From 302fc0bb82f7a10403a7d029cd06598e20bd2942 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 15 Jan 2026 16:00:08 +0100
Subject: [PATCH 1/4] fw-addr-lists: lists.blocklist.de requires 'GTS Root R4'
---
 certs/Makefile | 2 +-
 global-config.rsc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/certs/Makefile b/certs/Makefile
index 3ccad6e2..35a50c81 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -13,7 +13,7 @@ DOMAINS_DUAL = \
 dns.google/GTS-Root-R4 \
 dns.quad9.net/DigiCert-Global-Root-G3 \
 git.eworm.de/ISRG-Root-X2 \
- lists.blocklist.de/Certum-Trusted-Network-CA \
+ lists.blocklist.de/GTS-Root-R4 \
 matrix.org/GTS-Root-R4 \
 raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \
 rsc.eworm.de/ISRG-Root-X2 \
diff --git a/global-config.rsc b/global-config.rsc
index 25254123..19787a8d 100644
--- a/global-config.rsc
+++ b/global-config.rsc
@@ -119,7 +119,7 @@
 { url="https://www.dshield.org/block.txt"; cidr="/24";
 cert="ISRG Root X1" };
 { url="https://lists.blocklist.de/lists/strongips.txt";
- cert="Certum Trusted Network CA" };
+ cert="GTS Root R4" };
 # { url="https://www.spamhaus.org/drop/drop_v4.json";
 # cert="GTS Root R4" };
 # { url="https://www.spamhaus.org/drop/drop_v6.json";
From 156b0e4aaf02b6ad5edf734945253e48d90f2c58 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 15 Jan 2026 16:03:38 +0100
Subject: [PATCH 2/4] fw-addr-lists: www.dshield.org requires 'GTS Root R4'
---
 certs/Makefile | 2 +-
 global-config.rsc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/certs/Makefile b/certs/Makefile
index 35a50c81..da681d09 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -27,7 +27,7 @@ DOMAINS_IPV4 = \
 ipv4.tunnelbroker.net/Starfield-Root-Certificate-Authority-G2 \
 mkcert.org/ISRG-Root-X1 \
 ntfy.sh/ISRG-Root-X1 \
- www.dshield.org/ISRG-Root-X1 \
+ www.dshield.org/GTS-Root-R4 \
 www.spamhaus.org/GTS-Root-R4
 DOMAINS_IPV6 = \
 [2606\:4700\:4700\:\:1111]/DigiCert-Global-Root-G2 \
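Review bot: In the global-config.rsc hunk of PATCH 1/4, the `cert=` value on the lists.blocklist.de entry is the only trust anchor named for that feed, and nothing beside it records how the new root was confirmed or what an operator should expect when the server's chain changes again. The same one-line edit recurs for www.dshield.org in PATCH 2/4, so this looks like a recurring maintenance event rather than a one-off. Presumably a mismatch makes the download fail and the address list stops refreshing, but the fetch code is not visible here, so that should be confirmed. A comment above the entries would help, for example `# cert= must name the root CA of the chain the server currently presents; on mismatch the list is not updated`. The enclosing list starts and ends outside the hunk.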
diff --git a/global-config.rsc b/global-config.rsc
index 19787a8d..9c35d13f 100644
--- a/global-config.rsc
+++ b/global-config.rsc
@@ -117,7 +117,7 @@
 # # higher level (decrease the numerical value) for more addresses, and vice versa
 cert="USERTrust RSA Certification Authority" };
 { url="https://www.dshield.org/block.txt"; cidr="/24";
- cert="ISRG Root X1" };
+ cert="GTS Root R4" };
 { url="https://lists.blocklist.de/lists/strongips.txt";
 cert="GTS Root R4" };
 # { url="https://www.spamhaus.org/drop/drop_v4.json";
From b72a79824e947871bae437e6ad8095b5cc01b045 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 15 Jan 2026 23:04:07 +0100
Subject: [PATCH 3/4] certs: add 'SSL.com Root Certification Authority ECC'... ... to use with Cloudflare DNS. curl -d '["SSL.com Root Certification Authority ECC"]' https://mkcert.org/generate/ | grep -v '^$' > certs/SSL-com-Root-Certification-Authority-ECC.pem
---
 certs/Makefile | 6 ++---
 ...L-com-Root-Certification-Authority-ECC.pem | 23 +++++++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 certs/SSL-com-Root-Certification-Authority-ECC.pem
diff --git a/certs/Makefile b/certs/Makefile
index da681d09..4114b3ff 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -9,7 +9,7 @@ CURL = curl \
 DOMAINS_DUAL = \
 api.macvendors.com/GTS-Root-R4 \
 api.telegram.org/Go-Daddy-Root-Certificate-Authority-G2 \
- cloudflare-dns.com/DigiCert-Global-Root-G2 \
+ cloudflare-dns.com/SSL-com-Root-Certification-Authority-ECC \
 dns.google/GTS-Root-R4 \
 dns.quad9.net/DigiCert-Global-Root-G3 \
 git.eworm.de/ISRG-Root-X2 \
@@ -19,7 +19,7 @@ DOMAINS_DUAL = \
 rsc.eworm.de/ISRG-Root-X2 \
 upgrade.mikrotik.com/ISRG-Root-X1
 DOMAINS_IPV4 = \
- 1.1.1.1/DigiCert-Global-Root-G2 \
+ 1.1.1.1/SSL-com-Root-Certification-Authority-ECC \
 8.8.8.8/GTS-Root-R1 \
 9.9.9.9/DigiCert-Global-Root-G3 \
 api.mullvad.net/ISRG-Root-X1 \
@@ -30,7 +30,7 @@ DOMAINS_IPV4 = \
 www.dshield.org/GTS-Root-R4 \
 www.spamhaus.org/GTS-Root-R4
 DOMAINS_IPV6 = \
- [2606\:4700\:4700\:\:1111]/DigiCert-Global-Root-G2 \
+ [2606\:4700\:4700\:\:1111]/SSL-com-Root-Certification-Authority-ECC \
 [2001\:4860\:4860\:\:8888]/GTS-Root-R1 \
 [2620\:fe\:\:9]/DigiCert-Global-Root-G3 \
 ipv6.showipv6.de/ISRG-Root-X1
diff --git a/certs/SSL-com-Root-Certification-Authority-ECC.pem b/certs/SSL-com-Root-Certification-Authority-ECC.pem
new file mode 100644
index 00000000..f1166839
--- /dev/null
+++ b/certs/SSL-com-Root-Certification-Authority-ECC.pem
@@ -0,0 +1,23 @@
+# Issuer: CN=SSL.com Root Certification Authority ECC O=SSL Corporation
+# Subject: CN=SSL.com Root Certification Authority ECC O=SSL Corporation
+# Label: "SSL.com Root Certification Authority ECC"
+# Serial: 8495723813297216424
+# MD5 Fingerprint: 2e:da:e4:39:7f:9c:8f:37:d1:70:9f:26:17:51:3a:8e
+# SHA1 Fingerprint: c3:19:7c:39:24:e6:54:af:1b:c4:ab:20:95:7a:e2:c3:0e:13:02:6a
+# SHA256 Fingerprint: 34:17:bb:06:cc:60:07:da:1b:96:1c:92:0b:8a:b4:ce:3f:ad:82:0e:4a:a3:0b:9a:cb:c4:a7:4e:bd:ce:bc:65
+-----BEGIN CERTIFICATE-----
+MIICjTCCAhSgAwIBAgIIdebfy8FoW6gwCgYIKoZIzj0EAwIwfDELMAkGA1UEBhMC
+VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T
+U0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0
+aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNDAzWhcNNDEwMjEyMTgxNDAz
+WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0
+b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNvbSBS
+b290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuB
+BAAiA2IABEVuqVDEpiM2nl8ojRfLliJkP9x6jh3MCLOicSS6jkm5BBtHllirLZXI
+7Z4INcgn64mMU1jrYor+8FsPazFSY0E7ic3s7LaNGdM0B9y7xgZ/wkWV7Mt/qCPg
+CemB+vNH06NjMGEwHQYDVR0OBBYEFILRhXMw5zUE044CkvvlpNHEIejNMA8GA1Ud
+EwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUgtGFczDnNQTTjgKS++Wk0cQh6M0wDgYD
+VR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2cAMGQCMG/n61kRpGDPYbCWe+0F+S8T
+kdzt5fxQaxFGRrMcIQBiu77D5+jNB5n5DQtdcj7EqgIwH7y6C+IwJPt8bYBVCpk+
+gA0z5Wajs6O7pdWLjwkspl1+4vAHCGht0nxpbl/f5Wpl
+-----END CERTIFICATE-----
From ad455c8f1d011ba0bbfcfc25f5b5f7f722b2da51 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 15 Jan 2026 23:10:33 +0100
Subject: [PATCH 4/4] doc/netwatch-dns: cloudflare uses a new CA for certificates
---
 doc/netwatch-dns.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/netwatch-dns.md b/doc/netwatch-dns.md
index 23190b12..c81ca8c9 100644
--- a/doc/netwatch-dns.md
+++ b/doc/netwatch-dns.md
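Review bot: The new root in certs/SSL-com-Root-Certification-Authority-ECC.pem becomes a trust anchor for the Cloudflare DoH endpoints, but the fingerprints in its `#` header arrive in the same mkcert.org download as the certificate body (per the PATCH 3/4 commit message), so they do not verify it independently. Before this is relied on, the SHA256 fingerprint should be compared with one taken from a separate source, such as the CA's own repository or an operating-system trust store, for example with `openssl x509 -in certs/SSL-com-Root-Certification-Authority-ECC.pem -noout -fingerprint -sha256`. Recording that check in the commit message would let later readers see it was done.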
@@ -62,7 +62,7 @@ manually! Importing a certificate automatically is possible. You may want to find the [certificate name from browser](../CERTIFICATES.md). - /tool/netwatch/add comment="doh, doh-cert=DigiCert Global Root G2" host=1.1.1.1; + /tool/netwatch/add comment="doh, doh-cert=SSL.com Root Certification Authority ECC" host=1.1.1.1; /tool/netwatch/add comment="doh, doh-cert=DigiCert Global Root G3" host=9.9.9.9; /tool/netwatch/add comment="doh, doh-cert=GTS Root R1" host=8.8.8.8;