Merge branch 'builtin-certs' into next

Christian Hesse 2025-05-28 16:40:36 +02:00
commit 4bc3bf40e6
3 changed files with 32 additions and 11 deletions


@ -18,17 +18,21 @@ Run the complete base installation:
{ {
:local BaseUrl "https://git.eworm.de/cgit/routeros-scripts/plain/"; :local BaseUrl "https://git.eworm.de/cgit/routeros-scripts/plain/";
:local CertCommonName "ISRG Root X2";
:local CertFileName "ISRG-Root-X2.pem"; :local CertFileName "ISRG-Root-X2.pem";
:local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"; :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
:put "Importing certificate..."; :if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
/tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value; [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
:delay 1s; :put "Importing certificate...";
/certificate/import file-name=$CertFileName passphrase=""; /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value;
:if ([ :len [ /certificate/find where fingerprint=$CertFingerprint ] ] != 1) do={ :delay 1s;
:error "Something is wrong with your certificates!"; /certificate/import file-name=$CertFileName passphrase="";
:if ([ :len [ /certificate/find where fingerprint=$CertFingerprint ] ] != 1) do={
:error "Something is wrong with your certificates!";
};
:delay 1s;
}; };
:delay 1s;
:put "Renaming global-config-overlay, if exists..."; :put "Renaming global-config-overlay, if exists...";
/system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ]; /system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ];
:foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={
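Review bot: the `:parse` indirection in the new condition (`[[ :parse (":return [ :len [ /certificate/builtin/find where common-name=...") ]] > 0`) needs a comment, because it is not obvious why the query is not written inline: wrapping it in `:parse` keeps this installation snippet from failing at parse time on RouterOS releases that have no `/certificate/builtin` path, so the same snippet still runs on routers older than the release that introduced the builtin store. The identical two-line condition appears again in `$CertificateAvailable` in global-functions; that duplication is unavoidable here, since global-functions is only scheduled for loading further down in this same snippet, but a one-line comment saying so would stop a later cleanup from "deduplicating" it. Note also that this branch accepts a builtin anchor by common-name only, while the download branch below still verifies the SHA-256 fingerprint in `$CertFingerprint`; trusting the store that ships with RouterOS itself is a reasonable trade-off, but it should be stated in the README hint.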
@ -41,9 +45,11 @@ Run the complete base installation:
:put "Scheduling to load configuration and functions..."; :put "Scheduling to load configuration and functions...";
/system/scheduler/remove [ find where name="global-scripts" ]; /system/scheduler/remove [ find where name="global-scripts" ];
/system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }"; /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
:put "Renaming certificate by its common-name..."; :if ([ :len [ /certificate/find where fingerprint=$CertFingerprint ] ] > 0) do={
:global CertificateNameByCN; :put "Renaming certificate by its common-name...";
$CertificateNameByCN $CertFingerprint; :global CertificateNameByCN;
$CertificateNameByCN $CertFingerprint;
};
}; };
Then continue setup with Then continue setup with
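Review bot: the new guard `:if ([ :len [ /certificate/find where fingerprint=$CertFingerprint ] ] > 0)` uses `> 0`, while the import check earlier in the same snippet uses `!= 1` for the identical query; use `= 1` here so the two agree and so a duplicate import (which the earlier check already treats as an error) is not renamed silently. The guard itself is right: when the builtin anchor satisfied the check nothing was imported, so there is no certificate to rename and `$CertificateNameByCN` must not be called.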


@ -72,7 +72,15 @@ including demonstation recorded live at [MUM Europe
### The long way in detail ### The long way in detail
The update script does server certificate verification, so first step is to The update script does server certificate verification, so first step is to
download the certificates. If you intend to download the scripts from a download the certificates.
> 💡️ **Hint**: RouterOS 7.19 comes with a builtin certificate store. You
> can skip the steps regarding certificate download and import and jump
> to [installation of scripts](#installation-of-scripts) if you set the
> trust for these builtin trust anchors:
> `/certificate/settings/set builtin-trust-anchors=trusted;`
If you intend to download the scripts from a
different location (for example from github.com) install the corresponding different location (for example from github.com) install the corresponding
certificate chain. certificate chain.
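Review bot: the hint says "RouterOS 7.19 comes with a builtin certificate store"; it should read "RouterOS 7.19 and later". More importantly, `/certificate/settings/set builtin-trust-anchors=trusted;` makes the router trust every CA in the builtin store, not only ISRG Root X2, and the hint should say so right next to the command: the section below ends with the warning to make sure there are no certificates installed you do not know or want, and a reader taking this shortcut should understand that the builtin store is what they are trusting instead of an explicitly imported, fingerprint-checked root.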
@ -106,6 +114,8 @@ is shown.
Always make sure there are no certificates installed you do not know or want! Always make sure there are no certificates installed you do not know or want!
#### Installation of scripts
All following commands will verify the server certificate. For validity the All following commands will verify the server certificate. For validity the
certificate's lifetime is checked with local time, so make sure the device's certificate's lifetime is checked with local time, so make sure the device's
date and time is set correctly! date and time is set correctly!
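Review bot: the new `#### Installation of scripts` heading is the target of the `#installation-of-scripts` anchor used in the hint added above, and the slug matches. Since readers following that hint now land directly on the paragraph about certificate lifetime and local time, consider stating there that this requirement applies just as much when the builtin trust anchors are used; the server certificate is still validated against the device clock, only the trust anchor comes from a different place.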


@ -119,6 +119,11 @@
:return false; :return false;
} }
:if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
[[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={
:return true;
}
:if ([ :len [ /certificate/find where common-name=$CommonName ] ] = 0) do={ :if ([ :len [ /certificate/find where common-name=$CommonName ] ] = 0) do={
$LogPrint info $0 ("Certificate with CommonName '" . $CommonName . "' not available."); $LogPrint info $0 ("Certificate with CommonName '" . $CommonName . "' not available.");
:if ([ $CertificateDownload $CommonName ] = false) do={ :if ([ $CertificateDownload $CommonName ] = false) do={
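Review bot: the new early-return builds a script string by splicing `$CommonName` between escaped quotes and then `:parse`s and runs it (`... where common-name=\"" . $CommonName . "\" ] ]"`); a common name containing a double quote or backslash would break out of the literal and be executed as script. Callers in this repository pass fixed common names, so this is not exploitable as committed, but it is the kind of pattern that becomes a problem once the value comes from configuration, so prefer handing the value to the parsed snippet as an argument rather than splicing it into the source text, or at least add a comment that `$CommonName` must be a literal from the calling script. Also, when the builtin check matches, the function returns true without logging anything, whereas the file-based path below logs via `$LogPrint` when a certificate is missing; a debug-level `$LogPrint` noting that the builtin anchor was used would make it easier to tell which store satisfied the check.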