From d1693a241b0ec444d7ad469681e4ba81c1b398df Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 09:50:39 +0200
Subject: [PATCH 01/11] certs: E1 / E5 -> ISRG Root X2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In the beginning of Let's Encrypt their root certificate ISRG Root X1
was not widely trusted, at least some older and/or mobile platforms were
missing that certificate in their root certificate store.
At that time Let's Encrypt was using an alternative chain of trust,
where a certificate was cross-signed with DST Root CA X3.

To make sure a valid chain of trust is available under all circumstances
a set of all certificates had to be supplied: both root vertificates
ISRG Root X1 & DST Root CA X3, and an intermediate certificate.
This was still true after DST Root CA X3 expired, as it could still be
used as a root anchor and was shipped by Let's Encrypt when requested. 🤪

This time is finally over, and we have a clean chain for trust ending in
ISRG Root X1 (or ISRG Root X2).
Well, actually it is the other way round... Let's Encrypt signs with
different tantamount intermediate certificates. There is not only E5, but
also E6 - and we can not know beforehand which one is used on renew.

So let's jetzt drop the intermediate certificates now, and rely on root
certificates only. We are perfectly fine with this these days.

Follow-up commits will do the same for *all* certificates.

The certificate is downloaded with:

    curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem
---
 INITIAL-COMMANDS.md             |   9 ++-
 README.d/01-download-certs.avif | Bin 4578 -> 4596 bytes
 README.d/02-import-certs.avif   | Bin 3606 -> 3605 bytes
 README.d/03-check-certs.avif    | Bin 12118 -> 8932 bytes
 README.md                       |  20 +++---
 certs/E1.pem                    | 124 --------------------------------
 certs/E5.pem                    | 119 ------------------------------
 certs/ISRG-Root-X2.pem          |  21 ++++++
 global-config.rsc               |   6 +-
 global-functions.rsc            |   2 +-
 10 files changed, 38 insertions(+), 263 deletions(-)
 delete mode 100644 certs/E1.pem
 delete mode 100644 certs/E5.pem
 create mode 100644 certs/ISRG-Root-X2.pem

diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md
index 889192d..b3eff35 100644
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@@ -17,13 +17,13 @@ Initial commands
 Run the complete base installation:
 
     {
-      /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/E5.pem" dst-path="letsencrypt-E5.pem" as-value;
+      /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="ISRG-Root-X2.pem" as-value;
       :delay 1s;
-      /certificate/import file-name=letsencrypt-E5.pem passphrase="";
-      :if ([ :len [ /certificate/find where fingerprint="e788d14b0436b5120bbee3f15c15badf08c1407fe72568a4f16f9151c380e1e3" or fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470" ] ] != 2) do={
+      /certificate/import file-name=ISRG-Root-X2.pem passphrase="";
+      :if ([ :len [ /certificate/find where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470" ] ] != 1) do={
         :error "Something is wrong with your certificates!";
       };
-      /file/remove [ find where name="letsencrypt-E5.pem" ];
+      /file/remove [ find where name="ISRG-Root-X2.pem" ];
       :delay 1s;
       /system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ];
       :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={
@@ -34,7 +34,6 @@ Run the complete base installation:
       /system/scheduler/remove [ find where name="global-scripts" ];
       /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
       :global CertificateNameByCN;
-      $CertificateNameByCN "E5";
       $CertificateNameByCN "ISRG Root X2";
     };
 
diff --git a/README.d/01-download-certs.avif b/README.d/01-download-certs.avif
index b543aff2848235791b59fc0805e850a748f17a23..4a074eb59dce96fbf79c0b50dfdf028f7eff9d4f 100644
GIT binary patch
delta 2976
zcma);cQ+f30zhL&jas!z?UCAADynu6u{S|g?Y-KXNeQKXs8O?a)m{;snzepy%or_E
zvq;StrAFTS0`Hu6&b@!#FL2j{PJ~h;Sit}Qbr*mf005Bv7dQYwyPTFXN>-9#P4=41
z0<%CCNsc52`INB}72_38V^o+*EG|4K(y7UWYuZ!_29NkZz!FzE&tGn?LRGM_EPCrP
z5lIyN>v;n=xSqwfJ(;$dV?NwX$R+GD&ck<TMuSX%>%IFexbWq=Xo*p^Rg+S|trUCg
zZvwW!#1>ZFTvyW4d^>JHahATU#s$^Ps8$DWLQd8<^kP0?rk(Sam%9G7(nChZEvCT5
z_8Z4GUhe7nhExsc2Cikx#TYDFtP-K?75?@_&q=*J-&{B!$Hg;s$XiyLXW(Z=CJwzq
zSVJY~<FOleL#2leQr8X%Qr(ZL7Jo)%83MbrBa%EnbD1ilhj*_kN;Xi$OPsl9iT0Wd
zl5u%pv?-m4YEjn_%UT!WI$cjhWK<5m2<G`)h<<fvs5=J8%Vi-9;S1c3x)XRaAC4>h
zwQM6|b(EhzD(p-rdgl$7k&bezvFi2XIf9`C>wV_;9rZV7&&Ns~v0n3h3%}U}ghL1Q
z(|T}#AUbMcvW%NUr438S%vNXftG3Alq=PFM%EHe7Vi>qLVeGY(_OL60y(NC=ok(_?
z^jA}M;FvH-ECo(^G|?(S8QK8XGvjR7NK_d4%J(lV4OsPR_R=;iYQ(~;eI!$4(Rs6A
zv%bhHjnHXtZ3Yq50JzB!lk2I$tL=UyfPQX^8ZFeF7534<4`C6=69=H<mfm-67s&yi
zZsq-Q?Z|V_-3U5(aFCX;`9XL~?QLZZXN`w;!KpHXn#Ghax14AeCi1dOKIvU28(Drn
z{V1OJ@@U97qUt=%_ZOylCfb}C(oT0wBPzN?$3p_pr9?a`*Z3t~E`&*@jvzxq*;`8C
z_BZRg<~~d-1~n4d@}M!XM$5i?waYEoDRtgA=(Q;7v#B-A;c2(DDH|(Gz1}bsgjzTm
zaf||GD{sZs&)ON^me+6RdV9uDoKm7kdAhaqVnijAjcmrw`-dcV?H?A8)Mge9w7HY-
zyAdU4YYNH}%4^y(L)}5MWqU9lzmwkCUA4J59NAdOhDt7@zg{{zA@8Ubr*OB%h2&bY
z>dX|5*)YqdU16`~VuExLg)PYtwpxyiFF;$0odx?0e%fb9f{K`E4W+eA#Sgf_zy^7W
z4ezo&D*1CGyeBxxA|RA-Gd}!la2M^HTInXe8f~flJO6ky>DusF|3^a5_B?mDEV!{P
zAj5zMP#XXk4!+WA3m-3b!*TB-5IKIeQhASInR!p870l)LDXRd_IXQQ(eyfLKDIK3)
z3H>#_X!Ao7JGLWk)Cz){O{mXG*4%np3zwfLPfvqO^>WmK<8urd6Jnc$DC4SHZt-IB
z#Q$FgjWu2q!Qu{+5>w=?n6{<m1kcL-cLRlm;&Uv4%FE8`ul$G^^%}^NGd5F8tW>?r
zwwZtK(9_A3^)K9?@bf?1JC8*Ml5*zTjO3Coabi}VJ*CRztGwN0*q@s>XQT(Fgq@Zq
zVs$`xL7ZU0G;XI>0fsvK>d@+2FD*R><&9o~hq(W>=7QXTP_db+|4%{xBl3~HvjA?<
zDv30y`tS=BPs`V2h|}>SMIY*q;gzTv<TxgCn;9I4BWYoo{pChX?_uX(gn8*`$_HrH
zPF9?DyffsK&<yt-Hu!`ihR8jhckfjtciKv^zojm3s)1l9Q-9>6pM4*n{+P}V?!g#l
z)xBK!<KIZYL64>lDPvmrsyMwy+rQ<L2h6WY!bLUs;(HrV-y|O){b-+m!?PC(ViqnP
zC<TW=-*(u`$1{)}OD{0MJ-f-Tk>h=yamFE^B4a6V&@}h2V*LDX*{?uS?0ZHQ``)cy
zFarUB{JjG;J&fnJM|qDyIU{WLAz2b-SKn@e`XPTfbt@X8{*PZ&@FA*+)KTMHr4Xd}
zQa~GLN?MYqnt&kBe{%4>A#~kUm5Mq#cZA6r95y=1jB>k`|G*_LYxKWQw@TJ|o#`j6
zK`7Y;1S%>IaTh#MNSxDfs$(HoAdaFS;S?K83tnA+(0b-5xq8p20TsA1E$P=5Vg?lj
z6DmH1Y7MGdU86i3EsvPyLzSNfPne`Rr-^>2svz^j2_qXquoiC+G!0J7J@cO8U5Hx%
zN!|0QeWS2XDoSUn9ziMk4}ut7Dvdw*x&HjCAfEZ1mHtb8&Fr1M!WiFCIi}nvMqM;U
zF5<TW*JHVz=uddvHpC?FH^C%{Jb&VwyxS(oRa!fE%<jCAZM{wU=qj2|-14^oJqJcJ
zk5!Y5$VZS;SBBiW5T+g^^61LX%on@>@C4j*;4%8)4>z~w#E38^f;b-#`lzWll=s$v
z`ZTbtuySUem;*ZHeA4K!JLOtmyLRUF@7%lGseokgLa@cURO_mjuxYIRgzhoIGF<2A
zLaB7LOKDnuhbkmnhV;dB%AN8u*5xjlSu9~O7YPLO7C`js#&EfKuk(EHU3AmF&HE3i
zm9I&EP+^_tQ{Iky3AL_NI-xBa{rUzh)k2lpr^ZaVQ-WjM;{o01FPnWs`(85>GOi7C
z3{{A28$Tx@;y>8J(2P>ES`L<*%U336RmARp>tc&)OLqye9<zrnPfg!AbL^|mcQJ;o
zBLk}LR!KbkRIxvIX^AqBJx>|TG~^F_T`l1q=hz_)6#BS62N0;8?bc1z%380XS6BJn
zSEMH0U*afulppr<p3;>M{M)x-Z8bl!^vZ-wuyW%12p+5YK<)Z4%+c9`QQcrOoQ|8;
zmGC1g?tC=}dLJSV_wr>Zc}-8!{cfykhqNJQ>V<jElETy^clsHVV}Q2H=Ob!GagO)8
z#Ug)`n;s!tSw7#gs>AeJLqR?#Wr@UXv&y+jdVb?{)ZzR`x_e~^)^Gz6t_i>!iXu`%
zVR^Q!rY<ajdgj73(@Y8=-z^=h(UplGkkAefY-*ya(<G5r7&%MB|ItLBCx72SzW1+a
zpD<&<J1LgZoyo;Dj~>@EieGQ+%B|QI2I=opIi42cZVm}Uy9DRV_|V$QR{dE^=|L)x
z3r)K(8l&rvU*OHWCS+`eL>_N5HwSu#DSB30t%>tEF+{nozE`l@eiTrlOCuMNeL!%p
zFEqg>DE)a-qAO~jLb=J^%i4=vay1CqG3bA}SO*=nD}H<5ez{LBasLb47AD_&6eeJg
zE6ic6^NZwTd&G}tF`3B83K%-}!Au7ltBqzb`l+}$W?(MR+1gqn$;lX~se(6}ynwgE
ztTPEHYtmci`#Rb<WFgysYL1n0tf}4nw0exnY$*go)Jp2Doxh;#i$~J-Gd|w?Ky;##
zAN=q683$LTgc^0aYir4>xH;k78yEJ(fzhr)1hgixLf`oDxtK+CEcxww9IusHJ|a%j
zK81cpN$t(-#{^EE`u4{F1$I5&smij_OuO!neIhLl4&y<q7|A0x)4yppl|G>81;=^z
zSK^V+p!uBFoeb0zv`Bh+n<f?uMa#h=*m>u{JFjtPW>7Lnq;1R~RabC3xWt>mrb&^C
zJ(aD{{#J0#9>G7S4TT1FaYn2`KIDI;yB!?g^a8@Ks>ylraLJt`w1jnxW>VsYM7n=<
zMIs5#-;k?Zs*b9%*dlT;+oTJVQ{rjZjHh=&c=ocR*rCe>QsZ@vkyA1BuCC6zCnhmP
z-Vm$77a<E#z=MW0i7KsxIguC2R|%xSyqgwGp#JBX!?c&04`ct>fyXDcw&h)9@B%jK
zsgDsFcC9%sjsx^8U>Siybrw#Et~2=+FCPcIKP5YMqHn2xl4Rb=@s_r9`nK_f8?Pqw
n=71oUH30O4OYpnF6X1DQU%b`Uy*oc2OFWQRiSG(+DAoKAsA{Q}

delta 2958
zcma))_dnDR1HkVPSrI4uQk+r9xU%<%E{-_k&dkop$clW7lyzniI%i9q%#4#0&dL`V
z*_5+6<3U#PeE)&x^?F{f_xq>!ukQolMd8#iPF@g*z7IqL0)fE)f&qaT+tQMI!6_M*
z;7BmMZW0_$1MFYlI?VQVg$m$$>k~}YxWC;>t&mkQX7sL{e44vLE12j_C5)^AWU&v1
z0{%~B-@VT(ihfRsmI+y@&gw#UV0wI7UM})<k86g|`V2Uo&)*t@-kN}}z%s0x;~6j8
z2vBX3{isnVC<&rfhgC>(z`eh}ZAsB8bBLjoj-%>MK-?s)hgo`scMwFul|`+246j>0
zvh$FsiV>d_$<zxO5AQu{WWkipI_?Xc1`)jF{th9D$$pE@u6j(%g}v>rj@7;lES(}y
zbX`?=w%}8Kav>tF&8qYM{w1JIe)M=I8RvPIUnNIeWTyE&e7*iGjqVhg3){%Pksw!h
zU9tjj@)<D>Wl-~Nfd63c5x}0m4scZu<d}0Y;V1@YQiM`pgp?l$qB-UIfC?m}y8mWm
z)wnq}-Dv0tsU-Bm3L0iZI%7S5ziS)PjYxNu3*QL(Os^bB_fufCiSor>z9CII$)*|i
z_qYEMw*?u;*QL*W1HxL&0wNMKx{*~L>41$j{L#nh)NTJVjo?q~y_D%jpL*a*Xu7eg
zz9=hyOLsNZp<VDJ(zt0&>37v50_tr;<7}XQMZ&Tn#ygEz>Zu%ltq)pM+7q<b%ggW1
zWB<m1!uwOfZV9zA_6G)gZzPSCZ9XyW@`r#V-H9zfGaXhZ@;u)Z);*ZvRd_KNqlO%Z
zWAu{@ODY%C*I9~$w_`zWVzhD!;kZ^mv-yn(C?>R$3jb-|W$Huo=WAblBTbJ+2PN;H
z_0-S=aoW0C`Y<qH*15<^KQe6~Rj;_~Vtow}m+3|cTK*Q)J;>lY-_ZA6QxHZtdd0OZ
z_GMHISCXS|kTwv3#uKr{ENl;k#y?fM`9a^hdP_ZE-D{pltfuoUQFth7719YtVojs&
z6M1I{-*AFz!Bn;LD)a(m|J+#tZSLDK^w`cX{n)8dNl}eQY?LcY&uz=e)AoF8^|aO7
zlk_F$(SmhM+x(DoJE#gt8!6wI8ulZsIoQq1CE1u>q8`=Fq{6S~PrhH6v3%K@cB4`t
zLyOT7ptcGHu02C!*RM&g#QMDFaSmc@EsUwZQzQ8IZ7xIdr>!j?FZFNNrkGwm-sa&l
zH*OwMw;CGzA;70zCXMy0(4oy`_Mkz?_|nw0)AA1OU76cdj><LhtT{P#Y^nb2PL;Os
z2yYsH_^s*Rxsn{5%JvCh3jAs)u$!`ee`Ssc^sg4|9RCgM|E|eD{W?D9bUG~LU=v}m
z5`WVXB&=d}52=dJDnC>&t#&VrWD@`Xy~_|6sF@JGtR1U&0W!y3MOmr_M1Is@dLB|_
zW!SYD8V{Z$_8T_?45O2#dY16d%^3xTZEjqEwn_^7ldNESkG#!+EG9W8yE(;f`5hA+
z`mp$OYJUmgU8^<Lc*NMSTWR%2!tJ{}WzP~#5`qzCrPbroY@Jd;Q=glfh}I%O41V6<
z@#{7&5EKMrst5XC-uhnwxR~MqF)=E_YSq1jZsd>1HD?$w3jr$o_D$_$0b=>PO!oPq
zN4R0=7}cu5A-v38G#c(mc>IQbAVT(y)g^b;kH%aj{>_#0zYdhAIv~W^F$gb~n_%}~
zfS#3B&GT_KtoR0L|3Nv>6lZUEkaI{=uIK7anGDO+zYK`{W<PCwJ)Qx(4@%_kNbSSO
z{0D}T2eN+G0vCCD_CGCDa6K5A<OxeC%GkrI=%us6Tr{}1Gxbl4xRTtZL#|j7G6;4V
zw!|rLFt@#+@QT-d7q!+|5?`QyydV?&2UQ=&sG@Z`N4h=#5R!YlA6F|q-0L9BvA<o1
zRZKkVbE#WMqkI^`-|MTs_0omG%HBqNG)xv5mqf7w4A%+e1x|#&u|}LsdlFZavFlf_
z;2Lyo$#!s8)Q(DXHVFTsLlvX!YIK(V*ESPI>U%~eO4ckNp4XW4|I{f|P~CLIVduXW
z8+_;V=zya{L{hKJ>>Qd}J0vPRFyB2Q^H7&2G-I0>L<5J~Tv`?314U+|iSl<e^yA{I
z-z5OMnzh;n*OzRO%O_d_?M?%^3R?37j+;|^g=JPyt;!D(2idj1CVt-Vy~q<)+IXpx
z>0hcw_x>?tlJ9=i9VZJ73;ddNB}ytMxL&lpDQUd1@4zy4tC8WOqT@JdiSXS;V$;KR
zNjf|fJj0_h*PGJ=o)CTPrM-HZoW~BtJt_yvn~A(>`_`~u?8h8crx%f?s$0LG#F6SH
z-o5iHYEkl!AKv<HOQ9HYmQBCWHZyOve0E|Y8iOW_2$FBi_OOm;w*ch3eYKa`4%qiT
zjn?L(v&=X>$t4odOYrPmgPTsy3p#Q)59smW$SN+#SddFt)@^oOsynTM9UC1NS|6D8
zi%!TtNKLK$hmvd|5un5`Du%PhOkX2D?@ZAC!?!^FM&N%kMKt3=EY_d>kkF2Jd)Z8n
zRX@6(8UqLD1|6-sxpe#E6-tib!8?4;14gP=SEI|Og4whn#g}%IJ%Fr0ByIj=2gXw3
zb@#f`#jwFy3+Xl1_#$qCexZhR1bj#zVHS%@oC@(BIKVfSxzk0~gw+w2gGcV275`$(
zvbZ2IWTj5hNSP$NZC55dy<fcIAU{rrZ-01jz^?Xax%RMfHR(77W#!`~(DyRXH@!Rj
z@UDT~<$QeWH_iG7-7n-L+>S0oKFCo=F1Vj#|M{?z=0-piPFa`WckAGP2te?XU7+1z
zxDxa{PKV=UII6M+ZF`)DDL>UUJV)kbsn{r-*)!znl|oWQ_);|AC)?lFf-Ly^GDyZ&
z>Iz|Ag9di0SQxtf^xtkUh4)@LOTgqHS!$hH__D=X`NL#{-y+Uj5tXg)WZ!b3#E>gm
zu&8{4($q1DjRNkAM8}3rAhU;lmQ5CaXl;5jn?3xb-AQD+?jd<3l15lJiMhq4X3I{I
zcI#Le+uJbg#lhCaz$=2j)Bh{N1y=FPprpzt%8XWxb#$GctHCFopF}6#`-BkBc5C}9
zbaAG2wp9Dap|QV7uk$Yt7#}pw3u8_<q;hulG$qdBuy)A)l}?Z%fG|GI&^-JOCrUBW
z;)s&nh=}khC-jw$%~+ln5Ybo#$D&DvAh+6^y?iua#wBK#RqWVwx|SLJAi`7fvXTaW
zyiu|3EO^pl?kk-}jE>LUvsp&L8Zw@VbOMk@&;$0uogSs0cyG>;6ZW=`;yY1w;?VVr
z#f&y2ciPkZ6Ioyf)A}&*>)iII1?76#@%Cd;RMWZC*t)LDv(4J8b*OiVn2l48#d2EK
zWlp^|q;`~m2PdbO8)lo|NqiaJKjs@2^G89W^r@cL&4Pf$mTWC4L)cD>z~3~2lTZSZ
zW-xzHO?<CGENsI^<CGL|@EqLru*J;Igu37xJ0ucFM+Ks@O|Nno!Tww<XEbA-sFh!q
z(AdRWjV?Yk0@r(#xd*~)Dk6+C?O6PrHSX(rX}z50o0()z@>Yjw=-?AgKReH-d7y#{
z4VsL0R5QtLy1{-ebrpUyMoBbM<=ZA`1`GF)F1*(DL3_Ju$a?LoP@4kPOK5F<zd)bK
z_H#?FC7@Y+M^$tfE31w-ncdBK+#B`k6WFG>L5;5Wr@3X@y%9#G?3v8Y5c8cj>lQuf
zh{=xYCl#GWSMQ}A>=nicJW7FQj{aC6i<LK=uy8I;HCDR}E0R9=jMV(n8P`KYq!jjL
z@WL`=hh_e{MCSB}@QY2sa#89L33ryyybis6DCTpEB+%r2pHp9l;y&DuiWqJmY-bm0
VdMLTOlyoS(<Qx|i@Cb7w?!T7{q@e%+

diff --git a/README.d/02-import-certs.avif b/README.d/02-import-certs.avif
index d42994b961cd6c9e7d5949853f9bd5b155bd5b4c..bf7d5771a7cd38463b8c97f0630609ac093bb63f 100644
GIT binary patch
delta 1459
zcma*c`9ISQ0KoAtbIrr!Xi-LClQj=Avn=wc93#p(SI)U@i9JMULsBEP5Kp8YxmGk`
zW{zYrd+@mBDsqHJt~o*}&+`xTdi8pJ-amaFC}%6*i#t#O03yMFFaQ8T|K|Y!5)SkX
zz7RLlMTjcIuO1OH6`>5e)Ve4ojE}vyApEJv0gE37G74H<&d-QVsE04}S(pz-Woa5!
zyQ)mX)#Pt0vD0NcEu@@Qna`eP-aLX$Hzv}QXJRJ~NCGW|Gz9R|YS1w?qfA;Tg)I|K
zwEHfAyp$fNN{3SjG3WX9kD_+nU<vf+YWVBohGQ4>3nG?ROi{#m-SW`rqr~bORQrgQ
zbZex3`X(Rtsm&^UiWF5`8}l0;pPiU0qfFb&SN2abaU4#j^;I<vXrt3Dr#)>wIx`i*
zUa3OoU@I$L7bfNz$5=<*`-v1*m`8<CoBMr*tTz2d64o{TEt0IB?u&y1?+Q}$sg}{(
zlffyMYg`|?foy!kvW<qAFfKhq%%Wu^nLYr?!Cb8h8*|sZ@uVi|(XS%Z<3@=<6;;tV
zVQK4-${nrF3f=A+y&a}=7P`3!j$I$VRvQ_SE|*UoMgA&k6+wQYLb2$W_Lf~_cjf3Q
zkYSA57bmZ@k+a910>Uw>p8=@7#H@!Kl&cV=CTnD!qB+UML4DyLUH5_4H_3Dw{$(h1
z!eZ^t^D$c;(ueo*qKNWxFidy5y2rXyj8WVk9`;LE{R8KU!7NUWzqM4}EvV)D))=12
zJ^)H~DDJ-HYZXWlTrSx-n^DR0&n0Q-y&>+N@!{}dR2GEqrUl-2opD1OZVt#f2_3T>
zGx1XdK$D#19s|X@(tiu|^BNH4v+IuA_EwDq6>?(Fl-*8J99FJ>*t2QS$-2S3C0-V?
zHv(H*isi{TD$?dF>xPwVF<<6BzvDga<^%?5DyOpzpHQT%5rtIApL9|@#Xvz0wQKI5
zfdvIng?bGav9EpegC1J0m6RU7hic1GB~UI2+GpDQ?49yS&rW1%VZBiJ&3zy#JoLK!
zAiBbG3Drr0j~jQHeXQ%&?>#~(9T=`OI7?EWme4MVwq+kcBLHI3UtoUwH?#`sn!pKB
z-k-e{$gtiHKgZ~gSJZhLHho;93FqJEheD~xCOLreLG-(v)#1{Eoi5H(R&#0R1WN5%
zg-tJ%wPX*GuD@b+3_&3F=D-hV{b&G`{ZV;95^SikZitbU?F~VVRM&x1gelrAyjUKY
zn_F8i(`<8Ul<U=wu@A`NgcKbqjNbd^d@9kmFNHyS!A0hW&d8Iy*m$s1yzY=A2(xhi
zNLOT4Y3BT#=vtK$N%y3tYvw5=ob@^~NLIS2Oy^Uo<c(F($oLsbHM@Ah4C!zn>U`Ix
zCa~VK8~U70|EGhk9s!M@h{J?Cg2nm;3=3vgnzn0f9b?QJ4&LNcKGyRnJ3(lEmJpy_
zUTmiPV#jYTnhi^)?6Hxp44pJu$GJM4;v(y$B2}9<JE}nuK_Y*CQ2_C2L@bnLm6+UA
zgWvv|Q%_u~ya-3C&ZKHW5L=6X#Kckm{bENP%=J67uUR`JL!bofo@QZsk^E+}mzIx9
z55?iGwP?R3nIlH=KHmdY-{RNuDyLTZPS7uQjBjj|6Lwi4=4)HCuOg)SaZInk2JHBq
zwbMCUkU0Uu9;}C$T^LST6gI;ePccW9cIVtrN|(3HVy{ABK2~pvIm@vFiuQ$YTG`Qk
zroJdT`mk_=3#f}VGhKz7v-9X(y|OA&W()~g<+tQodiR*>e&yBFFYodEaJsnPBLWGY
v6AxLT2LpoCn6B^KE^+4-CCMJ+U$KG$VAX*k6%!x5arK#GJ@R8$|JKfbcmJgf

delta 1460
zcma*c|3A|S0LSr<?~EymRveRt43}@qmwYMTnPv0cR1V`1nQ*b(d@Z^8)_gY;a=x^2
zM97q~u{e?tmNxRGL%x42;`#&bagQF4_w)VBD_1^GK8tXy1^@&@0e%1g_`VMd0HUbu
z3^rdE*_|(*uj}y`pSd9MZ4}sO#o_6m{>)YHb_>7oup<^(wsn7WgBg}wPIho;=Wl3P
z2i*F_t9Y)+-un#}dM(zgKJ^TuD3M!n`Y{R-F?qn_k3aWoc^aVhqv&7-O+?6a5xt8;
z<Qz9+SZP>9^8~Qmu@BPgT2)tmceCaC2eVyE69y1u(maJg$dV{l6kj}5a+jm=S)ySZ
z)P<KPeKgS#{kn$1?qaV5g;K?3aw~m)>FPQCTvg;GG&5(5H{Eo-Ua!wlS!y@m*=>D>
zRkV^S{3Ug-J)hjtwqQrM8Eq=o^cp2DqSo9Vrc`PpSL9G`iu!33b_E0@2Ao$dn}<qG
zcI-?jVd=6edFF2+UbCpJ5ccXrzl7|+qM<X9ELeZZQqgway(u-#p8_ospdb{_T;qYz
zYej;IwTPen`l7=IUE+862oC)7ik;-`<_~lV#ZNF0im*>gz<7Iq5<xe%67!ix^bOeG
zRuuMvuk+4(ZSUFW>P~<vY7#Fze92ID)Ot0gkZmbBRA#rcdS7_V&d|+lRf#g=n@jV$
zvy;tG4&Ej^6yG{;nP3lx^V{})TiO_^c~KjL=S;kuSgy<siGpe2#-)=~riI_^;1#qp
zpLg<xYi^c9FrEx-4P%g4LDMc&k+VaFb4;B)wD44sSfFBh{9&HKsH3Eb9@7=D%ihi`
zNa+N2mI*ietv+@|+(ynV_reV?<a`^(+<^3W^KS0Cm_n%omXXcxZbZpQ*S!h9CMaZv
z5ZyOcz$Xo}rrVaZ^t;K9&)Pa#w5vDjJPTj-C~FR=2}q}@Js|RbzaIg9G398LjC_Xn
zRL(FT_W>d$jWWU^fhXs(_s`aJ`%5(7L?PUF7x24l9yzY6a=|1RXuzG6+hN8lo+wRj
z2E);N5{(=?#A{tC!!TXarbx}^))Lr>SZv#xC>~To4rTU(06A#&r3mdqz)=KAWw?Ui
zdX;gWwU`dh;6h}nP+#@LZkpW<%t<{D5-FAHlM_D=%=j%6w*Fy7jEvmE#FP*2TQ~H6
zst>sfVhYP$tEWdaTL~RUoBtox|B8x-<A5{(5;K6U8z7Dz9SqW$e9RC_;U~Hg11e->
zFBl3ldjq$g1rFJEv(0>^(&Q+H@O1FeWSg@t>iG#2fPN8PXPnFvk~^eV&gy)OO9HwZ
zQUXvV_qe5W%kp&9&)k56J{qQ4HUkR(KoLBI#nm}c8n|cdo0TN13bhNcJ0eV)`6E;S
z71t6oz*4<Us@R$#9uX#nni^exq=9^5&jeX+-oI>>zAR9}I+%TThxN*uV}rv=-V;J`
z`qUAS+WW?09`ywUiI7Ph^x>B<*G%1le(Q-TNVg1Nu;ALTOz3_Pv6x+$XzlQNKDq3e
z?Xb&Nq=1X21wxVLKFQ}u6-#l-Lg?TORhm2+5LjH%uB*?I0g)-W33}e2__8P;Hdua2
zUo2LkReU+9XaB^Uaml*TlY`9nheKbgeM^%*VfM?`ou$Z}fZDk8SmvKuHma#UC8kkr
zp(~Y3v{|cSq~)0wMyQ9BeDj>AQ#~ML+o<bY09Wzq?QPGAsk^>11+<e3&UN8#!R)z8
z>Yq`gRSWH7-jm5;5|^Xs?wv)JXHotpBwBnbbTxnJ2uOizp0VhE$6M#{MC()R2qC@F
z4UnLb3*y*bC#rx&ciq9aJux295$MsHZ+b5hVo4-Cwo$$5kqfam@9M$qOW1bYzxvXq
AY5)KL

