Info on Let's Encrypt change

> Let's Encrypt's Gen Y (YE and YR bulleted below) Cross-Certified > Subordinate CAs were issued in violation of CCADB policy which requires > that the serverAuth EKU extension MUST be present in cross-signed > intermediate certificates issued since June 15th 2025. Root YE and > YR were issued September 3rd 2025 and are subject to the requirements. https://community.letsencrypt.org/t/2026-05-08-gen-y-cross-certified-subordinate-cas-missing-serverauth-eku/247105
Merge branch 'lets-encrypt-old-chain' into next
2026-05-17 17:02:31 +00:00 · 2026-05-14 22:59:07 +02:00 · 2026-05-13 16:19:11 +02:00 · 2026-05-13 16:19:11 +02:00 · 2026-05-13 16:19:11 +02:00 · 2026-05-13 16:19:11 +02:00
7 changed files with 35 additions and 23 deletions
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@ -18,9 +18,9 @@ Run the complete base installation:
    {
      :local BaseUrl "https://rsc.eworm.de/main/";
-      :local CertCommonName "Root YE";
+      :local CertCommonName "ISRG Root X2";
-      :local CertFileName "Root-YE.pem";
+      :local CertFileName "ISRG-Root-X2.pem";
-      :local CertFingerprint "e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";
+      :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
      :local CertSettings [ /certificate/settings/get ];
      :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
--- a/README.d/01-download-certs.avif
+++ b/README.d/01-download-certs.avif
--- a/README.d/03-check-certs.avif
+++ b/README.d/03-check-certs.avif
--- a/README.md
+++ b/README.md
@ -126,18 +126,18 @@ If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.
-    /tool/fetch "https://rsc.eworm.de/main/certs/Root-YE.pem" dst-path="root-ye.pem";
+    /tool/fetch "https://rsc.eworm.de/main/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem";
 ![screenshot: download certs](README.d/01-download-certs.avif)
 > ℹ️ **Info**: Note that the command above does *not* verify server
 > certificate, so if you want to be safe download with your workstations's
 > browser from CA's website and transfer the file to your MikroTik device:
-> *Let's Encrypt* / *ISRG* [Root YE ↗️](https://letsencrypt.org/certs/gen-y/root-ye.pem)
+> *Let's Encrypt* / *ISRG* [ISRG Root X2 ↗️](https://letsencrypt.org/certs/isrg-root-x2.pem)
 Then we import the certificate.
-    /certificate/import file-name="root-ye.pem" passphrase="";
+    /certificate/import file-name="isrg-root-x2.pem" passphrase="";
 Do not worry that the command is not shown - that happens because it contains
 a sensitive property, the passphrase.
@ -145,11 +145,11 @@ a sensitive property, the passphrase.
 ![screenshot: import certs](README.d/02-import-certs.avif)
 For basic verification we rename the certificate and print it by
-fingerprint. Make sure exactly this one certificate ("*Root-YE*")
+fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
 is shown.
-    /certificate/set name="Root-YE" [ find where common-name="Root YE" ];
+    /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
-    /certificate/print proplist=name,fingerprint where fingerprint="e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";
+    /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
 ![screenshot: check certs](README.d/03-check-certs.avif)
--- a/certs/Makefile
+++ b/certs/Makefile
@ -12,12 +12,12 @@ DOMAINS_DUAL = \
 	cloudflare-dns.com/SSL-com-Root-Certification-Authority-ECC \
 	dns.google/GTS-Root-RX \
 	dns.quad9.net/DigiCert-Global-Root-G3 \
-	git.eworm.de/Root-YE \
+	git.eworm.de/ISRG-Root-X2 \
 	gitlab.com/USERTrust-RSA-Certification-Authority \
 	lists.blocklist.de/GTS-Root-R4 \
 	matrix.org/GTS-Root-R4 \
 	raw.githubusercontent.com/ISRG-Root-X1 \
-	rsc.eworm.de/Root-YE \
+	rsc.eworm.de/ISRG-Root-X2 \
 	upgrade.mikrotik.com/ISRG-Root-X1
 DOMAINS_IPV4 = \
 	1.1.1.1/SSL-com-Root-Certification-Authority-ECC \
--- a/global-functions.rsc
+++ b/global-functions.rsc
@ -310,7 +310,7 @@
  :for I from=0 to=([ :len $Input ] - 1) do={
    :local Char [ :pick $Input $I ];
-    :if ([ :typeof [ find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={
+    :if ([ :typeof [ :find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={
      :do {
        :if ([ :len $Return ] = 0) do={
          :error true;
@ -812,10 +812,15 @@
 # check if DNS is resolving
 :set IsDNSResolving do={
  :do {
-    :resolve "low-ttl.eworm.de";
+    :local I 1;
    :retry {
      :set I ($I ^ 1);
      :resolve ("low-ttl.eworm." . ({ "de"; "net" }->$I));
    } delay=50ms max=6;
  } on-error={
