fw-addr-lists: www.dshield.org requires 'GTS Root R4'

fw-addr-lists: lists.blocklist.de requires 'GTS Root R4'
fw-addr-lists: rsc.eworm.de requires 'Root YE'
2026-03-03 12:39:35 +00:00 · 2026-01-15 16:06:03 +01:00 · 2026-01-15 16:06:03 +01:00 · 2026-01-15 16:06:03 +01:00 · 2026-01-15 15:58:14 +01:00 · 2026-01-15 15:58:14 +01:00
8 changed files with 38 additions and 19 deletions
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@ -18,9 +18,9 @@ Run the complete base installation:

    {
      :local BaseUrl "https://rsc.eworm.de/main/";
-      :local CertCommonName "ISRG Root X2";
-      :local CertFileName "ISRG-Root-X2.pem";
-      :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
+      :local CertCommonName "Root YE";
+      :local CertFileName "Root-YE.pem";
+      :local CertFingerprint "e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";

      :local CertSettings [ /certificate/settings/get ];
      :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
--- a/README.d/01-download-certs.avif
+++ b/README.d/01-download-certs.avif
--- a/README.d/03-check-certs.avif
+++ b/README.d/03-check-certs.avif
--- a/README.md
+++ b/README.md
@ -112,7 +112,7 @@ If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.

-    /tool/fetch "https://rsc.eworm.de/main/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem";
+    /tool/fetch "https://rsc.eworm.de/main/certs/Root-YE.pem" dst-path="root-ye.pem";

 ![screenshot: download certs](README.d/01-download-certs.avif)

@ -120,11 +120,11 @@ Note that the commands above do *not* verify server certificate, so if you
 want to be safe download with your workstations's browser and transfer the
 file to your MikroTik device.

-* [ISRG Root X2 ↗️](https://letsencrypt.org/certs/isrg-root-x2.pem)
+* Let's Encrypt [Root YE ↗️](https://letsencrypt.org/certs/gen-y/root-ye.pem)

 Then we import the certificate.

-    /certificate/import file-name="isrg-root-x2.pem" passphrase="";
+    /certificate/import file-name="root-ye.pem" passphrase="";

 Do not worry that the command is not shown - that happens because it contains
 a sensitive property, the passphrase.
@ -132,11 +132,11 @@ a sensitive property, the passphrase.
 ![screenshot: import certs](README.d/02-import-certs.avif)

 For basic verification we rename the certificate and print it by
-fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
+fingerprint. Make sure exactly this one certificate ("*Root-YE*")
 is shown.

-    /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
-    /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
+    /certificate/set name="Root-YE" [ find where common-name="Root YE" ];
+    /certificate/print proplist=name,fingerprint where fingerprint="e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";

 ![screenshot: check certs](README.d/03-check-certs.avif)