diff --git a/README.d/03-check-certs.avif b/README.d/03-check-certs.avif
index f24c6b567a0696bfd30899f66157ec7c23248212..46b7220f1df02c8379e95113aeb13bf91859de0f 100644
GIT binary patch
delta 7712
zcmV+*9^c{CUgSlPdK41z000m300IC2009610b2k75tfmTegTw|4FMSeAd@EnE&?Hu
zlUD&a0WXt~0Y?H15tG>gumLZ#iUQC9f97bDJibM~1Zul~)gjAmILjQr&CVESrAI7U
zf0s5i8?`|v-N($QzkK5#hHF;UEre?XzAB7K<;D?}VhDgKPzfh2K#d1ujCbOZuB;vb
zGi!5}BpFxEhd=7P%&*In^I>s;&1$C<t@<O+sfVp9j!EhMCRFh(7R%xiAH!2wf5qgC
z!w?zW>+&7A$KzQuMyq3{0c0a4@=?8!0e&L+2qc~|PtC{A>0MRiI&}AseRJZ&HNi!W
zCK5zSsp=aZhmt_)>r_)n(q@BCihmPZMT0DX3de+$;0?iY0Ky?8lb(YW%^1l^x3Sk4
zNlmx6t1yx{zqWM+I%BGW*tW+pe=gzbdgG2eo-xHvkU{pVVFrV6#7Q3i05w|;$<GAf
zXO5(fwY_hl=_xe#Q~0*tONk^U*<_7N^dRJxz|M2;jyTOe>rT=oxwd%xP8uk-HpZF|
zRE7CSJqFT9zzv=&qB2QpV^)nxO}M>1U+7`m#GX_HX#tb>L7kN{-+zuze^bZ59QLML
z!DqHyXqQbPSvHnKwO3)sR^*OPY~W)RrYyAi?x0Ig5v{sLR5MN?!j(e905HfNV=o!x
z9ODBvXSUOAgB9^AJ*ipDu|#2Jb_m2A@%Qkf7(H-LO0IaBJT+}>*1l}#u41*@H<P1W
zMG#@T%*l1*<;G5by`RFVe>`zCk!`V*MzWIWgSnUG$o2mK_19+&rjd3gd(RRTVGv-=
zaSltcLU5oSm_L^uwM8_231%$5Bt?zlk(qa?DImZ+<K_g8005DKJJWN6k1PC<>0$X{
zL)p~b?`?k<sf`%Y$uS)w>E%WOK#Wcgrv{SQj5>|G!=y@<!esN3e?;HrF7BT&z~dvY
zdg&n3d_M=7CAWyf%OvVqjFH8)cIQ7ZIV7>^$79gti>KH@B+$d+Xnx49n|^3_wiNVj
z+=0M39P!(l;FT#UHyu}-XD=m6bCaa>^K7vmxuF>X4+@88U4V;Nh*N^O`tBLYJ-T<S
z`wNXa;?3ii!dDYTe=Xa($pj2op;5I%1CVkv!2=z+rGm>#icORFjYz_rM$wJU=a5@J
zFaQD@2a}$_VwrWS4H;~q(KV^vCXCA4o;DCM##D@BqK+~#iqSc(WosK#Q*EhR$g8Za
zj21uW-Ws~JRg{wVaY#Cj6t>_-20px=D@(*t%`8XzE5pXsf0j?)1ht8oM!<3MWRJWU
z<bM*5G0!!B;*D!mhsnLZX`<X;V<O<6Tw<MT;;m}UoWXp{=05lN7v?`NxBCnERkeK?
zY1>pq{f(-55l8)xdSnjFPuZL12WSJPdV~4Z!KY0we9ac<5Ltloie-0gz#MKlDljuk
zKaF*(i@SN6e{>Psx;%F3pSxX*7z}mBR35&yNcf9ZH-hZmH=ZLAhuXX-VBi6aaKIY4
zO~Yd0RmW?6#ffc2gwi$klR7=jW$j~S+kiJI%Kb;zjQi8%x3o#)14O&ow{wiKBo)ZU
z53UVRxz{xt%b0F%E=$b_AsnKD0VI*rk&=HiNcz^Je<Cuq(-mM;j1Gij)6%)B!g8N7
z>*m+waaN~NbsXaN^K0-%u8D1@&pcL_S~bk~Pb89T3|BF21OQ7Y7{d}s=Ofddi7os(
z=;q(TTB8C(E5{>9pb)GERfx{hpTvDDj5>wcm`rA4AdRBV2i#>UN8$+|jcMurE!Fhp
zDHQ1Oe-%~o<Umwy3Ka2<Kvn#zCrYE$KgF5UqgCpk;>~eqr+;clTf!Qr*i2t41((cM
z$mco6F`vZLlUiu4V7^a;^)Iy*WF#|zymcja5~Gof{<Vm{FV`0KOVfPMa`5>AMo>zw
z@cay8IUQ=8dfufCqguyw!WJ${;Br`DxyE@Ef4!AQyZl%xHEx~u^Jc!88^@~2YjLI_
z!w6!xm1870l?wn{8@N^-d*h+5qgJy^%PY7od@B{al3S^YOk1H`V=a)}51D#;_2gHc
zHmiL1%X-%gXGuK8Yzzj@atBVn)o}Q$TQUhg-ur`ZA1dQ_JmVPe`VT>lh$fYp+}-ti
zf1RK9HM6djZ+YPhgD2U%vd}Uhk<|uSnOqN3^I)9&bDeKsr^H6^cxA<eP^2$yC`I|g
zfLknZbF`d}z50@Q_&i&#TO?@>_m;7%Dg}uK(0YN#em@~d{wmg_m(7y*e1VmNJV;0*
zI3pvrPv=%6Q(DsXJx|WOvC)mLpBjS8f8<9C0tZr{=bqT>kU2ebZ?s)S;#-u`u47a3
z5#()SwG(q~9OEZB#yRU!H;sHm`}b;Z^ZoDLr#$D=*P5#@i8XoTk><QInF9v%BUT4?
z%<x7(<(hs~JgWCAncBpU;azDJ$+H<obt)!8*-@4OLu8OK!1Wazz8lq{f#sIhf6G*e
z%F6Phuu+VXr02Nf9mOf}HnaAhv<v4F{{VSaNAWB6AKpbjg-3g@>UxB49o5$Kei#H*
z&nkJq{{UfsAyi4(#cim*qVnA6cK4R^%9sr{V~nCcP~}hey)X$K$fxTXbk`6_EW8*X
zjSB{lv?{@{RHzs^!6O{x;CDH!e_s;nVmsRyd_Ajb(n0oAX%*&|D>uv=0OO2frxml|
zeMdyP&?bKnYx>&XiEybLv$E~V^YY|ma(@Bzpbl-UbwszZ@cj0wvc357_sj?^;XqOW
z;B%b+0JLkn@P~u^RpIS!9Yu7z2~zD*MX9{<lzhR4at?mu3=E!6YUg}ye=drG#%~Vl
znw7-MAZGhZ&*meH;gqt0&@WC#1#<($I{XG0#<8hJV8@iA=0WA)5H^hQ!96`q0D2O5
z=;|7`_B1*aUuu%+SzT`#7kZ9|5r!j<hpFlfTAb>>EV0&p$E4eZxwDJRX>SY13dYhQ
zWlt;+#Kh<70p#&sT>6f$e|0=_J=Ns1KuB3Pv1BBYdFzwU<?UJ?8r9~q)nkh9Qq-;N
z(iv38Z8VD62<(Ugk=91(!1<1Gl4t{3FNMA#mQ9Ln0UdWpzz>i<Gq?M!KVL(L{{Z1x
zc!b<M3bxHEGO1A^9ZLXt9X?Wh#t6=9sj|NCwe5wV)b;&zOC_tUf6<vPT@<hbVc_Hu
z#s)zHuS#r}-V(O6xht*fb4~V!cwvT1l`<e9f%$+Nw=<mQsn4+h^F32cmr1-9(@PAF
zV@Wd+Bml}7bpxCbe;TD;r!A+$JG-0NTT#E7H6dV-tnS4|z%!KK1<2>ndkWyS=rsQT
z?OB^dj#krxua@L7f6vM{ADCyZN8vyjG*h-d(A!%Ka1J`t&Aj1D7-R}MlBWWIBBG=)
zOsTxY;cyO0oM88$K`GgYpXd9(DfzyX0UZ@D+2_W5nKAz9`qNBODuywzQ_zvYpaxM+
zXrw?(BQ6dOMmhASi+S5PhC_}H6wm}zRDubanM6)XoG=P_e?IipjoJ1pF@NrX%>Xuv
zdc`A>7B*ryI2px1?6)8D?=Pp^Gyx41@eHh?mNy{uAx|{FXP74c047bi-JPcx^`Hpo
zrvzphRVR=*9nV2eTWQ!5u*h-2!kPezic$z95J4S5q@V(dD4+t0D4-7RPxwe@)+{w)
z9f*=USk*QMe^l7%ykvDJ5_66-^fcWqd_kdD-C0L(VJvMX=ktp(Vn7{;1ZN$4^H@UT
z!-Pay((E$F7<FEZ!2om1^OoF3F~%t#Zw>zNCAIJb{G^ePKku(k*V?s8HrMn20Dy2*
zsa;K|-rwQ<d5*ip8jpz+Shu#ik4Af#3fwP~8#p0Pe;hV($vli7LyDt$;$3ZQ?AlvR
zG#TZ1BXovAAYc=ozx2^@fO%2IR8|(Jb>XSC9ol_`)xDn2y6w5QXV9_Z8RtDuPB3WA
zE|_4oSYVN5S)He52Mrksv;n)Z59!o%T+wpoY3y}H%blmUr|NW;y2h~vv8h_D8fbYZ
zK{3OGf8XYCHzCVqj(%cJ0UQj2Pfh;RlU{vp*ji0HZ<lL_D8cuk;PctI&!^I~{4lx<
z+Bb}3lF~d2Y}kFGF(bxy$<eX$pS${Uahl;PWY<&^jYoc2TjY0*;(dA<ZCA_F71RVs
zlW^J;F#zGZVS($>SKJwY;V<zTTcmAgrZ`6|e;BJ1lY&p)_RfB_=hRiHQ?{}Ef8ZT7
z<xNJ@SAMqr8QV$YJ!LK~ZJx(VUo~DwK^twrT#<m^><nkncEwExj<uV_j3thc%e9b1
z(76W$9!BhUADwV?R3{#5wV)|On)cJw?4<D)v|0f0SrIgWB0;<bB$J*Sxo&gU0G>u_
zf6&#uLbFQg7M`J4`H8vq?soGIa^LQbxWEI~JRKFCMBBU_m*4(IHI$_*({^8f`5uE0
zi2Ol$t6N1Ko{}ZFhkBi_wWCBWgY#zq07v_vdWzK+zBDjI;?GJzUwk8Tf1{9!zbMWC
z8wX7CPhxAzXsB_i(qD)C6FEY!NiVzpe+k{$Ynr{q@>s_9Lg!%yHWL+)BrLgR-IMa}
z_9qAF(p=m4zFqGk=vyI)*hCDVVTy7GY-||m!!YlG<P=tkHM=)%=d0LB;;V~TE^X}m
zJt|%^NU)5sBoc&@r)kdKq@LcG5L{~hDT3n8+Dm;QB$h=eOp-1R{i8W?xShQQe_IET
zGm7&1DTwt8yZ-<cS?ddnT{zDx`K-{Tz*P|tc^MxmBe40o{`V@^9w+eam)mabbcKo-
zV~$B!JdQydK_E9I=aM_I_pdOHM~RC@#aO9QN1+4}_<}_?h6wB8@oukic5We#(5g(o
zCL{{SY=9hY?g`J)eJPWCLe-^#f8rMQQSWmhbVd!hsa)rGC!F)#S11WnkVrVk6qJ&8
z8?}zO{6y8f&FN{Uq0dE$vCxci+;#r|IW*z%A6DHH$!Dj^@vhy{M(1$!KQ=Mfk8|r>
zeH6rXY2)oeI2skO)Akt_PEpUyq>z6909=xD*F5#+ofpJCUKR#BdleaSL{vm@LmaRp
zcTDr^o~M(ZN{RrQ^5ySuXS<Xrl6e|N3NSLqCm)?dMHB#0MHB#0MHB)5*%AN>2{<M4
zIW`aw&}lN`ACrX`@P8{(uG--*#Drd8pLP^Ix20npNczjvqv=)yrmh_<(~e6FH@Neo
zS;^$BkJ@?Sd&k##5~#2M0=TS&opNhHgXiUtC4SPd*T<K-PxK7cShh@n^#`Ua#ZY^g
zR*;hryDvp7%>R=FFiS#nf)c>#@9|TWEC9GNUbD?AN>~1*I)5R79VNm|QlXu5a<XJ4
z4XStG(QzWU7Y4FHh3K;So1agA^;v~mO-)!{Lf&c%+n}CP<&CL@gh9Q@_3nhBP+~{-
zx4E8govO}pCz&Ysez=#>Y@gmjYE&@GT7-`P5|TVuyNXwk-fmEOnm7ZmH_A?R9<)_!
z>?G;}sC&aulYiMbJu8*Opcat&2wD~m*508by&6nj11HF6LYht|LED;rG*tBmTitb|
z48{Yq{VxUpm9OSRsMv(O5oJ$fhAB^$m30=3PoeF6({-Q;IJ5CSiFfh1uy(9E=W1}3
zJQpm+S!OJmeZSmkp3gI48>Z^iaWW)(Il01n@BH*nmw&^rAL-4LcQl`Bo+EuJ>~`5W
zF+7bqIAb6~ql9oXlVPl7FTwx(h}~Z5lS)~qo_0|%;XlhM1^;;b+VOJLxB6zYv)1J9
z^*kS(R4U(@y4&vpuX3csa7mtu=bBx$Ym|yRMsvjtx8>NKU_GzHW#7EL8S?oWa@+=k
z!{^FcD1RD_^q7YL!7IvUqHcgMC@5&XRG6{-j9Tv26*l_08xVpAZ6CwcY6DuZB?Xa^
z5fe`Y1;FG_*)}o9Sz5blkuTb=^f2Ku#$Ffw9m-)<kyq7JJoU3`zvlj;3pAZ5`$o<C
zL{)JInZy61G9+IcCPgKJpXn1!0*3oB5jx};ihpct@z^jOYxcGabMu5Jvc&V9Ns#9A
zWNY~Qx+Gm0U8{BenFY2RDM!TCcI7p6)8W{n4x+J;bk$s<@($9{NDV}I5*Zc=`yIW<
z6LR%om5d&vPDN~u8)X(h2dt^AuA~1H1kFeUw?3>+ajRz;=hVq<+=|`Mij!&nd9P#u
z9e+s5iODlExEV|9C&slRTu5`=;Aj&tuJiP%d@k@7m<6fdblL#^=StvRN_IM%qezL^
z4@yVa{Scl8fk@VZv+JOqbAtq-&A;<H7zHWAU!@uLos{e5a4N+JydQVjzQ$u%*JA)H
z0!@YKOa-;VI73^@J;rdC1G7WC2-I|~l7DwHk6VD6kKCSt?YMF02F#L2A{s_!|AFW|
zBBZ6)g+KPp=5Af1(>p7)QUqHf16(uktcJFi?d+r^%eR8$g_IgEurcRBk>k7GVclzk
zS{lw=ow?S{hQ*yh>`ML{w=DF{5@E_Mysu7!UR-*6Rp>S|p2hX%r=8Jr1g}h*w|`--
z3~ZccI4O;GobFcVQ^yH}PyY~JTu>HAI|fD^zqT%n$BgWTJo&Qj;!uTfpVQSYl+C`+
zo+>rpRwO&=*Ex()w@x5V5WNnCa!S9aGw8}A=Ejd`1q1G(YNB~ujnyA&z@Sr~KBkHX
zY^FDZ&w(#!hoS%$GMpFh3Bh7eB!A4M&dZa~#{MglUS;#O1CE^@C<yb!4ONLHFzhhB
zqC+64*4rQIk|1svdOm#SL7s;$81@2Y^a+XKkx2hHa^xi3#i}RgjH^xk<nFd(xla3k
z)#h=KL7<XKzdo#_cmT6Fa~J$;yNuLx&YV2aEn#soNoGEd-P$l{>L1Fb+kbE_qqz)&
zEaiUZ17n)TdDW3?xh&L+tuL&aAnX|0>mqB-#TS<V0@uA-gXu`C9n$XFR)40X_jo%6
zYDlHIq@1mdoACRf+WeuOq?N>7*zirJpF45}D8}r8t)>^$ynKb4YQ%_&S7LkE;n5kE
zUD&{kEb0Hu9?=iJ*H}<>Tz}TPMD$yaJU$+W_|!i(OO8xTjUP`VCnC53Sa>_GCuEna
zc0W#Q^2UJ7F6SoyI?g^QiDn57aJSs;kAdh6T>FM(@qe!)zEcmZnZYe$OM|PRa+yAE
zpA&soVGOStCo`={ig5a=pH`Gig>Qz&W0)L9Z=qn|WNa}(XTeqykAF>0Pe(iPRu&Mp
zI0!A@tP1rwVw&fEN5{n@w=5`8yo@>Z9NyykbM89R*?!p+8^|=096L3heGTjfZiaq(
z3C*-{Ya$u0-zus*uQ=U|YU%#KDqRB6Y+z&NlJ9QMP*|$Mgza%|cuu&)^b^yhL0a|M
zI+sV7Vx@+=r<w-!!GCM!bWxh$#kUcOV{Rs;Af_;T*9ew~D9kFw-fDGWfLBmNgM%*m
z$I&gYjbj9v^=i@Dk7QvVU5|mCmX)gB`>hSB*^${F%YTNCRpA%}wnT-WCAKkQ_|f|r
zN)w~p65k@p&QUzLJ(b4MFOv?JGcz&)kr%LP?p!e?Y{j94gMT+fHg@mb>x4yH?IhIa
zlW_=wN`;nB>PA0Y_95UGzt<44(ojjnY!4=yx{zsq>BJuv=|pzz2R#pFR16X{;}9D9
z`1qUw8YX$kEPSK8ddCLDE7HAm+z#>HBrg}NfmC770_(6Kl1TDgcqgP}h)uJq7oJ_3
zsua|#WK?mVzkf(h+sgImh_Vm;Qvi{=X(|yur)_J0#=o*f`P0+RtvqQ=twnEhBJi_{
z{XnZuAgSg!4e?S#K<gk@N5dDeQp%!TY5-v{Pc8$Os>#&Fu0|x~ec<)52CvZL0UGU^
zb?&ZwH_Cg1k%T~p)!Z@9aq)t7<5@qDU>q#)dU=LdD1VM&sSgC}Z-U?|@KFJRiqq+A
zn{P-YtsoPTDE20EZ|<mVH#)q0azZ|r(I2Yw9-v0qLq<8I5U-7-n{5}NN8;rSa}65?
zkv^bH?yVAye3L}E`fEh`6-vdZvu759$XaZNP`GYQv@#LC{PJF#<$TJg0ql3Mogqei
z`y&(j_J1hZTIoxTLHOTh(AYl?p=Jg$bK>6={iDI)K6df%DD4jD!~I(d)*4>be(v|B
z@xS<cUVOr}N1mms9JlCcpCHV5FRuD}`a@=~|3eCmQ{Lb(|5y3{<!sTLhKLJQ07{Jo
zJ@&w9lpRbaZEZRaWZ~QvsUxYo?ielo-~EYoGJm1E<FG<yLaI4@z`PYC+o|Spi3M_)
zYRF<j_KfjqE}v;iz97W7*&kX2@%aOU`hNfR2m<*$^W*0}Ru<Gi8NQ3wGdFc0N5l%l
zR;QIaSj4NiUF`WygHku+hl(ZDLOiZpydCxo2hM*W;6N<k3$F|cn;>IcPwXs)Af0k<
z_<wBIX164rt{x7nk{CVU7vG`;0nZ3`_ia*%SVvQl{Lt!53Ou}H`Uj@fYB(I;8waoZ
z>b&$s@vmlsJ~Q8^;DU8aswg9O7KyG4`P)n=$?6vL9(Qc3n9cBRE&()gCp?TMTE%~W
zd}a(&r6M*1$qp;;8-rO#7Zry3V+&0&=zlqI^CFpIw4c<Ta3yQQP@-krgyU5kpjn<M
zK&w2D*Hf9ZFB`Gj1H1rYF5E~HMS?%UJIKr_PjJ&0cVlupal8Rv_&ntIAE5}5HzZY^
zQ#^AY9r&XH%5gho=T>#Gjlz&yYg`a{x}P4aD0aqaR9#*eo&TU?M|bjum2uGLBY)7`
z7J{gYmaj-#7LayT1xL;1vv|^Rf>O(gbq21CAn7M3(|<QSwR&m0`V6^GGS!?l3|&h_
zjjwc}pNs1HK9%zrs{OTBeKoi#04gKkMwna!e1|W?DaS8LCE5!T|8*?fENowdg(*aC
z2b6y)LQ4nb*}Q)e8i_JQ4(WZDmw&#eEbCMD_8o7E)AfXPHx56`N*Rl=m4rsId4hf@
zy{bSP;tRp?IEkX>mOx^><`q8f`s4@FqwJv6ZShgv_4M2S6VDIdk4=$V+Pfn{8}=+t
zvJSEq_|9WZ!4<+KbS7Zt&KS@S&YB3ubxjUiI@=Tsm81T4r~ps1G=EFw-G495sFTWp
zxzukmSlEJ<uLuo=J@lw^1alzl+K(HL{y6He_3L~v)Zs1GoN#aZWxz|EQ)xrdDQ)06
z6W{HEwcLPI8!}VM`@baPqv_;E2TWB*Tz5kD^g8z62kRyymW_2zK^C?1`r?2t)QrnQ
z3Z9N><J20~*S?*uK{XgCOn<mrz__*4dtUn~+$>~!i$K4ZqXYQLL|6LeyVx>0nt9_|
zT<K}W5=O-%q_14VUDDy2vc?1OI=C&=ZSw$OEJb|WE?QCS@uQOt#~|%F4)dXG=Gfb@
zjZxR?J!RI%{arAfoI-0Z@MVK9e^put=YHoj)W)Bl!@&!j+zsG66n_O6DMzZ4ZG&hq
z2%~Hc+ruNX42dq!|Ht_q3g4>tRnE6x9SOhUs}4zlD``ZTc%g{OLun*VcXeK1MGGa=
zYarvUwmSKy#)k>Nd>f{7kg^kpe$o&<XQ6O=4#@DA(r@ryT5z5u{Vr}2uBlii7>BTG
zo<ELo@4M|PG1v-p`hV7GRO`y$PY~)#Z@l#QN9+HK1xw5xwU3+hXT&Z~Y=Y!^Iww`4
zC|K9u)QW2iUm{skMX$IX=&tm(R`c5LiuTi0O_W7~jxWxiS#J_SVlsRzXN_Iodj+C+
zC}nEMKzajp8hJnibOAps_^h%*bU)=~-oW~C9w3H0Nw7X3B7fB3+9lS3aAz=1n058p
zjo#M_+DV%T5_xT|f->0Zg*BPeaR5DqlZ(UxSgY)m1Nevh4r#YxW3l`~0nL*pD1Zuo
zm&ZPFh0NQT;?>Zv1k-$J5)fma=QY;a{{aUe3JlrPxWfZLW_GL;iAvy|Sw`BY@u55G
zO)z{pC>R>$8h^hxBRZs<0^(!?AyrVF6dzH$din+Oo<?s4@$V8ALwi=hzAny0-ciJ}
z%A3tH`K8~C@cMJJ%nhNe^h~bR$YQsId#|hRn2jOSB((R-EDyY4S2_t|G^N=xQqlLl
zrtOSIjB}tAflv=Zy+mF!&DGol`&h~(h`t-MVdyZO!hgrVtZhpR8W|~6k#EeN_~3ac
zja){&+@9{<u}zW|vD~Q=QPre-;;yVB0@kE@MMtSYJUs}C1h5(e1m1$D>&_aaf~ZIS
zPi>skqZ`ZU=k}K$L4@I1M;|*S7Ckg$A)R&!;JbHhQ{WbCS{>+w?X8>I5D$BVTz5@x
a&VeHE+7Y9`eJGj|@?~PMWFSj}fDV{(%j#DE

