INITIAL-COMMANDS.md

@@ -18,9 +18,9 @@ Run the complete base installation:
 
     {
       :local BaseUrl "https://rsc.eworm.de/main/";
-      :local CertCommonName "ISRG Root X2";
-      :local CertFileName "ISRG-Root-X2.pem";
-      :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
+      :local CertCommonName "Root YE";
+      :local CertFileName "Root-YE.pem";
+      :local CertFingerprint "e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";
 
       :local CertSettings [ /certificate/settings/get ];
       :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \

README.md

@@ -126,18 +126,18 @@ If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.
 
-    /tool/fetch "https://rsc.eworm.de/main/certs/ISRG-Root-X2.pem" dst-path="isrg-root-x2.pem";
+    /tool/fetch "https://rsc.eworm.de/main/certs/Root-YE.pem" dst-path="root-ye.pem";
 
 ![screenshot: download certs](README.d/01-download-certs.avif)
 
 > ℹ️ **Info**: Note that the command above does *not* verify server
 > certificate, so if you want to be safe download with your workstations's
 > browser from CA's website and transfer the file to your MikroTik device:
-> *Let's Encrypt* / *ISRG* [ISRG Root X2 ↗️](https://letsencrypt.org/certs/isrg-root-x2.pem)
+> *Let's Encrypt* / *ISRG* [Root YE ↗️](https://letsencrypt.org/certs/gen-y/root-ye.pem)
 
 Then we import the certificate.
 
-    /certificate/import file-name="isrg-root-x2.pem" passphrase="";
+    /certificate/import file-name="root-ye.pem" passphrase="";
 
 Do not worry that the command is not shown - that happens because it contains
 a sensitive property, the passphrase.
@@ -145,11 +145,11 @@ a sensitive property, the passphrase.
 ![screenshot: import certs](README.d/02-import-certs.avif)
 
 For basic verification we rename the certificate and print it by
-fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
+fingerprint. Make sure exactly this one certificate ("*Root-YE*")
 is shown.
 
-    /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
-    /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
+    /certificate/set name="Root-YE" [ find where common-name="Root YE" ];
+    /certificate/print proplist=name,fingerprint where fingerprint="e14ffcad5b0025731006caa43a121a22d8e9700f4fb9cf852f02a708aa5d5666";
 
 ![screenshot: check certs](README.d/03-check-certs.avif)
 

backup-email.rsc

@@ -16,7 +16,6 @@
       do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
   :local ScriptName [ :jobname ];
 
-  :global BackupFileNameDate;
   :global BackupPassword;
   :global BackupRandomDelay;
   :global BackupSendBinary;
@@ -74,9 +73,7 @@
 
   # filename based on identity
   :local DirName ("tmpfs/" . $ScriptName);
-  :local Clock [ /system/clock/get ];
-  :local FileName [ $CleanName ($Identity . "." . $Domain . [ $IfThenElse \
-      ($BackupFileNameDate = true) ("-" . $Clock->"date" . "-" . $Clock->"time") "" ] ) ];
+  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
   :local FilePath ($DirName . "/" . $FileName);
   :local BackupFile "none";
   :local ExportFile "none";

backup-upload.rsc

@@ -17,7 +17,6 @@
       do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
   :local ScriptName [ :jobname ];
 
-  :global BackupFileNameDate;
   :global BackupPassword;
   :global BackupRandomDelay;
   :global BackupSendBinary;
@@ -73,9 +72,7 @@
 
