Christian Hesse
76dd069fa6
Let's Encrypt changed their intermediate certificates
https://letsencrypt.org/2024/03/19/new-intermediate-certificates
https://letsencrypt.org/certificates/
But let's keep the old ones around for now, as some sites are still
using the old intermediate.
2024-06-19 09:29:23 +02:00
Christian Hesse
c87a7519fe
fw-addr-lists: add 'strongips' list from blocklist.de
2024-05-14 11:36:58 +02:00
Christian Hesse
cd371b69a6
global-functions: $CertificateDownload: download via clean name...
... and rename certificates in repository.
2024-03-16 23:34:33 +01:00
Christian Hesse
d6645e8157
certs: add new DigiCert certificates...
... used by Cloudflare.
2024-01-09 23:00:13 +01:00
Christian Hesse
777c388b43
global-functions: $GetMacVendor: get new certificate
The service now uses: GTS CA 1P5 -> GTS Root R1
2023-12-22 14:47:54 +01:00
Christian Hesse
8f75c17e0b
global: switch eworm.de to new certificate chain (E1 / ISRG Root X2)
old chain: R3 / ISRG Root X1
new chain: E1 / ISRG Root X2
No user interaction or migration is required for existing installations
as we install 'E1' and 'ISRG Root X2' for some time already.
2023-10-26 22:15:05 +02:00
Christian Hesse
3c61cf57c4
certs: add Cloudflare certificates...
... for later use.
2023-06-13 20:26:55 +02:00
Christian Hesse
589492621b
certs: add GlobalSign certificates...
... for later use.
2023-06-13 20:26:55 +02:00
Christian Hesse
e927c6b08b
global-functions: $GetMacVendor: switched to Let's Encrypt (R3)
So let's check for the correct one, and drop the other.
2022-09-13 15:18:28 +02:00
Christian Hesse
15e60da7f0
certs: drop old chain GTS CA 1O1 / GlobalSign
2021-09-21 21:26:09 +02:00
Christian Hesse
44d2f04e0e
certs: add new chain GTS CA 1C3 / GTS Root R1
This is used by Google DNS (8.8.8.8).
$CertificateAvailable "GTS CA 1C3"
/ip dns set use-doh-server=https://8.8.8.8/dns-query verify-doh-cert=yes
2021-09-20 20:56:55 +02:00
Christian Hesse
ec7c88a780
certs: drop old intermediate cert DigiCert ECC Secure Server CA
2021-09-20 20:54:11 +02:00
Christian Hesse
a3798ff656
certs: add new intermediate cert DigiCert TLS Hybrid ECC SHA384 2020 CA1
This is used by Cloudflare DNS (1.1.1.1) and Quad9 (9.9.9.9).
$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes
2021-09-20 20:52:03 +02:00
Christian Hesse
f2433b8091
drop certificate DST Root CA X3
Let's Encrypt planned the transition to ISRG's root certificate ("ISRG Root
X1") on July 8, 2019, but postponed several times.
Finally they found another solution: A certificate 'ISRG Root X1', but
cross-signed with 'DST Root CA X3' and with a lifetime that exceeds that
of the root CA. This is said to work for most operating systems where root
certificate authorities are just 'trust anchors'.
I doubt this is true for RouterOS, where certificates are just imported
into the certificate store. So let's migrate to 'ISRG Root X1' now.
2021-05-18 16:32:26 +02:00
Christian Hesse
b0e52aa2d1
global-functions: $GetMacVendor: requires certificate "Cloudflare Inc ECC CA-3" now
2021-02-24 21:48:36 +01:00
Christian Hesse
97ade535d9
certs: add plain text info about certificates
Also order certificates, so we have:
* intermediate
* root
* alternative root, if any
Let's add 'ISRG Root X1' for 'E1' as there will be a valid cross-signed
chain 'E1' -> 'ISRG Root X2' -> 'ISRG Root X1'.
2020-12-30 00:45:11 +01:00
Christian Hesse
05a9531dac
certs: remove Let's Encrypt Authority X3
2020-12-18 20:32:29 +01:00
Christian Hesse
50199a57a0
certs: add new Let's Encrypt certificates
https://letsencrypt.org/certificates/
2020-12-17 21:58:53 +01:00
Christian Hesse
3589416840
add certificate 'GTS CA 1O1'
This is used by DNS over HTTPS services:
https://dns.google/dns-query
2020-06-10 11:08:18 +02:00
Christian Hesse
8a88743e9f
add certificate 'DigiCert ECC Secure Server CA'
This is used by DNS over HTTPS services:
https://cloudflare-dns.com/dns-query
https://dns9.quad9.net/dns-query (secured)
https://dns10.quad9.net/dns-query (unsecured)
https://github.com/curl/curl/wiki/DNS-over-HTTPS
2020-03-20 12:07:11 +01:00
Christian Hesse
42834e9de1
global-functions: $CertificateAvailable: fetch by CommonName
Now that we have a proper $UrlEncode function... Fetch certificates
by CommonName.
Also remove the PEM after import.
2019-04-30 16:52:53 +02:00
Christian Hesse
bc36fb74c3
update-tunnelbroker: verify certificate
2019-01-02 15:02:42 +01:00
Christian Hesse
f4673928ef
global-functions: make $CertificateAvailable work on CommonName
This should prevent endless certificate switching for Let's Encrypt
cross-signed intermediate certificates.
2018-12-20 22:21:00 +01:00
Christian Hesse
abdc9b0cbd
README: add Root CA certificate DST Root CA X3
This is used by Let's Encrypt to cross-sign.
2018-12-20 17:25:23 +01:00
Christian Hesse
f111669673
README: download certificates from repository
2018-10-16 16:31:57 +02:00
Christian Hesse
d81e1bf195
global-functions: import certificates if required
Signed-off-by: Christian Hesse <mail@eworm.de>
2018-10-16 16:06:25 +02:00