diff --git a/certs/Makefile b/certs/Makefile index b0f029ab..c9a33798 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -16,7 +16,7 @@ DOMAINS_DUAL = \ gitlab.com/USERTrust-RSA-Certification-Authority \ lists.blocklist.de/GTS-Root-R4 \ matrix.org/GTS-Root-R4 \ - raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \ + raw.githubusercontent.com/ISRG-Root-X1 \ rsc.eworm.de/Root-YE \ upgrade.mikrotik.com/ISRG-Root-X1 DOMAINS_IPV4 = \ diff --git a/check-certificates.rsc b/check-certificates.rsc index 0122122a..e5683514 100644 --- a/check-certificates.rsc +++ b/check-certificates.rsc @@ -60,8 +60,8 @@ http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \ ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value; } do={ - :if ($Err != "Fetch failed with status 404") do={ - $LogPrint warning $0 ("Failed fetching certificate: " . $Err); + :if (!($Err ~ "[Ss]tatus 404")) do={ + $LogPrint warning $0 ("Failed fetching certificate by '" . $FetchName . "': " . $Err); } :error false; } @@ -177,9 +177,11 @@ $LogPrint info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'."); :local ImportSuccess false; - :set LastName ($CertVal->"common-name"); - :set FetchName $LastName; - :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ]; + :if ([ :len ($CertVal->"common-name") ] > 0) do={ + :set LastName ($CertVal->"common-name"); + :set FetchName $LastName; + :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ]; + } :foreach SAN in=($CertVal->"subject-alt-name") do={ :if ($ImportSuccess = false) do={ :set LastName [ :pick $SAN ([ :find $SAN ":" ] + 1) [ :len $SAN ] ]; diff --git a/doc/check-certificates.md b/doc/check-certificates.md index 1e69af46..c6db7c88 100644 --- a/doc/check-certificates.md +++ b/doc/check-certificates.md 
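Review bot: The 404 test in the fetch error handler of check-certificates.rsc (`:if (!($Err ~ "[Ss]tatus 404")) do={`) depends on a substring of the fetch error text, and nothing beside it says why a 404 stays silent. A comment above the `:if` would record the intent, for example `# 404 is expected while trying common-name and each subject-alt-name in turn; warn on any other failure`. The pattern is unanchored, so any error text that contains "status 404" is suppressed as well. If the `[Ss]` is there because the wording differs between RouterOS versions, saying so in the comment tells the next maintainer what to re-check after an upgrade. The enclosing function starts and ends outside the hunk.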
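Review bot: In the renewal hunk of check-certificates.rsc (`@@ -177`), a certificate with an empty common-name and no subject-alt-name entries now gets no download attempt at all, while `LastName` and `FetchName` keep whatever an earlier certificate left in them, since both are assigned with `:set` and are presumably declared further up. If the code after the `:foreach SAN` loop (outside this hunk) logs or acts on `$LastName`, it would name the wrong certificate. Clearing both before the guard, `:set LastName ""; :set FetchName "";`, or logging that the certificate has no usable name, would make that case explicit. The SAN branch takes everything after the first `:` regardless of entry type, so now that a SAN can be the only name source, a comment stating which SAN types are expected to work as a download name would help.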
@@ -85,7 +85,7 @@ Given you have a certificate on you server, you can use `check-certificates` for the initial import. Just create a *dummy* certificate with short lifetime that matches criteria to be renewed: - /certificate/add name=example.com common-name=example.com days-valid=1; + /certificate/add name="example.com" common-name="example.com" subject-alt-name="DNS:example.com" days-valid=1; /certificate/sign example.com; /system/script/run check-certificates; diff --git a/global-config.rsc b/global-config.rsc index e8a86aac..1425764c 100644 --- a/global-config.rsc +++ b/global-config.rsc @@ -115,7 +115,7 @@ # cert="Root YE" }; { url="https://raw.githubusercontent.com/stamparm/ipsum/refs/heads/master/levels/4.txt"; # # higher level (decrease the numerical value) for more addresses, and vice versa - cert="USERTrust RSA Certification Authority" }; + cert="ISRG Root X1" }; { url="https://www.dshield.org/block.txt"; cidr="/24"; cert="GTS Root R4" }; { url="https://lists.blocklist.de/lists/strongips.txt"; diff --git a/global-functions.rsc b/global-functions.rsc index e0a73045..cb74f991 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -1290,7 +1290,9 @@ } :foreach Script in=$Scripts do={ - :if ([ :len [ /system/script/find where name=$Script ] ] = 0) do={ + :if ([ :len [ /system/script/find where name=$Script ] ] > 0) do={ + $LogPrint warning $0 ("Requested to add script '" . $Script . "', but that exists already!"); + } else={ $LogPrint info $0 ("Adding new script: " . $Script); /system/script/add name=$Script owner=$Script source="#!rsc by RouterOS\n" comment=$NewComment; }