   # filename based on identity
   :local DirName ("tmpfs/" . $ScriptName);
-  :local Clock [ /system/clock/get ];
-  :local FileName [ $CleanName ($Identity . "." . $Domain . [ $IfThenElse \
-      ($BackupFileNameDate = true) ("-" . $Clock->"date" . "-" . $Clock->"time") "" ] ) ];
+  :local FileName [ $CleanName ($Identity . "." . $Domain) ];
   :local FilePath ($DirName . "/" . $FileName);
   :local BackupFile "none";
   :local ExportFile "none";

certs/Makefile

@@ -12,12 +12,12 @@ DOMAINS_DUAL = \
 	cloudflare-dns.com/SSL-com-Root-Certification-Authority-ECC \
 	dns.google/GTS-Root-RX \
 	dns.quad9.net/DigiCert-Global-Root-G3 \
-	git.eworm.de/ISRG-Root-X2 \
+	git.eworm.de/Root-YE \
 	gitlab.com/USERTrust-RSA-Certification-Authority \
 	lists.blocklist.de/GTS-Root-R4 \
 	matrix.org/GTS-Root-R4 \
 	raw.githubusercontent.com/ISRG-Root-X1 \
-	rsc.eworm.de/ISRG-Root-X2 \
+	rsc.eworm.de/Root-YE \
 	upgrade.mikrotik.com/ISRG-Root-X1
 DOMAINS_IPV4 = \
 	1.1.1.1/SSL-com-Root-Certification-Authority-ECC \

contrib/telegram.md

@@ -95,10 +95,6 @@ Notes
 
     /save dhcpv4-server-lease Run other scripts on IPv4 DHCP server lease with [dhcpv4-server-lease](https://rsc.eworm.de/doc/dhcpv4-server-lease.md).
 
-#### dhcpv6-client-lease
-
-    /save dhcpv6-client-lease Run other scripts on IPv6 DHCP client lease with [dhcpv6-client-lease](https://rsc.eworm.de/doc/dhcpv6-client-lease.md).
-
 #### firmware-upgrade-reboot
 
     /save firmware-upgrade-reboot Automatically upgrade firmware and reboot with [firmware-upgrade-reboot](https://rsc.eworm.de/doc/firmware-upgrade-reboot.md).

doc/backup-email.md

@@ -34,7 +34,6 @@ Configuration
 
 The configuration goes to `global-config-overlay`, these are the parameters:
 
-* `BackupFileNameDate`: whether to add date & time in filenames
 * `BackupSendBinary`: whether to send binary backup
 * `BackupSendExport`: whether to send configuration export
 * `BackupSendGlobalConfig`: whether to send `global-config-overlay`

doc/backup-upload.md

@@ -40,7 +40,6 @@ Configuration
 
 The configuration goes to `global-config-overlay`, these are the parameters:
 
-* `BackupFileNameDate`: whether to add date & time in filenames
 * `BackupSendBinary`: whether to send binary backup
 * `BackupSendExport`: whether to send configuration export
 * `BackupSendGlobalConfig`: whether to send `global-config-overlay`

doc/ipv6-update.md

@@ -77,7 +77,6 @@ start with "`ipv6-pool-`" and actual pool name, followed by a comma,
 See also
 --------
 
-* [Run other scripts on IPv6 DHCP client lease](dhcpv6-client-lease.md)
 * [Run scripts on ppp connection](ppp-on-up.md)
 
 ---

doc/mod/notification-email.md

@@ -37,9 +37,7 @@ Also make sure the device has correct time configured, best is to set up
 the ntp client.
 
 Then edit `global-config-overlay`, add `EmailGeneralTo` with a valid
-recipient address. Optionally add `EmailServerCertificate` and add the CA
-certificate name if you have certificate verification enabled. Finally
-reload the configuration.
+recipient address. Finally reload the configuration.
 
 > ℹ️ **Info**: Copy relevant configuration from
 > [`global-config`](../../global-config.rsc) (the one without `-overlay`) to

doc/mod/ssh-keys-import.md

@@ -4,7 +4,7 @@ Import ssh keys for public key authentication
 [![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
 [![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
-[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.21-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.19-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
 [![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
 [![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
 
@@ -38,8 +38,9 @@ import that key:
     $SSHKeysImport "ssh-rsa AAAAB3Nza...QYZk8= user" admin;
 
 The third part of the key (`user` in this example) is inherited as
-`info` in RouterOS. Also the `MD5` fingerprint is recorded, this helps
-to audit and verify the available keys.
+`info` in RouterOS (or `key-owner` with RouterOS 7.20.x and before). Also
+the `MD5` fingerprint is recorded, this helps to audit and verify the
+available keys.
 
