Merge branch 'lets-encrypt-old-chain' into next

Hmm... 🤨 Let's Encrypt is doing crazy things. My server was switched to
'Root YE' alredy, now it is back to 'ISRG Root X2'... 😳

So let's check for both for now.

INITIAL-COMMANDS.md

@@ -18,9 +18,9 @@ Run the complete base installation:
 
     {
       :local BaseUrl "https://rsc.eworm.de/main/";
-      :local CertCommonName "Root YE";
+      :local CertCommonName "ISRG Root X2";
-      :local CertFileName "Root-YE.pem";
+      :local CertFileName "ISRG-Root-X2.pem";
-      :local CertFingerprint "e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";
+      :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
 
       :local CertSettings [ /certificate/settings/get ];
       :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \

README.md

@@ -126,18 +126,18 @@ If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.
 
-    /tool/fetch "https://rsc.eworm.de/main/certs/Root-YE.pem" dst-path="root-ye.pem";
+    /tool/fetch "https://rsc.eworm.de/main/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem";
 
 ![screenshot: download certs](README.d/01-download-certs.avif)
 
 > ℹ️ **Info**: Note that the command above does *not* verify server
 > certificate, so if you want to be safe download with your workstations's
 > browser from CA's website and transfer the file to your MikroTik device:
-> *Let's Encrypt* / *ISRG* [Root YE ↗️](https://letsencrypt.org/certs/gen-y/root-ye.pem)
+> *Let's Encrypt* / *ISRG* [ISRG Root X2 ↗️](https://letsencrypt.org/certs/isrg-root-x2.pem)
 
 Then we import the certificate.
 
-    /certificate/import file-name="root-ye.pem" passphrase="";
+    /certificate/import file-name="isrg-root-x2.pem" passphrase="";
 
 Do not worry that the command is not shown - that happens because it contains
 a sensitive property, the passphrase.
@@ -145,11 +145,11 @@ a sensitive property, the passphrase.
 ![screenshot: import certs](README.d/02-import-certs.avif)
 
 For basic verification we rename the certificate and print it by
-fingerprint. Make sure exactly this one certificate ("*Root-YE*")
+fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
 is shown.
 
-    /certificate/set name="Root-YE" [ find where common-name="Root YE" ];
+    /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
-    /certificate/print proplist=name,fingerprint where fingerprint="e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";
+    /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
 
 ![screenshot: check certs](README.d/03-check-certs.avif)
 

backup-email.rsc

@@ -16,6 +16,7 @@
       do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
   :local ScriptName [ :jobname ];
 
+  :global BackupFileNameDate;
   :global BackupPassword;
   :global BackupRandomDelay;
   :global BackupSendBinary;
@@ -73,7 +74,9 @@
 
   # filename based on identity
   :local DirName ("tmpfs/" . $ScriptName);
-  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
+  :local Clock [ /system/clock/get ];
+  :local FileName [ $CleanName ($Identity . "." . $Domain . [ $IfThenElse \
+      ($BackupFileNameDate = true) ("-" . $Clock->"date" . "-" . $Clock->"time") "" ] ) ];
   :local FilePath ($DirName . "/" . $FileName);
   :local BackupFile "none";
   :local ExportFile "none";

backup-upload.rsc

@@ -17,6 +17,7 @@
       do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
   :local ScriptName [ :jobname ];
 
+  :global BackupFileNameDate;
   :global BackupPassword;
   :global BackupRandomDelay;
   :global BackupSendBinary;
@@ -72,7 +73,9 @@
 
   # filename based on identity
   :local DirName ("tmpfs/" . $ScriptName);
-  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
+  :local Clock [ /system/clock/get ];
+  :local FileName [ $CleanName ($Identity . "." . $Domain . [ $IfThenElse \
+      ($BackupFileNameDate = true) ("-" . $Clock->"date" . "-" . $Clock->"time") "" ] ) ];
   :local FilePath ($DirName . "/" . $FileName);
   :local BackupFile "none";
   :local ExportFile "none";

certs/Makefile

@@ -12,12 +12,12 @@ DOMAINS_DUAL = \
 	cloudflare-dns.com/SSL-com-Root-Certification-Authority-ECC \
 	dns.google/GTS-Root-RX \
 	dns.quad9.net/DigiCert-Global-Root-G3 \
-	git.eworm.de/Root-YE \
+	git.eworm.de/ISRG-Root-X2 \
 	gitlab.com/USERTrust-RSA-Certification-Authority \
 	lists.blocklist.de/GTS-Root-R4 \
 	matrix.org/GTS-Root-R4 \
 	raw.githubusercontent.com/ISRG-Root-X1 \
-	rsc.eworm.de/Root-YE \
+	rsc.eworm.de/ISRG-Root-X2 \
 	upgrade.mikrotik.com/ISRG-Root-X1
 DOMAINS_IPV4 = \
 	1.1.1.1/SSL-com-Root-Certification-Authority-ECC \

doc/backup-email.md

@@ -34,6 +34,7 @@ Configuration
 
 The configuration goes to `global-config-overlay`, these are the parameters:
 
+* `BackupFileNameDate`: whether to add date & time in filenames
 * `BackupSendBinary`: whether to send binary backup
 * `BackupSendExport`: whether to send configuration export
 * `BackupSendGlobalConfig`: whether to send `global-config-overlay`

doc/backup-upload.md

@@ -40,6 +40,7 @@ Configuration
 
 The configuration goes to `global-config-overlay`, these are the parameters:
 