    :return false;
  }
  :return true;
 }
@ -1200,11 +1205,13 @@
  }
  :onerror Err {
-    /file/remove $DirName;
+    /file/remove [ find where name=$DirName ];
  } do={
    :if (!($Err ~ "no such item")) do={
      $LogPrint error $0 ("Removing directory '" . $DirName . "' failed: " . $Err);
      :return false;
    }
  }
  :return true;
 }
@ -1229,11 +1236,13 @@
  }
  :onerror Err {
-    /file/remove $FileName;
+    /file/remove [ find where name=$FileName ];
  } do={
    :if (!($Err ~ "no such item")) do={
      $LogPrint error $0 ("Removing file '" . $FileName . "' failed: " . $Err);
      :return false;
    }
  }
  :return true;
 }
@ -1292,7 +1301,8 @@
  :global SymbolForNotification;
  :global ValidateSyntax;
-  :if ([ $CertificateAvailable "Root YE" "fetch" ] = false) do={
+  :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false || \
       [ $CertificateAvailable "Root YE" "fetch" ] = false) do={
    $LogPrint warning $0 ("Downloading certificate failed, trying without.");
  }
--- a/netwatch-dns.rsc
+++ b/netwatch-dns.rsc
@ -115,13 +115,15 @@
    :local Data false;
    :onerror Err {
      :local I 1;
      :retry {
        :set I ($I ^ 1);
        :set Data ([ /tool/fetch check-certificate=yes-without-crl output=user \
          http-header-field=({ "accept: application/dns-message" }) \
          url=(($DohServer->"doh-url") . "?dns=" . [ :convert to=base64 ([ :rndstr length=2 ] . \
-          "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm\02de\00" . \
+          "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm" . \
-          "\00\10" . "\00\01") ]) as-value ]->"data");
+          ({ "\02de"; "\03net" }->$I) . "\00" . "\00\10" . "\00\01") ]) as-value ]->"data");
-      } delay=1s max=3;
+      } delay=500ms max=6;
    } do={
      $LogPrint warning $ScriptName ("Request to DoH server " . ($DohServer->"doh-url") . \
          " failed: " . $Err);
Author	SHA1	Message	Date
Christian Hesse	d586205a70	Info on Let's Encrypt change > Let's Encrypt's Gen Y (YE and YR bulleted below) Cross-Certified > Subordinate CAs were issued in violation of CCADB policy which requires > that the serverAuth EKU extension MUST be present in cross-signed > intermediate certificates issued since June 15th 2025. Root YE and > YR were issued September 3rd 2025 and are subject to the requirements. https://community.letsencrypt.org/t/2026-05-08-gen-y-cross-certified-subordinate-cas-missing-serverauth-eku/247105	2026-05-14 22:59:07 +02:00
Christian Hesse	71c190b478	Merge branch 'lets-encrypt-old-chain' into next	2026-05-13 16:19:11 +02:00
Christian Hesse	a3de8aa081	global-functions: $CleanName: add missing colon	2026-05-13 16:19:11 +02:00
Christian Hesse	2a6567135e	INITIAL-COMMANDS: Let's Encrypt switched back to old chain	2026-05-13 16:19:11 +02:00
Christian Hesse	7ad60ac704	README: Let's Encrypt switched back to old chain	2026-05-13 16:19:11 +02:00
Christian Hesse	59e0c4460e	certs: Let's Encrypt switched back to old chain	2026-05-13 16:19:11 +02:00
Christian Hesse	6f2eb69ee0	global-functions: $ScriptInstallUpdate: Check for both LE certificates Hmm... 🤨 Let's Encrypt is doing crazy things. My server was switched to 'Root YE' alredy, now it is back to 'ISRG Root X2'... 😳 So let's check for both for now.	2026-05-13 16:19:11 +02:00
Christian Hesse	73f15a2df0	global-functions: $RmFile: ignore "no such item"... ... as this is still racy.	2026-05-07 15:58:07 +02:00
Christian Hesse	57385b5934	global-functions: $RmDir: ignore "no such item"... ... as this is still racy.	2026-05-07 15:58:07 +02:00
Christian Hesse	74d3fc2933	global-functions: $RmFile: remove with find... ... as this is still racy.	2026-05-07 15:58:07 +02:00
Christian Hesse	875df5da76	global-functions: $RmDir: remove with find... ... as this is still racy.	2026-05-07 15:58:07 +02:00
Christian Hesse	3aaba1f408	netwatch-dns: check with eworm.de and eworm.net This should prevent against DENIC outages... https://blog.denic.de/en/denic-reports-resolved-dnssec-disruption-affecting-de-domains/	2026-05-06 16:15:17 +02:00
Christian Hesse	0ef11bf11d	global-functions: $IsDNSResolving: check with :retry	2026-05-06 16:15:17 +02:00
Christian Hesse	811df5abf2	global-functions: $IsDNSResolving: check with eworm.de and eworm.net This should prevent against DENIC outages... https://blog.denic.de/en/denic-reports-resolved-dnssec-disruption-affecting-de-domains/	2026-05-06 10:01:39 +02:00
Christian Hesse	cd4052ba6b	Merge branch 'backup-filename-date' into next	2026-04-28 16:37:09 +02:00