delta 10923
zcmV;cDpb|vMb=)BdK4IS000)@00IC2009610b2k77aEa{egVXj4FMSeA(JNoE&?tC
zlUD&a0X~zE0Y?Im7L(ZlumL`^iUQC9f4@VS<?=1CBURbVNOIdwGRH0RbA}nFOAepq
z&5Z)>P(M%NQ^&q>kHaRc2|-(Jn*4FZA%k+08!<joXRyZHZ09HB`cg|P{`>waXqoqL
z_)IX!?e*t5=sH(KQsw^uhCF)mm$rKTGW`{U#Bf_Lh)918&1n~sxrQJ)Z&9%Af5s~|
zSddw109Xah^rLx120{C;-H=Xr$v-#u_~Ny7$zp#JZ?^F%pZy#GaUfOzXYS-+b?2pJ
zO3@2FC4SnZt?Z?vQxFI-79RtFo=40``74GG_mBPw=u>any?;OWZ@6SJ#C1JIf3jo>
zH)7oKVO;y1mgqkdj8wiv9(Aa<f6#6-y*$Gzz8lv7oDBQaaJqkLY9#8#m7MLIftlMU
z<{`UdKbWcR3K=YX{cuXE@$FcnU)_GV80p@-Bk=zK!yMI{_N`z407~uUpzC;(ZMhm!
zv}I$<vZi0;ewjGugX_mVsx*Sr7aKHNtl~|q=-7>R9=U81I{yGFbTU95f7rIBR!y;w
zm7@xuBlpK{nEwE4y-B+XbH7}PfoTraNXMGR4=0|4@z1Yntv{<6HzeM_`cYcqJ3yz)
z(e5LMf6N~{!N9;A=N(Dy$f`0VLVG}Lq*%<DG2`ZtWMq2hx8quuC7x1FxU)#5h>=3=
z0}2Tv)SM6a4QDH>v@@IHe<Vo@0#syUka63m@~V_?O{Kf^{{V+Qyd+$(mg?{QUHiqw
zi%;0wv`f>-<Zk2JudPj_JaKB#DALeHCg_E|#>X-{DO4anIx$n%w_1wU?(S8(X4Qld
z#OeVmr+!0Y^jd6ifi<=H)^{{=M(SG`LP$Ny0FS0PuOVI&YHx2>fBygg;iXg9PEn}!
z+pGN7<Z9|V9<Qm{S+$0f9C17#NXQ_JNJa>32FT+X$^5!jP|-Cejjz*4m964Y0|0=L
zAV4#;az=U1G0k7M)~}Mv(N|vb(g^b$J7XmrsT^nW=hv?_V@7v6e7;|dA+`o`#wlW4
zmcsnNvGoI|_i{NHf3BERi<RTQq18^eH^b1({>hyTa>=3GubNCry*B*dE^-e+hF(t`
zpF>i%jx?<@88uBMlW{xQ=1^N1I0JT6;~ZdgtDYp1Sp11cis029CoVjw&=lZhhdlk&
z`FrtJFRZL}`^2?x6DdgUq_>7kg-2#lfEz1<LvznL;<T*&f2y<7(@)5%&)X!Wr>38g
z%*rg9JVmFnyy`yAe9}&GK_q9_ACav~2k`7<E#`-HaD0?fBaw&i03n!={R;wm3<|S9
zg{-aTx3~WQgqjDrj%9@+NK~|BmSdlvj1Y6^O)?E9N`iaKRq;H3xrqwQ5kfXWVxSf~
z&p7HZPkNYAe}%0!{!Eodi&m4D-{?Ih@T{_hhr?IzurP2YW0C;xyX(ie{A$`A8DNlI
z_;T^2^NB``$&W9L0yll{z0av1N`~NlgH>BQEomCsMe`ox<SXWF`MMsN7#YX)DRVB-
zCBWBrl`a)R0^|}0uY3>6xh9-v%A2>VI4VWLe5t#1f7Vz03s;GxUce>MJTa(&xRB+Y
z)B&HaduFXgCBo_U@J->HhPf8<Bfs`q?s*HbRt=88sOWz0y-?FNH`1=BwvSjM2yL9l
zBq)Hpec*wZ90J_;=DOr->$`<(PaH?(#HK=8IN!-oTb3gO)b#!#)|05|?YEu(0LX6<
zI!Q%sf4;om<Zuz#YBEbZ&!yctU=Z!KKPlWh05EU}?NH65YH_o(X?KyJ=jOL@fu1^w
z>#bvvCAzqa#!;puh)XGjc9Z+XTxGh2R^SifA6j+3pxVu}OMl||Ac8`kax%t_!^~yl
z2js%2J^K1pduc6J-#_v#;^%#BZn``EM<-?Bf9*?A-S#+AQn=m($O>c=gOV}ApURzo
z;hkelvp08ko?HR8Z}U;P>Ch5t{)cicbs=j8vMo))FD=umm5r5HfI-M&az;aA=I>oI
zwv(#p<{R%7Oy)@g%M;HZB!z6`pgaON>{D-HT~T*OY?8i*6?x%}a>93peJ<yE47Zk^
ze_$Vq<WnH<_N#HJTxrqSvAeg=n;SB&zzzw?ILEzu3*FkR>auv;v6;%;N}g6E;~<O!
zw~?HlpIWUAu8C);t?GEZE!EcXaLMI-;O;w51wlAmlaNk*YJ_?H=9_b;&E(vO(ok?y
z%u+|!2dBM3G!om&(aePzSg8lp93R%Ze~aA*!<SNhwY)@)Gt3%QGR2l0?&AOh!1=iu
zJdATl+82iIC3m{l12NoprNl!nUC%sZf&k~=(x=|JT3F#IuG;IuejGEZ+W4jgje%|Q
zlx%#XjtJzP-`5>ZcB7%_wmKxU!>vbmdaSz=Hc$vS$lJ-|B<DYcQ71_hx}-Mie<8B9
znM8K#5-XI5?O2(6pddCGvyeF$CZ}Vm*y(rDuZJVIfut`a3v#GX5ID#|#y}h$#PP`|
zIPuM=&8j?d>YA;n%zjIuo6Km!K1c_50OPRljB`t^+-df4I$8L)Q@WXfIQvtwk+rd$
zE;2|_jPakwfH#wTx}2ih!}>?te@n|2`0fLdC(0Y7eSUGDqjcn(5?$)%+sT_kv$#Wa
z=1<??1#(+!0)r|RKse9c>5xTv@Ai$rwXpjRuXrvc+%92?NlW>SBYePc4p(PGl53#w
zxQVY>^~;@K%940QQZTqyk}<r#-!C~}c9E0QJ?H~^)(u+2IMA#X2%wn^e~mZ<F8$vw
z)EjfVrre#qyVbatTTP;E7Si(4W-^!_bpQY*Vh;5L0liP4@`Ye)-)Bv7`ScxH?eYPF
z1$o5Vh(RXc>Iu#X>(NGf0Z>nOtIPeKw$tlM-)BE)XpGL=!!Y0$0~`*A9G|5Cbk^4z
z+WnHt`zj&~k)i~=05Y;Me>{~e237gUBZVC~exZHjX*XAQdM=vwa!#z^+_P<FQGtUW
zA1*QI2>RAvhIULIKN1aLqw~<iAr~a=3g@Dd0Spk1q;5FPYwDJM7V_ne2Gr(&O68!M
zE3>%lA|uWK#v@)qC)f<o2ReLs(MxW!==Q-Ojg_H|fJVw7AHsM6e@_`ddmXAD_)bXq
z7fu2#t@4>cEX*)jiCni+*S<X|{xr7m)wD`9x0K%*a>3GNK2~2D5&`@^S5Nl6tBs_*
z#_fF$zHb`a+%%?b97wWfD)RyW-mCx{F@d-7&pE5MzY*iKL`2aeWk~$648wtpc0f4o
z>0BKY#C5OZ8wn*Yf8HFl*vzi+hET4-TxEvNd3^o?vUTls^{b_kVrzK91u=;?0&-4I
z1J@sbtcoZC_3iw3GRDwZ!)~e0)lhPM`04Fi<Hk0V-?aDoCB4Eu)RQu~4Ye4IARBuC
zIpa9(T$L4*qXv?(6=}w+y!ZRRBd@seR*LhgL*dIv?ZnE>e<6tsjDtBC#sMUb{9>VB
z7TK-M+b@Ug*4}8<Qr$v@LI>VIFU`+9^u==2Qu@6=>9Zw;rQ7jl#;L9?^xkE)lvZRa
zpec>Y6aWBV0q8sA`{Rn+e;=@o)*UeubD0KaCu?mWV}Zasc<F`5a%+sDw2UJaWNwwB
zqP9nJJ|ZFee?rZpB=O1=1(slT?I4ff<m7eh)21ph<J)w+OQ^IcBb-OE<yirDIZ_EF
z4^5-D_0JVWP|n^DA6r`^h_nbqk05uD&6a#;0f}6mz5f9E)lzR6TQj(WLbie_apx#t
z%_akNET<=P2IL-BoP&zw=%5a<JZt0_O}&Sg<*aG9f6n<xLdT#`IVE%KxbISb!f_Hp
z77ZaHb#{;ypK6&1#^M!5@8Ql#$X{}6kD`D(FZfO^5*clw@b#=#lB<S=Twt*=m2B<p
z<^KTV+0I64w7xQF8Jt;dml7f$Hz85NE(k005UJIP<mVj)a@0@<V*WUU!7NFl!WL;v
zlJ0dSfAb=_2ju8N?D`*S6UO$)%m#yQ(X<{(R&a1Q#?iNE85tvP2|tB#)KCX+ACIjd
z^8U@?_-({!$f7A!V<Z#K%=I6RPqs4k-xJ&Gc1aP^qlV#6{Co!mh|Y2MLBQt#5IOI~
zbCggAqIi#5)x0rtV`(%xRl`dH-Ykg}nH$3{e==LI2dAm^IkVxNcUkd;)#jZIwu^2A
zCV32yKGp_AQa<;6-8+nq^~-8cq9&rB@hrWww|g7~k}sdkB#|HmhF2KJJ*ZZ&k5ai?
z%^Kn$+IaF}TXU6=1!j<`Ve;`OIqCWUce>Yu^~*WaU3<McS#<K6g2e<<v0|hE2;I{$
zfA%@+?N|}~WbrIXZi{cG;ua0WPB-8YhQsvdI2hy#=QYhHX>|!F({xQr-p^=lvfD7*
zkG<18WFGaDnq~Z!>2Q`eEd%FdixU-Yalyt9JWvJX@dLrD$En)cTS0K5O~7wtV&R8I
zV}Ju-4{rS{cS-o2t?2fV+e2-q$r{4Yf1frcCBqgZoG|C+JuoYjeKP(zVu|doR!KoI
zp^1TTG7bhg#t-F9y0E;lDlaW3w=efZ(Ui~AB7i-T+f(s2p?5BsX>+4n%p{GTWQG1&
zC54DQxfucx!5wgMTT?HLVz|F|pGFL1W_SBEyM9+r2hYY!WO0+p>TArbpwc6Ff46vB
zRhr!F494A=nYNwS`LW3{<LY{GR&L<XJgb>g!g|aq1AOgh+hZF@1pN3IBz{x@r>y)r
z)b-tS?J{c?5=$`HObEqS%LNGPNWqNf-#&*NXNdeL{u{Nml56N^dxAh%fgoX3i4D+?
zook{Icx+0j-VoM=-(}h52pc>9e*nG9bJTNz*P)^h_(rAj2mB&hxgpnj#cW$3V=I#U
z=LgW@fIRMs?o56ka#|k`YQi-D5^YOk=U?{w;fFcok9xXKg(qMa!dk#09FUgmc_657
zzteZ>J*WfDXs+%nKMutup&lC7obTA;NJ;ZBIRI|t<o3s7$3l@ViqKrVf4&#gl^0+S
z6{{V9M!T|0;2qgNLMQ`;qP+qOe-A>;8^Ze2#>~u_v?aFT2;{%9&$D*z3s~q;+espL
zXIyFHR}bb}IE*$i&(D#Aj{Il2!JrNniu54<7?R!KJ`~kO%NBo<1HuNu$IqM$kH@`3
zr`zap+!-eDwy|*mfs}2we{Yq8vEBF1cq$L3-+BPx=&tGE(wgZYlfpWhLe9H(z~Wb3
zvJwZ)j=os;3dh=o8YED8S6&#@qmv8seU$FT&`HT)I_DgH(VqMOaI{yUUE6qR+GxMw
z7uVt7vf|$km<Ro?gCnkb4Ad||q^0otPlNR|whCKfTS#1h5N9R(e-)Hx+;`0YaCBFC
ziK9m(h<qigJW2uH_Us%nb|*M&V`*G;`=oo*=e5vWN`K)N)}vM%P>V7GxIgdv9E|$o
z6anY-SE5><3?YIkd?~BTA|Vn1Y;wm3oNw)e`5(fk*)$0}z@8e`ik3%Bur_ePunFJL
z<YU(v>BRtW)K=Gue-hd~SS_xbbElw*a}C5sHZ9Ih(oP5C+OcQ=qKYU0qKYU3rMuJD
zQ8toXYqo3>-V`6|(4v$Lw+eaMSg$xd8Xr$7aV*1Lv1wK>v#V}gGHelJ{`ol0I&;>m
ze{E^lh_;Clc;ksPy+9>UDL4zx;tL$-lkG_Q#+Ke-8Wc*de{u(#_j+_YeLu#vT$b1M
zIBGmcJLSE<?cdeh=`~GnRfAC$kodaV={$@HQW%v&lgP;69{e2OeJX(Q4zp!rrmS8e
zS%1=GP>hjC(1En?EX1CC#~(2tbn}YL)OFoH`%(KuS{=Qt8vroGz+~sHcH^fVJDzH!
z+Ksf3S;m$Le;YwN%I-FkBDTya`FahkdC2+C7~;93&CKt&$mx$iJHFo|Yx`?cpITur
zh>=CSf++4{MOAQQI5_!optCkkcJ}L4ZUbxbB)7V~s<K217LGW$Eaa&QM?7ch{`ot8
z7u9VSK=Gz6Je9k*9#m2CvGFGvCq2b*RkCZU3Bqptf3mm99c-Q<)>bHB{{V!FCL4C)
zBTcD+$2c8`=dOL$m3%|2+s86Ru39QNQp%9T0on!#8+gXijCu;>Xsc6&wU6S?m`)Lm
zr5nEIRX>Y0>2787b(o|v!gjENEI0c-G2Ht1^{Fj<W#R`|hxXz`!0-8>h;1O_laGA<
z70A(0f0|NltvdpoFMeGPqJI$UGhRerS%KZl0_G^ff%2Ys?|?b<sb#yo2S4zTSp|=5
zxk#e~vXdYf1CSYs$8+1Ia#U7z6O^wPWMNh^oUaGUyKniOeWtmqOFfR6{{RUMycVV`
zET%ZXgasr5alzxRbCX*We`p=IPvc!7rHM>xf1pB0Qc#=@pLtaM7mrHwiYgo?_Lty@
zl{${rpWu$N%Tl=1B$CEmYCC<(?$XT^A~yLp?axt_0dby#rEPt?Q@CiN{{V!>z+y!t
zw07tai55jU&mcD^9)u0TyylA0D;u|VdO*6=(k0pBeJ~<P<?P!K03P`60Q3h3fyXsv
ze`ePvvxiW*@ok(|w<at}C9FC5g7pWD%io?hpGxxTb4cu=S=fL80G@;VlT1f{r|K8?
zmiC5!7-{e{PSBz?ykEEhK?IfqjNoKsa0n+HGfk6MO*yW=;U&}U5ohwFR#;Bpk;b8y
z=%E1}a66t4153E=3zL9y1psy4C)TwHe{SC0^|&=RD}y`{#A9S3ff)nb@$Z_ied67H
zA$UfrvO_YmFi2t<1yr!$f3=RitC*su&ijt)+Z&_CI`Be*{{R4%IS|GUSnfRS$mgHS
z(xm?YgyY12Hgz2CIXj_@`g*Uh{Hva#s7FEn013B<Jmi<{$>ty-SldOA2mt>8QxBjY
zkft|`wf06+s2!}kND(0IjE|Rtj{SHZm4!tBUe$Gr{ciW|nvKDpeW7=i3&+p^JDQ_K
z6aZ006aZ006aoL)5&#MbIA!uYHV_cdX)@6*lK~U(e^<1rl&7B0Dgn&L+djg3gCJV}
zd+7W-sA%q^Qqm@T5Q1iFbf!$h5!j2=ic?J==z0bU0>;GQ=9alBokOwe=avkBdv54V
z!CP^@d$(x0)(S^!&@oFct3dshjp64>#QvHz4o|#qw(bH+lbFLChG{QjVETj8xI;Q-
z5r-gAf3W_L35IJoel8#uP#3AtW%pK8nvLVia{9SuIo#1Z$@>Eg)h%F{9%|F1hpNhm
znW+I7n<j0(xLeOr4?_O`fw&KxCSn|+FVNw+lbBNB0CS}TPx>Wu;?NjW)4lyO3M*O%
z_~_EO?N7$l)pGi!C>uNxzZxw$5Ra_^7QebGe^FPY0s0>K#;<V#eicEO=7GzgSuwTO
zD$xO!^_6RfNSMZx%?@P`6Mv46&K$RdSTX|QU<rd(+N7UB#RYwUjF|R}j!a%MXRGoy
zhr-DbbO$~!X1P!}8u5D$R0^uG@XbRFtPTdy*n}(1wa6r-UNa%0YeRvl9Mbs#ibRf+
ze`K2^%BZNc9O)JQF*X<=WSs}sbp6vY1F53FrA-y#8PF#Rl40u^K@))<$S~7b?lMrN
za1`CQ6QT>13kpUDxsG2M-($8-o+-T4+m9_2s)E4XD*xAuAGUp<b0IsvZdkpD6}e6p
zyvD-JOl>wmzF_sx|5R?pXQ`A9BF9UDe;Wn}=Ji+4B{2c=1t5deP-*0K+>Gh`YOw2z
zJwW(FZtLU2fN)`{G&)cLIY^_^?e7=rbc2#aAO_!b5IuPrEGY@dp>VpJzWtL_rQ-Bm
z#l3%ki8}mA9&GSn2KVX#fhO^8!Q|!3^B10-(-ka?+h91P{8GkXfMTLy?(K^%f7fOQ
ziyn|`7KBwpso)`bNOOEljg3XjB_Z?Uu^w#7A<Vzh#<r|g)zgTG)k+|zmq}9r89=$a
zBNuS~yXG`CO<fyYE~G3&Z1>;v@7AVKNBToT=eG+~`!XAnZr$-j{6j_}1oOD{*2irP
zFuI#y#SyzO6B_eWpp@ctg=@yUfAP}5yy(W351pC*{gF?{ohK(m(fl;F)v_HMU(OXs
z1Ptbn*I8SjaT$N)+s@l};T(s1YA}Mj2Sy!<40UNX=DXS?9f*_EdzO{meyaq1SQ;7g
zhn2Klt&03ON~Q9M9Nx<@Ue}J<eXLhNl}+9OY&-%h%o%#Xx516T<s*OMf2woT+Jb&J
z;+zw%s2^I$>1i`Gcn{iGpjG{*)34slbD_Gy*QPKDKS879(AS>p%(f}gZzNZ)3ndPb
zOALy=!R3p``;9WQpE#g#S{DEutOmI#hL1UTCAU5YRpaQWFhA>l3k~&?FBXOHjb)};
zTouCROxCsTlzTQE(T-7ffBliyE^e(-0V1zuZFa2zzi7!2i%lf~>O}rpHD}0!xuFgf
znNl%EecGM|cBdL{?9^5*{-1-vJ6G$1qfA_V=O(DD#IVJrocTFgT0*?UNt#3403c<x
z&g4Mn$+<xw!HOukF73dQxxXf^0XI{NhybD=M}k_T0|-Ez>rR|5e@Vm0fmZ%kWL=wM
zEGw7M8y!AYj##oOrxuA#+#6%DzKRtVzPF+<osyWO;C}n-feni~9SB#b(j%vb<kjin
zHo>I4jvi@txF3}cPQVUL{!v-sDHz^WFM{X7;DkwzskX{Rg+DNkmIH?|Hl2!==3!%)
zx#Jl>98i|A=G*3&e@V{R_U0xkN`srlrb6g%5H#_00z@4H>V{J^b6%uz-?t&O{=Yvk
z#nZF5QKjfW<q<h9CZ(%f?pxLFQ-XPu)bv)#(j1wktCs6K>IVg~y?tv2KTSkv%geQC
z#BDKfjE`l_vQ6_!<3h22Og-<0OhvDFy47e|j^K<NZGTRYe;v1b(__@prc*h}!A)_=
zp!UU|Eoc4c)&TwSE|cc5@iHWPQ7c#_=&)Zzz|1WYFMj*($AXP;Pz9Kh0jC(pp(ah#
zI;NTwX>!x&<l2~rS@h7<PqF{+B8_GNFXP!E$RVMgPqDq_6fj&~j~&1eSUXt~DBoyE
z3h~tOe0C|3f6;8Xc9eeisr2wj)g8!pnu*@;t&^C^PtE_j?gy@HWra*4j=cowOyVij
zDNG*8ZJV+$y7W*alj*TVq!D2jA!ZWsfNbCw;6&LQErMVDXhh^>i?HYoQz^*Nq(K@#
z5Rtg#iME;Ohk(rXUGZ8?PP)9rxvLFQVVwG|3h=x9e~oCCg0;WPdI5x)92K`OTlG45
zd(SZMRUXK7+|MWfP<`vEXcK7KQEP@KK1S<U(m;r=$_M5|y1rx8f07fh$UW8<f5aAP
zp~*6QK8FtD_uEM~1paz|HBha9eMw0%i@(9W7r@Ln$)yjm=SD`eKGt+v$JCBN_DVpH
zFdw$;e_<iq5&+OnjeU`y&rSc|9t7Z_5jBETEdWx}1jz~BJ2COisicGHOR*X*vzxZX
z6L07sJmA26FKr{eDi`m(Mlr*<0Vz)b>oy!$I&g~JYn6S1XxJzm>Z2@k_I^9f7%xdZ
zn#W((cLZW4ILrDOcVi2jlN!xvCsete%w(-Ef0Z`II`S|QUNq<3p-J>)h{e?=4E!pv
z7O6sTE_ob#81zyjbs{G!Zy|H$tS`%y_X-$0dKI?&K3XDlCA`aBmp7?Z^>p4LkH}`p
zBPsTA%Xxrsgip1m4try*xI)&)ROW}j|EuBada;cMpreQHo~`59$!?j=q_-jd2I#0=
ze;8S)QUSxiB$_<lS)s+!3XZoGVeVh*Q&lz|lBj!6b^}d+rtU#J@7Dr1#1AP7-yGsE
zXkvYMa6t}-wh$Ui{o$w$yW{TKJNaZO!AelOFQUcxh<G97w_yk!pQukRwEv6Yu)I<~
zdpmSCLAzhX(!kb8LPtF{Nk~Tfn|P?he-{DU|LXVcjZK9DrK`X6i3vXLHdFZ!_0%+d
z2qbDaThJ<P&qOcz)%>aJV0c7^L{P01r3)(f2OlzTL={bpEE6khBo2#(A_VR`Ci(c6
zTAOszxFgrOr^c517c9^N!n6fsk(KRm+f028CCY69hr4bvyYRDW1T!nbN8cE$e>RyJ
zjk!hGSFVtdMUs1>9I=igXKP|+)Zy#zFTn)&NZTNqweM~%stu64;MfmhZ}xX1?F);v
z-t+;gyqgT|He()f<sK1KR5_edJ+2kIrMGqp1BnKp#5;z1tLOYp!|B3jId7qz)-|V9
zROg6TOx`Q740;jNY=QPOSMhd}f4$G*1HL5&S_A27YMGEpvsh&1nW+jlU})x-tfJKw
zM69~}soDSR7EwVnL<w*hEMA7}yw3EVnyH<+X)*pZD}D((_tXqM@bWxAlj{I(?;zVR
zTCeqbY}W|M`4e;Fb=@KbpV#^TO{mOM2bW|-REk?nCieS3p}Ld8L5-jEe*|Ga3;S%f
zE)c??Q71?=4XM2k@>E1@OYZ<?wUC8if-(G=9fUI2W33sPtR2&k!N0=6m|1+<?j$jg
zaK~Ld3M$@<qUn*XaEK_QroO@KF;2*K*Q1bnoRufpi?I9*<qS}!EaW7E3%CDB@Xr5^
zk9VuiE~li#2IEOLHgxBne*{~t7i%}yVOlI(<)(dc%fca1R=iZ#%q<Q+gh%>i<!jPR
zD$6n4%?KLeS*ZNi#;zvhH6`*_ZB+4NVbnm+Y^E4p9YgA~2SI*N<3cNC#PwqT_|eQU
zlvA#Z?2NLqInbzz(UjgEG}Ko8h<-?@zJZ)`t_zo>r0<IepKZ2af7TvnKmo3=u&7?k
z-0BJWL|rt{AWP-eneZkk0myTH+^49gN^Vw~cXj5&)O_uf9ta3`Lnzo+Nx)#^xQ<dP
zQUZ+s>n@<IH%@V_0UXi6CeC5-la9gFlFQgVvxJ{M=o!lVgwI2|3A${B9gyk%!o*fm
z^L*YFzLYNHp6Ab|f4A%#QTRtI|Brklwk1<cAA}MD4E27cW+hx6wvKT45i`c<`2M3j
z8+xB=e4ynenmJPq7|Aw6B){`lq!M9&(u|z2ub-K^g7|>R6NAFTl};3fxFgG|H-;P0
zq>qoEP1T3f9@2Q*mO!lw8N}nfS#pfUjo(Hkz>{(9SIl%8e@<}1dIB4~2`(;V_#}N}
zQa-LOv7Z8m$4Dw!Z&2o|#dxMt`ihMYl8N&mpSP)LL&U65x*q)t8!Q&Hv@B#C_OyTX
zqB-PZmvA@66<vvitAWYWruQbWo8BG)>3i;vb#v?N*IR#*4QV6u4!~HM^JS`kH~wa!
zt0XH}V+>upf5Dn;_p#HDrrGjIF^l%X5G=S#F{!eMg;2uwJzYKp`?@!U84b$W`!#Dk
z)Nzw$Vj6@PUPo5)v-(NCyt0t&plE2wnkte^27(0}_16&NU}+P8sj3ot72`@6-jKxX
z#GT#18M(!c$*|?=pn`OJtb&ZMZ#`~;cJ}e3QkoQ4e-GuWzc1Yz4ee*`BEW@ptP~NN
zbA(7IBDq*Gh0MjMPL+D>-o}3dJ2xoqO}l0Zr(5Y<5B_m06RzRe9R*EtH#Z$-soPet
zsNnU@2zD-=6I6{NYxS;Z=CaV)B8oeCOLko3DgG*=C;;LaM1W=O&kRIhOy4buyk=Kp
z9R|-Af4^8}^YpG!lPJgrr^P$H|FT<OxWz2BbB!e6oRK(S$n{ebLlqu=kZ{1}bC=M}
z>Xv`HdF*+Y@c{2Ub?w8^;cZ<JzIGwP3|yYPP&yvqy^_Q){Cs!kaGLqTV!Qb_=<Rn#
z%hQSfG(Nbk*|kqZ26-T|b32gH+YJI5k2Is*e-AE|6Zkv~RDNYkIMnsXq|+9ZLee>I
zqF9no8N0br@`PqDJGR_D2__fb1mSQOv=8)U(u~`FzzQ69F_)h(c1|K=f`f~NJd>j=
z5Pk?GX~o2kz%@m8SZky~N*#XID0qg@HMuvR1;qMX=6Un=WV&OV5ULURm$kPV$U4kZ
zf3}6@r2)n{)I+qYajne%JG|n?Qiw&jhC1>G(etwft5}hmxv2bz_iJCQcal_n<*L}6
z(mL>_=sc1&58JOYP?$7Do8iD3vaeeZix@QE=OTtYTh0>!sx*BnZ2VLj()y4BI<9df
zp6X}wZaW>)1&xRe(aOsd`s?J>+XSU-f6G6bmK4fL_SvRzJ=UX>a=0Z_3YmjkIWRSw
zqK!G*5}-5tmD(%_N3L#N+Yj6t)Wo=b!?RC?tI@v`Q$=Z-K_uPMpetp$U*uqbV6ujD
z^m{RfEKg6mDZQsu-s9<-S>@<vDlr}YO8ykT9ch{k{{dU~c;B7GL(WH)^^sNtf8=9)
zS>ij!hw!pd+<;##?_98S7j5rlA=)0fqU?nasAg>Lm*#<ffLc3m8}y^<U$i_nQ<RsY
zRNu3JbP%~~%Z4vO8STd^8Vva8;@58YVQDzY$@mlFp)1*Egwao8X(MwIGcY=UkiNUj
z)30i3PU4tjNp_?iCtahDbQeU$e{#(!+v$8F_5-`6a(!Nj6azvdV38&^-MTAKodIon
zn>I9?Z&tqPB7lt>6a87N3Ew?%wsPTzvpTxP`q%QnpxUE%GP2oGg*{RD-k?p(`A_R|
zkIr;QwUuh;W*bQ_0tyO7m{pO=(Qd*9!nf@&8WuU1A@6*@Mq?&>$`J+Rf9mkrY1>gT
zEbrPiyn|IsS(nISI%0QxFG+y62qv{R`Zsf)Gs{?%!mjc!!;LDn<(K}g*EcCKPQ1rb
zv!CguT%wKYyIk@wG5~U}Pyi3H)^J+p|Du-7awO^cKJ_|jUkXloR0Asqzfre%(__Np
z&5{m|{n!(Vz}P3qqx6`<e_S7XKVo6M22I|c276aj+BjU-U~ppa?RyC+wz3Znw=m3)
zUhZ-ef)2#~llZP?V}15(@@8HUol_he2GmjX6)UMtoq~hznVIMm!0O6^uAU?O57G36
zMk($5+wl?DO?|fyUdZG7eH;DCeD5yOwIu3v03NqIply}`8TEsue~KS45q6M+dlwuC
zOG~k)Ijc*;uXFw!2fehOgzJAt9HXT7i)9Hv*W8GaL&((^z&?8LM}>u2_eDZ=qhIOC
ziXPH*zD`XR2)1rT7_-YXc$G7y*h1iKW*i=!4vdm^*bgu6)xj*aPOYazMw%km#-H`#
zV%^|vTU!t?>yHRxf6kJCNoM=YAh?T8-pLduQKxS~lzfzy7CrMju;DZtWxFc<<(4PE
zvMSl^cRa9??($S7&`7N!Jl8mRNQ9e+9Ft5=yY^-RwfnKlsfwqn35VE*r~w@~x@WTy
z^1$6hxmwzYY+6=u#DeqFE!4S>nf2W2ax0JAtO1JAU4&XKe}DMyjJ1)f-(S{-gb|Wa
z^n{a_DOO{`y@hb(^ZJe!TbbN3mBm%K>QnA@={h?bM|K-@U$CXod_%Y=X)JjC2>Qc{
z`yOkVh})o?_%4I$@_LS^i4U+3@j@WI`-25J;U6g#T|1?ZBR^Gkda623`fH$M97;1;
zU~Q}tHp+c7f0;%E+M3xo24=DH^upSQb;9bLhnAp=n$|RnCzCRO4jf`0zB2vPNS774
zgQp8QzO~uH=jY9>lYbF_9Q!}FlH`J5WW4mmwxPXIahCTMMz{{wZ2Ut)c@Dd|@H2;d
z<V^AGd(O45?_tCVlvLU#VL|-7fC3J<oQ>%+jF8_Se}<0h1NozN)I^VMW3W_2q81mu
zt{Pe4c9NJEfwj?Pbp&nY&=N68Qj#!evS9V@gT<CV2%xdu5NZK>(qlq>K7{*4=Xehz
z?jhLoBwCY@pX!2sX$Kt`!Am{cN+cpax2p`Fv90u&+ZrwPPIs?>Jhz%8=&s+G(Q70*
zzmDE~f8!9s16gt))$)D8fMf|t#cw+j5wFv98{nY>k+ohE&LfZ4w_IAXUZ-5o7K<<M
zz({x*<mLBB+AJloV%h}s+OkK)mnh=j!P1A~?pkc~q;xYTShSc_JJ_OI)Y3QBZLqhM
zvQ{<v#rYrJ3Y(r#8Zc`WNZhK_g=a28z`F3-e>(;H(iYxH{h5GXpW&x%Eiv>Gu3*zF
zRU&@OG)oQM6ZMEE`y|X`e(h#pDu`4UakvgzDe-G%G*z@w6u;#w{v>J=2t<~=_!<9q
zEkr7{PQ$xNjKx#{?9_+K|A;D7CKedD+-{gHN<S`6t-;iWxadJP3L%ql>?LfOQw(TP
ze+lv{#3$~a3P->IfGSy$HsK)J>+fi-=g8S6fZ1$RE*EYqq7G>l2^BE_%j&~>GRx8`
z`p^K)5RQzzaMY4@O9sr-NF4?D`{^5bvq0H|TT|{pdPOaSs|t%1(Mi{wQ?KVCfiH_t
zfUfbi41TwY?nH%Y2I;i0)U&3oE#{KCf4iCh#$qap)t=(vs+7pEoj?frAH0C(Qym(}
z0Q(w5E(o{nr-Lenn;_1D2Num2F}e)lr62O29SnutC=SfcpaDlgf_)3E{ka8R?`|Z(
z-vfP|tJ!Dju`%a3)gR6x9v+B>m?l0Gb3~xr<Vo?PxtScfIdL%LI}W|<_Nkh?4GAmd
NS*Ihou8YP0{jwasWW@jg

diff --git a/README.md b/README.md
index 1ad5aca..6b3cd05 100644
--- a/README.md
+++ b/README.md
@@ -69,34 +69,32 @@ download the certificates. If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.
 
-    /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/E5.pem" dst-path="letsencrypt-E5.pem";
+    /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="ISRG-Root-X2.pem";
 
 ![screenshot: download certs](README.d/01-download-certs.avif)
 
 Note that the commands above do *not* verify server certificate, so if you
 want to be safe download with your workstations's browser and transfer the
-files to your MikroTik device.
+file to your MikroTik device.
 
 * [ISRG Root X2](https://letsencrypt.org/certs/isrg-root-x2.pem)
-* Let's Encrypt [E5](https://letsencrypt.org/certs/2024/e5.pem)
 
-Then we import the certificates.
+Then we import the certificate.
 
-    /certificate/import file-name=letsencrypt-E5.pem passphrase="";
+    /certificate/import file-name=ISRG-Root-X2.pem passphrase="";
 
 Do not worry that the command is not shown - that happens because it contains
 a sensitive property, the passphrase.
 
 ![screenshot: import certs](README.d/02-import-certs.avif)
 
-For basic verification we rename the certificates and print them by
-fingerprint. Make sure exactly these two certificates ("*E5*" and
-"*ISRG-Root-X2*") are shown. Also remove the left over file.
+For basic verification we rename the certificate and print it by
+fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
+is shown. Also remove the left over file.
 
-    /certificate/set name="E5" [ find where common-name="E5" ];
     /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
-    /certificate/print proplist=name,fingerprint where fingerprint="e788d14b0436b5120bbee3f15c15badf08c1407fe72568a4f16f9151c380e1e3" or fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
-    /file/remove [ find where name="letsencrypt-E5.pem" ];
+    /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
+    /file/remove [ find where name="ISRG-Root-X2.pem" ];
 
 ![screenshot: check certs](README.d/03-check-certs.avif)
 
diff --git a/certs/E1.pem b/certs/E1.pem
deleted file mode 100644
index a62fc03..0000000
--- a/certs/E1.pem
+++ /dev/null
@@ -1,124 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            b3:bd:df:f8:a7:84:5b:bc:e9:03:a0:41:35:b3:4a:45
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Validity
-            Not Before: Sep  4 00:00:00 2020 GMT
-            Not After : Sep 15 16:00:00 2025 GMT
-        Subject: C = US, O = Let's Encrypt, CN = E1
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:24:5c:2d:a2:2a:fd:1c:4b:a6:5d:97:73:27:31:
-                    ac:b2:a0:69:62:ef:65:e8:a6:b0:f0:ac:4b:9f:ff:
-                    1c:0b:70:0f:d3:98:2f:4d:fc:0f:00:9b:37:f0:74:
-                    05:57:32:97:2e:05:ef:2a:43:25:a3:fb:6e:34:27:
-                    13:f6:4f:7e:69:d3:02:99:5e:eb:24:47:92:c1:24:
-                    9b:e6:b1:21:8f:c1:24:81:fc:68:cc:1f:69:ba:58:
-                    f5:19:22:f7:74:c6:16
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Client Authentication, TLS Web Server Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
-            X509v3 Authority Key Identifier: 
-                keyid:7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
-
-            Authority Information Access: 
-                CA Issuers - URI:http://x2.i.lencr.org/
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://x2.c.lencr.org/
-
-            X509v3 Certificate Policies: 
-                Policy: 2.23.140.1.2.1
-                Policy: 1.3.6.1.4.1.44947.1.1.1
-
-    Signature Algorithm: ecdsa-with-SHA384
-         30:64:02:30:7b:74:d5:52:13:8d:61:fe:0d:ba:3f:03:00:9d:
-         f3:d7:98:84:d9:57:2e:bd:e9:0f:9c:5c:48:04:21:f2:cb:b3:
-         60:72:8e:97:d6:12:4f:ca:44:f6:42:c9:d3:7b:86:a9:02:30:
-         5a:b1:b1:b4:ed:ea:60:99:20:b1:38:03:ca:3d:a0:26:b8:ee:
-         6e:2d:4a:f6:c6:66:1f:33:9a:db:92:4a:d5:f5:29:13:c6:70:
-         62:28:ba:23:8c:cf:3d:2f:cb:82:e9:7f
------BEGIN CERTIFICATE-----
-MIICxjCCAk2gAwIBAgIRALO93/inhFu86QOgQTWzSkUwCgYIKoZIzj0EAwMwTzEL
-MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo
-IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjAwOTA0MDAwMDAwWhcN
-MjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5j
-cnlwdDELMAkGA1UEAxMCRTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQkXC2iKv0c
-S6Zdl3MnMayyoGli72XoprDwrEuf/xwLcA/TmC9N/A8AmzfwdAVXMpcuBe8qQyWj
-+240JxP2T35p0wKZXuskR5LBJJvmsSGPwSSB/GjMH2m6WPUZIvd0xhajggEIMIIB
-BDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
-MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFFrz7Sv8NsI3eblSMOpUb89V
-yy6sMB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEB
-BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzAnBgNVHR8E
-IDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYG
-Z4EMAQIBMA0GCysGAQQBgt8TAQEBMAoGCCqGSM49BAMDA2cAMGQCMHt01VITjWH+
-Dbo/AwCd89eYhNlXLr3pD5xcSAQh8suzYHKOl9YST8pE9kLJ03uGqQIwWrGxtO3q
-YJkgsTgDyj2gJrjubi1K9sZmHzOa25JK1fUpE8ZwYii6I4zPPS/Lgul/
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Validity
-            Not Before: Sep  4 00:00:00 2020 GMT
-            Not After : Sep 17 16:00:00 2040 GMT
-        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:cd:9b:d5:9f:80:83:0a:ec:09:4a:f3:16:4a:3e:
-                    5c:cf:77:ac:de:67:05:0d:1d:07:b6:dc:16:fb:5a:
-                    8b:14:db:e2:71:60:c4:ba:45:95:11:89:8e:ea:06:
-                    df:f7:2a:16:1c:a4:b9:c5:c5:32:e0:03:e0:1e:82:
-                    18:38:8b:d7:45:d8:0a:6a:6e:e6:00:77:fb:02:51:
-                    7d:22:d8:0a:6e:9a:5b:77:df:f0:fa:41:ec:39:dc:
-                    75:ca:68:07:0c:1f:ea
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
-    Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:30:7b:79:4e:46:50:84:c2:44:87:46:1b:45:70:ff:
-         58:99:de:f4:fd:a4:d2:55:a6:20:2d:74:d6:34:bc:41:a3:50:
-         5f:01:27:56:b4:be:27:75:06:af:12:2e:75:98:8d:fc:02:31:
-         00:8b:f5:77:6c:d4:c8:65:aa:e0:0b:2c:ee:14:9d:27:37:a4:
-         f9:53:a5:51:e4:29:83:d7:f8:90:31:5b:42:9f:0a:f5:fe:ae:
-         00:68:e7:8c:49:0f:b6:6f:5b:5b:15:f2:e7
------BEGIN CERTIFICATE-----
-MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
-CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
-R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
-MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
-ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
-EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
-+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
-ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
-AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
-zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
-tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
-/q4AaOeMSQ+2b1tbFfLn
------END CERTIFICATE-----
diff --git a/certs/E5.pem b/certs/E5.pem
deleted file mode 100644
index 3f9e915..0000000
--- a/certs/E5.pem
+++ /dev/null
@@ -1,119 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            18:6e:75:d4:ee:b0:a0:5d:fd:2d:a8:20:86:5d:1e:31
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X2
-        Validity
-            Not Before: Mar 13 00:00:00 2024 GMT
-            Not After : Mar 12 23:59:59 2027 GMT
-        Subject: C=US, O=Let's Encrypt, CN=E5
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:0d:0b:3a:8a:6b:61:8e:b6:ef:dc:5f:58:e7:c6:
-                    42:45:54:ab:63:f6:66:61:48:0a:2e:59:75:b4:81:
-                    02:37:50:b7:3f:16:79:dc:98:ec:a1:28:97:72:20:
-                    1c:2c:cf:d5:7c:52:20:4e:54:78:5b:84:14:6b:c0:
-                    90:ae:85:ec:c0:51:41:3c:5a:87:7f:06:4d:d4:fe:
-                    60:d1:fa:6c:2d:e1:7d:95:10:88:a2:08:54:0f:99:
-                    1a:4c:e6:ea:0a:ac:d8
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Client Authentication, TLS Web Server Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                9F:2B:5F:CF:3C:21:4F:9D:04:B7:ED:2B:2C:C4:C6:70:8B:D2:D7:0D
-            X509v3 Authority Key Identifier: 
-                7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
-            Authority Information Access: 
-                CA Issuers - URI:http://x2.i.lencr.org/
-            X509v3 Certificate Policies: 
-                Policy: 2.23.140.1.2.1
-            X509v3 CRL Distribution Points: 
-                Full Name:
-                  URI:http://x2.c.lencr.org/
-    Signature Algorithm: ecdsa-with-SHA384
-    Signature Value:
-        30:64:02:30:1b:6d:2e:45:41:1c:45:3e:d9:5f:34:18:74:67:
-        13:79:ba:ab:29:b5:b6:10:4e:83:27:4a:8b:45:4e:c7:7b:cf:
-        f4:40:30:1d:61:a5:e6:1c:6d:a4:90:09:92:6e:46:4b:02:30:
-        46:29:18:84:34:7a:bc:fb:de:d8:1b:d8:19:a7:04:f5:cb:7e:
-        e7:6d:84:d9:da:8e:ea:ce:36:30:b9:a2:80:4c:2c:e6:60:12:
-        4b:a9:76:aa:e8:6d:95:47:da:72:09:0c
------BEGIN CERTIFICATE-----
-MIICtDCCAjugAwIBAgIQGG511O6woF39Lagghl0eMTAKBggqhkjOPQQDAzBPMQsw
-CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
-R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yNDAzMTMwMDAwMDBaFw0y
-NzAzMTIyMzU5NTlaMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNy
-eXB0MQswCQYDVQQDEwJFNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABA0LOoprYY62
-79xfWOfGQkVUq2P2ZmFICi5ZdbSBAjdQtz8WedyY7KEol3IgHCzP1XxSIE5UeFuE
-FGvAkK6F7MBRQTxah38GTdT+YNH6bC3hfZUQiKIIVA+ZGkzm6gqs2KOB+DCB9TAO
-BgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIG
-A1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJ8rX888IU+dBLftKyzExnCL0tcN
-MB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEBBCYw
-JDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzATBgNVHSAEDDAK
-MAgGBmeBDAECATAnBgNVHR8EIDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5v
-cmcvMAoGCCqGSM49BAMDA2cAMGQCMBttLkVBHEU+2V80GHRnE3m6qym1thBOgydK
-i0VOx3vP9EAwHWGl5hxtpJAJkm5GSwIwRikYhDR6vPve2BvYGacE9ct+522E2dqO
-6s42MLmigEws5mASS6l2quhtlUfacgkM
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Validity
-            Not Before: Sep  4 00:00:00 2020 GMT
-            Not After : Sep 17 16:00:00 2040 GMT
-        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:cd:9b:d5:9f:80:83:0a:ec:09:4a:f3:16:4a:3e:
-                    5c:cf:77:ac:de:67:05:0d:1d:07:b6:dc:16:fb:5a:
-                    8b:14:db:e2:71:60:c4:ba:45:95:11:89:8e:ea:06:
-                    df:f7:2a:16:1c:a4:b9:c5:c5:32:e0:03:e0:1e:82:
-                    18:38:8b:d7:45:d8:0a:6a:6e:e6:00:77:fb:02:51:
-                    7d:22:d8:0a:6e:9a:5b:77:df:f0:fa:41:ec:39:dc:
-                    75:ca:68:07:0c:1f:ea
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
-    Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:30:7b:79:4e:46:50:84:c2:44:87:46:1b:45:70:ff:
-         58:99:de:f4:fd:a4:d2:55:a6:20:2d:74:d6:34:bc:41:a3:50:
-         5f:01:27:56:b4:be:27:75:06:af:12:2e:75:98:8d:fc:02:31:
-         00:8b:f5:77:6c:d4:c8:65:aa:e0:0b:2c:ee:14:9d:27:37:a4:
-         f9:53:a5:51:e4:29:83:d7:f8:90:31:5b:42:9f:0a:f5:fe:ae:
-         00:68:e7:8c:49:0f:b6:6f:5b:5b:15:f2:e7
------BEGIN CERTIFICATE-----
-MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
-CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
-R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
-MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
-ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
-EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
-+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
-ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
-AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
-zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
-tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
-/q4AaOeMSQ+2b1tbFfLn
------END CERTIFICATE-----
diff --git a/certs/ISRG-Root-X2.pem b/certs/ISRG-Root-X2.pem
new file mode 100644
index 0000000..9cca880
--- /dev/null
+++ b/certs/ISRG-Root-X2.pem
@@ -0,0 +1,21 @@
+# Issuer: CN=ISRG Root X2 O=Internet Security Research Group
+# Subject: CN=ISRG Root X2 O=Internet Security Research Group
+# Label: "ISRG Root X2"
+# Serial: 87493402998870891108772069816698636114
+# MD5 Fingerprint: d3:9e:c4:1e:23:3c:a6:df:cf:a3:7e:6d:e0:14:e6:e5
+# SHA1 Fingerprint: bd:b1:b9:3c:d5:97:8d:45:c6:26:14:55:f8:db:95:c7:5a:d1:53:af
+# SHA256 Fingerprint: 69:72:9b:8e:15:a8:6e:fc:17:7a:57:af:b7:17:1d:fc:64:ad:d2:8c:2f:ca:8c:f1:50:7e:34:45:3c:cb:14:70
+-----BEGIN CERTIFICATE-----
+MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+/q4AaOeMSQ+2b1tbFfLn
+-----END CERTIFICATE-----
diff --git a/global-config.rsc b/global-config.rsc
index a0835f8..734b51e 100644
--- a/global-config.rsc
+++ b/global-config.rsc
@@ -92,11 +92,11 @@
 :global FwAddrLists {
 #  "allow"={
 #    { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/allow";
-#      cert="E5"; timeout=1w };
+#      cert="ISRG Root X2"; timeout=1w };
 #  };
   "block"={
 #    { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/block";
-#      cert="E5" };
+#      cert="ISRG Root X2" };
     { url="https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt";
       cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" };
     { url="https://sslbl.abuse.ch/blacklist/sslipblacklist.txt";
@@ -112,7 +112,7 @@
   };
 #  "mikrotik"={
 #    { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/mikrotik";
-#      cert="E5"; timeout=1w };
+#      cert="ISRG Root X2"; timeout=1w };
 #  };
 };
 :global FwAddrListTimeOut 1d;
diff --git a/global-functions.rsc b/global-functions.rsc
index eb700ef..6c5ce02 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -999,7 +999,7 @@
   :global SymbolForNotification;
   :global ValidateSyntax;
 
