Merge branch 'builtin-trust-store' into next

README: add a line break before command
doc/mod/notification-matrix: define certificate use
2026-03-04 21:19:36 +00:00 · 2025-11-10 12:16:22 +01:00 · 2025-11-10 12:16:22 +01:00 · 2025-11-10 12:16:22 +01:00 · 2025-11-10 12:16:22 +01:00 · 2025-11-10 12:16:22 +01:00
13 changed files with 37 additions and 24 deletions
--- a/CERTIFICATES.md
+++ b/CERTIFICATES.md
@ -61,7 +61,7 @@ Import a certificate by CommonName
 Running the function `$CertificateAvailable` with that name as parameter
 makes sure the certificate is available in the device's store:

-    $CertificateAvailable "ISRG Root X2";
+    $CertificateAvailable "ISRG Root X2" "fetch";

 If the certificate is actually available already nothing happens, and there
 is no output. Otherwise the certificate is downloaded and imported.
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@ -22,8 +22,11 @@ Run the complete base installation:
      :local CertFileName "ISRG-Root-X2.pem";
      :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";

-      :if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
-           [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
+      :local CertSettings [ /certificate/settings/get ];
+      :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+              ($CertSettings->"builtin-trust-store") ~ "fetch" || \
+              ($CertSettings->"builtin-trust-store") = "all") && \
+             [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
        :put "Importing certificate...";
        /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value;
        :delay 1s;
--- a/README.md
+++ b/README.md
@ -77,8 +77,11 @@ download the certificates.
 > 💡️ **Hint**: RouterOS 7.19 comes with a builtin certificate store. You
 > can skip the steps regarding certificate download and import and jump
 > to [installation of scripts](#installation-of-scripts) if you set the
-> trust for these builtin trust anchors:
-> `/certificate/settings/set builtin-trust-anchors=trusted;`
+> trust for these builtin trust anchors:  
+> `/certificate/settings/set builtin-trust-anchors=trusted;`  
+> With RouterOS 7.21 the functionality was changed. Set this at minimum,
+> but make sure not to drop other targets:  
+> `/certificate/settings/set builtin-trust-store=fetch;`

 If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
@ -173,7 +176,7 @@ This last step is required when ever you make changes to your configuration.

 > ℹ️ **Info**: It is recommended to edit the configuration using the command
 > line interface. If using Winbox on Windows OS, the line endings may be
-> missing. To fix this run:
+> missing. To fix this run:  
 > `/system/script/set source=[ :tocrlf [ get global-config-overlay source ] ] global-config-overlay;`

 Updating scripts
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@ -21,7 +21,7 @@
  :global CertWarnTime;
  :global Identity;

-  :global CertificateAvailable
+  :global CertificateAvailable;
  :global EscapeForRegEx;
  :global IfThenElse;
  :global LogPrint;
@ -189,7 +189,7 @@
          fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
        :local CertNewVal [ /certificate/get $CertNew ];

-        :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
+        :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={
          $LogPrint warning $ScriptName ("The certificate chain is not available!");
        }

--- a/contrib/general/style.css
+++ b/contrib/general/style.css
@ -1,8 +1,9 @@
 /* stylesheet for RouterOS Scripts */
 body {
+  background-color: transparent;
  font-family: fira-sans, sans-serif;
  font-size: 10pt;
-  background-color: transparent;
+  line-height: 1.6;
 }
@media only screen and (orientation: landscape) {
  body {
--- a/doc/mod/notification-matrix.md
+++ b/doc/mod/notification-matrix.md
@ -49,7 +49,7 @@ your server in device's certificate store.
 The example below is for `matrix.org`, which uses a trust chain from *Google
 Trust Services*. Run this to import the required certificate:

-    $CertificateAvailable "GTS Root R4";
+    $CertificateAvailable "GTS Root R4" "fetch";

 Replace the CA certificate name with what ever is needed for your server.
 You may want to find the
--- a/fw-addr-lists.rsc
+++ b/fw-addr-lists.rsc
@ -74,7 +74,7 @@

      :if ([ :len ($List->"cert") ] > 0) do={
        :set CheckCertificate true;
-        :if ([ $CertificateAvailable ($List->"cert") ] = false) do={
+        :if ([ $CertificateAvailable ($List->"cert") "fetch" ] = false) do={
          $LogPrint warning $ScriptName ("Downloading required certificate (" . $FwListName . \
              " / " . $List->"url" . ") failed, trying anyway.");
        }
--- a/global-functions.rsc
+++ b/global-functions.rsc
@ -106,11 +106,15 @@
 # check and download required certificate
 :set CertificateAvailable do={
  :local CommonName [ :tostr $1 ];
+  :local UseFor     [ :tostr $2 ];