+* `BackupFileNameDate`: whether to add date & time in filenames
 * `BackupSendBinary`: whether to send binary backup
 * `BackupSendExport`: whether to send configuration export
 * `BackupSendGlobalConfig`: whether to send `global-config-overlay`

global-config.rsc

@@ -90,7 +90,9 @@
 # Toggle this to disable color output in terminal/cli.
 :global TerminalColorOutput true;
 
-# This defines what backups to generate and what password to use.
+# This defines whether to add date & time in filenames, what backups to generate,
+# the password to use, and what random delay (between 0 and given seconds) to apply.
+:global BackupFileNameDate false;
 :global BackupSendBinary false;
 :global BackupSendExport true;
 :global BackupSendGlobalConfig true;

global-functions.rsc

@@ -15,7 +15,7 @@
 # Git commit id & info, expected configuration version
 :global CommitId "unknown";
 :global CommitInfo "unknown";
-:global ExpectedConfigVersion 142;
+:global ExpectedConfigVersion 143;
 
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
@@ -310,7 +310,7 @@
 
   :for I from=0 to=([ :len $Input ] - 1) do={
     :local Char [ :pick $Input $I ];
-    :if ([ :typeof [ find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={
+    :if ([ :typeof [ :find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={
       :do {
         :if ([ :len $Return ] = 0) do={
           :error true;
@@ -812,10 +812,15 @@
 # check if DNS is resolving
 :set IsDNSResolving do={
   :do {
-    :resolve "low-ttl.eworm.de";
+    :local I 1;
+    :retry {
+      :set I ($I ^ 1);
+      :resolve ("low-ttl.eworm." . ({ "de"; "net" }->$I));
+    } delay=50ms max=6;
   } on-error={
     :return false;
   }
+
   :return true;
 }
 
@@ -1200,10 +1205,12 @@
   }
 
   :onerror Err {
-    /file/remove $DirName;
+    /file/remove [ find where name=$DirName ];
   } do={
-    $LogPrint error $0 ("Removing directory '" . $DirName . "' failed: " . $Err);
+    :if (!($Err ~ "no such item")) do={
-    :return false;
+      $LogPrint error $0 ("Removing directory '" . $DirName . "' failed: " . $Err);
+      :return false;
+    }
   }
   :return true;
 }
@@ -1229,10 +1236,12 @@
   }
 
   :onerror Err {
-    /file/remove $FileName;
+    /file/remove [ find where name=$FileName ];
   } do={
-    $LogPrint error $0 ("Removing file '" . $FileName . "' failed: " . $Err);
+    :if (!($Err ~ "no such item")) do={
-    :return false;
+      $LogPrint error $0 ("Removing file '" . $FileName . "' failed: " . $Err);
+      :return false;
+    }
   }
   :return true;
 }
@@ -1292,7 +1301,8 @@
   :global SymbolForNotification;
   :global ValidateSyntax;
 
-  :if ([ $CertificateAvailable "Root YE" "fetch" ] = false) do={
+  :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false || \
+       [ $CertificateAvailable "Root YE" "fetch" ] = false) do={
     $LogPrint warning $0 ("Downloading certificate failed, trying without.");
   }
 

ipv6-update.rsc

@@ -54,7 +54,7 @@
   :local Pool [ /ipv6/pool/get [ find where prefix=$PdPrefix ] name ];
   :if ([ :len [ /ipv6/firewall/address-list/find where comment=("ipv6-pool-" . $Pool) ] ] = 0) do={
     /ipv6/firewall/address-list/add list=("ipv6-pool-" . $Pool) address=:: comment=("ipv6-pool-" . $Pool) dynamic=yes;
-    $LogPrint warning $ScriptName ("Added dynamic ipv6 address list entry for ipv6-pool-" . $Pool);
+    $LogPrint info $ScriptName ("Added dynamic ipv6 address list entry for ipv6-pool-" . $Pool);
   }
   :local AddrList [ /ipv6/firewall/address-list/find where comment=("ipv6-pool-" . $Pool) ];
   :local OldPrefix [ /ipv6/firewall/address-list/get ($AddrList->0) address ];

netwatch-dns.rsc

@@ -115,13 +115,15 @@
 
     :local Data false;
     :onerror Err {
+      :local I 1;
       :retry {
+        :set I ($I ^ 1);
         :set Data ([ /tool/fetch check-certificate=yes-without-crl output=user \
           http-header-field=({ "accept: application/dns-message" }) \
           url=(($DohServer->"doh-url") . "?dns=" . [ :convert to=base64 ([ :rndstr length=2 ] . \
-          "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm\02de\00" . \
+          "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm" . \
-          "\00\10" . "\00\01") ]) as-value ]->"data");
+          ({ "\02de"; "\03net" }->$I) . "\00" . "\00\10" . "\00\01") ]) as-value ]->"data");
-      } delay=1s max=3;
+      } delay=500ms max=6;
     } do={
       $LogPrint warning $ScriptName ("Request to DoH server " . ($DohServer->"doh-url") . \
           " failed: " . $Err);

news-and-changes.rsc

@@ -67,6 +67,7 @@
   140="The scripts 'lease-script' was renamed to 'dhcpv4-server-lease', configuration was updated automatically.";
   141="Introduced script 'dhcpv6-client-lease' to run several scripts on IPv6 DHCP client lease.";
   142="Added a setting for 'mod/notification-email' to check availability of certificate chain.";
+  143="Made backup scripts 'backup-email' and 'backup-upload' support date & time in filenames.";
 };
 
 # Migration steps to be applied on script updates