-  :if ([ $CertificateAvailable "E5" ] = false) do={
+  :if ([ $CertificateAvailable "ISRG Root X2" ] = false) do={
     $LogPrint warning $0 ("Downloading certificate failed, trying without.");
   }
 

From 3f51ebc125384e0fbdcb148962f81e382e07ca90 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 09:52:17 +0200
Subject: [PATCH 02/11] certs: R3 / R10 -> ISRG Root X1

---
 certs/ISRG-Root-X1.pem    |  38 ++++++
 certs/R10.pem             | 231 -------------------------------------
 certs/R3.pem              | 237 --------------------------------------
 global-config.rsc         |   2 +-
 global-functions.rsc      |   2 +-
 mod/notification-ntfy.rsc |   2 +-
 6 files changed, 41 insertions(+), 471 deletions(-)
 create mode 100644 certs/ISRG-Root-X1.pem
 delete mode 100644 certs/R10.pem
 delete mode 100644 certs/R3.pem

diff --git a/certs/ISRG-Root-X1.pem b/certs/ISRG-Root-X1.pem
new file mode 100644
index 0000000..995c95d
--- /dev/null
+++ b/certs/ISRG-Root-X1.pem
@@ -0,0 +1,38 @@
+# Issuer: CN=ISRG Root X1 O=Internet Security Research Group
+# Subject: CN=ISRG Root X1 O=Internet Security Research Group
+# Label: "ISRG Root X1"
+# Serial: 172886928669790476064670243504169061120
+# MD5 Fingerprint: 0c:d2:f9:e0:da:17:73:e9:ed:86:4d:a5:e3:70:e7:4e
+# SHA1 Fingerprint: ca:bd:2a:79:a1:07:6a:31:f2:1d:25:36:35:cb:03:9d:43:29:a5:e8
+# SHA256 Fingerprint: 96:bc:ec:06:26:49:76:f3:74:60:77:9a:cf:28:c5:a7:cf:e8:a3:c0:aa:e1:1a:8f:fc:ee:05:c0:bd:df:08:c6
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
diff --git a/certs/R10.pem b/certs/R10.pem
deleted file mode 100644
index e8c1c4a..0000000
--- a/certs/R10.pem
+++ /dev/null
@@ -1,231 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            4b:a8:52:93:f7:9a:2f:a2:73:06:4b:a8:04:8d:75:d0
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
-        Validity
-            Not Before: Mar 13 00:00:00 2024 GMT
-            Not After : Mar 12 23:59:59 2027 GMT
-        Subject: C=US, O=Let's Encrypt, CN=R10
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:cf:57:e5:e6:c4:54:12:ed:b4:47:fe:c9:27:58:
-                    76:46:50:28:8c:1d:3e:88:df:05:9d:d5:b5:18:29:
-                    bd:dd:b5:5a:bf:fa:f6:ce:a3:be:af:00:21:4b:62:
-                    5a:5a:3c:01:2f:c5:58:03:f6:89:ff:8e:11:43:eb:
-                    c1:b5:e0:14:07:96:8f:6f:1f:d7:e7:ba:81:39:09:
-                    75:65:b7:c2:af:18:5b:37:26:28:e7:a3:f4:07:2b:
-                    6d:1a:ff:ab:58:bc:95:ae:40:ff:e9:cb:57:c4:b5:
-                    5b:7f:78:0d:18:61:bc:17:e7:54:c6:bb:49:91:cd:
-                    6e:18:d1:80:85:ee:a6:65:36:bc:74:ea:bc:50:4c:
-                    ea:fc:21:f3:38:16:93:94:ba:b0:d3:6b:38:06:cd:
-                    16:12:7a:ca:52:75:c8:ad:76:b2:c2:9c:5d:98:45:
-                    5c:6f:61:7b:c6:2d:ee:3c:13:52:86:01:d9:57:e6:
-                    38:1c:df:8d:b5:1f:92:91:9a:e7:4a:1c:cc:45:a8:
-                    72:55:f0:b0:e6:a3:07:ec:fd:a7:1b:66:9e:3f:48:
-                    8b:71:84:71:58:c9:3a:fa:ef:5e:f2:5b:44:2b:3c:
-                    74:e7:8f:b2:47:c1:07:6a:cd:9a:b7:0d:96:f7:12:
-                    81:26:51:54:0a:ec:61:f6:f7:f5:e2:f2:8a:c8:95:
-                    0d:8d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Client Authentication, TLS Web Server Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
-            X509v3 Authority Key Identifier: 
-                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
-            Authority Information Access: 
-                CA Issuers - URI:http://x1.i.lencr.org/
-            X509v3 Certificate Policies: 
-                Policy: 2.23.140.1.2.1
-            X509v3 CRL Distribution Points: 
-                Full Name:
-                  URI:http://x1.c.lencr.org/
-    Signature Algorithm: sha256WithRSAEncryption
-    Signature Value:
-        92:b1:e7:41:37:eb:79:9d:81:e6:cd:e2:25:e1:3a:20:e9:90:
-        44:95:a3:81:5c:cf:c3:5d:fd:bd:a0:70:d5:b1:96:28:22:0b:
-        d2:f2:28:cf:0c:e7:d4:e6:43:8c:24:22:1d:c1:42:92:d1:09:
-        af:9f:4b:f4:c8:70:4f:20:16:b1:5a:dd:01:f6:1f:f8:1f:61:
-        6b:14:27:b0:72:8d:63:ae:ee:e2:ce:4b:cf:37:dd:bb:a3:d4:
-        cd:e7:ad:50:ad:bd:bf:e3:ec:3e:62:36:70:99:31:a7:e8:8d:
-        dd:ea:62:e2:12:ae:f5:9c:d4:3d:2c:0c:aa:d0:9c:79:be:ea:
-        3d:5c:44:6e:96:31:63:5a:7d:d6:7e:4f:24:a0:4b:05:7f:5e:
-        6f:d2:d4:ea:5f:33:4b:13:d6:57:b6:ca:de:51:b8:5d:a3:09:
-        82:74:fd:c7:78:9e:b3:b9:ac:16:da:4a:2b:96:c3:b6:8b:62:
-        8f:f9:74:19:a2:9e:03:de:e9:6f:9b:b0:0f:d2:a0:5a:f6:85:
-        5c:c2:04:b7:c8:d5:4e:32:c4:bf:04:5d:bc:29:f6:f7:81:8f:
-        0c:5d:3c:53:c9:40:90:8b:fb:b6:08:65:b9:a4:21:d5:09:e5:
-        13:84:84:37:82:ce:10:28:fc:76:c2:06:25:7a:46:52:4d:da:
-        53:72:a4:27:3f:62:70:ac:be:69:48:00:fb:67:0f:db:5b:a1:
-        e8:d7:03:21:2d:d7:c9:f6:99:42:39:83:43:df:77:0a:12:08:
-        f1:25:d6:ba:94:19:54:18:88:a5:c5:8e:e1:1a:99:93:79:6b:
-        ec:1c:f9:31:40:b0:cc:32:00:df:9f:5e:e7:b4:92:ab:90:82:
-        91:8d:0d:e0:1e:95:ba:59:3b:2e:4b:5f:c2:b7:46:35:52:39:
-        06:c0:bd:aa:ac:52:c1:22:a0:44:97:99:f7:0c:a0:21:a7:a1:
-        6c:71:47:16:17:01:68:c0:ca:a6:26:65:04:7c:b3:ae:c9:e7:
-        94:55:c2:6f:9b:3c:1c:a9:f9:2e:c5:20:1a:f0:76:e0:be:ec:
-        18:d6:4f:d8:25:fb:76:11:e8:bf:e6:21:0f:e8:e8:cc:b5:b6:
-        a7:d5:b8:f7:9f:41:cf:61:22:46:6a:83:b6:68:97:2e:7c:ea:
-        4e:95:db:23:eb:2e:c8:2b:28:84:a4:60:e9:49:f4:44:2e:3b:
-        f9:ca:62:57:01:e2:5d:90:16:f9:c9:fc:7a:23:48:8e:a6:d5:
-        81:72:f1:28:fa:5d:ce:fb:ed:4e:73:8f:94:2e:d2:41:94:98:
-        99:db:a7:af:70:5f:f5:be:fb:02:20:bf:66:27:6c:b4:ad:fa:
-        75:12:0b:2b:3e:ce:03:9e
------BEGIN CERTIFICATE-----
-MIIFBTCCAu2gAwIBAgIQS6hSk/eaL6JzBkuoBI110DANBgkqhkiG9w0BAQsFADBP
-MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
-Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
-Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
-bmNyeXB0MQwwCgYDVQQDEwNSMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQDPV+XmxFQS7bRH/sknWHZGUCiMHT6I3wWd1bUYKb3dtVq/+vbOo76vACFL
-YlpaPAEvxVgD9on/jhFD68G14BQHlo9vH9fnuoE5CXVlt8KvGFs3Jijno/QHK20a
-/6tYvJWuQP/py1fEtVt/eA0YYbwX51TGu0mRzW4Y0YCF7qZlNrx06rxQTOr8IfM4
-FpOUurDTazgGzRYSespSdcitdrLCnF2YRVxvYXvGLe48E1KGAdlX5jgc3421H5KR
-mudKHMxFqHJV8LDmowfs/acbZp4/SItxhHFYyTr6717yW0QrPHTnj7JHwQdqzZq3
-DZb3EoEmUVQK7GH29/Xi8orIlQ2NAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
-MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
-AgEAMB0GA1UdDgQWBBS7vMNHpeS8qcbDpHIMEI2iNeHI6DAfBgNVHSMEGDAWgBR5
-tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
-Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
-VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
-AQsFAAOCAgEAkrHnQTfreZ2B5s3iJeE6IOmQRJWjgVzPw139vaBw1bGWKCIL0vIo
-zwzn1OZDjCQiHcFCktEJr59L9MhwTyAWsVrdAfYf+B9haxQnsHKNY67u4s5Lzzfd
-u6PUzeetUK29v+PsPmI2cJkxp+iN3epi4hKu9ZzUPSwMqtCceb7qPVxEbpYxY1p9
-1n5PJKBLBX9eb9LU6l8zSxPWV7bK3lG4XaMJgnT9x3ies7msFtpKK5bDtotij/l0
-GaKeA97pb5uwD9KgWvaFXMIEt8jVTjLEvwRdvCn294GPDF08U8lAkIv7tghluaQh
-1QnlE4SEN4LOECj8dsIGJXpGUk3aU3KkJz9icKy+aUgA+2cP21uh6NcDIS3XyfaZ
-QjmDQ993ChII8SXWupQZVBiIpcWO4RqZk3lr7Bz5MUCwzDIA359e57SSq5CCkY0N
-4B6Vulk7LktfwrdGNVI5BsC9qqxSwSKgRJeZ9wygIaehbHFHFhcBaMDKpiZlBHyz
-rsnnlFXCb5s8HKn5LsUgGvB24L7sGNZP2CX7dhHov+YhD+jozLW2p9W4959Bz2Ei
-RmqDtmiXLnzqTpXbI+suyCsohKRg6Un0RC47+cpiVwHiXZAW+cn8eiNIjqbVgXLx
-KPpdzvvtTnOPlC7SQZSYmdunr3Bf9b77AiC/ZidstK36dRILKz7OA54=
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
-        Validity
-            Not Before: Jun  4 11:04:38 2015 GMT
-            Not After : Jun  4 11:04:38 2035 GMT
-        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:ad:e8:24:73:f4:14:37:f3:9b:9e:2b:57:28:1c:
-                    87:be:dc:b7:df:38:90:8c:6e:3c:e6:57:a0:78:f7:
-                    75:c2:a2:fe:f5:6a:6e:f6:00:4f:28:db:de:68:86:
-                    6c:44:93:b6:b1:63:fd:14:12:6b:bf:1f:d2:ea:31:
-                    9b:21:7e:d1:33:3c:ba:48:f5:dd:79:df:b3:b8:ff:
-                    12:f1:21:9a:4b:c1:8a:86:71:69:4a:66:66:6c:8f:
-                    7e:3c:70:bf:ad:29:22:06:f3:e4:c0:e6:80:ae:e2:
-                    4b:8f:b7:99:7e:94:03:9f:d3:47:97:7c:99:48:23:
-                    53:e8:38:ae:4f:0a:6f:83:2e:d1:49:57:8c:80:74:
-                    b6:da:2f:d0:38:8d:7b:03:70:21:1b:75:f2:30:3c:
-                    fa:8f:ae:dd:da:63:ab:eb:16:4f:c2:8e:11:4b:7e:
-                    cf:0b:e8:ff:b5:77:2e:f4:b2:7b:4a:e0:4c:12:25:
-                    0c:70:8d:03:29:a0:e1:53:24:ec:13:d9:ee:19:bf:
-                    10:b3:4a:8c:3f:89:a3:61:51:de:ac:87:07:94:f4:
-                    63:71:ec:2e:e2:6f:5b:98:81:e1:89:5c:34:79:6c:
-                    76:ef:3b:90:62:79:e6:db:a4:9a:2f:26:c5:d0:10:
-                    e1:0e:de:d9:10:8e:16:fb:b7:f7:a8:f7:c7:e5:02:
-                    07:98:8f:36:08:95:e7:e2:37:96:0d:36:75:9e:fb:
-                    0e:72:b1:1d:9b:bc:03:f9:49:05:d8:81:dd:05:b4:
-                    2a:d6:41:e9:ac:01:76:95:0a:0f:d8:df:d5:bd:12:
-                    1f:35:2f:28:17:6c:d2:98:c1:a8:09:64:77:6e:47:
-                    37:ba:ce:ac:59:5e:68:9d:7f:72:d6:89:c5:06:41:
-                    29:3e:59:3e:dd:26:f5:24:c9:11:a7:5a:a3:4c:40:
-                    1f:46:a1:99:b5:a7:3a:51:6e:86:3b:9e:7d:72:a7:
-                    12:05:78:59:ed:3e:51:78:15:0b:03:8f:8d:d0:2f:
-                    05:b2:3e:7b:4a:1c:4b:73:05:12:fc:c6:ea:e0:50:
-                    13:7c:43:93:74:b3:ca:74:e7:8e:1f:01:08:d0:30:
-                    d4:5b:71:36:b4:07:ba:c1:30:30:5c:48:b7:82:3b:
-                    98:a6:7d:60:8a:a2:a3:29:82:cc:ba:bd:83:04:1b:
-                    a2:83:03:41:a1:d6:05:f1:1b:c2:b6:f0:a8:7c:86:
-                    3b:46:a8:48:2a:88:dc:76:9a:76:bf:1f:6a:a5:3d:
-                    19:8f:eb:38:f3:64:de:c8:2b:0d:0a:28:ff:f7:db:
-                    e2:15:42:d4:22:d0:27:5d:e1:79:fe:18:e7:70:88:
-                    ad:4e:e6:d9:8b:3a:c6:dd:27:51:6e:ff:bc:64:f5:
-                    33:43:4f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
-    Signature Algorithm: sha256WithRSAEncryption
-         55:1f:58:a9:bc:b2:a8:50:d0:0c:b1:d8:1a:69:20:27:29:08:
-         ac:61:75:5c:8a:6e:f8:82:e5:69:2f:d5:f6:56:4b:b9:b8:73:
-         10:59:d3:21:97:7e:e7:4c:71:fb:b2:d2:60:ad:39:a8:0b:ea:
-         17:21:56:85:f1:50:0e:59:eb:ce:e0:59:e9:ba:c9:15:ef:86:
-         9d:8f:84:80:f6:e4:e9:91:90:dc:17:9b:62:1b:45:f0:66:95:
-         d2:7c:6f:c2:ea:3b:ef:1f:cf:cb:d6:ae:27:f1:a9:b0:c8:ae:
-         fd:7d:7e:9a:fa:22:04:eb:ff:d9:7f:ea:91:2b:22:b1:17:0e:
-         8f:f2:8a:34:5b:58:d8:fc:01:c9:54:b9:b8:26:cc:8a:88:33:
-         89:4c:2d:84:3c:82:df:ee:96:57:05:ba:2c:bb:f7:c4:b7:c7:
-         4e:3b:82:be:31:c8:22:73:73:92:d1:c2:80:a4:39:39:10:33:
-         23:82:4c:3c:9f:86:b2:55:98:1d:be:29:86:8c:22:9b:9e:e2:
-         6b:3b:57:3a:82:70:4d:dc:09:c7:89:cb:0a:07:4d:6c:e8:5d:
-         8e:c9:ef:ce:ab:c7:bb:b5:2b:4e:45:d6:4a:d0:26:cc:e5:72:
-         ca:08:6a:a5:95:e3:15:a1:f7:a4:ed:c9:2c:5f:a5:fb:ff:ac:
-         28:02:2e:be:d7:7b:bb:e3:71:7b:90:16:d3:07:5e:46:53:7c:
-         37:07:42:8c:d3:c4:96:9c:d5:99:b5:2a:e0:95:1a:80:48:ae:
-         4c:39:07:ce:cc:47:a4:52:95:2b:ba:b8:fb:ad:d2:33:53:7d:
-         e5:1d:4d:6d:d5:a1:b1:c7:42:6f:e6:40:27:35:5c:a3:28:b7:
-         07:8d:e7:8d:33:90:e7:23:9f:fb:50:9c:79:6c:46:d5:b4:15:
-         b3:96:6e:7e:9b:0c:96:3a:b8:52:2d:3f:d6:5b:e1:fb:08:c2:
-         84:fe:24:a8:a3:89:da:ac:6a:e1:18:2a:b1:a8:43:61:5b:d3:
-         1f:dc:3b:8d:76:f2:2d:e8:8d:75:df:17:33:6c:3d:53:fb:7b:
-         cb:41:5f:ff:dc:a2:d0:61:38:e1:96:b8:ac:5d:8b:37:d7:75:
-         d5:33:c0:99:11:ae:9d:41:c1:72:75:84:be:02:41:42:5f:67:
-         24:48:94:d1:9b:27:be:07:3f:b9:b8:4f:81:74:51:e1:7a:b7:
-         ed:9d:23:e2:be:e0:d5:28:04:13:3c:31:03:9e:dd:7a:6c:8f:
-         c6:07:18:c6:7f:de:47:8e:3f:28:9e:04:06:cf:a5:54:34:77:
-         bd:ec:89:9b:e9:17:43:df:5b:db:5f:fe:8e:1e:57:a2:cd:40:
-         9d:7e:62:22:da:de:18:27
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
------END CERTIFICATE-----
diff --git a/certs/R3.pem b/certs/R3.pem
deleted file mode 100644
index 837b709..0000000
--- a/certs/R3.pem
+++ /dev/null
@@ -1,237 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
-        Validity
-            Not Before: Sep  4 00:00:00 2020 GMT
-            Not After : Sep 15 16:00:00 2025 GMT
-        Subject: C = US, O = Let's Encrypt, CN = R3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:bb:02:15:28:cc:f6:a0:94:d3:0f:12:ec:8d:55:
-                    92:c3:f8:82:f1:99:a6:7a:42:88:a7:5d:26:aa:b5:
-                    2b:b9:c5:4c:b1:af:8e:6b:f9:75:c8:a3:d7:0f:47:
-                    94:14:55:35:57:8c:9e:a8:a2:39:19:f5:82:3c:42:
-                    a9:4e:6e:f5:3b:c3:2e:db:8d:c0:b0:5c:f3:59:38:
-                    e7:ed:cf:69:f0:5a:0b:1b:be:c0:94:24:25:87:fa:
-                    37:71:b3:13:e7:1c:ac:e1:9b:ef:db:e4:3b:45:52:
-                    45:96:a9:c1:53:ce:34:c8:52:ee:b5:ae:ed:8f:de:
-                    60:70:e2:a5:54:ab:b6:6d:0e:97:a5:40:34:6b:2b:
-                    d3:bc:66:eb:66:34:7c:fa:6b:8b:8f:57:29:99:f8:
-                    30:17:5d:ba:72:6f:fb:81:c5:ad:d2:86:58:3d:17:
-                    c7:e7:09:bb:f1:2b:f7:86:dc:c1:da:71:5d:d4:46:
-                    e3:cc:ad:25:c1:88:bc:60:67:75:66:b3:f1:18:f7:
-                    a2:5c:e6:53:ff:3a:88:b6:47:a5:ff:13:18:ea:98:
-                    09:77:3f:9d:53:f9:cf:01:e5:f5:a6:70:17:14:af:
-                    63:a4:ff:99:b3:93:9d:dc:53:a7:06:fe:48:85:1d:
-                    a1:69:ae:25:75:bb:13:cc:52:03:f5:ed:51:a1:8b:
-                    db:15
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Client Authentication, TLS Web Server Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
-            X509v3 Authority Key Identifier: 
-                keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
-
-            Authority Information Access: 
-                CA Issuers - URI:http://x1.i.lencr.org/
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://x1.c.lencr.org/
-
-            X509v3 Certificate Policies: 
-                Policy: 2.23.140.1.2.1
-                Policy: 1.3.6.1.4.1.44947.1.1.1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         85:ca:4e:47:3e:a3:f7:85:44:85:bc:d5:67:78:b2:98:63:ad:
-         75:4d:1e:96:3d:33:65:72:54:2d:81:a0:ea:c3:ed:f8:20:bf:
-         5f:cc:b7:70:00:b7:6e:3b:f6:5e:94:de:e4:20:9f:a6:ef:8b:
-         b2:03:e7:a2:b5:16:3c:91:ce:b4:ed:39:02:e7:7c:25:8a:47:
-         e6:65:6e:3f:46:f4:d9:f0:ce:94:2b:ee:54:ce:12:bc:8c:27:
-         4b:b8:c1:98:2f:a2:af:cd:71:91:4a:08:b7:c8:b8:23:7b:04:
-         2d:08:f9:08:57:3e:83:d9:04:33:0a:47:21:78:09:82:27:c3:
-         2a:c8:9b:b9:ce:5c:f2:64:c8:c0:be:79:c0:4f:8e:6d:44:0c:
-         5e:92:bb:2e:f7:8b:10:e1:e8:1d:44:29:db:59:20:ed:63:b9:
-         21:f8:12:26:94:93:57:a0:1d:65:04:c1:0a:22:ae:10:0d:43:
-         97:a1:18:1f:7e:e0:e0:86:37:b5:5a:b1:bd:30:bf:87:6e:2b:
-         2a:ff:21:4e:1b:05:c3:f5:18:97:f0:5e:ac:c3:a5:b8:6a:f0:
-         2e:bc:3b:33:b9:ee:4b:de:cc:fc:e4:af:84:0b:86:3f:c0:55:
-         43:36:f6:68:e1:36:17:6a:8e:99:d1:ff:a5:40:a7:34:b7:c0:
-         d0:63:39:35:39:75:6e:f2:ba:76:c8:93:02:e9:a9:4b:6c:17:
-         ce:0c:02:d9:bd:81:fb:9f:b7:68:d4:06:65:b3:82:3d:77:53:
-         f8:8e:79:03:ad:0a:31:07:75:2a:43:d8:55:97:72:c4:29:0e:
-         f7:c4:5d:4e:c8:ae:46:84:30:d7:f2:85:5f:18:a1:79:bb:e7:
-         5e:70:8b:07:e1:86:93:c3:b9:8f:dc:61:71:25:2a:af:df:ed:
-         25:50:52:68:8b:92:dc:e5:d6:b5:e3:da:7d:d0:87:6c:84:21:
-         31:ae:82:f5:fb:b9:ab:c8:89:17:3d:e1:4c:e5:38:0e:f6:bd:
-         2b:bd:96:81:14:eb:d5:db:3d:20:a7:7e:59:d3:e2:f8:58:f9:
-         5b:b8:48:cd:fe:5c:4f:16:29:fe:1e:55:23:af:c8:11:b0:8d:
-         ea:7c:93:90:17:2f:fd:ac:a2:09:47:46:3f:f0:e9:b0:b7:ff:
-         28:4d:68:32:d6:67:5e:1e:69:a3:93:b8:f5:9d:8b:2f:0b:d2:
-         52:43:a6:6f:32:57:65:4d:32:81:df:38:53:85:5d:7e:5d:66:
-         29:ea:b8:dd:e4:95:b5:cd:b5:56:12:42:cd:c4:4e:c6:25:38:
-         44:50:6d:ec:ce:00:55:18:fe:e9:49:64:d4:4e:ca:97:9c:b4:
-         5b:c0:73:a8:ab:b8:47:c2
------BEGIN CERTIFICATE-----
-MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
-WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
-RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
-R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
-sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
-NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
-Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
-/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
-AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
-FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
-AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
-Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
-gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
-PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
-ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
-CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
-lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
-avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
-yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
-yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
-hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
-HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
-MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
-nLRbwHOoq7hHwg==
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
-        Validity
-            Not Before: Jun  4 11:04:38 2015 GMT
-            Not After : Jun  4 11:04:38 2035 GMT
-        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:ad:e8:24:73:f4:14:37:f3:9b:9e:2b:57:28:1c:
-                    87:be:dc:b7:df:38:90:8c:6e:3c:e6:57:a0:78:f7:
-                    75:c2:a2:fe:f5:6a:6e:f6:00:4f:28:db:de:68:86:
-                    6c:44:93:b6:b1:63:fd:14:12:6b:bf:1f:d2:ea:31:
-                    9b:21:7e:d1:33:3c:ba:48:f5:dd:79:df:b3:b8:ff:
-                    12:f1:21:9a:4b:c1:8a:86:71:69:4a:66:66:6c:8f:
-                    7e:3c:70:bf:ad:29:22:06:f3:e4:c0:e6:80:ae:e2:
-                    4b:8f:b7:99:7e:94:03:9f:d3:47:97:7c:99:48:23:
-                    53:e8:38:ae:4f:0a:6f:83:2e:d1:49:57:8c:80:74:
-                    b6:da:2f:d0:38:8d:7b:03:70:21:1b:75:f2:30:3c:
-                    fa:8f:ae:dd:da:63:ab:eb:16:4f:c2:8e:11:4b:7e:
-                    cf:0b:e8:ff:b5:77:2e:f4:b2:7b:4a:e0:4c:12:25:
-                    0c:70:8d:03:29:a0:e1:53:24:ec:13:d9:ee:19:bf:
-                    10:b3:4a:8c:3f:89:a3:61:51:de:ac:87:07:94:f4:
-                    63:71:ec:2e:e2:6f:5b:98:81:e1:89:5c:34:79:6c:
-                    76:ef:3b:90:62:79:e6:db:a4:9a:2f:26:c5:d0:10:
-                    e1:0e:de:d9:10:8e:16:fb:b7:f7:a8:f7:c7:e5:02:
-                    07:98:8f:36:08:95:e7:e2:37:96:0d:36:75:9e:fb:
-                    0e:72:b1:1d:9b:bc:03:f9:49:05:d8:81:dd:05:b4:
-                    2a:d6:41:e9:ac:01:76:95:0a:0f:d8:df:d5:bd:12:
-                    1f:35:2f:28:17:6c:d2:98:c1:a8:09:64:77:6e:47:
-                    37:ba:ce:ac:59:5e:68:9d:7f:72:d6:89:c5:06:41:
-                    29:3e:59:3e:dd:26:f5:24:c9:11:a7:5a:a3:4c:40:
-                    1f:46:a1:99:b5:a7:3a:51:6e:86:3b:9e:7d:72:a7:
-                    12:05:78:59:ed:3e:51:78:15:0b:03:8f:8d:d0:2f:
-                    05:b2:3e:7b:4a:1c:4b:73:05:12:fc:c6:ea:e0:50:
-                    13:7c:43:93:74:b3:ca:74:e7:8e:1f:01:08:d0:30:
-                    d4:5b:71:36:b4:07:ba:c1:30:30:5c:48:b7:82:3b:
-                    98:a6:7d:60:8a:a2:a3:29:82:cc:ba:bd:83:04:1b:
-                    a2:83:03:41:a1:d6:05:f1:1b:c2:b6:f0:a8:7c:86:
-                    3b:46:a8:48:2a:88:dc:76:9a:76:bf:1f:6a:a5:3d:
-                    19:8f:eb:38:f3:64:de:c8:2b:0d:0a:28:ff:f7:db:
-                    e2:15:42:d4:22:d0:27:5d:e1:79:fe:18:e7:70:88:
-                    ad:4e:e6:d9:8b:3a:c6:dd:27:51:6e:ff:bc:64:f5:
-                    33:43:4f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
-    Signature Algorithm: sha256WithRSAEncryption
-         55:1f:58:a9:bc:b2:a8:50:d0:0c:b1:d8:1a:69:20:27:29:08:
-         ac:61:75:5c:8a:6e:f8:82:e5:69:2f:d5:f6:56:4b:b9:b8:73:
-         10:59:d3:21:97:7e:e7:4c:71:fb:b2:d2:60:ad:39:a8:0b:ea:
-         17:21:56:85:f1:50:0e:59:eb:ce:e0:59:e9:ba:c9:15:ef:86:
-         9d:8f:84:80:f6:e4:e9:91:90:dc:17:9b:62:1b:45:f0:66:95:
-         d2:7c:6f:c2:ea:3b:ef:1f:cf:cb:d6:ae:27:f1:a9:b0:c8:ae:
-         fd:7d:7e:9a:fa:22:04:eb:ff:d9:7f:ea:91:2b:22:b1:17:0e:
-         8f:f2:8a:34:5b:58:d8:fc:01:c9:54:b9:b8:26:cc:8a:88:33:
-         89:4c:2d:84:3c:82:df:ee:96:57:05:ba:2c:bb:f7:c4:b7:c7:
-         4e:3b:82:be:31:c8:22:73:73:92:d1:c2:80:a4:39:39:10:33:
-         23:82:4c:3c:9f:86:b2:55:98:1d:be:29:86:8c:22:9b:9e:e2:
-         6b:3b:57:3a:82:70:4d:dc:09:c7:89:cb:0a:07:4d:6c:e8:5d:
-         8e:c9:ef:ce:ab:c7:bb:b5:2b:4e:45:d6:4a:d0:26:cc:e5:72:
-         ca:08:6a:a5:95:e3:15:a1:f7:a4:ed:c9:2c:5f:a5:fb:ff:ac:
-         28:02:2e:be:d7:7b:bb:e3:71:7b:90:16:d3:07:5e:46:53:7c:
-         37:07:42:8c:d3:c4:96:9c:d5:99:b5:2a:e0:95:1a:80:48:ae:
-         4c:39:07:ce:cc:47:a4:52:95:2b:ba:b8:fb:ad:d2:33:53:7d:
-         e5:1d:4d:6d:d5:a1:b1:c7:42:6f:e6:40:27:35:5c:a3:28:b7:
-         07:8d:e7:8d:33:90:e7:23:9f:fb:50:9c:79:6c:46:d5:b4:15:
-         b3:96:6e:7e:9b:0c:96:3a:b8:52:2d:3f:d6:5b:e1:fb:08:c2:
-         84:fe:24:a8:a3:89:da:ac:6a:e1:18:2a:b1:a8:43:61:5b:d3:
-         1f:dc:3b:8d:76:f2:2d:e8:8d:75:df:17:33:6c:3d:53:fb:7b:
-         cb:41:5f:ff:dc:a2:d0:61:38:e1:96:b8:ac:5d:8b:37:d7:75:
-         d5:33:c0:99:11:ae:9d:41:c1:72:75:84:be:02:41:42:5f:67:
-         24:48:94:d1:9b:27:be:07:3f:b9:b8:4f:81:74:51:e1:7a:b7:
-         ed:9d:23:e2:be:e0:d5:28:04:13:3c:31:03:9e:dd:7a:6c:8f:
-         c6:07:18:c6:7f:de:47:8e:3f:28:9e:04:06:cf:a5:54:34:77:
-         bd:ec:89:9b:e9:17:43:df:5b:db:5f:fe:8e:1e:57:a2:cd:40:
-         9d:7e:62:22:da:de:18:27
------BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
------END CERTIFICATE-----
diff --git a/global-config.rsc b/global-config.rsc
index 734b51e..f99fdf1 100644
--- a/global-config.rsc
+++ b/global-config.rsc
@@ -102,7 +102,7 @@
     { url="https://sslbl.abuse.ch/blacklist/sslipblacklist.txt";
       cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" };
     { url="https://www.dshield.org/block.txt"; cidr="/24";
-      cert="R3" };
+      cert="ISRG Root X1" };
     { url="https://lists.blocklist.de/lists/strongips.txt";
       cert="Certum Domain Validation CA SHA2" };
 #    { url="https://www.spamhaus.org/drop/drop.txt";
diff --git a/global-functions.rsc b/global-functions.rsc
index 6c5ce02..567444e 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -334,7 +334,7 @@
     :return true;
   }
 