--- a/certs/Makefile
+++ b/certs/Makefile
@ -12,11 +12,11 @@ DOMAINS_DUAL = \
 	cloudflare-dns.com/DigiCert-Global-Root-G2 \
 	dns.google/GTS-Root-R4 \
 	dns.quad9.net/DigiCert-Global-Root-G3 \
-	git.eworm.de/ISRG-Root-X2 \
-	lists.blocklist.de/Certum-Trusted-Network-CA \
+	git.eworm.de/Root-YE \
+	lists.blocklist.de/GTS-Root-R4 \
 	matrix.org/GTS-Root-R4 \
 	raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \
-	rsc.eworm.de/ISRG-Root-X2 \
+	rsc.eworm.de/Root-YE \
 	upgrade.mikrotik.com/ISRG-Root-X1
 DOMAINS_IPV4 = \
 	1.1.1.1/DigiCert-Global-Root-G2 \
@ -27,7 +27,7 @@ DOMAINS_IPV4 = \
 	ipv4.tunnelbroker.net/Starfield-Root-Certificate-Authority-G2 \
 	mkcert.org/ISRG-Root-X1 \
 	ntfy.sh/ISRG-Root-X1 \
-	www.dshield.org/ISRG-Root-X1 \
+	www.dshield.org/GTS-Root-R4 \
 	www.spamhaus.org/GTS-Root-R4
 DOMAINS_IPV6 = \
 	[2606\:4700\:4700\:\:1111]/DigiCert-Global-Root-G2 \
--- a/certs/Root-YE.pem
+++ b/certs/Root-YE.pem
@ -0,0 +1,19 @@
+# Issuer: C=US, O=ISRG, CN=Root YE
+# Subject: C=US, O=ISRG, CN=Root YE
+# Label: "Root YE"
+# Serial: A4026BA2EF6C7C20D4047E5E65A69380
+# MD5 Fingerprint: 93:61:B1:AC:E4:DC:A4:8B:C6:FF:A4:A2:2B:D4:64:64
+# SHA1 Fingerprint: A9:57:15:57:A7:7D:B7:8F:FA:C2:E9:7B:57:B8:98:56:90:39:C3:40
+# SHA256 Fingerprint: E1:4F:FC:AD:5B:00:25:73:10:06:CA:A4:3A:12:1A:22:D8:E9:70:0F:4F:B9:CF:85:2F:02:A7:08:AA:5D:56:66
+-----BEGIN CERTIFICATE-----
+MIIB2TCCAWCgAwIBAgIRAKQCa6LvbHwg1AR+XmWmk4AwCgYIKoZIzj0EAwMwLjEL
+MAkGA1UEBhMCVVMxDTALBgNVBAoTBElTUkcxEDAOBgNVBAMTB1Jvb3QgWUUwHhcN
+MjUwOTAzMDAwMDAwWhcNNDUwOTAyMjM1OTU5WjAuMQswCQYDVQQGEwJVUzENMAsG
+A1UEChMESVNSRzEQMA4GA1UEAxMHUm9vdCBZRTB2MBAGByqGSM49AgEGBSuBBAAi
+A2IABDwS/6vhrcVqcbBo+wgdI3fwn9x7DNJJOY/lTOti0vkwuRN87RhEhTH17E7X
+yFjWsPYhIPt/wzOqxTd2b+4ZJNy9ID04YywF9U5zasDVyGSNErVNtz8uSGh5izW8
+7j77GaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFKPIJlqOoUzQNWP8myPIOq5W809WMAoGCCqGSM49BAMDA2cAMGQCMHhMr8N9
+LdL1VQKs9BdV81r76eXRB6mtjuNjzk6/lBsPNToWLTDzGYgtQKO1jl63uAIwGV7m
+onyF377c+MM1oqVNs17sgu7F9YKZwgLmVbeOMDbKAXHtKMDLbiGllCcs8f47
+-----END CERTIFICATE-----
--- a/global-config.rsc
+++ b/global-config.rsc
@ -108,18 +108,18 @@
 :global FwAddrLists {
 #  "allow"={
 #    { url="https://rsc.eworm.de/main/fw-addr-lists.d/allow";
-#      cert="ISRG Root X2"; timeout=1w };
+#      cert="Root YE"; timeout=1w };
 #  };
  "block"={
 #    { url="https://rsc.eworm.de/main/fw-addr-lists.d/block";
-#      cert="ISRG Root X2" };
+#      cert="Root YE" };
    { url="https://raw.githubusercontent.com/stamparm/ipsum/refs/heads/master/levels/4.txt";
 #     # higher level (decrease the numerical value) for more addresses, and vice versa
      cert="USERTrust RSA Certification Authority" };
    { url="https://www.dshield.org/block.txt"; cidr="/24";
-      cert="ISRG Root X1" };
+      cert="GTS Root R4" };
    { url="https://lists.blocklist.de/lists/strongips.txt";
-      cert="Certum Trusted Network CA" };
+      cert="GTS Root R4" };
 #    { url="https://www.spamhaus.org/drop/drop_v4.json";
 #      cert="GTS Root R4" };
 #    { url="https://www.spamhaus.org/drop/drop_v6.json";
@ -127,7 +127,7 @@
  };
 #  "mikrotik"={
 #    { url="https://rsc.eworm.de/main/fw-addr-lists.d/mikrotik";
-#      cert="ISRG Root X2"; timeout=1w };
+#      cert="Root YE"; timeout=1w };
 #  };
 };
 :global FwAddrListTimeOut 1d;
--- a/global-functions.rsc
+++ b/global-functions.rsc
@ -1265,7 +1265,7 @@
  :global SymbolForNotification;
  :global ValidateSyntax;

-  :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false) do={
+  :if ([ $CertificateAvailable "Root YE" "fetch" ] = false) do={
    $LogPrint warning $0 ("Downloading certificate failed, trying without.");
  }
Author	SHA1	Message	Date
Christian Hesse	9e060a746c	fw-addr-lists: www.dshield.org requires 'GTS Root R4'	2026-01-15 16:06:03 +01:00
Christian Hesse	df3d8073a3	fw-addr-lists: lists.blocklist.de requires 'GTS Root R4'	2026-01-15 16:06:03 +01:00
Christian Hesse	7e624081f9	fw-addr-lists: rsc.eworm.de requires 'Root YE'	2026-01-15 16:06:03 +01:00
Christian Hesse	a0a3fa7f13	INITIAL-COMMANDS: update for new Let's Encrypt Root YE	2026-01-15 15:58:14 +01:00
Christian Hesse	7f731cc58f	README: update for new Let's Encrypt Root YE	2026-01-15 15:58:14 +01:00
Christian Hesse	05c60eadba	global-functions: $ScriptInstallUpdate: get new root certificate	2026-01-15 15:58:14 +01:00
Christian Hesse	ef7874c582	certs: update *.eworm.de for new Let's Encrypt Root YE	2026-01-15 15:58:14 +01:00
Christian Hesse	9fb1c95d32	certs: add Let's Encrypt 'Root YE' for future use https://letsencrypt.org/2025/11/24/gen-y-hierarchy https://letsencrypt.org/certificates/#root-cas	2026-01-15 14:55:29 +01:00