsc
index e0a73045..cb74f991 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -1290,7 +1290,9 @@
 }
 :foreach Script in=$Scripts do={
- :if ([ :len [ /system/script/find where name=$Script ] ] = 0) do={
+ :if ([ :len [ /system/script/find where name=$Script ] ] > 0) do={
+ $LogPrint warning $0 ("Requested to add script '" . $Script . "', but that exists already!");
+ } else={
 $LogPrint info $0 ("Adding new script: " . $Script);
 /system/script/add name=$Script owner=$Script source="#!rsc by RouterOS\n" comment=$NewComment;
 }
From 76ae9686cf862b4f803494bff967118c459a76d1 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 12 Mar 2026 10:54:10 +0100
Subject: [PATCH 2/7] fw-addr-lists: raw.githubusercontent.com requires 'ISRG Root X1' now
---
 certs/Makefile | 2 +-
 global-config.rsc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/certs/Makefile b/certs/Makefile
index b0f029ab..c9a33798 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -16,7 +16,7 @@ DOMAINS_DUAL = \
 gitlab.com/USERTrust-RSA-Certification-Authority \
 lists.blocklist.de/GTS-Root-R4 \
 matrix.org/GTS-Root-R4 \
- raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \
+ raw.githubusercontent.com/ISRG-Root-X1 \
 rsc.eworm.de/Root-YE \
 upgrade.mikrotik.com/ISRG-Root-X1
 DOMAINS_IPV4 = \
diff --git a/global-config.rsc b/global-config.rsc
index e8a86aac..1425764c 100644
--- a/global-config.rsc
+++ b/global-config.rsc
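Review bot: The new warning branch in the global-functions.rsc hunk does not say what happens to the request: only `$LogPrint` runs there, so the existing script is kept and the `$NewComment` given with the request is not applied in this branch (whether code after the loop applies it is outside the hunk). I would say so in the message, e.g. `$LogPrint warning $0 ("Requested to add script '" . $Script . "', but that exists already! Keeping the existing script.");`. The same hunk appears again as PATCH 3/7 with identical blob ids (e0a73045..cb74f991), so that patch looks like a duplicate and would presumably not apply on top of 1/7.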
@@ -115,7 +115,7 @@
 # cert="Root YE" };
 { url="https://raw.githubusercontent.com/stamparm/ipsum/refs/heads/master/levels/4.txt";
 # # higher level (decrease the numerical value) for more addresses, and vice versa
- cert="USERTrust RSA Certification Authority" };
+ cert="ISRG Root X1" };
 { url="https://www.dshield.org/block.txt"; cidr="/24";
 cert="GTS Root R4" };
 { url="https://lists.blocklist.de/lists/strongips.txt";
From 538071631dfd22a0bf24d054c58e9dddda23bced Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Tue, 10 Mar 2026 16:20:26 +0100
Subject: [PATCH 3/7] global-functions: $ScriptInstallUpdate: warn when script exists... ... but is requested to be added.
---
 global-functions.rsc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/global-functions.rsc b/global-functions.rsc
index e0a73045..cb74f991 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -1290,7 +1290,9 @@
 }
 :foreach Script in=$Scripts do={
- :if ([ :len [ /system/script/find where name=$Script ] ] = 0) do={
+ :if ([ :len [ /system/script/find where name=$Script ] ] > 0) do={
+ $LogPrint warning $0 ("Requested to add script '" . $Script . "', but that exists already!");
+ } else={
 $LogPrint info $0 ("Adding new script: " . $Script);
 /system/script/add name=$Script owner=$Script source="#!rsc by RouterOS\n" comment=$NewComment;
 }
From 491189ece4608cb6150b99ed32671bcafe7b847d Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 12 Mar 2026 11:05:24 +0100
Subject: [PATCH 4/7] doc/check-certificates: create example certificate with SAN
---
 doc/check-certificates.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/check-certificates.md b/doc/check-certificates.md
index 1e69af46..c6db7c88 100644
--- a/doc/check-certificates.md
+++ b/doc/check-certificates.md
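Review bot: The `cert=` value of the ipsum entry in global-config.rsc is swapped without any note on the line, although it is the trust anchor for a third-party block list and has to agree with the `raw.githubusercontent.com/ISRG-Root-X1` entry changed in certs/Makefile by the same patch. An installation that carries its own copy of this entry with `cert="USERTrust RSA Certification Authority"` would presumably see the download fail certificate verification from now on; whether such copies exist is not visible here. I would add a comment above the new line, e.g. `# raw.githubusercontent.com chains to 'ISRG Root X1' since 2026-03, keep in sync with certs/Makefile`, and mention the switch in the change notes. The list definition starts and ends outside the hunk.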
@@ -85,7 +85,7 @@ Given you have a certificate on you server, you can use `check-certificates` for the initial import. Just create a *dummy* certificate with short lifetime that matches criteria to be renewed:
- /certificate/add name=example.com common-name=example.com days-valid=1;
+ /certificate/add name="example.com" common-name="example.com" subject-alt-name="DNS:example.com" days-valid=1;
 /certificate/sign example.com;
 /system/script/run check-certificates;
From 0d5ee6cf234396bbec3db2e5d012bae436f589a1 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 12 Mar 2026 11:08:25 +0100
Subject: [PATCH 5/7] check-certificates: skip common-name if not available
---
 check-certificates.rsc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/check-certificates.rsc b/check-certificates.rsc
index 0122122a..ad16f802 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -177,9 +177,11 @@
 $LogPrint info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'.");
 :local ImportSuccess false;
- :set LastName ($CertVal->"common-name");
- :set FetchName $LastName;
- :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+ :if ([ :len ($CertVal->"common-name") ] > 0) do={
+ :set LastName ($CertVal->"common-name");
+ :set FetchName $LastName;
+ :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+ }
 :foreach SAN in=($CertVal->"subject-alt-name") do={
 :if ($ImportSuccess = false) do={
 :set LastName [ :pick $SAN ([ :find $SAN ":" ] + 1) [ :len $SAN ] ];
From 22c3f70dab76fbbc78ae2f81a475457cb6ebc2ae Mon Sep 17 00:00:00 2001
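Review bot: When `common-name` is empty the new `:if` in check-certificates.rsc skips the fetch without logging anything, so for a certificate whose `subject-alt-name` list is empty as well no fetch is attempted in the visible lines and nothing records why. `$LastName` and `$FetchName` are only assigned with `:set` inside the guarded block and inside the SAN loop; if they are declared outside the per-certificate scope (not visible in this hunk), a later message could carry the previous certificate's name. I would add an else branch, e.g. `} else={ $LogPrint info $ScriptName ("Certificate '" . ($CertVal->"name") . "' has no common-name, trying subject-alt-name only."); }`. The `:foreach SAN` loop continues past the end of the hunk.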
From: Christian Hesse
Date: Thu, 12 Mar 2026 11:13:20 +0100
Subject: [PATCH 6/7] check-certificates: match status code in error message The message used to be: Fetch failed with status 404 ... but changed recently: failure: Status 404, NOT FOUND The new string is in RouterOS 7.22, and changed in what ever beta or rc release. Let's just match the status code and hope for the best.
---
 check-certificates.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/check-certificates.rsc b/check-certificates.rsc
index ad16f802..6ed82b44 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -60,7 +60,7 @@
 http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
 ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
 } do={
- :if ($Err != "Fetch failed with status 404") do={
+ :if (!($Err ~ "[Ss]tatus 404")) do={
 $LogPrint warning $0 ("Failed fetching certificate: " . $Err);
 }
 :error false;
From 6aebf5720d34d87043720d34efb78d32b775955a Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 12 Mar 2026 11:16:38 +0100
Subject: [PATCH 7/7] check-certificates: give the name used for fetch
---
 check-certificates.rsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/check-certificates.rsc b/check-certificates.rsc
index 6ed82b44..e5683514 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -61,7 +61,7 @@
 ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
 } do={
 :if (!($Err ~ "[Ss]tatus 404")) do={
- $LogPrint warning $0 ("Failed fetching certificate by '" . $FetchName . "': " . $Err);
+ $LogPrint warning $0 ("Failed fetching certificate by '" . $FetchName . "': " . $Err);
 }
 :error false;
 }
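Review bot: The pattern `[Ss]tatus 404` in the PATCH 6/7 hunk is unanchored, so any error text that merely contains that substring is now treated as the expected not-found case and its warning is suppressed, where the old comparison required the exact string. That warning is what tells an operator that a certificate fetch failed for some other reason, so I would match only the two forms quoted in the commit message, e.g. `:if (!($Err ~ "^(Fetch failed with status 404|failure: Status 404,)")) do={`, assuming the `~` operator accepts anchors and alternation here. The error handler this `:if` sits in starts above the hunk.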
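Review bot: The warning in the PATCH 7/7 hunk now names `$FetchName`, but the request in the first context line is built from `$CertFileName` (`$CertRenewUrl . $CertFileName`), so the log still does not show which file was actually requested. How `$CertFileName` is derived from `$FetchName` is outside the hunk; if an extension or encoding is added there, logging both makes a failed renewal easier to trace: `$LogPrint warning $0 ("Failed fetching certificate by '" . $FetchName . "' (" . $CertFileName . "): " . $Err);`. Going by the PATCH 5/7 hunk the name comes from certificate fields (common-name or a SAN entry), so the quotes around it in the message are worth keeping.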