-  :if ([ $CertificateAvailable "R3" ] = false) do={
+  :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
     $LogPrint error $0 ("Downloading required certificate failed.");
     :return false;
   }
diff --git a/mod/notification-ntfy.rsc b/mod/notification-ntfy.rsc
index 4413f07..cdc10e7 100644
--- a/mod/notification-ntfy.rsc
+++ b/mod/notification-ntfy.rsc
@@ -98,7 +98,7 @@
 
   :do {
     :if ($NtfyServer = "ntfy.sh") do={
-      :if ([ $CertificateAvailable "R3" ] = false) do={
+      :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
         $LogPrint warning $0 ("Downloading required certificate failed.");
         :error false;
       }

From b875d64724a8ac3218b2e0779effe19c1729e11a Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 10:25:53 +0200
Subject: [PATCH 03/11] certs: GlobalSign Atlas R3 DV TLS CA 2022 Q3 ->
 GlobalSign

---
 .../GlobalSign-Atlas-R3-DV-TLS-CA-2022-Q3.pem | 177 ------------------
 certs/GlobalSign.pem                          |  28 +++
 global-config.rsc                             |   4 +-
 3 files changed, 30 insertions(+), 179 deletions(-)
 delete mode 100644 certs/GlobalSign-Atlas-R3-DV-TLS-CA-2022-Q3.pem
 create mode 100644 certs/GlobalSign.pem

diff --git a/certs/GlobalSign-Atlas-R3-DV-TLS-CA-2022-Q3.pem b/certs/GlobalSign-Atlas-R3-DV-TLS-CA-2022-Q3.pem
deleted file mode 100644
index b514c11..0000000
--- a/certs/GlobalSign-Atlas-R3-DV-TLS-CA-2022-Q3.pem
+++ /dev/null
@@ -1,177 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            7c:2a:0c:21:3f:c6:55:53:45:c9:1f:19:1f:b8:4e:fa
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
-        Validity
-            Not Before: Apr 20 12:00:00 2022 GMT
-            Not After : Apr 20 00:00:00 2025 GMT
-        Subject: C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2022 Q3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b8:a8:7a:66:3c:4e:66:9c:ce:37:a5:54:35:4d:
-                    36:c7:99:d3:a8:27:36:f2:2f:c6:d5:18:3e:e9:09:
-                    dd:05:d6:d7:2c:34:32:7c:08:63:49:d1:10:37:e5:
-                    78:5d:11:62:ce:6d:fb:2f:3f:37:94:db:8f:7b:30:
-                    e9:5e:2c:d9:55:3f:b2:db:b9:a0:b5:60:37:8b:a4:
-                    06:32:35:50:a4:09:af:0a:45:ff:a8:1f:9b:65:8e:
-                    dd:4a:e0:40:a1:e3:63:37:58:90:dd:75:3b:fc:0e:
-                    1c:82:40:98:bd:70:b1:c1:48:14:14:3c:04:4b:69:
-                    dd:d4:9c:01:a6:e9:21:e3:82:0a:fe:e4:aa:bf:34:
-                    a0:8c:cb:c9:79:6e:3e:5c:6a:52:9e:c4:ed:2b:c5:
-                    69:fe:50:3c:93:9d:b5:ff:2d:28:a8:6c:06:6c:9d:
-                    c5:af:b2:59:fb:59:77:0d:74:7a:88:84:a4:d4:1d:
-                    d4:ba:20:06:cc:b5:1e:48:4e:74:21:15:86:75:c0:
-                    cc:5a:d1:05:cf:57:16:7a:13:17:ec:c2:4a:ae:d5:
-                    1e:72:aa:22:5a:8c:9c:82:32:c4:10:e6:42:6e:21:
-                    86:68:7c:80:23:30:35:d3:bd:b0:5e:0a:29:2b:f0:
-                    14:b1:18:37:d9:59:25:c3:e7:38:d9:e9:d4:2d:36:
-                    35:65
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                FA:91:39:63:9A:FB:AD:10:24:E5:BE:B5:B9:DA:AB:D9:C4:46:69:AB
-            X509v3 Authority Key Identifier: 
-                8F:F0:4B:7F:A8:2E:45:24:AE:4D:50:FA:63:9A:8B:DE:E2:DD:1B:BC
-            Authority Information Access: 
-                OCSP - URI:http://ocsp2.globalsign.com/rootr3
-                CA Issuers - URI:http://secure.globalsign.com/cacert/root-r3.crt
-            X509v3 CRL Distribution Points: 
-                Full Name:
-                  URI:http://crl.globalsign.com/root-r3.crl
-            X509v3 Certificate Policies: 
-                Policy: 2.23.140.1.2.1
-                Policy: 1.3.6.1.4.1.4146.10.1.3
-    Signature Algorithm: sha256WithRSAEncryption
-    Signature Value:
-        14:33:2c:79:e5:3f:82:c6:70:3f:da:59:38:a7:bb:a2:76:ac:
-        61:18:05:68:57:d9:0d:fb:8a:46:bc:f1:a8:e8:0c:70:02:1d:
-        c6:2f:97:ed:36:3e:9e:52:86:2f:5c:62:d8:d5:47:43:9a:73:
-        d1:2b:25:87:9f:44:b4:14:eb:26:bc:21:47:74:20:bd:9f:a4:
-        bf:b3:80:1d:4d:35:7d:cd:b9:b5:da:55:f2:90:50:c8:b2:17:
-        4e:0e:b4:61:88:29:5f:44:5d:03:7f:57:91:81:d0:eb:30:ae:
-        d5:2a:ec:82:20:ce:4e:d2:b0:8b:95:02:61:73:d8:69:34:f4:
-        ad:63:0e:5c:e4:20:1f:a9:7d:ed:8e:e5:1c:04:bb:22:9f:c7:
-        a9:22:ca:99:3d:02:a7:67:e8:06:2d:fa:04:6b:bb:49:d2:6c:
-        99:57:63:6c:2d:c2:61:78:e1:20:b1:fb:f6:bf:e1:82:39:39:
-        3c:7b:ef:7d:1a:95:4a:b2:72:da:55:90:ae:ed:dd:e2:70:90:
-        7c:1a:ee:b5:32:5a:5d:cf:d6:fa:45:f2:9e:01:0c:31:2f:89:
-        84:fe:31:60:0f:fd:ee:a6:5b:84:d5:c7:18:e6:a4:f9:40:30:
-        29:18:1e:fe:fc:41:b5:b9:29:05:75:8b:62:1a:5b:22:2e:bf:
-        e4:59:6c:b0
------BEGIN CERTIFICATE-----
-MIIEjzCCA3egAwIBAgIQfCoMIT/GVVNFyR8ZH7hO+jANBgkqhkiG9w0BAQsFADBM
-MSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xv
-YmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0yMjA0MjAxMjAwMDBaFw0y
-NTA0MjAwMDAwMDBaMFgxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWdu
-IG52LXNhMS4wLAYDVQQDEyVHbG9iYWxTaWduIEF0bGFzIFIzIERWIFRMUyBDQSAy
-MDIyIFEzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKh6ZjxOZpzO
-N6VUNU02x5nTqCc28i/G1Rg+6QndBdbXLDQyfAhjSdEQN+V4XRFizm37Lz83lNuP
-ezDpXizZVT+y27mgtWA3i6QGMjVQpAmvCkX/qB+bZY7dSuBAoeNjN1iQ3XU7/A4c
-gkCYvXCxwUgUFDwES2nd1JwBpukh44IK/uSqvzSgjMvJeW4+XGpSnsTtK8Vp/lA8
-k521/y0oqGwGbJ3Fr7JZ+1l3DXR6iISk1B3UuiAGzLUeSE50IRWGdcDMWtEFz1cW
-ehMX7MJKrtUecqoiWoycgjLEEOZCbiGGaHyAIzA1072wXgopK/AUsRg32Vklw+c4
-2enULTY1ZQIDAQABo4IBXzCCAVswDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
-CCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQW
-BBT6kTljmvutECTlvrW52qvZxEZpqzAfBgNVHSMEGDAWgBSP8Et/qC5FJK5NUPpj
-move4t0bvDB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3Nw
-Mi5nbG9iYWxzaWduLmNvbS9yb290cjMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1
-cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L3Jvb3QtcjMuY3J0MDYGA1UdHwQvMC0w
-K6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vcm9vdC1yMy5jcmwwIQYD
-VR0gBBowGDAIBgZngQwBAgEwDAYKKwYBBAGgMgoBAzANBgkqhkiG9w0BAQsFAAOC
-AQEAFDMseeU/gsZwP9pZOKe7onasYRgFaFfZDfuKRrzxqOgMcAIdxi+X7TY+nlKG
-L1xi2NVHQ5pz0Sslh59EtBTrJrwhR3QgvZ+kv7OAHU01fc25tdpV8pBQyLIXTg60
-YYgpX0RdA39XkYHQ6zCu1SrsgiDOTtKwi5UCYXPYaTT0rWMOXOQgH6l97Y7lHAS7
-Ip/HqSLKmT0Cp2foBi36BGu7SdJsmVdjbC3CYXjhILH79r/hgjk5PHvvfRqVSrJy
-2lWQru3d4nCQfBrutTJaXc/W+kXyngEMMS+JhP4xYA/97qZbhNXHGOak+UAwKRge
-/vxBtbkpBXWLYhpbIi6/5FlssA==
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            04:00:00:00:00:01:21:58:53:08:a2
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
-        Validity
-            Not Before: Mar 18 10:00:00 2009 GMT
-            Not After : Mar 18 10:00:00 2029 GMT
-        Subject: OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:cc:25:76:90:79:06:78:22:16:f5:c0:83:b6:84:
-                    ca:28:9e:fd:05:76:11:c5:ad:88:72:fc:46:02:43:
-                    c7:b2:8a:9d:04:5f:24:cb:2e:4b:e1:60:82:46:e1:
-                    52:ab:0c:81:47:70:6c:dd:64:d1:eb:f5:2c:a3:0f:
-                    82:3d:0c:2b:ae:97:d7:b6:14:86:10:79:bb:3b:13:
-                    80:77:8c:08:e1:49:d2:6a:62:2f:1f:5e:fa:96:68:
-                    df:89:27:95:38:9f:06:d7:3e:c9:cb:26:59:0d:73:
-                    de:b0:c8:e9:26:0e:83:15:c6:ef:5b:8b:d2:04:60:
-                    ca:49:a6:28:f6:69:3b:f6:cb:c8:28:91:e5:9d:8a:
-                    61:57:37:ac:74:14:dc:74:e0:3a:ee:72:2f:2e:9c:
-                    fb:d0:bb:bf:f5:3d:00:e1:06:33:e8:82:2b:ae:53:
-                    a6:3a:16:73:8c:dd:41:0e:20:3a:c0:b4:a7:a1:e9:
-                    b2:4f:90:2e:32:60:e9:57:cb:b9:04:92:68:68:e5:
-                    38:26:60:75:b2:9f:77:ff:91:14:ef:ae:20:49:fc:
-                    ad:40:15:48:d1:02:31:61:19:5e:b8:97:ef:ad:77:
-                    b7:64:9a:7a:bf:5f:c1:13:ef:9b:62:fb:0d:6c:e0:
-                    54:69:16:a9:03:da:6e:e9:83:93:71:76:c6:69:85:
-                    82:17
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                8F:F0:4B:7F:A8:2E:45:24:AE:4D:50:FA:63:9A:8B:DE:E2:DD:1B:BC
-    Signature Algorithm: sha256WithRSAEncryption
-    Signature Value:
-        4b:40:db:c0:50:aa:fe:c8:0c:ef:f7:96:54:45:49:bb:96:00:
-        09:41:ac:b3:13:86:86:28:07:33:ca:6b:e6:74:b9:ba:00:2d:
-        ae:a4:0a:d3:f5:f1:f1:0f:8a:bf:73:67:4a:83:c7:44:7b:78:
-        e0:af:6e:6c:6f:03:29:8e:33:39:45:c3:8e:e4:b9:57:6c:aa:
-        fc:12:96:ec:53:c6:2d:e4:24:6c:b9:94:63:fb:dc:53:68:67:
-        56:3e:83:b8:cf:35:21:c3:c9:68:fe:ce:da:c2:53:aa:cc:90:
-        8a:e9:f0:5d:46:8c:95:dd:7a:58:28:1a:2f:1d:de:cd:00:37:
-        41:8f:ed:44:6d:d7:53:28:97:7e:f3:67:04:1e:15:d7:8a:96:
-        b4:d3:de:4c:27:a4:4c:1b:73:73:76:f4:17:99:c2:1f:7a:0e:
-        e3:2d:08:ad:0a:1c:2c:ff:3c:ab:55:0e:0f:91:7e:36:eb:c3:
-        57:49:be:e1:2e:2d:7c:60:8b:c3:41:51:13:23:9d:ce:f7:32:
-        6b:94:01:a8:99:e7:2c:33:1f:3a:3b:25:d2:86:40:ce:3b:2c:
-        86:78:c9:61:2f:14:ba:ee:db:55:6f:df:84:ee:05:09:4d:bd:
-        28:d8:72:ce:d3:62:50:65:1e:eb:92:97:83:31:d9:b3:b5:ca:
-        47:58:3f:5f
------BEGIN CERTIFICATE-----
-MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
-A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
-Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
-MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
-A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
-RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
-gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
-KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
-QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
-XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
-DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
-LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
-RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
-jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
-6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
-mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
-Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
-WD9f
------END CERTIFICATE-----
diff --git a/certs/GlobalSign.pem b/certs/GlobalSign.pem
new file mode 100644
index 0000000..47035e4
--- /dev/null
+++ b/certs/GlobalSign.pem
@@ -0,0 +1,28 @@
+# Issuer: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R3
+# Subject: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R3
+# Label: "GlobalSign Root CA - R3"
+# Serial: 4835703278459759426209954
+# MD5 Fingerprint: c5:df:b8:49:ca:05:13:55:ee:2d:ba:1a:c3:3e:b0:28
+# SHA1 Fingerprint: d6:9b:56:11:48:f0:1c:77:c5:45:78:c1:09:26:df:5b:85:69:76:ad
+# SHA256 Fingerprint: cb:b5:22:d7:b7:f1:27:ad:6a:01:13:86:5b:df:1c:d4:10:2e:7d:07:59:af:63:5a:7c:f4:72:0d:c9:63:c5:3b
+-----BEGIN CERTIFICATE-----
+MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
+MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
+RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
+gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
+KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
+QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
+XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
+DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
+LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
+RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
+jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
+6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
+mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
+Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
+WD9f
+-----END CERTIFICATE-----
diff --git a/global-config.rsc b/global-config.rsc
index f99fdf1..16de721 100644
--- a/global-config.rsc
+++ b/global-config.rsc
@@ -98,9 +98,9 @@
 #    { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/block";
 #      cert="ISRG Root X2" };
     { url="https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt";
-      cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" };
+      cert="GlobalSign" };
     { url="https://sslbl.abuse.ch/blacklist/sslipblacklist.txt";
-      cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" };
+      cert="GlobalSign" };
     { url="https://www.dshield.org/block.txt"; cidr="/24";
       cert="ISRG Root X1" };
     { url="https://lists.blocklist.de/lists/strongips.txt";

From 944e125ef9186d933609c131dfdd85178a57453b Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 10:29:40 +0200
Subject: [PATCH 04/11] certs: Certum Domain Validation CA SHA2 -> Certum
 Trusted Network CA

---
 certs/Certum-Domain-Validation-CA-SHA2.pem | 176 ---------------------
 certs/Certum-Trusted-Network-CA.pem        |  29 ++++
 global-config.rsc                          |   2 +-
 3 files changed, 30 insertions(+), 177 deletions(-)
 delete mode 100644 certs/Certum-Domain-Validation-CA-SHA2.pem
 create mode 100644 certs/Certum-Trusted-Network-CA.pem

diff --git a/certs/Certum-Domain-Validation-CA-SHA2.pem b/certs/Certum-Domain-Validation-CA-SHA2.pem
deleted file mode 100644
index 0cc17ac..0000000
--- a/certs/Certum-Domain-Validation-CA-SHA2.pem
+++ /dev/null
@@ -1,176 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 279744 (0x444c0)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
-        Validity
-            Not Before: Oct 22 12:07:37 2008 GMT
-            Not After : Dec 31 12:07:37 2029 GMT
-        Subject: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:e3:fb:7d:a3:72:ba:c2:f0:c9:14:87:f5:6b:01:
-                    4e:e1:6e:40:07:ba:6d:27:5d:7f:f7:5b:2d:b3:5a:
-                    c7:51:5f:ab:a4:32:a6:61:87:b6:6e:0f:86:d2:30:
-                    02:97:f8:d7:69:57:a1:18:39:5d:6a:64:79:c6:01:
-                    59:ac:3c:31:4a:38:7c:d2:04:d2:4b:28:e8:20:5f:
-                    3b:07:a2:cc:4d:73:db:f3:ae:4f:c7:56:d5:5a:a7:
-                    96:89:fa:f3:ab:68:d4:23:86:59:27:cf:09:27:bc:
-                    ac:6e:72:83:1c:30:72:df:e0:a2:e9:d2:e1:74:75:
-                    19:bd:2a:9e:7b:15:54:04:1b:d7:43:39:ad:55:28:
-                    c5:e2:1a:bb:f4:c0:e4:ae:38:49:33:cc:76:85:9f:
-                    39:45:d2:a4:9e:f2:12:8c:51:f8:7c:e4:2d:7f:f5:
-                    ac:5f:eb:16:9f:b1:2d:d1:ba:cc:91:42:77:4c:25:
-                    c9:90:38:6f:db:f0:cc:fb:8e:1e:97:59:3e:d5:60:
-                    4e:e6:05:28:ed:49:79:13:4b:ba:48:db:2f:f9:72:
-                    d3:39:ca:fe:1f:d8:34:72:f5:b4:40:cf:31:01:c3:
-                    ec:de:11:2d:17:5d:1f:b8:50:d1:5e:19:a7:69:de:
-                    07:33:28:ca:50:95:f9:a7:54:cb:54:86:50:45:a9:
-                    f9:49
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                08:76:CD:CB:07:FF:24:F6:C5:CD:ED:BB:90:BC:E2:84:37:46:75:F7
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-    Signature Value:
-        a6:a8:ad:22:ce:01:3d:a6:a3:ff:62:d0:48:9d:8b:5e:72:b0:
-        78:44:e3:dc:1c:af:09:fd:23:48:fa:bd:2a:c4:b9:55:04:b5:
-        10:a3:8d:27:de:0b:82:63:d0:ee:de:0c:37:79:41:5b:22:b2:
-        b0:9a:41:5c:a6:70:e0:d4:d0:77:cb:23:d3:00:e0:6c:56:2f:
-        e1:69:0d:0d:d9:aa:bf:21:81:50:d9:06:a5:a8:ff:95:37:d0:
-        aa:fe:e2:b3:f5:99:2d:45:84:8a:e5:42:09:d7:74:02:2f:f7:
-        89:d8:99:e9:bc:27:d4:47:8d:ba:0d:46:1c:77:cf:14:a4:1c:
-        b9:a4:31:c4:9c:28:74:03:34:ff:33:19:26:a5:e9:0d:74:b7:
-        3e:97:c6:76:e8:27:96:a3:66:dd:e1:ae:f2:41:5b:ca:98:56:
-        83:73:70:e4:86:1a:d2:31:41:ba:2f:be:2d:13:5a:76:6f:4e:
-        e8:4e:81:0e:3f:5b:03:22:a0:12:be:66:58:11:4a:cb:03:c4:
-        b4:2a:2a:2d:96:17:e0:39:54:bc:48:d3:76:27:9d:9a:2d:06:
-        a6:c9:ec:39:d2:ab:db:9f:9a:0b:27:02:35:29:b1:40:95:e7:
-        f9:e8:9c:55:88:19:46:d6:b7:34:f5:7e:ce:39:9a:d9:38:f1:
-        51:f7:4f:2c
------BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
-MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
-ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
-cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
-WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
-Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
-IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
-UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
-TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
-BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
-kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
-AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
-HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
-sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
-I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
-J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
-VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
-03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            26:dd:d2:2b:46:c9:c4:4d:5a:69:4d:39:80:7e:72:ad
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
-        Validity
-            Not Before: Sep 11 12:00:00 2014 GMT
-            Not After : Jun  9 10:46:39 2027 GMT
-        Subject: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:a1:25:63:df:8d:e4:20:07:d9:54:d1:d1:04:f6:
-                    17:e2:3e:47:fb:c3:74:25:b8:c4:bf:12:12:bc:e0:
-                    70:d1:39:05:c2:17:b3:f7:82:70:a0:4e:07:fe:10:
-                    2a:ff:db:0d:46:5e:24:94:a3:8b:45:9f:18:9b:ce:
-                    42:c4:ae:db:83:33:bc:c2:bb:b4:30:b6:a7:37:87:
-                    78:7b:48:cb:25:2c:82:bb:0a:48:12:60:76:89:ec:
-                    8e:cc:8f:1e:52:48:e9:86:02:5a:c2:b0:8a:7c:85:
-                    3d:d9:ff:60:4f:33:6c:a6:a1:a0:85:e1:d7:53:f2:
-                    ea:27:3d:65:a9:72:c1:08:83:cc:b0:25:9c:11:46:
-                    24:e0:3e:f4:a7:ef:ed:51:b1:65:93:42:b4:f6:e6:
-                    86:0a:10:79:32:36:58:b2:6b:a8:dc:d5:7a:1e:9d:
-                    14:ee:40:e7:b2:46:4c:bd:9a:29:c2:ec:f8:30:c1:
-                    62:02:2a:e2:1c:83:62:d0:85:36:1a:83:de:12:84:
-                    29:65:ef:d2:32:be:31:60:42:a8:cf:f8:dd:ea:d0:
-                    56:47:1d:bd:76:96:24:13:e7:be:d9:99:2b:fa:30:
-                    64:f1:8a:38:7a:a6:e1:2a:96:02:b0:9d:ba:d8:8f:
-                    6d:4e:7a:94:69:7d:b0:93:aa:74:e5:93:90:13:fa:
-                    a2:99
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                E5:31:AD:BF:3A:11:96:F4:83:BC:50:3C:D4:B7:90:9B:90:EE:DE:25
-            X509v3 Authority Key Identifier: 
-                08:76:CD:CB:07:FF:24:F6:C5:CD:ED:BB:90:BC:E2:84:37:46:75:F7
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 CRL Distribution Points: 
-                Full Name:
-                  URI:http://crl.certum.pl/ctnca.crl
-            Authority Information Access: 
-                OCSP - URI:http://subca.ocsp-certum.com
-                CA Issuers - URI:http://repository.certum.pl/ctnca.cer
-            X509v3 Certificate Policies: 
-                Policy: X509v3 Any Policy
-                  CPS: http://www.certum.pl/CPS
-    Signature Algorithm: sha256WithRSAEncryption
-    Signature Value:
-        ba:bf:f0:e1:dd:4d:2b:42:43:64:58:df:64:f3:ff:80:1a:5f:
-        56:be:3b:a9:b2:76:f7:54:7a:4c:30:c1:99:24:4b:72:d2:ca:
-        d4:fa:08:c6:90:de:88:12:ed:f8:90:f9:fc:a9:84:fd:92:f2:
-        78:e5:db:c9:22:57:ab:41:30:42:6b:0b:9f:d7:73:33:fb:01:
-        67:1c:42:5c:8f:27:67:c7:6e:07:03:8d:0e:96:cb:0a:03:cc:
-        3e:f8:87:3c:35:30:cd:18:8c:d5:71:dd:cd:dd:61:b0:13:a3:
-        64:46:4e:fe:71:4e:6b:65:e9:14:04:f2:3f:a8:bd:0c:36:3d:
-        2a:5d:9e:07:f2:c2:4f:90:c5:5e:4d:18:37:d1:27:28:80:a4:
-        36:e5:ca:93:6a:65:0e:f8:93:b9:af:52:58:4b:7a:71:d8:ba:
-        f3:ef:d2:f3:f6:a2:97:e4:5d:14:02:9a:cb:e5:ae:b6:93:e1:
-        23:9f:9b:3f:46:f7:ee:8e:a1:00:5b:66:c3:1e:68:23:86:0f:
-        5d:77:ba:53:ad:f9:52:fb:70:15:c5:75:eb:cf:79:ad:49:7c:
-        f2:76:62:ae:44:2f:c5:5f:51:34:25:41:6a:12:0a:5f:8e:ae:
-        10:c4:43:89:35:fd:ec:ff:31:e6:ec:1e:87:e9:3a:7c:29:50:
-        45:41:a3:14
------BEGIN CERTIFICATE-----
-MIIEzjCCA7agAwIBAgIQJt3SK0bJxE1aaU05gH5yrTANBgkqhkiG9w0BAQsFADB+
-MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMgUy5B
-LjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIwIAYD
-VQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMB4XDTE0MDkxMTEyMDAwMFoX
-DTI3MDYwOTEwNDYzOVowgYUxCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRv
-IFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlv
-biBBdXRob3JpdHkxKTAnBgNVBAMTIENlcnR1bSBEb21haW4gVmFsaWRhdGlvbiBD
-QSBTSEEyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoSVj343kIAfZ
-VNHRBPYX4j5H+8N0JbjEvxISvOBw0TkFwhez94JwoE4H/hAq/9sNRl4klKOLRZ8Y
-m85CxK7bgzO8wru0MLanN4d4e0jLJSyCuwpIEmB2ieyOzI8eUkjphgJawrCKfIU9
-2f9gTzNspqGgheHXU/LqJz1lqXLBCIPMsCWcEUYk4D70p+/tUbFlk0K09uaGChB5
-MjZYsmuo3NV6Hp0U7kDnskZMvZopwuz4MMFiAiriHINi0IU2GoPeEoQpZe/SMr4x
-YEKoz/jd6tBWRx29dpYkE+e+2Zkr+jBk8Yo4eqbhKpYCsJ262I9tTnqUaX2wk6p0
-5ZOQE/qimQIDAQABo4IBPjCCATowDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
-5TGtvzoRlvSDvFA81LeQm5Du3iUwHwYDVR0jBBgwFoAUCHbNywf/JPbFze27kLzi
-hDdGdfcwDgYDVR0PAQH/BAQDAgEGMC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9j
-cmwuY2VydHVtLnBsL2N0bmNhLmNybDBrBggrBgEFBQcBAQRfMF0wKAYIKwYBBQUH
-MAGGHGh0dHA6Ly9zdWJjYS5vY3NwLWNlcnR1bS5jb20wMQYIKwYBBQUHMAKGJWh0
-dHA6Ly9yZXBvc2l0b3J5LmNlcnR1bS5wbC9jdG5jYS5jZXIwOQYDVR0gBDIwMDAu
-BgRVHSAAMCYwJAYIKwYBBQUHAgEWGGh0dHA6Ly93d3cuY2VydHVtLnBsL0NQUzAN
-BgkqhkiG9w0BAQsFAAOCAQEAur/w4d1NK0JDZFjfZPP/gBpfVr47qbJ291R6TDDB
-mSRLctLK1PoIxpDeiBLt+JD5/KmE/ZLyeOXbySJXq0EwQmsLn9dzM/sBZxxCXI8n
-Z8duBwONDpbLCgPMPviHPDUwzRiM1XHdzd1hsBOjZEZO/nFOa2XpFATyP6i9DDY9
-Kl2eB/LCT5DFXk0YN9EnKICkNuXKk2plDviTua9SWEt6cdi68+/S8/ail+RdFAKa
-y+WutpPhI5+bP0b37o6hAFtmwx5oI4YPXXe6U635UvtwFcV16895rUl88nZirkQv
-xV9RNCVBahIKX46uEMRDiTX97P8x5uweh+k6fClQRUGjFA==
------END CERTIFICATE-----
diff --git a/certs/Certum-Trusted-Network-CA.pem b/certs/Certum-Trusted-Network-CA.pem
new file mode 100644
index 0000000..a48e706
--- /dev/null
+++ b/certs/Certum-Trusted-Network-CA.pem
@@ -0,0 +1,29 @@
+# Issuer: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
+# Subject: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
+# Label: "Certum Trusted Network CA"
+# Serial: 279744
+# MD5 Fingerprint: d5:e9:81:40:c5:18:69:fc:46:2c:89:75:62:0f:aa:78
+# SHA1 Fingerprint: 07:e0:32:e0:20:b7:2c:3f:19:2f:06:28:a2:59:3a:19:a7:0f:06:9e
+# SHA256 Fingerprint: 5c:58:46:8d:55:f5:8e:49:7e:74:39:82:d2:b5:00:10:b6:d1:65:37:4a:cf:83:a7:d4:a3:2d:b7:68:c4:40:8e
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
+MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
+ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
+cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
+WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
+Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
+IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
+UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
+TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
+BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
+kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
+AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
+sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
+I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
+J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
+VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
+03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
+-----END CERTIFICATE-----
diff --git a/global-config.rsc b/global-config.rsc
index 16de721..73a9ca0 100644
--- a/global-config.rsc
+++ b/global-config.rsc
@@ -104,7 +104,7 @@
     { url="https://www.dshield.org/block.txt"; cidr="/24";
       cert="ISRG Root X1" };
     { url="https://lists.blocklist.de/lists/strongips.txt";
-      cert="Certum Domain Validation CA SHA2" };
+      cert="Certum Trusted Network CA" };
 #    { url="https://www.spamhaus.org/drop/drop.txt";
 #      cert="Cloudflare Inc ECC CA-3" };
 #    { url="https://www.spamhaus.org/drop/edrop.txt";

From 7553870f2aac7182f5181273fb4a73e219fc68c7 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 10:32:01 +0200
Subject: [PATCH 05/11] certs: Cloudflare Inc ECC CA-3 -> Baltimore CyberTrust
 Root