 > ℹ️️ **Info**: Use `ssh-keygen` to show a fingerprint of an existing public
 > key file: `ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub`

doc/ppp-on-up.md

@@ -36,7 +36,6 @@ Just install the script:
 See also
 --------
 
-* [Run other scripts on IPv6 DHCP client lease](dhcpv6-client-lease.md)
 * [Update configuration on IPv6 prefix change](ipv6-update.md)
 * [Update tunnelbroker configuration](update-tunnelbroker.md)
 

global-config.rsc

@@ -31,8 +31,6 @@
 :global EmailGeneralCc "";
 #:global EmailGeneralTo "mail@example.com";
 #:global EmailGeneralCc "another@example.com,third@example.com";
-# Add the CA certificate name here for verification.
-:global EmailServerCertificate "";
 
 # You can send Telegram notifications. Register a bot
 # and add the token and chat ids here, then install the module:
@@ -90,9 +88,7 @@
 # Toggle this to disable color output in terminal/cli.
 :global TerminalColorOutput true;
 
-# This defines whether to add date & time in filenames, what backups to generate,
-# the password to use, and what random delay (between 0 and given seconds) to apply.
-:global BackupFileNameDate false;
+# This defines what backups to generate and what password to use.
 :global BackupSendBinary false;
 :global BackupSendExport true;
 :global BackupSendGlobalConfig true;

global-functions.rsc

@@ -15,7 +15,7 @@
 # Git commit id & info, expected configuration version
 :global CommitId "unknown";
 :global CommitInfo "unknown";
-:global ExpectedConfigVersion 143;
+:global ExpectedConfigVersion 141;
 
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
@@ -111,13 +111,11 @@
   :local UseFor     [ :tostr $2 ];
 
   :global CertificateDownload;
+  :global EitherOr;
   :global LogPrint;
   :global ParseKeyValueStore;
 
-  :if ([ :len $UseFor ] = 0) do={
-    $LogPrint warning $0 ("The intended use is undefined!");
-    :set UseFor "undefined";
-  }
+  :set UseFor [ $EitherOr $UseFor "undefined" ];
 
   :if ([ /system/resource/get free-hdd-space ] < 8388608 && \
        [ /certificate/settings/get crl-download ] = true && \
@@ -191,12 +189,7 @@
     $LogPrint warning $0 ("Failed downloading certificate with CommonName '" . $CommonName . \
       "' from repository! Trying fallback to mkcert.org...");
     :do {
-      :local CertSettings [ /certificate/settings/get ];
-      :if ([ :len [ /certificate/find where common-name="ISRG Root X1" ] ] = 0 && \
-           !((($CertSettings->"builtin-trust-anchors") = "trusted" || \
-              ($CertSettings->"builtin-trust-store") ~ "fetch" || \
-              ($CertSettings->"builtin-trust-store") = "all") && \
-             [ :len [ /certificate/builtin/find where common-name="ISRG Root X1" ] ] > 0)) do={
+      :if ([ :len [ /certificate/find where common-name="ISRG Root X1" ] ] = 0) do={
         $LogPrint error $0 ("Required certificate is not available.");
         :return false;
       }
@@ -310,7 +303,7 @@
 
   :for I from=0 to=([ :len $Input ] - 1) do={
     :local Char [ :pick $Input $I ];
-    :if ([ :typeof [ :find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={
+    :if ([ :typeof [ find "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" $Char ] ] = "nil") do={
       :do {
         :if ([ :len $Return ] = 0) do={
           :error true;
@@ -812,15 +805,10 @@
 # check if DNS is resolving
 :set IsDNSResolving do={
   :do {
-    :local I 1;
-    :retry {
-      :set I ($I ^ 1);
-      :resolve ("low-ttl.eworm." . ({ "de"; "net" }->$I));
-    } delay=50ms max=6;
+    :resolve "low-ttl.eworm.de";
   } on-error={
     :return false;
   }
-
   :return true;
 }
 