  :global CertificateDownload;
+  :global EitherOr;
  :global LogPrint;
  :global ParseKeyValueStore;

+  :set UseFor [ $EitherOr $UseFor "undefined" ];
+
  :if ([ /system/resource/get free-hdd-space ] < 8388608 && \
       [ /certificate/settings/get crl-download ] = true && \
       [ /certificate/settings/get crl-store ] = "system") do={
@ -123,7 +127,10 @@
    :return false;
  }

-  :if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
+  :local CertSettings [ /certificate/settings/get ];
+  :if ((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+        ($CertSettings->"builtin-trust-store") ~ $UseFor || \
+        ($CertSettings->"builtin-trust-store") = "all") && \
       [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={
    :return true;
  }
@ -161,7 +168,6 @@
  :global ScriptUpdatesBaseUrl;
  :global ScriptUpdatesUrlSuffix;

-  :global CertificateAvailable;
  :global CertificateNameByCN;
  :global CleanName;
  :global FetchUserAgentStr;
@ -398,7 +404,7 @@
    :return true;
  }

-  :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
+  :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
    $LogPrint error $0 ("Downloading required certificate failed.");
    :return false;
  }
@ -634,7 +640,7 @@
  }

  :do {
-    :if ([ $CertificateAvailable "GTS Root R4" ] = false) do={
+    :if ([ $CertificateAvailable "GTS Root R4" "fetch" ] = false) do={
      $LogPrint warning $0 ("Downloading required certificate failed.");
      :error false;
    }
@ -1242,7 +1248,7 @@
  :global SymbolForNotification;
  :global ValidateSyntax;

-  :if ([ $CertificateAvailable "ISRG Root X2" ] = false) do={
+  :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false) do={
    $LogPrint warning $0 ("Downloading certificate failed, trying without.");
  }

@ -1293,7 +1299,7 @@
      }

      :if ([ :len ($ScriptInfo->"certificate") ] > 0) do={
-        :if ([ $CertificateAvailable ($ScriptInfo->"certificate") ] = false) do={
+        :if ([ $CertificateAvailable ($ScriptInfo->"certificate") "fetch" ] = false) do={
          $LogPrint warning $0 ("Downloading certificate failed, trying without.");
        }
      }
--- a/mod/notification-ntfy.rsc
+++ b/mod/notification-ntfy.rsc
@ -109,7 +109,7 @@

  :onerror Err {
    :if ($Server = "ntfy.sh") do={
-      :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
+      :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
        $LogPrint warning $0 ("Downloading required certificate failed.");
        :error false;
      }
--- a/mod/notification-telegram.rsc
+++ b/mod/notification-telegram.rsc
@ -30,7 +30,7 @@
    :return false;
  }

-  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
    $LogPrint warning $0 ("Downloading required certificate failed.");
    :return false;
  }
@ -72,7 +72,7 @@
  :global CertificateAvailable;
  :global LogPrint;

-  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
    $LogPrint warning $0 ("Downloading required certificate failed.");
    :return false;
  }
@ -197,7 +197,7 @@
      "&reply_to_message_id=" . ($Notification->"replyto") . "&message_thread_id=" . $ThreadId . \
      "&disable_web_page_preview=true&parse_mode=MarkdownV2");
  :onerror Err {
-    :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+    :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
      $LogPrint warning $0 ("Downloading required certificate failed.");
      :error false;
    }
--- a/netwatch-dns.rsc
+++ b/netwatch-dns.rsc
@ -112,7 +112,7 @@

  :foreach DohServer in=$DohServers do={
    :if ([ :len ($DohServer->"doh-cert") ] > 0) do={
-      :if ([ $CertificateAvailable ($DohServer->"doh-cert") ] = false) do={
+      :if ([ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={
        $LogPrint warning $ScriptName ("Downloading certificate failed, trying without.");
      }
    }
--- a/telegram-chat.rsc
+++ b/telegram-chat.rsc
@ -61,7 +61,7 @@
    :set TelegramRandomDelay 0;
  }

-  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
    $LogPrint warning $ScriptName ("Downloading required certificate failed.");
    :set ExitOK true;
    :error false;
--- a/update-tunnelbroker.rsc
+++ b/update-tunnelbroker.rsc
@ -28,7 +28,7 @@
    :error false;
  }