---
 certs/Baltimore-CyberTrust-Root.pem |  28 +++++
 certs/Cloudflare-Inc-ECC-CA-3.pem   | 163 ----------------------------
 global-config.rsc                   |   4 +-
 3 files changed, 30 insertions(+), 165 deletions(-)
 create mode 100644 certs/Baltimore-CyberTrust-Root.pem
 delete mode 100644 certs/Cloudflare-Inc-ECC-CA-3.pem

diff --git a/certs/Baltimore-CyberTrust-Root.pem b/certs/Baltimore-CyberTrust-Root.pem
new file mode 100644
index 0000000..de8121a
--- /dev/null
+++ b/certs/Baltimore-CyberTrust-Root.pem
@@ -0,0 +1,28 @@
+# Issuer: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
+# Subject: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
+# Label: "Baltimore CyberTrust Root"
+# Serial: 33554617
+# MD5 Fingerprint: ac:b6:94:a5:9c:17:e0:d7:91:52:9b:b1:97:06:a6:e4
+# SHA1 Fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74
+# SHA256 Fingerprint: 16:af:57:a9:f6:76:b0:ab:12:60:95:aa:5e:ba:de:f2:2a:b3:11:19:d6:44:ac:95:cd:4b:93:db:f3:f2:6a:eb
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+-----END CERTIFICATE-----
diff --git a/certs/Cloudflare-Inc-ECC-CA-3.pem b/certs/Cloudflare-Inc-ECC-CA-3.pem
deleted file mode 100644
index fa91603..0000000
--- a/certs/Cloudflare-Inc-ECC-CA-3.pem
+++ /dev/null
@@ -1,163 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            0a:37:87:64:5e:5f:b4:8c:22:4e:fd:1b:ed:14:0c:3c
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
-        Validity
-            Not Before: Jan 27 12:48:08 2020 GMT
-            Not After : Dec 31 23:59:59 2024 GMT
-        Subject: C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (256 bit)
-                pub:
-                    04:b9:ad:4d:66:99:14:0b:46:ec:1f:81:d1:2a:50:
-                    1e:9d:03:15:2f:34:12:7d:2d:96:b8:88:38:9b:85:
-                    5f:8f:bf:bb:4d:ef:61:46:c4:c9:73:d4:24:4f:e0:
-                    ee:1c:ce:6c:b3:51:71:2f:6a:ee:4c:05:09:77:d3:
-                    72:62:a4:9b:d7
-                ASN1 OID: prime256v1
-                NIST CURVE: P-256
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F
-            X509v3 Authority Key Identifier: 
-                E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.digicert.com
-            X509v3 CRL Distribution Points: 
-                Full Name:
-                  URI:http://crl3.digicert.com/Omniroot2025.crl
-            X509v3 Certificate Policies: 
-                Policy: 2.16.840.1.114412.1.1
-                  CPS: https://www.digicert.com/CPS
-                Policy: 2.16.840.1.114412.1.2
-                Policy: 2.23.140.1.2.1
-                Policy: 2.23.140.1.2.2
-                Policy: 2.23.140.1.2.3
-    Signature Algorithm: sha256WithRSAEncryption
-    Signature Value:
-        05:24:1d:dd:1b:b0:2a:eb:98:d6:85:e3:39:4d:5e:6b:57:9d:
-        82:57:fc:eb:e8:31:a2:57:90:65:05:be:16:44:38:5a:77:02:
-        b9:cf:10:42:c6:e1:92:a4:e3:45:27:f8:00:47:2c:68:a8:56:
-        99:53:54:8f:ad:9e:40:c1:d0:0f:b6:d7:0d:0b:38:48:6c:50:
-        2c:49:90:06:5b:64:1d:8b:cc:48:30:2e:de:08:e2:9b:49:22:
-        c0:92:0c:11:5e:96:92:94:d5:fc:20:dc:56:6c:e5:92:93:bf:
-        7a:1c:c0:37:e3:85:49:15:fa:2b:e1:74:39:18:0f:b7:da:f3:
-        a2:57:58:60:4f:cc:8e:94:00:fc:46:7b:34:31:3e:4d:47:82:
-        81:3a:cb:f4:89:5d:0e:ef:4d:0d:6e:9c:1b:82:24:dd:32:25:
-        5d:11:78:51:10:3d:a0:35:23:04:2f:65:6f:9c:c1:d1:43:d7:
-        d0:1e:f3:31:67:59:27:dd:6b:d2:75:09:93:11:24:24:14:cf:
-        29:be:e6:23:c3:b8:8f:72:3f:e9:07:c8:24:44:53:7a:b3:b9:
-        61:65:a1:4c:0e:c6:48:00:c9:75:63:05:87:70:45:52:83:d3:
-        95:9d:45:ea:f0:e8:31:1d:7e:09:1f:0a:fe:3e:dd:aa:3c:5e:
-        74:d2:ac:b1
------BEGIN CERTIFICATE-----
-MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
-MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
-clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
-MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
-BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
-QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
-nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
-16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
-GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
-BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
-KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
-b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
-bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
-BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
-CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
-AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
-+ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
-lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
-goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
-CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
-6DEdfgkfCv4+3ao8XnTSrLE=
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 33554617 (0x20000b9)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
-        Validity
-            Not Before: May 12 18:46:00 2000 GMT
-            Not After : May 12 23:59:00 2025 GMT
-        Subject: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
-                    d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
-                    64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
-                    62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
-                    52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
-                    73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
-                    50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
-                    a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
-                    70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
-                    d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
-                    5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
-                    98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
-                    ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
-                    39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
-                    c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
-                    ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
-                    78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
-                    1a:39
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:3
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-    Signature Value:
-        85:0c:5d:8e:e4:6f:51:68:42:05:a0:dd:bb:4f:27:25:84:03:
-        bd:f7:64:fd:2d:d7:30:e3:a4:10:17:eb:da:29:29:b6:79:3f:
-        76:f6:19:13:23:b8:10:0a:f9:58:a4:d4:61:70:bd:04:61:6a:
-        12:8a:17:d5:0a:bd:c5:bc:30:7c:d6:e9:0c:25:8d:86:40:4f:
-        ec:cc:a3:7e:38:c6:37:11:4f:ed:dd:68:31:8e:4c:d2:b3:01:
-        74:ee:be:75:5e:07:48:1a:7f:70:ff:16:5c:84:c0:79:85:b8:
-        05:fd:7f:be:65:11:a3:0f:c0:02:b4:f8:52:37:39:04:d5:a9:
-        31:7a:18:bf:a0:2a:f4:12:99:f7:a3:45:82:e3:3c:5e:f5:9d:
-        9e:b5:c8:9e:7c:2e:c8:a4:9e:4e:08:14:4b:6d:fd:70:6d:6b:
-        1a:63:bd:64:e6:1f:b7:ce:f0:f2:9f:2e:bb:1b:b7:f2:50:88:
-        73:92:c2:e2:e3:16:8d:9a:32:02:ab:8e:18:dd:e9:10:11:ee:
-        7e:35:ab:90:af:3e:30:94:7a:d0:33:3d:a7:65:0f:f5:fc:8e:
-        9e:62:cf:47:44:2c:01:5d:bb:1d:b5:32:d2:47:d2:38:2e:d0:
-        fe:81:dc:32:6a:1e:b5:ee:3c:d5:fc:e7:81:1d:19:c3:24:42:
-        ea:63:39:a9
------BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
------END CERTIFICATE-----
diff --git a/global-config.rsc b/global-config.rsc
index 73a9ca0..cdc1d5c 100644
--- a/global-config.rsc
+++ b/global-config.rsc
@@ -106,9 +106,9 @@
     { url="https://lists.blocklist.de/lists/strongips.txt";
       cert="Certum Trusted Network CA" };
 #    { url="https://www.spamhaus.org/drop/drop.txt";
-#      cert="Cloudflare Inc ECC CA-3" };
+#      cert="Baltimore CyberTrust Root" };
 #    { url="https://www.spamhaus.org/drop/edrop.txt";
-#      cert="Cloudflare Inc ECC CA-3" };
+#      cert="Baltimore CyberTrust Root" };
   };
 #  "mikrotik"={
 #    { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/mikrotik";

From a744508d4f59bb95106b454c930fbb3f9eb28066 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 10:34:49 +0200
Subject: [PATCH 06/11] certs: Starfield Secure Certificate Authority - G2 ->
 Starfield Root Certificate Authority - G2

---
 ...tarfield-Root-Certificate-Authority-G2.pem |  30 +++
 ...rfield-Secure-Certificate-Authority-G2.pem | 179 ------------------
 update-tunnelbroker.rsc                       |   2 +-
 3 files changed, 31 insertions(+), 180 deletions(-)
 create mode 100644 certs/Starfield-Root-Certificate-Authority-G2.pem
 delete mode 100644 certs/Starfield-Secure-Certificate-Authority-G2.pem

diff --git a/certs/Starfield-Root-Certificate-Authority-G2.pem b/certs/Starfield-Root-Certificate-Authority-G2.pem
new file mode 100644
index 0000000..4e6774d
--- /dev/null
+++ b/certs/Starfield-Root-Certificate-Authority-G2.pem
@@ -0,0 +1,30 @@
+# Issuer: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Subject: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Label: "Starfield Root Certificate Authority - G2"
+# Serial: 0
+# MD5 Fingerprint: d6:39:81:c6:52:7e:96:69:fc:fc:ca:66:ed:05:f2:96
+# SHA1 Fingerprint: b5:1c:06:7c:ee:2b:0c:3d:f8:55:ab:2d:92:f4:fe:39:d4:e7:0f:0e
+# SHA256 Fingerprint: 2c:e1:cb:0b:f9:d2:f9:e1:02:99:3f:be:21:51:52:c3:b2:dd:0c:ab:de:1c:68:e5:31:9b:83:91:54:db:b7:f5
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
+HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
+ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
+MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
+b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
+aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
+Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
+nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
+HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
+Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
+dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
+HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
+CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
+sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
+4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
+8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
+pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
+mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
+-----END CERTIFICATE-----
diff --git a/certs/Starfield-Secure-Certificate-Authority-G2.pem b/certs/Starfield-Secure-Certificate-Authority-G2.pem
deleted file mode 100644
index 7772e6b..0000000
--- a/certs/Starfield-Secure-Certificate-Authority-G2.pem
+++ /dev/null
@@ -1,179 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 7 (0x7)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
-        Validity
-            Not Before: May  3 07:00:00 2011 GMT
-            Not After : May  3 07:00:00 2031 GMT
-        Subject: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:e5:90:66:4b:ec:f9:46:71:a9:20:83:be:e9:6c:
-                    bf:4a:c9:48:69:81:75:4e:6d:24:f6:cb:17:13:f8:
-                    b0:71:59:84:7a:6b:2b:85:a4:34:b5:16:e5:cb:cc:
-                    e9:41:70:2c:a4:2e:d6:fa:32:7d:e1:a8:de:94:10:
-                    ac:31:c1:c0:d8:6a:ff:59:27:ab:76:d6:fc:0b:74:
-                    6b:b8:a7:ae:3f:c4:54:f4:b4:31:44:dd:93:56:8c:
-                    a4:4c:5e:9b:89:cb:24:83:9b:e2:57:7d:b7:d8:12:
-                    1f:c9:85:6d:f4:d1:80:f1:50:9b:87:ae:d4:0b:10:
-                    05:fb:27:ba:28:6d:17:e9:0e:d6:4d:b9:39:55:06:
-                    ff:0a:24:05:7e:2f:c6:1d:72:6c:d4:8b:29:8c:57:
-                    7d:da:d9:eb:66:1a:d3:4f:a7:df:7f:52:c4:30:c5:
-                    a5:c9:0e:02:c5:53:bf:77:38:68:06:24:c3:66:c8:
-                    37:7e:30:1e:45:71:23:35:ff:90:d8:2a:9d:8d:e7:
-                    b0:92:4d:3c:7f:2a:0a:93:dc:cd:16:46:65:f7:60:
-                    84:8b:76:4b:91:27:73:14:92:e0:ea:ee:8f:16:ea:
-                    8d:0e:3e:76:17:bf:7d:89:80:80:44:43:e7:2d:e0:
-                    43:09:75:da:36:e8:ad:db:89:3a:f5:5d:12:8e:23:
-                    04:83
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63
-            X509v3 Authority Key Identifier: 
-                keyid:7C:0C:32:1F:A7:D9:30:7F:C4:7D:68:A3:62:A8:A1:CE:AB:07:5B:27
-
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.starfieldtech.com/
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.starfieldtech.com/sfroot-g2.crl
-
-            X509v3 Certificate Policies: 
-                Policy: X509v3 Any Policy
-                  CPS: https://certs.starfieldtech.com/repository/
-
-    Signature Algorithm: sha256WithRSAEncryption
-         56:65:ca:fe:f3:3f:0a:a8:93:8b:18:c7:de:43:69:13:34:20:
-         be:4e:5f:78:a8:6b:9c:db:6a:4d:41:db:c1:13:ec:dc:31:00:
-         22:5e:f7:00:9e:0c:e0:34:65:34:f9:b1:3a:4e:48:c8:12:81:
-         88:5c:5b:3e:08:53:7a:f7:1a:64:df:b8:50:61:cc:53:51:40:
-         29:4b:c2:f4:ae:3a:5f:e4:ca:ad:26:cc:4e:61:43:e5:fd:57:
-         a6:37:70:ce:43:2b:b0:94:c3:92:e9:e1:5f:aa:10:49:b7:69:
-         e4:e0:d0:1f:64:a4:2b:cd:1f:6f:a0:f8:84:24:18:ce:79:3d:
-         a9:91:bf:54:18:13:89:99:54:11:0d:55:c5:26:0b:79:4f:5a:
-         1c:6e:f9:63:db:14:80:a4:07:ab:fa:b2:a5:b9:88:dd:91:fe:
-         65:3b:a4:a3:79:be:89:4d:e1:d0:b0:f4:c8:17:0c:0a:96:14:
-         7c:09:b7:6c:e1:c2:d8:55:d4:18:a0:aa:41:69:70:24:a3:b9:
-         ef:e9:5a:dc:3e:eb:94:4a:f0:b7:de:5f:0e:76:fa:fb:fb:69:
-         03:45:40:50:ee:72:0c:a4:12:86:81:cd:13:d1:4e:c4:3c:ca:
-         4e:0d:d2:26:f1:00:b7:b4:a6:a2:e1:6e:7a:81:fd:30:ac:7a:
-         1f:c7:59:7b
------BEGIN CERTIFICATE-----
-MIIFADCCA+igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
-ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAw
-MFoXDTMxMDUwMzA3MDAwMFowgcYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
-b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
-aG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydHMuc3RhcmZpZWxk
-dGVjaC5jb20vcmVwb3NpdG9yeS8xNDAyBgNVBAMTK1N0YXJmaWVsZCBTZWN1cmUg
-Q2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDlkGZL7PlGcakgg77pbL9KyUhpgXVObST2yxcT+LBxWYR6ayuF
-pDS1FuXLzOlBcCykLtb6Mn3hqN6UEKwxwcDYav9ZJ6t21vwLdGu4p64/xFT0tDFE
-3ZNWjKRMXpuJyySDm+JXfbfYEh/JhW300YDxUJuHrtQLEAX7J7oobRfpDtZNuTlV
-Bv8KJAV+L8YdcmzUiymMV33a2etmGtNPp99/UsQwxaXJDgLFU793OGgGJMNmyDd+
-MB5FcSM1/5DYKp2N57CSTTx/KgqT3M0WRmX3YISLdkuRJ3MUkuDq7o8W6o0OPnYX
-v32JgIBEQ+ct4EMJddo26K3biTr1XRKOIwSDAgMBAAGjggEsMIIBKDAPBgNVHRMB
-Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUJUWBaFAmOD07LSy+
-zWrZtj2zZmMwHwYDVR0jBBgwFoAUfAwyH6fZMH/EfWijYqihzqsHWycwOgYIKwYB
-BQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5zdGFyZmllbGR0ZWNo
-LmNvbS8wOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zdGFyZmllbGR0ZWNo
-LmNvbS9zZnJvb3QtZzIuY3JsMEwGA1UdIARFMEMwQQYEVR0gADA5MDcGCCsGAQUF
-BwIBFitodHRwczovL2NlcnRzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkv
-MA0GCSqGSIb3DQEBCwUAA4IBAQBWZcr+8z8KqJOLGMfeQ2kTNCC+Tl94qGuc22pN
-QdvBE+zcMQAiXvcAngzgNGU0+bE6TkjIEoGIXFs+CFN69xpk37hQYcxTUUApS8L0
-rjpf5MqtJsxOYUPl/VemN3DOQyuwlMOS6eFfqhBJt2nk4NAfZKQrzR9voPiEJBjO
-eT2pkb9UGBOJmVQRDVXFJgt5T1ocbvlj2xSApAer+rKluYjdkf5lO6Sjeb6JTeHQ
-sPTIFwwKlhR8Cbds4cLYVdQYoKpBaXAko7nv6VrcPuuUSvC33l8Odvr7+2kDRUBQ
-7nIMpBKGgc0T0U7EPMpODdIm8QC3tKai4W56gf0wrHofx1l7
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
-        Validity
-            Not Before: Sep  1 00:00:00 2009 GMT
-            Not After : Dec 31 23:59:59 2037 GMT
-        Subject: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:bd:ed:c1:03:fc:f6:8f:fc:02:b1:6f:5b:9f:48:
-                    d9:9d:79:e2:a2:b7:03:61:56:18:c3:47:b6:d7:ca:
-                    3d:35:2e:89:43:f7:a1:69:9b:de:8a:1a:fd:13:20:
-                    9c:b4:49:77:32:29:56:fd:b9:ec:8c:dd:22:fa:72:
-                    dc:27:61:97:ee:f6:5a:84:ec:6e:19:b9:89:2c:dc:
-                    84:5b:d5:74:fb:6b:5f:c5:89:a5:10:52:89:46:55:
-                    f4:b8:75:1c:e6:7f:e4:54:ae:4b:f8:55:72:57:02:
-                    19:f8:17:71:59:eb:1e:28:07:74:c5:9d:48:be:6c:
-                    b4:f4:a4:b0:f3:64:37:79:92:c0:ec:46:5e:7f:e1:
-                    6d:53:4c:62:af:cd:1f:0b:63:bb:3a:9d:fb:fc:79:
-                    00:98:61:74:cf:26:82:40:63:f3:b2:72:6a:19:0d:
-                    99:ca:d4:0e:75:cc:37:fb:8b:89:c1:59:f1:62:7f:
-                    5f:b3:5f:65:30:f8:a7:b7:4d:76:5a:1e:76:5e:34:
-                    c0:e8:96:56:99:8a:b3:f0:7f:a4:cd:bd:dc:32:31:
-                    7c:91:cf:e0:5f:11:f8:6b:aa:49:5c:d1:99:94:d1:
-                    a2:e3:63:5b:09:76:b5:56:62:e1:4b:74:1d:96:d4:
-                    26:d4:08:04:59:d0:98:0e:0e:e6:de:fc:c3:ec:1f:
-                    90:f1
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                7C:0C:32:1F:A7:D9:30:7F:C4:7D:68:A3:62:A8:A1:CE:AB:07:5B:27
-    Signature Algorithm: sha256WithRSAEncryption
-         11:59:fa:25:4f:03:6f:94:99:3b:9a:1f:82:85:39:d4:76:05:
-         94:5e:e1:28:93:6d:62:5d:09:c2:a0:a8:d4:b0:75:38:f1:34:
-         6a:9d:e4:9f:8a:86:26:51:e6:2c:d1:c6:2d:6e:95:20:4a:92:
-         01:ec:b8:8a:67:7b:31:e2:67:2e:8c:95:03:26:2e:43:9d:4a:
-         31:f6:0e:b5:0c:bb:b7:e2:37:7f:22:ba:00:a3:0e:7b:52:fb:
-         6b:bb:3b:c4:d3:79:51:4e:cd:90:f4:67:07:19:c8:3c:46:7a:
-         0d:01:7d:c5:58:e7:6d:e6:85:30:17:9a:24:c4:10:e0:04:f7:
-         e0:f2:7f:d4:aa:0a:ff:42:1d:37:ed:94:e5:64:59:12:20:77:
-         38:d3:32:3e:38:81:75:96:73:fa:68:8f:b1:cb:ce:1f:c5:ec:
-         fa:9c:7e:cf:7e:b1:f1:07:2d:b6:fc:bf:ca:a4:bf:d0:97:05:
-         4a:bc:ea:18:28:02:90:bd:54:78:09:21:71:d3:d1:7d:1d:d9:
-         16:b0:a9:61:3d:d0:0a:00:22:fc:c7:7b:cb:09:64:45:0b:3b:
-         40:81:f7:7d:7c:32:f5:98:ca:58:8e:7d:2a:ee:90:59:73:64:
-         f9:36:74:5e:25:a1:f5:66:05:2e:7f:39:15:a9:2a:fb:50:8b:
-         8e:85:69:f4
------BEGIN CERTIFICATE-----
-MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
-ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
-MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
-b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
-aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
-Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
-nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
-HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
-Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
-dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
-HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
-CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
-sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
-4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
-8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
-pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
-mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
------END CERTIFICATE-----
diff --git a/update-tunnelbroker.rsc b/update-tunnelbroker.rsc
index 364dc08..f9ba202 100644
--- a/update-tunnelbroker.rsc
+++ b/update-tunnelbroker.rsc
@@ -25,7 +25,7 @@
     :error false;
   }
 
-  :if ([ $CertificateAvailable "Starfield Secure Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" ] = false) do={
     $LogPrint error $ScriptName ("Downloading required certificate failed.");
     :error false;
   }

From 0ae3d31c58d57578092e76368ebd82bdc859123d Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 10:38:35 +0200
Subject: [PATCH 07/11] certs: GTS CA 1C3 / GTS CA 1P5  -> GTS Root R1

---
 certs/GTS-CA-1C3.pem  | 242 ------------------------------------------
 certs/GTS-CA-1P5.pem  | 238 -----------------------------------------
 certs/GTS-Root-R1.pem |  38 +++++++
 doc/netwatch-dns.md   |   2 +-
 global-functions.rsc  |   2 +-
 5 files changed, 40 insertions(+), 482 deletions(-)
 delete mode 100644 certs/GTS-CA-1C3.pem
 delete mode 100644 certs/GTS-CA-1P5.pem
 create mode 100644 certs/GTS-Root-R1.pem