@@ -1205,12 +1193,10 @@
   }
 
   :onerror Err {
-    /file/remove [ find where name=$DirName ];
+    /file/remove $DirName;
   } do={
-    :if (!($Err ~ "no such item")) do={
-      $LogPrint error $0 ("Removing directory '" . $DirName . "' failed: " . $Err);
-      :return false;
-    }
+    $LogPrint error $0 ("Removing directory '" . $DirName . "' failed: " . $Err);
+    :return false;
   }
   :return true;
 }
@@ -1236,12 +1222,10 @@
   }
 
   :onerror Err {
-    /file/remove [ find where name=$FileName ];
+    /file/remove $FileName;
   } do={
-    :if (!($Err ~ "no such item")) do={
-      $LogPrint error $0 ("Removing file '" . $FileName . "' failed: " . $Err);
-      :return false;
-    }
+    $LogPrint error $0 ("Removing file '" . $FileName . "' failed: " . $Err);
+    :return false;
   }
   :return true;
 }
@@ -1301,8 +1285,7 @@
   :global SymbolForNotification;
   :global ValidateSyntax;
 
-  :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false || \
-       [ $CertificateAvailable "Root YE" "fetch" ] = false) do={
+  :if ([ $CertificateAvailable "Root YE" "fetch" ] = false) do={
     $LogPrint warning $0 ("Downloading certificate failed, trying without.");
   }
 

ipv6-update.rsc

@@ -4,7 +4,6 @@
 # https://rsc.eworm.de/COPYING.md
 #
 # requires RouterOS, version=7.19
-# provides: dhcpv6-client-lease, order=40
 #
 # update firewall and dns settings on IPv6 prefix change
 # https://rsc.eworm.de/doc/ipv6-update.md
@@ -16,19 +15,16 @@
       do={ :error ("Global config and/or functions not ready."); }; } delay=500ms max=50;
   :local ScriptName [ :jobname ];
 
-  :global EitherOr;
   :global LogPrint;
   :global ParseKeyValueStore;
   :global ScriptLock;
 
-  :global DHCPv6ClientLeaseVars;
+  :local NaAddress $"na-address";
+  :local NaValid $"na-valid";
+  :local PdPrefix $"pd-prefix";
+  :local PdValid $"pd-valid";
 
-  :local NaAddress [ $EitherOr $"na-address" ($DHCPv6ClientLeaseVars->"na-address") ];
-  :local NaValid [ $EitherOr $"na-valid" ($DHCPv6ClientLeaseVars->"na-valid") ];
-  :local PdPrefix [ $EitherOr $"pd-prefix" ($DHCPv6ClientLeaseVars->"pd-prefix") ];
-  :local PdValid [ $EitherOr $"pd-valid" ($DHCPv6ClientLeaseVars->"pd-valid") ];
-
-  :if ([ $ScriptLock $ScriptName 10 ] = false) do={
+  :if ([ $ScriptLock $ScriptName ] = false) do={
     :set ExitOK true;
     :error false;
   }
@@ -54,7 +50,7 @@
   :local Pool [ /ipv6/pool/get [ find where prefix=$PdPrefix ] name ];
   :if ([ :len [ /ipv6/firewall/address-list/find where comment=("ipv6-pool-" . $Pool) ] ] = 0) do={
     /ipv6/firewall/address-list/add list=("ipv6-pool-" . $Pool) address=:: comment=("ipv6-pool-" . $Pool) dynamic=yes;
-    $LogPrint info $ScriptName ("Added dynamic ipv6 address list entry for ipv6-pool-" . $Pool);
+    $LogPrint warning $ScriptName ("Added dynamic ipv6 address list entry for ipv6-pool-" . $Pool);
   }
   :local AddrList [ /ipv6/firewall/address-list/find where comment=("ipv6-pool-" . $Pool) ];
   :local OldPrefix [ /ipv6/firewall/address-list/get ($AddrList->0) address ];

mod/notification-email.rsc

@@ -37,9 +37,7 @@
 # flush e-mail queue
 :set FlushEmailQueue do={ :onerror Err {
   :global EmailQueue;
-  :global EmailServerCertificate;
 
