From 3d3b270748b43362d0ec51a1e52f300e6770b469 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 28 May 2025 14:07:57 +0200 Subject: [PATCH 1/4] README: give a hint on builtin certificate store I guess this should become the default any time in future... --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2a8b2ce..bc09840 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,14 @@ including demonstation recorded live at [MUM Europe ### The long way in detail The update script does server certificate verification, so first step is to -download the certificates. If you intend to download the scripts from a +download the certificates. + +> 💡️ **Hint**: RouterOS 7.19 comes with a builtin certificate store. You +> can skip the steps regarding certificate download and import if you set +> the trust for these builtin trust anchors: +> `/certificate/settings/set builtin-trust-anchors=trusted;` + +If you intend to download the scripts from a different location (for example from github.com) install the corresponding certificate chain. From d59c4aee26788f3c5088c32a3bd54f0562b4d2b4 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 28 May 2025 14:16:57 +0200 Subject: [PATCH 2/4] README: add a paragraph and link to jump --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bc09840..243e1fc 100644 --- a/README.md +++ b/README.md 
@@ -75,8 +75,9 @@ The update script does server certificate verification, so first step is to download the certificates. > 💡️ **Hint**: RouterOS 7.19 comes with a builtin certificate store. You -> can skip the steps regarding certificate download and import if you set -> the trust for these builtin trust anchors: +> can skip the steps regarding certificate download and import and jump +> to [installation of scripts](#installation-of-scripts) if you set the +> trust for these builtin trust anchors: > `/certificate/settings/set builtin-trust-anchors=trusted;` If you intend to download the scripts from a @@ -113,6 +114,8 @@ is shown. Always make sure there are no certificates installed you do not know or want! +#### Installation of scripts + All following commands will verify the server certificate. For validity the certificate's lifetime is checked with local time, so make sure the device's date and time is set correctly! From bf684a7197f9ad07e23415de5779a366af7dd71b Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 28 May 2025 15:08:26 +0200 Subject: [PATCH 3/4] global-functions: $CertificateAvailable: try to use builtin certificates The builtin certificates were introduced with RouterOS 7.19, so requires this hacky :parse workaround. --- global-functions.rsc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/global-functions.rsc b/global-functions.rsc index 55dbdee..759b274 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -119,6 +119,11 @@ :return false; } + :if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \ + [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={ + :return true; + } + :if ([ :len [ /certificate/find where common-name=$CommonName ] ] = 0) do={ $LogPrint info $0 ("Certificate with CommonName '" . $CommonName . "' not available."); :if ([ $CertificateDownload $CommonName ] = false) do={ 
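Review bot: In the added `:if` of $CertificateAvailable, `$CommonName` is concatenated into a string that is then handed to `:parse`, so a name containing a double quote or backslash becomes part of the parsed script instead of the `common-name` match value; callers presumably pass literal CNs today, but the function is global, so a guard such as `:if ([ :typeof [ :find $CommonName "\"" ] ] != "nil") do={ :return false; }` before the `:parse`, or at least a comment stating that only literal names are accepted, would make that constraint explicit. Whether the `:parse` half is ever evaluated on firmware without `/certificate/builtin` depends on `&&` short-circuiting, which the hunk does not show; if it is evaluated, a parse or execution error there would propagate out of the function instead of falling through to `$CertificateDownload` as the pre-existing code does, so testing on a pre-7.19 device or wrapping the lookup in `:do { } on-error={}` seems worthwhile. A one-line comment above the block, `# builtin certificate store (RouterOS 7.19+); :parse keeps older versions from failing to load this file`, would explain the construction the commit message calls hacky. $CertificateAvailable starts before this hunk and continues after it.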
From d69b39957278a9393762ec1653895eeb69483e9e Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 28 May 2025 16:38:50 +0200 Subject: [PATCH 4/4] INITIAL-COMMANDS: use builtin certificates if possible --- INITIAL-COMMANDS.md | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md index 79773bd..40f609b 100644 --- a/INITIAL-COMMANDS.md +++ b/INITIAL-COMMANDS.md @@ -18,17 +18,21 @@ Run the complete base installation: { :local BaseUrl "https://git.eworm.de/cgit/routeros-scripts/plain/"; + :local CertCommonName "ISRG Root X2"; :local CertFileName "ISRG-Root-X2.pem"; :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"; - :put "Importing certificate..."; - /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value; - :delay 1s; - /certificate/import file-name=$CertFileName passphrase=""; - :if ([ :len [ /certificate/find where fingerprint=$CertFingerprint ] ] != 1) do={ - :error "Something is wrong with your certificates!"; + :if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \ + [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={ + :put "Importing certificate..."; + /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value; + :delay 1s; + /certificate/import file-name=$CertFileName passphrase=""; + :if ([ :len [ /certificate/find where fingerprint=$CertFingerprint ] ] != 1) do={ + :error "Something is wrong with your certificates!"; + }; + :delay 1s; }; - :delay 1s; :put "Renaming global-config-overlay, if exists..."; /system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ]; :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ 
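Review bot: The builtin branch added at the top of the block decides trust on a common-name match alone, whereas the download branch it wraps still verifies the imported certificate against `$CertFingerprint` before continuing; if the `/certificate/builtin` entries expose a fingerprint (I cannot tell from the hunk), matching on `fingerprint=$CertFingerprint` inside the `:parse` string would keep both paths pinned to the same anchor, and otherwise a short comment noting that the builtin store is vendor-curated and therefore matched by name would explain the asymmetry. The `:parse` string interpolates `$CertCommonName`, which is a literal here and so harmless, but it is the same construction as in `$CertificateAvailable` and carries the same caveat if it is ever fed a variable. The new `:if (!(... && ...))` condition is split over two lines with a trailing backslash inside a markdown code sample; it is worth checking that the rendered page keeps that continuation intact so a copy-paste still parses.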
@@ -41,9 +45,11 @@ Run the complete base installation:
 :put "Scheduling to load configuration and functions...";
 /system/scheduler/remove [ find where name="global-scripts" ];
 /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
- :put "Renaming certificate by its common-name...";
- :global CertificateNameByCN;
- $CertificateNameByCN $CertFingerprint;
+ :if ([ :len [ /certificate/find where fingerprint=$CertFingerprint ] ] > 0) do={
+ :put "Renaming certificate by its common-name...";
+ :global CertificateNameByCN;
+ $CertificateNameByCN $CertFingerprint;
+ };
 };
 
 Then continue setup with
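Review bot: The guard around the rename re-derives whether a certificate was imported by searching the store for `$CertFingerprint`, rather than reusing the decision taken in the first hunk of this file; declaring `:local CertImported false;` next to the other locals, setting `:set CertImported true;` inside the import branch and testing `:if ($CertImported = true)` here would tie both branches to one condition and read as intent rather than as a second lookup. As written the check is correct, since a certificate with that fingerprint is present only if the import ran now or in an earlier run; that second case is what the re-lookup silently covers, and a comment saying so would help the next reader.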