Compare commits

...

11 commits

Author SHA1 Message Date
Christian Hesse
656b7057b5 Merge branch 'toarray-delimiter' into next 2026-05-13 16:47:16 +02:00
Christian Hesse
63b8660f94 check-health: use :toarray's new delimiter= to split cert names 2026-05-13 16:46:07 +02:00
Christian Hesse
e4a07419fc fw-addr-lists: get both Let's Encrypt certificates for rsc.eworm.de 2026-05-13 16:37:36 +02:00
Christian Hesse
ab5ff7b1c1 fw-addr-lists: support giving several certificates...
... by delimiting with a colon.
2026-05-13 16:37:36 +02:00
Christian Hesse
ea5f4aff27 netwatch-dns: use :toarray's new delimiter= to split cert names
The new delimiter= parameter for :toarray was introduced in
RouterOS 7.21.
2026-05-13 16:29:47 +02:00
Christian Hesse
71c190b478 Merge branch 'lets-encrypt-old-chain' into next 2026-05-13 16:19:11 +02:00
Christian Hesse
a3de8aa081 global-functions: $CleanName: add missing colon 2026-05-13 16:19:11 +02:00
Christian Hesse
2a6567135e INITIAL-COMMANDS: Let's Encrypt switched back to old chain 2026-05-13 16:19:11 +02:00
Christian Hesse
7ad60ac704 README: Let's Encrypt switched back to old chain 2026-05-13 16:19:11 +02:00
Christian Hesse
59e0c4460e certs: Let's Encrypt switched back to old chain 2026-05-13 16:19:11 +02:00
Christian Hesse
6f2eb69ee0 global-functions: $ScriptInstallUpdate: Check for both LE certificates
Hmm... 🤨 Let's Encrypt is doing crazy things. My server was switched to
'Root YE' already, now it is back to 'ISRG Root X2'... 😳

So let's check for both for now.
2026-05-13 16:19:11 +02:00
16 changed files with 36 additions and 36 deletions


@ -18,9 +18,9 @@ Run the complete base installation:
{
:local BaseUrl "https://rsc.eworm.de/main/";
:local CertCommonName "Root YE";
:local CertFileName "Root-YE.pem";
:local CertFingerprint "e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";
:local CertCommonName "ISRG Root X2";
:local CertFileName "ISRG-Root-X2.pem";
:local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
:local CertSettings [ /certificate/settings/get ];
:if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
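Review bot: CertCommonName, CertFileName and CertFingerprint pin a single root again, now "ISRG Root X2", although the commit message for $ScriptInstallUpdate says the server has already moved between 'Root YE' and 'ISRG Root X2'. If the chain changes once more, these initial commands need another edit before a fresh install can work. Consider documenting the second certificate as a fallback here, so the installer matches the "check for both" approach taken in global-functions.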

Binary file not shown. Size before: 2.6 KiB; after: 2.7 KiB.

Binary file not shown. Size before: 4.9 KiB; after: 5 KiB.


@ -126,18 +126,18 @@ If you intend to download the scripts from a
different location (for example from github.com) install the corresponding
certificate chain.
/tool/fetch "https://rsc.eworm.de/main/certs/Root-YE.pem" dst-path="root-ye.pem";
/tool/fetch "https://rsc.eworm.de/main/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem";
![screenshot: download certs](README.d/01-download-certs.avif)
> **Info**: Note that the command above does *not* verify server
> certificate, so if you want to be safe download with your workstations's
> browser from CA's website and transfer the file to your MikroTik device:
> *Let's Encrypt* / *ISRG* [Root YE ↗️](https://letsencrypt.org/certs/gen-y/root-ye.pem)
> *Let's Encrypt* / *ISRG* [ISRG Root X2 ↗️](https://letsencrypt.org/certs/isrg-root-x2.pem)
Then we import the certificate.
/certificate/import file-name="root-ye.pem" passphrase="";
/certificate/import file-name="isrg-root-x2.pem" passphrase="";
Do not worry that the command is not shown - that happens because it contains
a sensitive property, the passphrase.
@ -145,11 +145,11 @@ a sensitive property, the passphrase.
![screenshot: import certs](README.d/02-import-certs.avif)
For basic verification we rename the certificate and print it by
fingerprint. Make sure exactly this one certificate ("*Root-YE*")
fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
is shown.
/certificate/set name="Root-YE" [ find where common-name="Root YE" ];
/certificate/print proplist=name,fingerprint where fingerprint="e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";
/certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
/certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
![screenshot: check certs](README.d/03-check-certs.avif)


@ -12,12 +12,12 @@ DOMAINS_DUAL = \
cloudflare-dns.com/SSL-com-Root-Certification-Authority-ECC \
dns.google/GTS-Root-RX \
dns.quad9.net/DigiCert-Global-Root-G3 \
git.eworm.de/Root-YE \
git.eworm.de/ISRG-Root-X2 \
gitlab.com/USERTrust-RSA-Certification-Authority \
lists.blocklist.de/GTS-Root-R4 \
matrix.org/GTS-Root-R4 \
raw.githubusercontent.com/ISRG-Root-X1 \
rsc.eworm.de/Root-YE \
rsc.eworm.de/ISRG-Root-X2 \
upgrade.mikrotik.com/ISRG-Root-X1
DOMAINS_IPV4 = \
1.1.1.1/SSL-com-Root-Certification-Authority-ECC \


@ -3,7 +3,7 @@
# Copyright (c) 2019-2026 Christian Hesse <mail@eworm.de>
# https://rsc.eworm.de/COPYING.md
#
# requires RouterOS, version=7.19
# requires RouterOS, version=7.21
#
# check for RouterOS health state - state plugin
# https://rsc.eworm.de/doc/check-health.md
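Review bot: the version requirement in this header goes from 7.19 to 7.21, but no code change is visible for the state plugin in this comparison. If the bump only keeps the plugin in step with check-health, which now uses :toarray delimiter=, say so in the commit message; otherwise the plugin excludes RouterOS 7.19 and 7.20 without a reason a reader can find.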


@ -3,7 +3,7 @@
# Copyright (c) 2019-2026 Christian Hesse <mail@eworm.de>
# https://rsc.eworm.de/COPYING.md
#
# requires RouterOS, version=7.19
# requires RouterOS, version=7.21
#
# check for RouterOS health state - temperature plugin
# https://rsc.eworm.de/doc/check-health.md
@ -30,8 +30,7 @@
}
:local TempToNum do={
:global CharacterReplace;
:local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
:local T [ :toarray delimiter="." $1 ];
:return ($T->0 * 10 + $T->1);
}
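Review bot: in TempToNum the arithmetic ($T->0 * 10 + $T->1) now runs on whatever element type :toarray delimiter="." returns, where it previously ran on the result of a plain comma split. Please confirm the elements are still usable as numbers, and that a reading without a fractional part (no "." in $1, so no $T->1) still gives a sensible result. A one-line comment stating the expected input format would help the next reader.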


@ -3,7 +3,7 @@
# Copyright (c) 2019-2026 Christian Hesse <mail@eworm.de>
# https://rsc.eworm.de/COPYING.md
#
# requires RouterOS, version=7.19
# requires RouterOS, version=7.21
#
# check for RouterOS health state - voltage plugin
# https://rsc.eworm.de/doc/check-health.md


@ -3,7 +3,7 @@
# Copyright (c) 2019-2026 Christian Hesse <mail@eworm.de>
# https://rsc.eworm.de/COPYING.md
#
# requires RouterOS, version=7.19
# requires RouterOS, version=7.21
#
# check for RouterOS health state
# https://rsc.eworm.de/doc/check-health.md
@ -31,8 +31,7 @@
:global ValidateSyntax;
:local TempToNum do={
:global CharacterReplace;
:local T [ :toarray [ $CharacterReplace $1 "." "," ] ];
:local T [ :toarray delimiter="." $1 ];
:return ($T->0 * 10 + $T->1);
}
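Review bot: this TempToNum is identical to the one changed in the temperature plugin, so the same edit had to be made twice. Consider moving it into a shared global function, so a later change to the parsing cannot be applied to one copy and missed in the other.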


@ -4,7 +4,7 @@ Notify about health state
[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.21-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)


@ -4,7 +4,7 @@ Download, import and update firewall address-lists
[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.21-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)


@ -4,7 +4,7 @@ Manage DNS and DoH servers from netwatch
[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.21-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)


@ -3,7 +3,7 @@
# Copyright (c) 2023-2026 Christian Hesse <mail@eworm.de>
# https://rsc.eworm.de/COPYING.md
#
# requires RouterOS, version=7.19
# requires RouterOS, version=7.21
#
# download, import and update firewall address-lists
# https://rsc.eworm.de/doc/fw-addr-lists.md
@ -72,11 +72,13 @@
:local Data false;
:local TimeOut [ $EitherOr [ :totime ($List->"timeout") ] $FwAddrListTimeOut ];
:if ([ :len ($List->"cert") ] > 0) do={
:set CheckCertificate true;
:if ([ $CertificateAvailable ($List->"cert") "fetch" ] = false) do={
$LogPrint warning $ScriptName ("Downloading required certificate (" . $FwListName . \
" / " . $List->"url" . ") failed, trying anyway.");
:foreach Cert in=[ :toarray delimiter=":" ($List->"cert") ] do={
:if ([ :len ($Cert) ] > 0) do={
:set CheckCertificate true;
:if ([ $CertificateAvailable $Cert "fetch" ] = false) do={
$LogPrint warning $ScriptName ("Downloading required certificate (" . $FwListName . \
" / " . $List->"url" . ") failed, trying anyway.");
}
}
}
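Review bot: the warning inside the new :foreach does not say which certificate failed. With several colon-delimited names in one cert value, add $Cert to the message next to $FwListName and the URL, so the log shows which name could not be fetched. It is also worth deciding whether a failure for one of several alternative certificates should still be logged at warning level, since the list download may succeed with the other one.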


@ -112,11 +112,11 @@
:global FwAddrLists {
# "allow"={
# { url="https://rsc.eworm.de/main/fw-addr-lists.d/allow";
# cert="Root YE"; timeout=1w };
# cert="ISRG Root X2:Root YE"; timeout=1w };
# };
"block"={
# { url="https://rsc.eworm.de/main/fw-addr-lists.d/block";
# cert="Root YE" };
# cert="ISRG Root X2:Root YE" };
{ url="https://raw.githubusercontent.com/stamparm/ipsum/refs/heads/master/levels/4.txt";
# # higher level (decrease the numerical value) for more addresses, and vice versa
cert="ISRG Root X1" };
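Review bot: the cert values change to "ISRG Root X2:Root YE" without a comment saying that the colon separates several certificate names. The ipsum entry already carries an inline hint about its level; a similar one-line comment next to the first cert= example would stop users from reading the whole string as a single common name.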
@ -131,7 +131,7 @@
};
# "mikrotik"={
# { url="https://rsc.eworm.de/main/fw-addr-lists.d/mikrotik";
# cert="Root YE"; timeout=1w };
# cert="ISRG Root X2:Root YE"; timeout=1w };
# };
};
:global FwAddrListTimeOut 1d;


@ -310,7 +310,7 @@
:for I from=0 to=([ :len $Input ] - 1) do={
:local Char [ :pick $Input $I ];
:if ([ :typeof [ find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={
:if ([ :typeof [ :find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={
:do {
:if ([ :len $Return ] = 0) do={
:error true;
@ -1301,7 +1301,8 @@
:global SymbolForNotification;
:global ValidateSyntax;
:if ([ $CertificateAvailable "Root YE" "fetch" ] = false) do={
:if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false || \
[ $CertificateAvailable "Root YE" "fetch" ] = false) do={
$LogPrint warning $0 ("Downloading certificate failed, trying without.");
}
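Review bot: the two $CertificateAvailable calls are joined with ||, so if the expression short-circuits, 'Root YE' is never fetched once the 'ISRG Root X2' fetch has failed, and the single warning does not say which certificate is missing. Two separate :if blocks, each naming its certificate in the message, would attempt both fetches regardless and make the log unambiguous.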


@ -3,7 +3,7 @@
# Copyright (c) 2022-2026 Christian Hesse <mail@eworm.de>
# https://rsc.eworm.de/COPYING.md
#
# requires RouterOS, version=7.19
# requires RouterOS, version=7.21
# requires device-mode, fetch
#
# monitor and manage dns/doh with netwatch
@ -17,7 +17,6 @@
:local ScriptName [ :jobname ];
:global CertificateAvailable;
:global CharacterReplace;
:global EitherOr;
:global IsDNSResolving;
:global LogPrint;
@ -104,7 +103,7 @@
}
:foreach DohServer in=$DohServers do={
:foreach DohCert in=[ :toarray [ $CharacterReplace ($DohServer->"doh-cert") ":" "," ] ] do={
:foreach DohCert in=[ :toarray delimiter=":" ($DohServer->"doh-cert") ] do={
:if ([ :len $DohCert ] > 0) do={
:if ([ $CertificateAvailable $DohCert "fetch" ] = false || \
[ $CertificateAvailable $DohCert "dns" ] = false) do={