diff --git a/certs/GTS-CA-1C3.pem b/certs/GTS-CA-1C3.pem
deleted file mode 100644
index a8432d2..0000000
--- a/certs/GTS-CA-1C3.pem
+++ /dev/null
@@ -1,242 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            02:03:bc:53:59:6b:34:c7:18:f5:01:50:66
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, O = Google Trust Services LLC, CN = GTS Root R1
-        Validity
-            Not Before: Aug 13 00:00:42 2020 GMT
-            Not After : Sep 30 00:00:42 2027 GMT
-        Subject: C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:f5:88:df:e7:62:8c:1e:37:f8:37:42:90:7f:6c:
-                    87:d0:fb:65:82:25:fd:e8:cb:6b:a4:ff:6d:e9:5a:
-                    23:e2:99:f6:1c:e9:92:03:99:13:7c:09:0a:8a:fa:
-                    42:d6:5e:56:24:aa:7a:33:84:1f:d1:e9:69:bb:b9:
-                    74:ec:57:4c:66:68:93:77:37:55:53:fe:39:10:4d:
-                    b7:34:bb:5f:25:77:37:3b:17:94:ea:3c:e5:9d:d5:
-                    bc:c3:b4:43:eb:2e:a7:47:ef:b0:44:11:63:d8:b4:
-                    41:85:dd:41:30:48:93:1b:bf:b7:f6:e0:45:02:21:
-                    e0:96:42:17:cf:d9:2b:65:56:34:07:26:04:0d:a8:
-                    fd:7d:ca:2e:ef:ea:48:7c:37:4d:3f:00:9f:83:df:
-                    ef:75:84:2e:79:57:5c:fc:57:6e:1a:96:ff:fc:8c:
-                    9a:a6:99:be:25:d9:7f:96:2c:06:f7:11:2a:02:80:
-                    80:eb:63:18:3c:50:49:87:e5:8a:ca:5f:19:2b:59:
-                    96:81:00:a0:fb:51:db:ca:77:0b:0b:c9:96:4f:ef:
-                    70:49:c7:5c:6d:20:fd:99:b4:b4:e2:ca:2e:77:fd:
-                    2d:dc:0b:b6:6b:13:0c:8c:19:2b:17:96:98:b9:f0:
-                    8b:f6:a0:27:bb:b6:e3:8d:51:8f:bd:ae:c7:9b:b1:
-                    89:9d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                8A:74:7F:AF:85:CD:EE:95:CD:3D:9C:D0:E2:46:14:F3:71:35:1D:27
-            X509v3 Authority Key Identifier: 
-                keyid:E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E
-
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.pki.goog/gtsr1
-                CA Issuers - URI:http://pki.goog/repo/certs/gtsr1.der
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.pki.goog/gtsr1/gtsr1.crl
-
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.11129.2.5.3
-                  CPS: https://pki.goog/repository/
-                Policy: 2.23.140.1.2.1
-                Policy: 2.23.140.1.2.2
-
-    Signature Algorithm: sha256WithRSAEncryption
-         89:7d:ac:20:5c:0c:3c:be:9a:a8:57:95:1b:b4:ae:fa:ab:a5:
-         72:71:b4:36:95:fd:df:40:11:03:4c:c2:46:14:bb:14:24:ab:
-         f0:50:71:22:db:ad:c4:6e:7f:cf:f1:6a:6f:c8:83:1b:d8:ce:
-         89:5f:87:6c:87:b8:a9:0c:a3:9b:a1:62:94:93:95:df:5b:ae:
-         66:19:0b:02:96:9e:fc:b5:e7:10:69:3e:7a:cb:46:49:5f:46:
-         e1:41:b1:d7:98:4d:65:34:00:80:1a:3f:4f:9f:6c:7f:49:00:
-         81:53:41:a4:92:21:82:82:1a:f1:a3:44:5b:2a:50:12:13:4d:
-         c1:53:36:f3:42:08:af:54:fa:8e:77:53:1b:64:38:27:17:09:
-         bd:58:c9:1b:7c:39:2d:5b:f3:ce:d4:ed:97:db:14:03:bf:09:
-         53:24:1f:c2:0c:04:79:98:26:f2:61:f1:53:52:fd:42:8c:1b:
-         66:2b:3f:15:a1:bb:ff:f6:9b:e3:81:9a:01:06:71:89:35:28:
-         24:dd:e1:bd:eb:19:2d:e1:48:cb:3d:59:83:51:b4:74:c6:9d:
-         7c:c6:b1:86:5b:af:cc:34:c4:d3:cc:d4:81:11:95:00:a1:f4:
-         12:22:01:fa:b4:83:71:af:8c:b7:8c:73:24:ac:37:53:c2:00:
-         90:3f:11:fe:5c:ed:36:94:10:3b:bd:29:ae:e2:c7:3a:62:3b:
-         6c:63:d9:80:bf:59:71:ac:63:27:b9:4c:17:a0:da:f6:73:15:
-         bf:2a:de:8f:f3:a5:6c:32:81:33:03:d0:86:51:71:99:34:ba:
-         93:8d:5d:b5:51:58:f7:b2:93:e8:01:f6:59:be:71:9b:fd:4d:
-         28:ce:cf:6d:c7:16:dc:f7:d1:d6:46:9b:a7:ca:6b:e9:77:0f:
-         fd:a0:b6:1b:23:83:1d:10:1a:d9:09:00:84:e0:44:d3:a2:75:
-         23:b3:34:86:f6:20:b0:a4:5e:10:1d:e0:52:46:00:9d:b1:0f:
-         1f:21:70:51:f5:9a:dd:06:fc:55:f4:2b:0e:33:77:c3:4b:42:
-         c2:f1:77:13:fc:73:80:94:eb:1f:bb:37:3f:ce:02:2a:66:b0:
-         73:1d:32:a5:32:6c:32:b0:8e:e0:c4:23:ff:5b:7d:4d:65:70:
-         ac:2b:9b:3d:ce:db:e0:6d:8e:32:80:be:96:9f:92:63:bc:97:
-         bb:5d:b9:f4:e1:71:5e:2a:e4:ef:03:22:b1:8a:65:3a:8f:c0:
-         93:65:d4:85:cd:0f:0f:5b:83:59:16:47:16:2d:9c:24:3a:c8:
-         80:a6:26:14:85:9b:f6:37:9b:ac:6f:f9:c5:c3:06:51:f3:e2:
-         7f:c5:b1:10:ba:51:f4:dd
------BEGIN CERTIFICATE-----
-MIIFljCCA36gAwIBAgINAgO8U1lrNMcY9QFQZjANBgkqhkiG9w0BAQsFADBHMQsw
-CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
-MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjAwODEzMDAwMDQyWhcNMjcwOTMwMDAw
-MDQyWjBGMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
-Y2VzIExMQzETMBEGA1UEAxMKR1RTIENBIDFDMzCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAPWI3+dijB43+DdCkH9sh9D7ZYIl/ejLa6T/belaI+KZ9hzp
-kgOZE3wJCor6QtZeViSqejOEH9Hpabu5dOxXTGZok3c3VVP+ORBNtzS7XyV3NzsX
-lOo85Z3VvMO0Q+sup0fvsEQRY9i0QYXdQTBIkxu/t/bgRQIh4JZCF8/ZK2VWNAcm
-BA2o/X3KLu/qSHw3TT8An4Pf73WELnlXXPxXbhqW//yMmqaZviXZf5YsBvcRKgKA
-gOtjGDxQSYflispfGStZloEAoPtR28p3CwvJlk/vcEnHXG0g/Zm0tOLKLnf9LdwL
-tmsTDIwZKxeWmLnwi/agJ7u2441Rj72ux5uxiZ0CAwEAAaOCAYAwggF8MA4GA1Ud
-DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0T
-AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUinR/r4XN7pXNPZzQ4kYU83E1HScwHwYD
-VR0jBBgwFoAU5K8rJnEaK0gnhS9SZizv8IkTcT4waAYIKwYBBQUHAQEEXDBaMCYG
-CCsGAQUFBzABhhpodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHNyMTAwBggrBgEFBQcw
-AoYkaHR0cDovL3BraS5nb29nL3JlcG8vY2VydHMvZ3RzcjEuZGVyMDQGA1UdHwQt
-MCswKaAnoCWGI2h0dHA6Ly9jcmwucGtpLmdvb2cvZ3RzcjEvZ3RzcjEuY3JsMFcG
-A1UdIARQME4wOAYKKwYBBAHWeQIFAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3Br
-aS5nb29nL3JlcG9zaXRvcnkvMAgGBmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcN
-AQELBQADggIBAIl9rCBcDDy+mqhXlRu0rvqrpXJxtDaV/d9AEQNMwkYUuxQkq/BQ
-cSLbrcRuf8/xam/IgxvYzolfh2yHuKkMo5uhYpSTld9brmYZCwKWnvy15xBpPnrL
-RklfRuFBsdeYTWU0AIAaP0+fbH9JAIFTQaSSIYKCGvGjRFsqUBITTcFTNvNCCK9U
-+o53UxtkOCcXCb1YyRt8OS1b887U7ZfbFAO/CVMkH8IMBHmYJvJh8VNS/UKMG2Yr
-PxWhu//2m+OBmgEGcYk1KCTd4b3rGS3hSMs9WYNRtHTGnXzGsYZbr8w0xNPM1IER
-lQCh9BIiAfq0g3GvjLeMcySsN1PCAJA/Ef5c7TaUEDu9Ka7ixzpiO2xj2YC/WXGs
-Yye5TBeg2vZzFb8q3o/zpWwygTMD0IZRcZk0upONXbVRWPeyk+gB9lm+cZv9TSjO
-z23HFtz30dZGm6fKa+l3D/2gthsjgx0QGtkJAITgRNOidSOzNIb2ILCkXhAd4FJG
-AJ2xDx8hcFH1mt0G/FX0Kw4zd8NLQsLxdxP8c4CU6x+7Nz/OAipmsHMdMqUybDKw
-juDEI/9bfU1lcKwrmz3O2+BtjjKAvpafkmO8l7tdufThcV4q5O8DIrGKZTqPwJNl
-1IXNDw9bg1kWRxYtnCQ6yICmJhSFm/Y3m6xv+cXDBlHz4n/FsRC6UfTd
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            6e:47:a9:c5:4b:47:0c:0d:ec:33:d0:89:b9:1c:f4:e1
-        Signature Algorithm: sha384WithRSAEncryption
-        Issuer: C = US, O = Google Trust Services LLC, CN = GTS Root R1
-        Validity
-            Not Before: Jun 22 00:00:00 2016 GMT
-            Not After : Jun 22 00:00:00 2036 GMT
-        Subject: C = US, O = Google Trust Services LLC, CN = GTS Root R1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:b6:11:02:8b:1e:e3:a1:77:9b:3b:dc:bf:94:3e:
-                    b7:95:a7:40:3c:a1:fd:82:f9:7d:32:06:82:71:f6:
-                    f6:8c:7f:fb:e8:db:bc:6a:2e:97:97:a3:8c:4b:f9:
-                    2b:f6:b1:f9:ce:84:1d:b1:f9:c5:97:de:ef:b9:f2:
-                    a3:e9:bc:12:89:5e:a7:aa:52:ab:f8:23:27:cb:a4:
-                    b1:9c:63:db:d7:99:7e:f0:0a:5e:eb:68:a6:f4:c6:
-                    5a:47:0d:4d:10:33:e3:4e:b1:13:a3:c8:18:6c:4b:
-                    ec:fc:09:90:df:9d:64:29:25:23:07:a1:b4:d2:3d:
-                    2e:60:e0:cf:d2:09:87:bb:cd:48:f0:4d:c2:c2:7a:
-                    88:8a:bb:ba:cf:59:19:d6:af:8f:b0:07:b0:9e:31:
-                    f1:82:c1:c0:df:2e:a6:6d:6c:19:0e:b5:d8:7e:26:
-                    1a:45:03:3d:b0:79:a4:94:28:ad:0f:7f:26:e5:a8:
-                    08:fe:96:e8:3c:68:94:53:ee:83:3a:88:2b:15:96:
-                    09:b2:e0:7a:8c:2e:75:d6:9c:eb:a7:56:64:8f:96:
-                    4f:68:ae:3d:97:c2:84:8f:c0:bc:40:c0:0b:5c:bd:
-                    f6:87:b3:35:6c:ac:18:50:7f:84:e0:4c:cd:92:d3:
-                    20:e9:33:bc:52:99:af:32:b5:29:b3:25:2a:b4:48:
-                    f9:72:e1:ca:64:f7:e6:82:10:8d:e8:9d:c2:8a:88:
-                    fa:38:66:8a:fc:63:f9:01:f9:78:fd:7b:5c:77:fa:
-                    76:87:fa:ec:df:b1:0e:79:95:57:b4:bd:26:ef:d6:
-                    01:d1:eb:16:0a:bb:8e:0b:b5:c5:c5:8a:55:ab:d3:
-                    ac:ea:91:4b:29:cc:19:a4:32:25:4e:2a:f1:65:44:
-                    d0:02:ce:aa:ce:49:b4:ea:9f:7c:83:b0:40:7b:e7:
-                    43:ab:a7:6c:a3:8f:7d:89:81:fa:4c:a5:ff:d5:8e:
-                    c3:ce:4b:e0:b5:d8:b3:8e:45:cf:76:c0:ed:40:2b:
-                    fd:53:0f:b0:a7:d5:3b:0d:b1:8a:a2:03:de:31:ad:
-                    cc:77:ea:6f:7b:3e:d6:df:91:22:12:e6:be:fa:d8:
-                    32:fc:10:63:14:51:72:de:5d:d6:16:93:bd:29:68:
-                    33:ef:3a:66:ec:07:8a:26:df:13:d7:57:65:78:27:
-                    de:5e:49:14:00:a2:00:7f:9a:a8:21:b6:a9:b1:95:
-                    b0:a5:b9:0d:16:11:da:c7:6c:48:3c:40:e0:7e:0d:
-                    5a:cd:56:3c:d1:97:05:b9:cb:4b:ed:39:4b:9c:c4:
-                    3f:d2:55:13:6e:24:b0:d6:71:fa:f4:c1:ba:cc:ed:
-                    1b:f5:fe:81:41:d8:00:98:3d:3a:c8:ae:7a:98:37:
-                    18:05:95
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E
-    Signature Algorithm: sha384WithRSAEncryption
-         38:96:0a:ee:3d:b4:96:1e:5f:ef:9d:9c:0b:33:9f:2b:e0:ca:
-         fd:d2:8e:0a:1f:41:74:a5:7c:aa:84:d4:e5:f2:1e:e6:37:52:
-         32:9c:0b:d1:61:1d:bf:28:c1:b6:44:29:35:75:77:98:b2:7c:
-         d9:bd:74:ac:8a:68:e3:a9:31:09:29:01:60:73:e3:47:7c:53:
-         a8:90:4a:27:ef:4b:d7:9f:93:e7:82:36:ce:9a:68:0c:82:e7:
-         cf:d4:10:16:6f:5f:0e:99:5c:f6:1f:71:7d:ef:ef:7b:2f:7e:
-         ea:36:d6:97:70:0b:15:ee:d7:5c:56:6a:33:a5:e3:49:38:0c:
-         b8:7d:fb:8d:85:a4:b1:59:5e:f4:6a:e1:dd:a1:f6:64:44:ae:
-         e6:51:83:21:66:c6:11:3e:f3:ce:47:ee:9c:28:1f:25:da:ff:
-         ac:66:95:dd:35:0f:5c:ef:20:2c:62:fd:91:ba:a9:cc:fc:5a:
-         9c:93:81:83:29:97:4a:7c:5a:72:b4:39:d0:b7:77:cb:79:fd:
-         69:3a:92:37:ed:6e:38:65:46:7e:e9:60:bd:79:88:97:5f:38:
-         12:f4:ee:af:5b:82:c8:86:d5:e1:99:6d:8c:04:f2:76:ba:49:
-         f6:6e:e9:6d:1e:5f:a0:ef:27:82:76:40:f8:a6:d3:58:5c:0f:
-         2c:42:da:42:c6:7b:88:34:c7:c1:d8:45:9b:c1:3e:c5:61:1d:
-         d9:63:50:49:f6:34:85:6a:e0:18:c5:6e:47:ab:41:42:29:9b:
-         f6:60:0d:d2:31:d3:63:98:23:93:5a:00:81:48:b4:ef:cd:8a:
-         cd:c9:cf:99:ee:d9:9e:aa:36:e1:68:4b:71:49:14:36:28:3a:
-         3d:1d:ce:9a:8f:25:e6:80:71:61:2b:b5:7b:cc:f9:25:16:81:
-         e1:31:5f:a1:a3:7e:16:a4:9c:16:6a:97:18:bd:76:72:a5:0b:
-         9e:1d:36:e6:2f:a1:2f:be:70:91:0f:a8:e6:da:f8:c4:92:40:
-         6c:25:7e:7b:b3:09:dc:b2:17:ad:80:44:f0:68:a5:8f:94:75:
-         ff:74:5a:e8:a8:02:7c:0c:09:e2:a9:4b:0b:a0:85:0b:62:b9:
-         ef:a1:31:92:fb:ef:f6:51:04:89:6c:e8:a9:74:a1:bb:17:b3:
-         b5:fd:49:0f:7c:3c:ec:83:18:20:43:4e:d5:93:ba:b4:34:b1:
-         1f:16:36:1f:0c:e6:64:39:16:4c:dc:e0:fe:1d:c8:a9:62:3d:
-         40:ea:ca:c5:34:02:b4:ae:89:88:33:35:dc:2c:13:73:d8:27:
-         f1:d0:72:ee:75:3b:22:de:98:68:66:5b:f1:c6:63:47:55:1c:
-         ba:a5:08:51:75:a6:48:25
------BEGIN CERTIFICATE-----
-MIIFWjCCA0KgAwIBAgIQbkepxUtHDA3sM9CJuRz04TANBgkqhkiG9w0BAQwFADBH
-MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
-QzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIy
-MDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNl
-cnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaM
-f/vo27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vX
-mX7wCl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7
-zUjwTcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0P
-fyblqAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtc
-vfaHszVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4
-Zor8Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUsp
-zBmkMiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOO
-Rc92wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYW
-k70paDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+
-DVrNVjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgF
-lQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
-HQ4EFgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBADiW
-Cu49tJYeX++dnAsznyvgyv3SjgofQXSlfKqE1OXyHuY3UjKcC9FhHb8owbZEKTV1
-d5iyfNm9dKyKaOOpMQkpAWBz40d8U6iQSifvS9efk+eCNs6aaAyC58/UEBZvXw6Z
-XPYfcX3v73svfuo21pdwCxXu11xWajOl40k4DLh9+42FpLFZXvRq4d2h9mREruZR
-gyFmxhE+885H7pwoHyXa/6xmld01D1zvICxi/ZG6qcz8WpyTgYMpl0p8WnK0OdC3
-d8t5/Wk6kjftbjhlRn7pYL15iJdfOBL07q9bgsiG1eGZbYwE8na6SfZu6W0eX6Dv
-J4J2QPim01hcDyxC2kLGe4g0x8HYRZvBPsVhHdljUEn2NIVq4BjFbkerQUIpm/Zg
-DdIx02OYI5NaAIFItO/Nis3Jz5nu2Z6qNuFoS3FJFDYoOj0dzpqPJeaAcWErtXvM
-+SUWgeExX6GjfhaknBZqlxi9dnKlC54dNuYvoS++cJEPqOba+MSSQGwlfnuzCdyy
-F62ARPBopY+Udf90WuioAnwMCeKpSwughQtiue+hMZL77/ZRBIls6Kl0obsXs7X9
-SQ98POyDGCBDTtWTurQ0sR8WNh8M5mQ5Fkzc4P4dyKliPUDqysU0ArSuiYgzNdws
-E3PYJ/HQcu51OyLemGhmW/HGY0dVHLqlCFF1pkgl
------END CERTIFICATE-----
diff --git a/certs/GTS-CA-1P5.pem b/certs/GTS-CA-1P5.pem
deleted file mode 100644
index 5be738d..0000000
--- a/certs/GTS-CA-1P5.pem
+++ /dev/null
@@ -1,238 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            02:03:bc:50:a3:27:53:f0:91:80:22:ed:f1
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=Google Trust Services LLC, CN=GTS Root R1
-        Validity
-            Not Before: Aug 13 00:00:42 2020 GMT
-            Not After : Sep 30 00:00:42 2027 GMT
-        Subject: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b3:82:f0:24:8c:bf:2d:87:af:b2:d9:a7:ae:fa:
-                    ca:ba:44:d6:5b:3e:fe:b2:f7:b2:65:16:dc:de:10:
-                    e8:4f:2d:10:58:5a:28:86:87:a1:ee:6a:b3:a0:d9:
-                    75:4f:7f:a1:52:01:8b:55:a8:4a:5b:06:48:c8:36:
-                    12:25:ab:89:f9:f2:23:5f:9d:60:65:f9:5c:da:be:
-                    3a:e8:5c:6d:7d:9c:d0:84:18:85:30:cd:4e:9b:ec:
-                    3c:d8:b3:e1:96:d4:f3:c5:0b:65:db:8f:b0:74:cb:
-                    f6:1e:f3:78:f1:ac:95:c5:dd:73:c3:31:88:81:af:
-                    74:aa:6f:fd:0c:e3:05:95:f0:c5:10:4f:65:63:fa:
-                    a0:af:c6:18:3d:c5:a1:df:97:79:d7:05:89:b3:30:
-                    b0:74:ae:3d:92:10:6b:8c:15:77:dd:0b:04:57:fb:
-                    81:03:dd:ea:22:34:d5:e5:56:b2:f0:c4:8d:41:b1:
-                    c3:02:db:62:ec:80:d0:ff:76:d4:86:e4:04:1a:b6:
-                    b6:0c:2b:62:71:7d:d9:af:d9:f1:5e:fa:c0:1e:ca:
-                    a0:19:5c:55:f0:80:d1:2a:0c:07:86:90:9f:35:e3:
-                    28:2b:5b:ef:23:c8:a3:1d:a4:a3:3a:ee:fe:83:dc:
-                    82:4c:25:b0:4d:c5:51:ad:9e:9b:d3:5b:84:c2:1a:
-                    5a:e9
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                D5:FC:9E:0D:DF:1E:CA:DD:08:97:97:6E:2B:C5:5F:C5:2B:F5:EC:B8
-            X509v3 Authority Key Identifier: 
-                E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.pki.goog/gtsr1
-                CA Issuers - URI:http://pki.goog/repo/certs/gtsr1.der
-            X509v3 CRL Distribution Points: 
-                Full Name:
-                  URI:http://crl.pki.goog/gtsr1/gtsr1.crl
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.11129.2.5.3
-                  CPS: https://pki.goog/repository/
-                Policy: 2.23.140.1.2.1
-    Signature Algorithm: sha256WithRSAEncryption
-    Signature Value:
-        6c:63:27:ee:23:df:e5:52:68:4d:81:66:91:85:df:7d:65:e5:
-        5b:37:31:08:26:b2:07:5d:9a:be:b1:ca:01:b9:ad:bf:9d:77:
-        f6:51:1d:d7:98:c5:0b:49:a1:7b:a1:d7:d3:68:e5:44:0f:8b:
-        ba:36:dd:42:82:77:d2:8d:dd:f5:3f:fb:eb:c8:07:98:93:ee:
-        5a:d0:b5:3d:de:4b:1c:2d:8c:4d:ec:7e:8c:7b:fe:4e:40:fd:
-        f0:b4:b3:59:02:10:51:5c:e3:c0:2b:fd:b7:06:48:51:7e:09:
-        5e:3f:0f:dc:a7:fe:97:e7:79:c5:0e:44:89:78:c5:69:59:29:
-        a0:9a:3a:48:36:29:a6:94:93:55:2d:b8:47:b5:e9:96:b5:9f:
-        07:cd:a6:ab:3e:32:8a:c0:86:83:c5:c1:41:c8:9f:2f:35:8e:
-        0d:c0:07:7a:e1:ac:c9:65:b5:cb:8a:a7:dd:71:d8:61:65:39:
-        84:ac:32:3e:f7:7a:36:f1:56:9f:57:a9:41:6d:5a:90:a7:db:
-        3a:ea:75:80:0c:63:0b:69:74:6f:07:4c:15:f3:37:28:a5:19:
-        a4:6e:f5:f6:20:cd:63:b2:7e:c4:2b:09:75:89:da:d1:3c:2e:
-        72:4f:36:1a:a1:9e:44:d0:cd:9b:a6:23:08:3f:97:a1:a7:9e:
-        5a:a5:f7:09:94:ad:5d:76:5d:28:56:d1:1a:66:51:51:07:7b:
-        de:3d:b0:c8:ef:30:7a:24:2d:be:b8:b3:86:f6:4b:f7:f0:b5:
-        4f:ff:ce:c6:f9:f6:3f:2a:27:08:0f:09:3e:23:5a:c7:e3:42:
-        2d:7a:36:e4:3d:98:96:60:39:98:ea:d1:db:63:2a:eb:78:09:
-        b1:4e:21:b3:8e:b7:ce:3e:92:f1:95:5c:a4:39:d0:c0:2b:c8:
-        53:15:f5:d2:2f:82:cd:06:74:67:99:90:77:37:0a:97:2d:c5:
-        1c:1e:f4:d0:5b:e9:15:e3:ea:02:09:c8:13:d7:13:70:65:bf:
-        fb:88:9b:5a:25:be:77:09:e1:a7:6a:4e:11:75:b9:1e:4d:f1:
-        00:1b:6a:66:79:8e:c3:6e:d8:6d:a2:22:a2:6d:05:fb:2c:f2:
-        f1:50:e5:a0:d1:d8:9f:35:7d:fc:70:ab:59:2a:02:f1:be:b0:
-        d3:f1:f8:cd:12:b9:6a:25:90:5b:e3:85:20:e6:f5:da:cb:40:
-        1c:19:34:20:03:61:77:ba:7f:48:0f:49:0b:29:eb:e7:61:64:
-        c7:63:d1:47:eb:1c:e1:ee:94:46:ef:39:73:cc:ee:4f:2b:8d:
-        dc:fb:58:a7:b3:65:20:99:95:b9:fb:55:6f:d7:96:6e:94:3d:
-        f4:7a:92:8e:63:1d:df:6d
------BEGIN CERTIFICATE-----
-MIIFjDCCA3SgAwIBAgINAgO8UKMnU/CRgCLt8TANBgkqhkiG9w0BAQsFADBHMQsw
-CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
-MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjAwODEzMDAwMDQyWhcNMjcwOTMwMDAw
-MDQyWjBGMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
-Y2VzIExMQzETMBEGA1UEAxMKR1RTIENBIDFQNTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBALOC8CSMvy2Hr7LZp676yrpE1ls+/rL3smUW3N4Q6E8tEFha
-KIaHoe5qs6DZdU9/oVIBi1WoSlsGSMg2EiWrifnyI1+dYGX5XNq+OuhcbX2c0IQY
-hTDNTpvsPNiz4ZbU88ULZduPsHTL9h7zePGslcXdc8MxiIGvdKpv/QzjBZXwxRBP
-ZWP6oK/GGD3Fod+XedcFibMwsHSuPZIQa4wVd90LBFf7gQPd6iI01eVWsvDEjUGx
-wwLbYuyA0P921IbkBBq2tgwrYnF92a/Z8V76wB7KoBlcVfCA0SoMB4aQnzXjKCtb
-7yPIox2kozru/oPcgkwlsE3FUa2em9NbhMIaWukCAwEAAaOCAXYwggFyMA4GA1Ud
-DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0T
-AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU1fyeDd8eyt0Il5duK8VfxSv17LgwHwYD
-VR0jBBgwFoAU5K8rJnEaK0gnhS9SZizv8IkTcT4waAYIKwYBBQUHAQEEXDBaMCYG
-CCsGAQUFBzABhhpodHRwOi8vb2NzcC5wa2kuZ29vZy9ndHNyMTAwBggrBgEFBQcw
-AoYkaHR0cDovL3BraS5nb29nL3JlcG8vY2VydHMvZ3RzcjEuZGVyMDQGA1UdHwQt
-MCswKaAnoCWGI2h0dHA6Ly9jcmwucGtpLmdvb2cvZ3RzcjEvZ3RzcjEuY3JsME0G
-A1UdIARGMEQwOAYKKwYBBAHWeQIFAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3Br
-aS5nb29nL3JlcG9zaXRvcnkvMAgGBmeBDAECATANBgkqhkiG9w0BAQsFAAOCAgEA
-bGMn7iPf5VJoTYFmkYXffWXlWzcxCCayB12avrHKAbmtv5139lEd15jFC0mhe6HX
-02jlRA+LujbdQoJ30o3d9T/768gHmJPuWtC1Pd5LHC2MTex+jHv+TkD98LSzWQIQ
-UVzjwCv9twZIUX4JXj8P3Kf+l+d5xQ5EiXjFaVkpoJo6SDYpppSTVS24R7XplrWf
-B82mqz4yisCGg8XBQcifLzWODcAHeuGsyWW1y4qn3XHYYWU5hKwyPvd6NvFWn1ep
-QW1akKfbOup1gAxjC2l0bwdMFfM3KKUZpG719iDNY7J+xCsJdYna0Twuck82GqGe
-RNDNm6YjCD+XoaeeWqX3CZStXXZdKFbRGmZRUQd73j2wyO8weiQtvrizhvZL9/C1
-T//Oxvn2PyonCA8JPiNax+NCLXo25D2YlmA5mOrR22Mq63gJsU4hs463zj6S8ZVc
-pDnQwCvIUxX10i+CzQZ0Z5mQdzcKly3FHB700FvpFePqAgnIE9cTcGW/+4ibWiW+
-dwnhp2pOEXW5Hk3xABtqZnmOw27YbaIiom0F+yzy8VDloNHYnzV9/HCrWSoC8b6w
-0/H4zRK5aiWQW+OFIOb12stAHBk0IANhd7p/SA9JCynr52Fkx2PRR+sc4e6URu85
-c8zuTyuN3PtYp7NlIJmVuftVb9eWbpQ99HqSjmMd320=
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            02:03:e5:93:6f:31:b0:13:49:88:6b:a2:17
-        Signature Algorithm: sha384WithRSAEncryption
-        Issuer: C=US, O=Google Trust Services LLC, CN=GTS Root R1
-        Validity
-            Not Before: Jun 22 00:00:00 2016 GMT
-            Not After : Jun 22 00:00:00 2036 GMT
-        Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:b6:11:02:8b:1e:e3:a1:77:9b:3b:dc:bf:94:3e:
-                    b7:95:a7:40:3c:a1:fd:82:f9:7d:32:06:82:71:f6:
-                    f6:8c:7f:fb:e8:db:bc:6a:2e:97:97:a3:8c:4b:f9:
-                    2b:f6:b1:f9:ce:84:1d:b1:f9:c5:97:de:ef:b9:f2:
-                    a3:e9:bc:12:89:5e:a7:aa:52:ab:f8:23:27:cb:a4:
-                    b1:9c:63:db:d7:99:7e:f0:0a:5e:eb:68:a6:f4:c6:
-                    5a:47:0d:4d:10:33:e3:4e:b1:13:a3:c8:18:6c:4b:
-                    ec:fc:09:90:df:9d:64:29:25:23:07:a1:b4:d2:3d:
-                    2e:60:e0:cf:d2:09:87:bb:cd:48:f0:4d:c2:c2:7a:
-                    88:8a:bb:ba:cf:59:19:d6:af:8f:b0:07:b0:9e:31:
-                    f1:82:c1:c0:df:2e:a6:6d:6c:19:0e:b5:d8:7e:26:
-                    1a:45:03:3d:b0:79:a4:94:28:ad:0f:7f:26:e5:a8:
-                    08:fe:96:e8:3c:68:94:53:ee:83:3a:88:2b:15:96:
-                    09:b2:e0:7a:8c:2e:75:d6:9c:eb:a7:56:64:8f:96:
-                    4f:68:ae:3d:97:c2:84:8f:c0:bc:40:c0:0b:5c:bd:
-                    f6:87:b3:35:6c:ac:18:50:7f:84:e0:4c:cd:92:d3:
-                    20:e9:33:bc:52:99:af:32:b5:29:b3:25:2a:b4:48:
-                    f9:72:e1:ca:64:f7:e6:82:10:8d:e8:9d:c2:8a:88:
-                    fa:38:66:8a:fc:63:f9:01:f9:78:fd:7b:5c:77:fa:
-                    76:87:fa:ec:df:b1:0e:79:95:57:b4:bd:26:ef:d6:
-                    01:d1:eb:16:0a:bb:8e:0b:b5:c5:c5:8a:55:ab:d3:
-                    ac:ea:91:4b:29:cc:19:a4:32:25:4e:2a:f1:65:44:
-                    d0:02:ce:aa:ce:49:b4:ea:9f:7c:83:b0:40:7b:e7:
-                    43:ab:a7:6c:a3:8f:7d:89:81:fa:4c:a5:ff:d5:8e:
-                    c3:ce:4b:e0:b5:d8:b3:8e:45:cf:76:c0:ed:40:2b:
-                    fd:53:0f:b0:a7:d5:3b:0d:b1:8a:a2:03:de:31:ad:
-                    cc:77:ea:6f:7b:3e:d6:df:91:22:12:e6:be:fa:d8:
-                    32:fc:10:63:14:51:72:de:5d:d6:16:93:bd:29:68:
-                    33:ef:3a:66:ec:07:8a:26:df:13:d7:57:65:78:27:
-                    de:5e:49:14:00:a2:00:7f:9a:a8:21:b6:a9:b1:95:
-                    b0:a5:b9:0d:16:11:da:c7:6c:48:3c:40:e0:7e:0d:
-                    5a:cd:56:3c:d1:97:05:b9:cb:4b:ed:39:4b:9c:c4:
-                    3f:d2:55:13:6e:24:b0:d6:71:fa:f4:c1:ba:cc:ed:
-                    1b:f5:fe:81:41:d8:00:98:3d:3a:c8:ae:7a:98:37:
-                    18:05:95
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E
-    Signature Algorithm: sha384WithRSAEncryption
-    Signature Value:
-        9f:aa:42:26:db:0b:9b:be:ff:1e:96:92:2e:3e:a2:65:4a:6a:
-        98:ba:22:cb:7d:c1:3a:d8:82:0a:06:c6:f6:a5:de:c0:4e:87:
-        66:79:a1:f9:a6:58:9c:aa:f9:b5:e6:60:e7:e0:e8:b1:1e:42:
-        41:33:0b:37:3d:ce:89:70:15:ca:b5:24:a8:cf:6b:b5:d2:40:
-        21:98:cf:22:34:cf:3b:c5:22:84:e0:c5:0e:8a:7c:5d:88:e4:
-        35:24:ce:9b:3e:1a:54:1e:6e:db:b2:87:a7:fc:f3:fa:81:55:
-        14:62:0a:59:a9:22:05:31:3e:82:d6:ee:db:57:34:bc:33:95:
-        d3:17:1b:e8:27:a2:8b:7b:4e:26:1a:7a:5a:64:b6:d1:ac:37:
-        f1:fd:a0:f3:38:ec:72:f0:11:75:9d:cb:34:52:8d:e6:76:6b:
-        17:c6:df:86:ab:27:8e:49:2b:75:66:81:10:21:a6:ea:3e:f4:
-        ae:25:ff:7c:15:de:ce:8c:25:3f:ca:62:70:0a:f7:2f:09:66:
-        07:c8:3f:1c:fc:f0:db:45:30:df:62:88:c1:b5:0f:9d:c3:9f:
-        4a:de:59:59:47:c5:87:22:36:e6:82:a7:ed:0a:b9:e2:07:a0:
-        8d:7b:7a:4a:3c:71:d2:e2:03:a1:1f:32:07:dd:1b:e4:42:ce:
-        0c:00:45:61:80:b5:0b:20:59:29:78:bd:f9:55:cb:63:c5:3c:
-        4c:f4:b6:ff:db:6a:5f:31:6b:99:9e:2c:c1:6b:50:a4:d7:e6:
-        18:14:bd:85:3f:67:ab:46:9f:a0:ff:42:a7:3a:7f:5c:cb:5d:
-        b0:70:1d:2b:34:f5:d4:76:09:0c:eb:78:4c:59:05:f3:33:42:
-        c3:61:15:10:1b:77:4d:ce:22:8c:d4:85:f2:45:7d:b7:53:ea:
-        ef:40:5a:94:0a:5c:20:5f:4e:40:5d:62:22:76:df:ff:ce:61:
-        bd:8c:23:78:d2:37:02:e0:8e:de:d1:11:37:89:f6:bf:ed:49:
-        07:62:ae:92:ec:40:1a:af:14:09:d9:d0:4e:b2:a2:f7:be:ee:
-        ee:d8:ff:dc:1a:2d:de:b8:36:71:e2:fc:79:b7:94:25:d1:48:
-        73:5b:a1:35:e7:b3:99:67:75:c1:19:3a:2b:47:4e:d3:42:8e:
-        fd:31:c8:16:66:da:d2:0c:3c:db:b3:8e:c9:a1:0d:80:0f:7b:
-        16:77:14:bf:ff:db:09:94:b2:93:bc:20:58:15:e9:db:71:43:
-        f3:de:10:c3:00:dc:a8:2a:95:b6:c2:d6:3f:90:6b:76:db:6c:
-        fe:8c:bc:f2:70:35:0c:dc:99:19:35:dc:d7:c8:46:63:d5:36:
-        71:ae:57:fb:b7:82:6d:dc
------BEGIN CERTIFICATE-----
-MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
-CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
-MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
-MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
-Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
-A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
-27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
-Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
-TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
-qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
-szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
-Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
-MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
-wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
-aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
-VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
-AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
-FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
-C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
-QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
-h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
-7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
-ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
-MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
-Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
-6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
-0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
-2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
-bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
------END CERTIFICATE-----
diff --git a/certs/GTS-Root-R1.pem b/certs/GTS-Root-R1.pem
new file mode 100644
index 0000000..a6095d2
--- /dev/null
+++ b/certs/GTS-Root-R1.pem
@@ -0,0 +1,38 @@
+# Issuer: CN=GTS Root R1 O=Google Trust Services LLC
+# Subject: CN=GTS Root R1 O=Google Trust Services LLC
+# Label: "GTS Root R1"
+# Serial: 159662320309726417404178440727
+# MD5 Fingerprint: 05:fe:d0:bf:71:a8:a3:76:63:da:01:e0:d8:52:dc:40
+# SHA1 Fingerprint: e5:8c:1c:c4:91:3b:38:63:4b:e9:10:6e:e3:ad:8e:6b:9d:d9:81:4a
+# SHA256 Fingerprint: d9:47:43:2a:bd:e7:b7:fa:90:fc:2e:6b:59:10:1b:12:80:e0:e1:c7:e4:e4:0f:a3:c6:88:7f:ff:57:a7:f4:cf
+-----BEGIN CERTIFICATE-----
+MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
+CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
+MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
+MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
+Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
+A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
+27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
+Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
+TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
+qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
+szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
+Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
+MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
+wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
+aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
+VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
+AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
+FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
+C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
+QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
+h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
+7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
+ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
+MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
+Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
+6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
+0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
+2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
+bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
+-----END CERTIFICATE-----
diff --git a/doc/netwatch-dns.md b/doc/netwatch-dns.md
index 443106f..3214368 100644
--- a/doc/netwatch-dns.md
+++ b/doc/netwatch-dns.md
@@ -64,7 +64,7 @@ the repository (see `certs` sub directory).
 