-  :global CertificateAvailable;
   :global EitherOr;
   :global EMailGenerateFrom;
   :global FileExists;
@@ -92,14 +90,6 @@
     :return false;
   }
 
-  :if (([ /tool/e-mail/get ]->"certificate-verification") ~ "^yes" && \
-       [ :len $EmailServerCertificate ] > 0) do={
-    :if ([ $CertificateAvailable $EmailServerCertificate "email" ] = false) do={
-      $LogPrint warning $0 ("Downloading required certificate failed.");
-      :return false;
-    }
-  }
-
   /system/scheduler/set interval=($QueueLen . "m") comment="Sending..." \
     [ find where name="_FlushEmailQueue" ];
 

mod/ssh-keys-import.rsc

@@ -3,7 +3,7 @@
 # Copyright (c) 2020-2026 Christian Hesse <mail@eworm.de>
 # https://rsc.eworm.de/COPYING.md
 #
-# requires RouterOS, version=7.21
+# requires RouterOS, version=7.19
 #
 # import ssh keys for public key authentication
 # https://rsc.eworm.de/doc/mod/ssh-keys-import.md
@@ -40,8 +40,9 @@
 
   :local FingerPrintMD5 [ :convert from=base64 transform=md5 to=hex ($KeyVal->1) ];
 
+  :local RegEx ("\\bmd5=" . $FingerPrintMD5 . "\\b");
   :if ([ :len [ /user/ssh-keys/find where user=$User \
-       info~("\\bmd5=" . $FingerPrintMD5 . "\\b") ] ] > 0) do={
+       (key-owner~$RegEx or info~$RegEx) ] ] > 0) do={
     $LogPrint warning $0 ("The ssh public key (MD5:" . $FingerPrintMD5 . \
       ") is already available for user '" . $User . "'.");
     :return false;

netwatch-dns.rsc

@@ -115,15 +115,13 @@
 
     :local Data false;
     :onerror Err {
-      :local I 1;
       :retry {
-        :set I ($I ^ 1);
         :set Data ([ /tool/fetch check-certificate=yes-without-crl output=user \
           http-header-field=({ "accept: application/dns-message" }) \
           url=(($DohServer->"doh-url") . "?dns=" . [ :convert to=base64 ([ :rndstr length=2 ] . \
-          "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm" . \
-          ({ "\02de"; "\03net" }->$I) . "\00" . "\00\10" . "\00\01") ]) as-value ]->"data");
-      } delay=500ms max=6;
+          "\01\00" . "\00\01" . "\00\00" . "\00\00" . "\00\00" . "\09doh-check\05eworm\02de\00" . \
+          "\00\10" . "\00\01") ]) as-value ]->"data");
+      } delay=1s max=3;
     } do={
       $LogPrint warning $ScriptName ("Request to DoH server " . ($DohServer->"doh-url") . \
           " failed: " . $Err);

news-and-changes.rsc

@@ -66,8 +66,6 @@
   139="Certificate Authorities will reduce the leaf certificate validity times soon. Thus the defaults for renewal and warning in 'check-certificates' were decreased.";
   140="The scripts 'lease-script' was renamed to 'dhcpv4-server-lease', configuration was updated automatically.";
   141="Introduced script 'dhcpv6-client-lease' to run several scripts on IPv6 DHCP client lease.";
-  142="Added a setting for 'mod/notification-email' to check availability of certificate chain.";
-  143="Made backup scripts 'backup-email' and 'backup-upload' support date & time in filenames.";
 };
 
 # Migration steps to be applied on script updates