Merge branch 'check-certificates' into next

The message used to be:

    Fetch failed with status 404

... but changed recently:

    failure: Status 404, NOT FOUND

The new string is in RouterOS 7.22, and changed in what ever
beta or rc release. Let's just match the status code and hope
for the best.

certs/Makefile

@@ -16,7 +16,7 @@ DOMAINS_DUAL = \
 	gitlab.com/USERTrust-RSA-Certification-Authority \
 	lists.blocklist.de/GTS-Root-R4 \
 	matrix.org/GTS-Root-R4 \
-	raw.githubusercontent.com/USERTrust-RSA-Certification-Authority \
+	raw.githubusercontent.com/ISRG-Root-X1 \
 	rsc.eworm.de/Root-YE \
 	upgrade.mikrotik.com/ISRG-Root-X1
 DOMAINS_IPV4 = \

check-certificates.rsc

@@ -60,8 +60,8 @@
               http-header-field=({ [ $FetchUserAgentStr $ScriptName ] }) \
               ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
         } do={
-          :if ($Err != "Fetch failed with status 404") do={
+          :if (!($Err ~ "[Ss]tatus 404")) do={
-            $LogPrint warning $0 ("Failed fetching certificate: " . $Err);
+            $LogPrint warning $0 ("Failed fetching certificate by '" . $FetchName . "': " . $Err);
           }
           :error false;
         }
@@ -177,9 +177,11 @@
       $LogPrint info $ScriptName ("Attempting to renew certificate '" . ($CertVal->"name") . "'.");
 
       :local ImportSuccess false;
-      :set LastName ($CertVal->"common-name");
+      :if ([ :len ($CertVal->"common-name") ] > 0) do={
-      :set FetchName $LastName;
+        :set LastName ($CertVal->"common-name");
-      :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+        :set FetchName $LastName;
+        :set ImportSuccess [ $CheckCertificatesDownloadImport $ScriptName $LastName $FetchName ];
+      }
       :foreach SAN in=($CertVal->"subject-alt-name") do={
         :if ($ImportSuccess = false) do={
           :set LastName [ :pick $SAN ([ :find $SAN ":" ] + 1) [ :len $SAN ] ];

doc/check-certificates.md

@@ -85,7 +85,7 @@ Given you have a certificate on you server, you can use `check-certificates`
 for the initial import. Just create a *dummy* certificate with short lifetime
 that matches criteria to be renewed:
 
-    /certificate/add name=example.com common-name=example.com days-valid=1;
+    /certificate/add name="example.com" common-name="example.com" subject-alt-name="DNS:example.com" days-valid=1;
     /certificate/sign example.com;
     /system/script/run check-certificates;
 

global-config.rsc

@@ -115,7 +115,7 @@
 #      cert="Root YE" };
     { url="https://raw.githubusercontent.com/stamparm/ipsum/refs/heads/master/levels/4.txt";
 #     # higher level (decrease the numerical value) for more addresses, and vice versa
-      cert="USERTrust RSA Certification Authority" };
+      cert="ISRG Root X1" };
     { url="https://www.dshield.org/block.txt"; cidr="/24";
       cert="GTS Root R4" };
     { url="https://lists.blocklist.de/lists/strongips.txt";

global-functions.rsc

@@ -1290,7 +1290,9 @@
   }
 
   :foreach Script in=$Scripts do={
-    :if ([ :len [ /system/script/find where name=$Script ] ] = 0) do={
+    :if ([ :len [ /system/script/find where name=$Script ] ] > 0) do={
+      $LogPrint warning $0 ("Requested to add script '" . $Script . "', but that exists already!");
+    } else={
       $LogPrint info $0 ("Adding new script: " . $Script);
       /system/script/add name=$Script owner=$Script source="#!rsc by RouterOS\n" comment=$NewComment;
     }