-  :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" "fetch" ] = false) do={
    $LogPrint error $ScriptName ("Downloading required certificate failed.");
    :set ExitOK true;
    :error false;
Author	SHA1	Message	Date
Christian Hesse	88155d901a	Merge branch 'builtin-trust-store' into next	2025-11-10 12:16:22 +01:00
Christian Hesse	fd9c892a50	README: add a line break before command	2025-11-10 12:16:22 +01:00
Christian Hesse	a7876e9833	doc/mod/notification-matrix: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	8a45e4836a	fw-addr-lists.d/allow: use rsc.eworm.de in the list	2025-11-10 12:16:22 +01:00
Christian Hesse	617f67f2b7	CERTIFICATES: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	4b5a3f7f90	fw-addr-lists.d/{allow,block}: use short url rsc.eworm.de	2025-11-10 12:16:22 +01:00
Christian Hesse	3be8ea0fb6	update-tunnelbroker: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	780a177ae6	Makefile: clean up and add phony targets	2025-11-10 12:16:22 +01:00
Christian Hesse	1272eb2aa8	telegram-chat: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	c08ed68e86	global-functions: $ScriptInstallUpdate: extra actions on 'not found' only	2025-11-10 12:16:22 +01:00
Christian Hesse	d2ea8b8d45	netwatch-dns: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	128526536e	global-functions: $ScriptInstallUpdate: either or... ... but not both.	2025-11-10 12:16:22 +01:00
Christian Hesse	089f95d5c9	mod/notification-telegram: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	4ac9d6c09f	global-functions: $ScriptInstallUpdate: give hint on ignore Fixes: https://github.com/eworm-de/routeros-scripts/issues/112	2025-11-10 12:16:22 +01:00
Christian Hesse	90ce3db2f9	mod/notification-ntfy: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	b9a72ef9c0	contrib/checksums.sh: output to stdout... ... and let the Makefile redirect.	2025-11-10 12:16:22 +01:00
Christian Hesse	62deb6aae3	fw-addr-lists: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	a57abbc685	Merge branch 'contrib' into next	2025-11-10 12:16:22 +01:00
Christian Hesse	ec2401b5c3	check-certificates: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	ee06798d8b	global-functions: $CertificateDownload: drop unused function	2025-11-10 12:16:22 +01:00
Christian Hesse	96f61be2e2	contrib/notification: format the values italic	2025-11-10 12:16:22 +01:00
Christian Hesse	268b8b6abe	global-functions: $ScriptInstallUpdate: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	4102b49637	contrib/notification: update date format	2025-11-10 12:16:22 +01:00
Christian Hesse	dd019a71c8	global-functions: $GetMacVendor: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	ebd84d1540	contrib/{logo-color,notification}: add navigation structure	2025-11-10 12:16:22 +01:00
Christian Hesse	d845b1878b	global-functions: $DownloadPackage: define certificate use	2025-11-10 12:16:22 +01:00
Christian Hesse	8a278569e7	contrib/*: unify html code	2025-11-10 12:16:22 +01:00
Christian Hesse	d2f055a554	global-functions: $CertificateAvailable: support new builtin-trust-store... ... which was introduced with RouterOS 7.21beta7.	2025-11-10 12:16:22 +01:00
Christian Hesse	9a88b6c878	contrib/html.sh: drop comman from id/anchor	2025-11-10 12:16:22 +01:00
Christian Hesse	4e1db10a6e	INITIAL-COMMANDS: support new builtin-trust-store... ... which was introduced with RouterOS 7.21beta7.	2025-11-10 12:16:22 +01:00
Christian Hesse	4f55808ce0	contrib/html.sh: properly handle anchors	2025-11-10 12:16:22 +01:00
Christian Hesse	962b082672	README: support new builtin-trust-store... ... which was introduced with RouterOS 7.21beta7.	2025-11-10 12:16:22 +01:00
Christian Hesse	6887d816bf	contrib/html.sh: link the logo with relative path	2025-11-10 12:16:22 +01:00
Christian Hesse	787feedbb5	contrib/html.sh: increase default line height	2025-11-10 12:16:22 +01:00
Christian Hesse	12b1572208	contrib/html.sh: add a margin on left and right... ... for windows in landscape (wider than high).	2025-11-10 12:16:22 +01:00
Christian Hesse	0af5d516a3	contrib/html.sh: link the stylesheet from top level... ... and copy it there in Makefile.	2025-11-10 12:16:22 +01:00
Christian Hesse	ec8a38d67b	contrib/html.sh: include stylesheet via link	2025-11-10 12:16:22 +01:00
Christian Hesse	5726573933	contrib/{logo-color,notification}: use a single style	2025-11-10 12:16:22 +01:00
Christian Hesse	3776a028f8	check-certificates: add missing semicolon	2025-11-10 12:15:08 +01:00