     /tool/netwatch/add comment="doh, doh-cert=DigiCert Global G2 TLS RSA SHA256 2020 CA1" host=1.1.1.1;
     /tool/netwatch/add comment="doh, doh-cert=DigiCert TLS Hybrid ECC SHA384 2020 CA1" host=9.9.9.9;
-    /tool/netwatch/add comment="doh, doh-cert=GTS CA 1C3" host=8.8.8.8;
+    /tool/netwatch/add comment="doh, doh-cert=GTS Root R1" host=8.8.8.8;
 
 Sometimes using just one specific (possibly internal) DNS server may be
 desired, with fallback in case it fails. This is possible as well:
diff --git a/global-functions.rsc b/global-functions.rsc
index 567444e..ca8ecb1 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -509,7 +509,7 @@
   }
 
   :do {
-    :if ([ $CertificateAvailable "GTS CA 1P5" ] = false) do={
+    :if ([ $CertificateAvailable "GTS Root R1" ] = false) do={
       $LogPrint warning $0 ("Downloading required certificate failed.");
       :error false;
     }

From 588dacb5af93819021b71a88f200464359dee701 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 10:47:42 +0200
Subject: [PATCH 08/11] certs: Go Daddy Secure Certificate Authority - G2 -> Go
 Daddy Root Certificate Authority - G2

---
 ...Go-Daddy-Root-Certificate-Authority-G2.pem |  30 +++
 ...-Daddy-Secure-Certificate-Authority-G2.pem | 178 ------------------
 mod/notification-telegram.rsc                 |   2 +-
 telegram-chat.rsc                             |   2 +-
 4 files changed, 32 insertions(+), 180 deletions(-)
 create mode 100644 certs/Go-Daddy-Root-Certificate-Authority-G2.pem
 delete mode 100644 certs/Go-Daddy-Secure-Certificate-Authority-G2.pem

diff --git a/certs/Go-Daddy-Root-Certificate-Authority-G2.pem b/certs/Go-Daddy-Root-Certificate-Authority-G2.pem
new file mode 100644
index 0000000..c61f300
--- /dev/null
+++ b/certs/Go-Daddy-Root-Certificate-Authority-G2.pem
@@ -0,0 +1,30 @@
+# Issuer: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
+# Subject: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
+# Label: "Go Daddy Root Certificate Authority - G2"
+# Serial: 0
+# MD5 Fingerprint: 80:3a:bc:22:c1:e6:fb:8d:9b:3b:27:4a:32:1b:9a:01
+# SHA1 Fingerprint: 47:be:ab:c9:22:ea:e8:0e:78:78:34:62:a7:9f:45:c2:54:fd:e6:8b
+# SHA256 Fingerprint: 45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7:32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
+NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
+AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
+E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
+/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
+DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
+GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
+tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
+AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
+WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
+9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
+gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
+2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
+LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
+4uJEvlz36hz1
+-----END CERTIFICATE-----
diff --git a/certs/Go-Daddy-Secure-Certificate-Authority-G2.pem b/certs/Go-Daddy-Secure-Certificate-Authority-G2.pem
deleted file mode 100644
index 4faba90..0000000
--- a/certs/Go-Daddy-Secure-Certificate-Authority-G2.pem
+++ /dev/null
@@ -1,178 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 7 (0x7)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-        Validity
-            Not Before: May  3 07:00:00 2011 GMT
-            Not After : May  3 07:00:00 2031 GMT
-        Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:b9:e0:cb:10:d4:af:76:bd:d4:93:62:eb:30:64:
-                    b8:81:08:6c:c3:04:d9:62:17:8e:2f:ff:3e:65:cf:
-                    8f:ce:62:e6:3c:52:1c:da:16:45:4b:55:ab:78:6b:
-                    63:83:62:90:ce:0f:69:6c:99:c8:1a:14:8b:4c:cc:
-                    45:33:ea:88:dc:9e:a3:af:2b:fe:80:61:9d:79:57:
-                    c4:cf:2e:f4:3f:30:3c:5d:47:fc:9a:16:bc:c3:37:
-                    96:41:51:8e:11:4b:54:f8:28:be:d0:8c:be:f0:30:
-                    38:1e:f3:b0:26:f8:66:47:63:6d:de:71:26:47:8f:
-                    38:47:53:d1:46:1d:b4:e3:dc:00:ea:45:ac:bd:bc:
-                    71:d9:aa:6f:00:db:db:cd:30:3a:79:4f:5f:4c:47:
-                    f8:1d:ef:5b:c2:c4:9d:60:3b:b1:b2:43:91:d8:a4:
-                    33:4e:ea:b3:d6:27:4f:ad:25:8a:a5:c6:f4:d5:d0:
-                    a6:ae:74:05:64:57:88:b5:44:55:d4:2d:2a:3a:3e:
-                    f8:b8:bd:e9:32:0a:02:94:64:c4:16:3a:50:f1:4a:
-                    ae:e7:79:33:af:0c:20:07:7f:e8:df:04:39:c2:69:
-                    02:6c:63:52:fa:77:c1:1b:c8:74:87:c8:b9:93:18:
-                    50:54:35:4b:69:4e:bc:3b:d3:49:2e:1f:dc:c1:d2:
-                    52:fb
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
-            X509v3 Authority Key Identifier: 
-                keyid:3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
-
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.godaddy.com/
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.godaddy.com/gdroot-g2.crl
-
-            X509v3 Certificate Policies: 
-                Policy: X509v3 Any Policy
-                  CPS: https://certs.godaddy.com/repository/
-
-    Signature Algorithm: sha256WithRSAEncryption
-         08:7e:6c:93:10:c8:38:b8:96:a9:90:4b:ff:a1:5f:4f:04:ef:
-         6c:3e:9c:88:06:c9:50:8f:a6:73:f7:57:31:1b:be:bc:e4:2f:
-         db:f8:ba:d3:5b:e0:b4:e7:e6:79:62:0e:0c:a2:d7:6a:63:73:
-         31:b5:f5:a8:48:a4:3b:08:2d:a2:5d:90:d7:b4:7c:25:4f:11:
-         56:30:c4:b6:44:9d:7b:2c:9d:e5:5e:e6:ef:0c:61:aa:bf:e4:
-         2a:1b:ee:84:9e:b8:83:7d:c1:43:ce:44:a7:13:70:0d:91:1f:
-         f4:c8:13:ad:83:60:d9:d8:72:a8:73:24:1e:b5:ac:22:0e:ca:
-         17:89:62:58:44:1b:ab:89:25:01:00:0f:cd:c4:1b:62:db:51:
-         b4:d3:0f:51:2a:9b:f4:bc:73:fc:76:ce:36:a4:cd:d9:d8:2c:
-         ea:ae:9b:f5:2a:b2:90:d1:4d:75:18:8a:3f:8a:41:90:23:7d:
-         5b:4b:fe:a4:03:58:9b:46:b2:c3:60:60:83:f8:7d:50:41:ce:
-         c2:a1:90:c3:bb:ef:02:2f:d2:15:54:ee:44:15:d9:0a:ae:a7:
-         8a:33:ed:b1:2d:76:36:26:dc:04:eb:9f:f7:61:1f:15:dc:87:
-         6f:ee:46:96:28:ad:a1:26:7d:0a:09:a7:2e:04:a3:8d:bc:f8:
-         bc:04:30:01
------BEGIN CERTIFICATE-----
-MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
-MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
-CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
-EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
-BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
-K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
-cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
-pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
-eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
-AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
-HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
-9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
-b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
-b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
-CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
-MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
-91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
-RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
-DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
-GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
-LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-        Validity
-            Not Before: Sep  1 00:00:00 2009 GMT
-            Not After : Dec 31 23:59:59 2037 GMT
-        Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:bf:71:62:08:f1:fa:59:34:f7:1b:c9:18:a3:f7:
-                    80:49:58:e9:22:83:13:a6:c5:20:43:01:3b:84:f1:
-                    e6:85:49:9f:27:ea:f6:84:1b:4e:a0:b4:db:70:98:
-                    c7:32:01:b1:05:3e:07:4e:ee:f4:fa:4f:2f:59:30:
-                    22:e7:ab:19:56:6b:e2:80:07:fc:f3:16:75:80:39:
-                    51:7b:e5:f9:35:b6:74:4e:a9:8d:82:13:e4:b6:3f:
-                    a9:03:83:fa:a2:be:8a:15:6a:7f:de:0b:c3:b6:19:
-                    14:05:ca:ea:c3:a8:04:94:3b:46:7c:32:0d:f3:00:
-                    66:22:c8:8d:69:6d:36:8c:11:18:b7:d3:b2:1c:60:
-                    b4:38:fa:02:8c:ce:d3:dd:46:07:de:0a:3e:eb:5d:
-                    7c:c8:7c:fb:b0:2b:53:a4:92:62:69:51:25:05:61:
-                    1a:44:81:8c:2c:a9:43:96:23:df:ac:3a:81:9a:0e:
-                    29:c5:1c:a9:e9:5d:1e:b6:9e:9e:30:0a:39:ce:f1:
-                    88:80:fb:4b:5d:cc:32:ec:85:62:43:25:34:02:56:
-                    27:01:91:b4:3b:70:2a:3f:6e:b1:e8:9c:88:01:7d:
-                    9f:d4:f9:db:53:6d:60:9d:bf:2c:e7:58:ab:b8:5f:
-                    46:fc:ce:c4:1b:03:3c:09:eb:49:31:5c:69:46:b3:
-                    e0:47
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
-    Signature Algorithm: sha256WithRSAEncryption
-         99:db:5d:79:d5:f9:97:59:67:03:61:f1:7e:3b:06:31:75:2d:
-         a1:20:8e:4f:65:87:b4:f7:a6:9c:bc:d8:e9:2f:d0:db:5a:ee:
-         cf:74:8c:73:b4:38:42:da:05:7b:f8:02:75:b8:fd:a5:b1:d7:
-         ae:f6:d7:de:13:cb:53:10:7e:8a:46:d1:97:fa:b7:2e:2b:11:
-         ab:90:b0:27:80:f9:e8:9f:5a:e9:37:9f:ab:e4:df:6c:b3:85:
-         17:9d:3d:d9:24:4f:79:91:35:d6:5f:04:eb:80:83:ab:9a:02:
-         2d:b5:10:f4:d8:90:c7:04:73:40:ed:72:25:a0:a9:9f:ec:9e:
-         ab:68:12:99:57:c6:8f:12:3a:09:a4:bd:44:fd:06:15:37:c1:
-         9b:e4:32:a3:ed:38:e8:d8:64:f3:2c:7e:14:fc:02:ea:9f:cd:
-         ff:07:68:17:db:22:90:38:2d:7a:8d:d1:54:f1:69:e3:5f:33:
-         ca:7a:3d:7b:0a:e3:ca:7f:5f:39:e5:e2:75:ba:c5:76:18:33:
-         ce:2c:f0:2f:4c:ad:f7:b1:e7:ce:4f:a8:c4:9b:4a:54:06:c5:
-         7f:7d:d5:08:0f:e2:1c:fe:7e:17:b8:ac:5e:f6:d4:16:b2:43:
-         09:0c:4d:f6:a7:6b:b4:99:84:65:ca:7a:88:e2:e2:44:be:5c:
-         f7:ea:1c:f5
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
-NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
-AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
-E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
-/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
-DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
-GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
-tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
-AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
-FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
-WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
-9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
-gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
-2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
-LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
-4uJEvlz36hz1
------END CERTIFICATE-----
diff --git a/mod/notification-telegram.rsc b/mod/notification-telegram.rsc
index 9a628ce..1890483 100644
--- a/mod/notification-telegram.rsc
+++ b/mod/notification-telegram.rsc
@@ -143,7 +143,7 @@
   }
 
   :do {
-    :if ([ $CertificateAvailable "Go Daddy Secure Certificate Authority - G2" ] = false) do={
+    :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
       $LogPrint warning $0 ("Downloading required certificate failed.");
       :error false;
     }
diff --git a/telegram-chat.rsc b/telegram-chat.rsc
index 0fd8a06..1c274ec 100644
--- a/telegram-chat.rsc
+++ b/telegram-chat.rsc
@@ -55,7 +55,7 @@
     :set TelegramRandomDelay 0;
   }
 
-  :if ([ $CertificateAvailable "Go Daddy Secure Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
     $LogPrint warning $ScriptName ("Downloading required certificate failed.");
     :error false;
   }

From a05efdc07fa912d0d17f4994ee9e892b51030be1 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 10:55:13 +0200
Subject: [PATCH 09/11] certs: DigiCert Global G2 TLS RSA SHA256 2020 CA1 ->
 DigiCert Global Root G2

This is used by Cloudflare DNS (1.1.1.1).

$CertificateAvailable "DigiCert Global Root G2";
/ip/dns/set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes;
---
 ...Cert-Global-G2-TLS-RSA-SHA256-2020-CA1.pem | 182 ------------------
 certs/DigiCert-Global-Root-G2.pem             |  29 +++
 doc/netwatch-dns.md                           |   2 +-
 3 files changed, 30 insertions(+), 183 deletions(-)
 delete mode 100644 certs/DigiCert-Global-G2-TLS-RSA-SHA256-2020-CA1.pem
 create mode 100644 certs/DigiCert-Global-Root-G2.pem

diff --git a/certs/DigiCert-Global-G2-TLS-RSA-SHA256-2020-CA1.pem b/certs/DigiCert-Global-G2-TLS-RSA-SHA256-2020-CA1.pem
deleted file mode 100644
index 12084ee..0000000
--- a/certs/DigiCert-Global-G2-TLS-RSA-SHA256-2020-CA1.pem
+++ /dev/null
@@ -1,182 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            0c:f5:bd:06:2b:56:02:f4:7a:b8:50:2c:23:cc:f0:66
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
-        Validity
-            Not Before: Mar 30 00:00:00 2021 GMT
-            Not After : Mar 29 23:59:59 2031 GMT
-        Subject: C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:cc:f7:10:62:4f:a6:bb:63:6f:ed:90:52:56:c5:
-                    6d:27:7b:7a:12:56:8a:f1:f4:f9:d6:e7:e1:8f:bd:
-                    95:ab:f2:60:41:15:70:db:12:00:fa:27:0a:b5:57:
-                    38:5b:7d:b2:51:93:71:95:0e:6a:41:94:5b:35:1b:
-                    fa:7b:fa:bb:c5:be:24:30:fe:56:ef:c4:f3:7d:97:
-                    e3:14:f5:14:4d:cb:a7:10:f2:16:ea:ab:22:f0:31:
-                    22:11:61:69:90:26:ba:78:d9:97:1f:e3:7d:66:ab:
-                    75:44:95:73:c8:ac:ff:ef:5d:0a:8a:59:43:e1:ac:
-                    b2:3a:0f:f3:48:fc:d7:6b:37:c1:63:dc:de:46:d6:
-                    db:45:fe:7d:23:fd:90:e8:51:07:1e:51:a3:5f:ed:
-                    49:46:54:7f:2c:88:c5:f4:13:9c:97:15:3c:03:e8:
-                    a1:39:dc:69:0c:32:c1:af:16:57:4c:94:47:42:7c:
-                    a2:c8:9c:7d:e6:d4:4d:54:af:42:99:a8:c1:04:c2:
-                    77:9c:d6:48:e4:ce:11:e0:2a:80:99:f0:43:70:cf:
-                    3f:76:6b:d1:4c:49:ab:24:5e:c2:0d:82:fd:46:a8:
-                    ab:6c:93:cc:62:52:42:75:92:f8:9a:fa:5e:5e:b2:
-                    b0:61:e5:1f:1f:b9:7f:09:98:e8:3d:fa:83:7f:47:
-                    69:a1
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                74:85:80:C0:66:C7:DF:37:DE:CF:BD:29:37:AA:03:1D:BE:ED:CD:17
-            X509v3 Authority Key Identifier: 
-                4E:22:54:20:18:95:E6:E3:6E:E6:0F:FA:FA:B9:12:ED:06:17:8F:39
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.digicert.com
-                CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
-            X509v3 CRL Distribution Points: 
-                Full Name:
-                  URI:http://crl3.digicert.com/DigiCertGlobalRootG2.crl
-            X509v3 Certificate Policies: 
-                Policy: 2.16.840.1.114412.2.1
-                Policy: 2.23.140.1.1
-                Policy: 2.23.140.1.2.1
-                Policy: 2.23.140.1.2.2
-                Policy: 2.23.140.1.2.3
-    Signature Algorithm: sha256WithRSAEncryption
-    Signature Value:
-        90:f1:70:cb:28:97:69:97:7c:74:fd:c0:fa:26:7b:53:ab:ad:
-        cd:65:fd:ba:9c:06:9c:8a:d7:5a:43:87:ed:4d:4c:56:5f:ad:
-        c1:c5:b5:05:20:2e:59:d1:ff:4a:f5:a0:2a:d8:b0:95:ad:c9:
-        2e:4a:3b:d7:a7:f6:6f:88:29:fc:30:3f:24:84:bb:c3:b7:7b:
-        93:07:2c:af:87:6b:76:33:ed:00:55:52:b2:59:9e:e4:b9:d0:
-        f3:df:e7:0f:fe:dd:f8:c4:b9:10:72:81:09:04:5f:cf:97:9e:
-        2e:32:75:8e:cf:9a:58:d2:57:31:7e:37:01:81:b2:66:6d:29:
-        1a:b1:66:09:6d:d1:6e:90:f4:b9:fa:2f:01:14:c5:5c:56:64:
-        01:d9:7d:87:a8:38:53:9f:8b:5d:46:6d:5c:c6:27:84:81:d4:
-        7e:8c:8c:a3:9b:52:e7:c6:88:ec:37:7c:2a:fb:f0:55:5a:38:
-        72:10:d8:00:13:cf:4c:73:db:aa:37:35:a8:29:81:69:9c:76:
-        bc:de:18:7b:90:d4:ca:cf:ef:67:03:fd:04:5a:21:16:b1:ff:
-        ea:3f:df:dc:82:f5:eb:f4:59:92:23:0d:24:2a:95:25:4c:ca:
-        a1:91:e6:d4:b7:ac:87:74:b3:f1:6d:a3:99:db:f9:d5:bd:84:
-        40:9f:07:98
------BEGIN CERTIFICATE-----
-MIIEyDCCA7CgAwIBAgIQDPW9BitWAvR6uFAsI8zwZjANBgkqhkiG9w0BAQsFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
-MjAeFw0yMTAzMzAwMDAwMDBaFw0zMTAzMjkyMzU5NTlaMFkxCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMzAxBgNVBAMTKkRpZ2lDZXJ0IEdsb2Jh
-bCBHMiBUTFMgUlNBIFNIQTI1NiAyMDIwIENBMTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAMz3EGJPprtjb+2QUlbFbSd7ehJWivH0+dbn4Y+9lavyYEEV
-cNsSAPonCrVXOFt9slGTcZUOakGUWzUb+nv6u8W+JDD+Vu/E832X4xT1FE3LpxDy
-FuqrIvAxIhFhaZAmunjZlx/jfWardUSVc8is/+9dCopZQ+GssjoP80j812s3wWPc
-3kbW20X+fSP9kOhRBx5Ro1/tSUZUfyyIxfQTnJcVPAPooTncaQwywa8WV0yUR0J8
-osicfebUTVSvQpmowQTCd5zWSOTOEeAqgJnwQ3DPP3Zr0UxJqyRewg2C/Uaoq2yT
-zGJSQnWS+Jr6Xl6ysGHlHx+5fwmY6D36g39HaaECAwEAAaOCAYIwggF+MBIGA1Ud
-EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHSFgMBmx9833s+9KTeqAx2+7c0XMB8G
-A1UdIwQYMBaAFE4iVCAYlebjbuYP+vq5Eu0GF485MA4GA1UdDwEB/wQEAwIBhjAd
-BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYIKwYBBQUHAQEEajBoMCQG
-CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQAYIKwYBBQUHMAKG
-NGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RH
-Mi5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29t
-L0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNybDA9BgNVHSAENjA0MAsGCWCGSAGG/WwC
-ATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgGBmeBDAECAzANBgkqhkiG
-9w0BAQsFAAOCAQEAkPFwyyiXaZd8dP3A+iZ7U6utzWX9upwGnIrXWkOH7U1MVl+t
-wcW1BSAuWdH/SvWgKtiwla3JLko716f2b4gp/DA/JIS7w7d7kwcsr4drdjPtAFVS
-slme5LnQ89/nD/7d+MS5EHKBCQRfz5eeLjJ1js+aWNJXMX43AYGyZm0pGrFmCW3R
-bpD0ufovARTFXFZkAdl9h6g4U5+LXUZtXMYnhIHUfoyMo5tS58aI7Dd8KvvwVVo4
-chDYABPPTHPbqjc1qCmBaZx2vN4Ye5DUys/vZwP9BFohFrH/6j/f3IL16/RZkiMN
-JCqVJUzKoZHm1Lesh3Sz8W2jmdv51b2EQJ8HmA==
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
-        Validity
-            Not Before: Aug  1 12:00:00 2013 GMT
-            Not After : Jan 15 12:00:00 2038 GMT
-        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:bb:37:cd:34:dc:7b:6b:c9:b2:68:90:ad:4a:75:
-                    ff:46:ba:21:0a:08:8d:f5:19:54:c9:fb:88:db:f3:
-                    ae:f2:3a:89:91:3c:7a:e6:ab:06:1a:6b:cf:ac:2d:
-                    e8:5e:09:24:44:ba:62:9a:7e:d6:a3:a8:7e:e0:54:
-                    75:20:05:ac:50:b7:9c:63:1a:6c:30:dc:da:1f:19:
-                    b1:d7:1e:de:fd:d7:e0:cb:94:83:37:ae:ec:1f:43:
-                    4e:dd:7b:2c:d2:bd:2e:a5:2f:e4:a9:b8:ad:3a:d4:
-                    99:a4:b6:25:e9:9b:6b:00:60:92:60:ff:4f:21:49:
-                    18:f7:67:90:ab:61:06:9c:8f:f2:ba:e9:b4:e9:92:
-                    32:6b:b5:f3:57:e8:5d:1b:cd:8c:1d:ab:95:04:95:
-                    49:f3:35:2d:96:e3:49:6d:dd:77:e3:fb:49:4b:b4:
-                    ac:55:07:a9:8f:95:b3:b4:23:bb:4c:6d:45:f0:f6:
-                    a9:b2:95:30:b4:fd:4c:55:8c:27:4a:57:14:7c:82:
-                    9d:cd:73:92:d3:16:4a:06:0c:8c:50:d1:8f:1e:09:
-                    be:17:a1:e6:21:ca:fd:83:e5:10:bc:83:a5:0a:c4:
-                    67:28:f6:73:14:14:3d:46:76:c3:87:14:89:21:34:
-                    4d:af:0f:45:0c:a6:49:a1:ba:bb:9c:c5:b1:33:83:
-                    29:85
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                4E:22:54:20:18:95:E6:E3:6E:E6:0F:FA:FA:B9:12:ED:06:17:8F:39
-    Signature Algorithm: sha256WithRSAEncryption
-    Signature Value:
-        60:67:28:94:6f:0e:48:63:eb:31:dd:ea:67:18:d5:89:7d:3c:
-        c5:8b:4a:7f:e9:be:db:2b:17:df:b0:5f:73:77:2a:32:13:39:
-        81:67:42:84:23:f2:45:67:35:ec:88:bf:f8:8f:b0:61:0c:34:
-        a4:ae:20:4c:84:c6:db:f8:35:e1:76:d9:df:a6:42:bb:c7:44:
-        08:86:7f:36:74:24:5a:da:6c:0d:14:59:35:bd:f2:49:dd:b6:
-        1f:c9:b3:0d:47:2a:3d:99:2f:bb:5c:bb:b5:d4:20:e1:99:5f:
-        53:46:15:db:68:9b:f0:f3:30:d5:3e:31:e2:8d:84:9e:e3:8a:
-        da:da:96:3e:35:13:a5:5f:f0:f9:70:50:70:47:41:11:57:19:
-        4e:c0:8f:ae:06:c4:95:13:17:2f:1b:25:9f:75:f2:b1:8e:99:
-        a1:6f:13:b1:41:71:fe:88:2a:c8:4f:10:20:55:d7:f3:14:45:
-        e5:e0:44:f4:ea:87:95:32:93:0e:fe:53:46:fa:2c:9d:ff:8b:
-        22:b9:4b:d9:09:45:a4:de:a4:b8:9a:58:dd:1b:7d:52:9f:8e:
-        59:43:88:81:a4:9e:26:d5:6f:ad:dd:0d:c6:37:7d:ed:03:92:
-        1b:e5:77:5f:76:ee:3c:8d:c4:5d:56:5b:a2:d9:66:6e:b3:35:
-        37:e5:32:b6
------BEGIN CERTIFICATE-----
-MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
-MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
-2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
-1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
-q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
-tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
-vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
-BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
-5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
-1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
-NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
-Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
-8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
-pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
-MrY=
------END CERTIFICATE-----
diff --git a/certs/DigiCert-Global-Root-G2.pem b/certs/DigiCert-Global-Root-G2.pem
new file mode 100644
index 0000000..8af6c7a
--- /dev/null
+++ b/certs/DigiCert-Global-Root-G2.pem
@@ -0,0 +1,29 @@
+# Issuer: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
+# Subject: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
+# Label: "DigiCert Global Root G2"
+# Serial: 4293743540046975378534879503202253541
+# MD5 Fingerprint: e4:a6:8a:c8:54:ac:52:42:46:0a:fd:72:48:1b:2a:44
+# SHA1 Fingerprint: df:3c:24:f9:bf:d6:66:76:1b:26:80:73:fe:06:d1:cc:8d:4f:82:a4
+# SHA256 Fingerprint: cb:3c:cb:b7:60:31:e5:e0:13:8f:8d:d3:9a:23:f9:de:47:ff:c3:5e:43:c1:14:4c:ea:27:d4:6a:5a:b1:cb:5f
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
+2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
+1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
+q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
+tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
+vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
+BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
+5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
+1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
+NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
+Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
+8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
+pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
+MrY=
+-----END CERTIFICATE-----
diff --git a/doc/netwatch-dns.md b/doc/netwatch-dns.md
index 3214368..3d2c6be 100644
--- a/doc/netwatch-dns.md
+++ b/doc/netwatch-dns.md
@@ -62,7 +62,7 @@ manually!
 Importing a certificate automatically is possible, at least if available in
 the repository (see `certs` sub directory).
 
-    /tool/netwatch/add comment="doh, doh-cert=DigiCert Global G2 TLS RSA SHA256 2020 CA1" host=1.1.1.1;
+    /tool/netwatch/add comment="doh, doh-cert=DigiCert Global Root G2" host=1.1.1.1;
     /tool/netwatch/add comment="doh, doh-cert=DigiCert TLS Hybrid ECC SHA384 2020 CA1" host=9.9.9.9;
     /tool/netwatch/add comment="doh, doh-cert=GTS Root R1" host=8.8.8.8;
 

From c4e8d01de19f9c5e1d19c74c010079233c4d4df5 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 10:57:16 +0200
Subject: [PATCH 10/11] certs: DigiCert TLS Hybrid ECC SHA384 2020 CA1 ->
 DigiCert Global Root CA

This is used by Cloudflare DNS Quard9 (9.9.9.9).

$CertificateAvailable "DigiCert Global Root CA";
/ip/dns/set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes;
---
 certs/DigiCert-Global-Root-CA.pem             |  29 +++
 ...igiCert-TLS-Hybrid-ECC-SHA384-2020-CA1.pem | 174 ------------------
 doc/netwatch-dns.md                           |   2 +-
 3 files changed, 30 insertions(+), 175 deletions(-)
 create mode 100644 certs/DigiCert-Global-Root-CA.pem
 delete mode 100644 certs/DigiCert-TLS-Hybrid-ECC-SHA384-2020-CA1.pem

diff --git a/certs/DigiCert-Global-Root-CA.pem b/certs/DigiCert-Global-Root-CA.pem
new file mode 100644
index 0000000..b0f0013
--- /dev/null
+++ b/certs/DigiCert-Global-Root-CA.pem
@@ -0,0 +1,29 @@
+# Issuer: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
+# Subject: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
+# Label: "DigiCert Global Root CA"
+# Serial: 10944719598952040374951832963794454346
+# MD5 Fingerprint: 79:e4:a9:84:0d:7d:3a:96:d7:c0:4f:e2:43:4c:89:2e
+# SHA1 Fingerprint: a8:98:5d:3a:65:e5:e5:c4:b2:d7:d6:6d:40:c6:dd:2f:b1:9c:54:36
+# SHA256 Fingerprint: 43:48:a0:e9:44:4c:78:cb:26:5e:05:8d:5e:89:44:b4:d8:4f:96:62:bd:26:db:25:7f:89:34:a4:43:c7:01:61
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
+CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
+nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
+43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
+T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
+gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
+TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
+DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
+hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
+06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
+PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
+YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
+CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
+-----END CERTIFICATE-----
diff --git a/certs/DigiCert-TLS-Hybrid-ECC-SHA384-2020-CA1.pem b/certs/DigiCert-TLS-Hybrid-ECC-SHA384-2020-CA1.pem
deleted file mode 100644
index 446f56f..0000000
--- a/certs/DigiCert-TLS-Hybrid-ECC-SHA384-2020-CA1.pem
+++ /dev/null
@@ -1,174 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            07:f2:f3:5c:87:a8:77:af:7a:ef:e9:47:99:35:25:bd
-        Signature Algorithm: sha384WithRSAEncryption
-        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-        Validity
-            Not Before: Apr 14 00:00:00 2021 GMT
-            Not After : Apr 13 23:59:59 2031 GMT
-        Subject: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:c1:1b:c6:9a:5b:98:d9:a4:29:a0:e9:d4:04:b5:
-                    db:eb:a6:b2:6c:55:c0:ff:ed:98:c6:49:2f:06:27:
-                    51:cb:bf:70:c1:05:7a:c3:b1:9d:87:89:ba:ad:b4:
-                    13:17:c9:a8:b4:83:c8:b8:90:d1:cc:74:35:36:3c:
-                    83:72:b0:b5:d0:f7:22:69:c8:f1:80:c4:7b:40:8f:
-                    cf:68:87:26:5c:39:89:f1:4d:91:4d:da:89:8b:e4:
-                    03:c3:43:e5:bf:2f:73
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                0A:BC:08:29:17:8C:A5:39:6D:7A:0E:CE:33:C7:2E:B3:ED:FB:C3:7A
-            X509v3 Authority Key Identifier: 
-                keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
-
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.digicert.com
-                CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalRootCA.crt
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl3.digicert.com/DigiCertGlobalRootCA.crl
-
-            X509v3 Certificate Policies: 
-                Policy: 2.16.840.1.114412.2.1
-                Policy: 2.23.140.1.1
-                Policy: 2.23.140.1.2.1
-                Policy: 2.23.140.1.2.2
-                Policy: 2.23.140.1.2.3
-
-    Signature Algorithm: sha384WithRSAEncryption
-         47:59:81:7f:d4:1b:1f:b0:71:f6:98:5d:18:ba:98:47:98:b0:
-         7e:76:2b:ea:ff:1a:8b:ac:26:b3:42:8d:31:e6:4a:e8:19:d0:
-         ef:da:14:e7:d7:14:92:a1:92:f2:a7:2e:2d:af:fb:1d:f6:fb:
-         53:b0:8a:3f:fc:d8:16:0a:e9:b0:2e:b6:a5:0b:18:90:35:26:
-         a2:da:f6:a8:b7:32:fc:95:23:4b:c6:45:b9:c4:cf:e4:7c:ee:
-         e6:c9:f8:90:bd:72:e3:99:c3:1d:0b:05:7c:6a:97:6d:b2:ab:
-         02:36:d8:c2:bc:2c:01:92:3f:04:a3:8b:75:11:c7:b9:29:bc:
-         11:d0:86:ba:92:bc:26:f9:65:c8:37:cd:26:f6:86:13:0c:04:
-         aa:89:e5:78:b1:c1:4e:79:bc:76:a3:0b:51:e4:c5:d0:9e:6a:
-         fe:1a:2c:56:ae:06:36:27:a3:73:1c:08:7d:93:32:d0:c2:44:
-         19:da:8d:f4:0e:7b:1d:28:03:2b:09:8a:76:ca:77:dc:87:7a:
-         ac:7b:52:26:55:a7:72:0f:9d:d2:88:4f:fe:b1:21:c5:1a:a1:
-         aa:39:f5:56:db:c2:84:c4:35:1f:70:da:bb:46:f0:86:bf:64:
-         00:c4:3e:f7:9f:46:1b:9d:23:05:b9:7d:b3:4f:0f:a9:45:3a:
-         e3:74:30:98
------BEGIN CERTIFICATE-----
-MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaMFYxCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBI
-eWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
-BMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJ
-qLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8v
-c6OCAYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFAq8CCkXjKU5
-bXoOzjPHLrPt+8N6MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G
-A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYI
-KwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
-b20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp
-Q2VydEdsb2JhbFJvb3RDQS5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2Ny
-bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA9BgNVHSAE
-NjA0MAsGCWCGSAGG/WwCATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgG
-BmeBDAECAzANBgkqhkiG9w0BAQwFAAOCAQEAR1mBf9QbH7Bx9phdGLqYR5iwfnYr
-6v8ai6wms0KNMeZK6BnQ79oU59cUkqGS8qcuLa/7Hfb7U7CKP/zYFgrpsC62pQsY
-kDUmotr2qLcy/JUjS8ZFucTP5Hzu5sn4kL1y45nDHQsFfGqXbbKrAjbYwrwsAZI/
-BKOLdRHHuSm8EdCGupK8JvllyDfNJvaGEwwEqonleLHBTnm8dqMLUeTF0J5q/hos
-Vq4GNiejcxwIfZMy0MJEGdqN9A57HSgDKwmKdsp33Id6rHtSJlWncg+d0ohP/rEh
-xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA==
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-        Validity
-            Not Before: Nov 10 00:00:00 2006 GMT
-            Not After : Nov 10 00:00:00 2031 GMT
-        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:e2:3b:e1:11:72:de:a8:a4:d3:a3:57:aa:50:a2:
-                    8f:0b:77:90:c9:a2:a5:ee:12:ce:96:5b:01:09:20:
-                    cc:01:93:a7:4e:30:b7:53:f7:43:c4:69:00:57:9d:
-                    e2:8d:22:dd:87:06:40:00:81:09:ce:ce:1b:83:bf:
-                    df:cd:3b:71:46:e2:d6:66:c7:05:b3:76:27:16:8f:
-                    7b:9e:1e:95:7d:ee:b7:48:a3:08:da:d6:af:7a:0c:
-                    39:06:65:7f:4a:5d:1f:bc:17:f8:ab:be:ee:28:d7:
-                    74:7f:7a:78:99:59:85:68:6e:5c:23:32:4b:bf:4e:
-                    c0:e8:5a:6d:e3:70:bf:77:10:bf:fc:01:f6:85:d9:
-                    a8:44:10:58:32:a9:75:18:d5:d1:a2:be:47:e2:27:
-                    6a:f4:9a:33:f8:49:08:60:8b:d4:5f:b4:3a:84:bf:
-                    a1:aa:4a:4c:7d:3e:cf:4f:5f:6c:76:5e:a0:4b:37:
-                    91:9e:dc:22:e6:6d:ce:14:1a:8e:6a:cb:fe:cd:b3:
-                    14:64:17:c7:5b:29:9e:32:bf:f2:ee:fa:d3:0b:42:
-                    d4:ab:b7:41:32:da:0c:d4:ef:f8:81:d5:bb:8d:58:
-                    3f:b5:1b:e8:49:28:a2:70:da:31:04:dd:f7:b2:16:
-                    f2:4c:0a:4e:07:a8:ed:4a:3d:5e:b5:7f:a3:90:c3:
-                    af:27
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
-            X509v3 Authority Key Identifier: 
-                keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
-
-    Signature Algorithm: sha1WithRSAEncryption
-         cb:9c:37:aa:48:13:12:0a:fa:dd:44:9c:4f:52:b0:f4:df:ae:
-         04:f5:79:79:08:a3:24:18:fc:4b:2b:84:c0:2d:b9:d5:c7:fe:
-         f4:c1:1f:58:cb:b8:6d:9c:7a:74:e7:98:29:ab:11:b5:e3:70:
-         a0:a1:cd:4c:88:99:93:8c:91:70:e2:ab:0f:1c:be:93:a9:ff:
-         63:d5:e4:07:60:d3:a3:bf:9d:5b:09:f1:d5:8e:e3:53:f4:8e:
-         63:fa:3f:a7:db:b4:66:df:62:66:d6:d1:6e:41:8d:f2:2d:b5:
-         ea:77:4a:9f:9d:58:e2:2b:59:c0:40:23:ed:2d:28:82:45:3e:
-         79:54:92:26:98:e0:80:48:a8:37:ef:f0:d6:79:60:16:de:ac:
-         e8:0e:cd:6e:ac:44:17:38:2f:49:da:e1:45:3e:2a:b9:36:53:
-         cf:3a:50:06:f7:2e:e8:c4:57:49:6c:61:21:18:d5:04:ad:78:
-         3c:2c:3a:80:6b:a7:eb:af:15:14:e9:d8:89:c1:b9:38:6c:e2:
-         91:6c:8a:ff:64:b9:77:25:57:30:c0:1b:24:a3:e1:dc:e9:df:
-         47:7c:b5:b4:24:08:05:30:ec:2d:bd:0b:bf:45:bf:50:b9:a9:
-         f3:eb:98:01:12:ad:c8:88:c6:98:34:5f:8d:0a:3c:c6:e9:d5:
-         95:95:6d:de
------BEGIN CERTIFICATE-----
-MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
-CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
-nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
-43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
-T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
-gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
-BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
-TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
-DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
-hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
-06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
-PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
-YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
-CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
------END CERTIFICATE-----
diff --git a/doc/netwatch-dns.md b/doc/netwatch-dns.md
index 3d2c6be..9fe486e 100644
--- a/doc/netwatch-dns.md
+++ b/doc/netwatch-dns.md
@@ -63,7 +63,7 @@ Importing a certificate automatically is possible, at least if available in
 the repository (see `certs` sub directory).
 
     /tool/netwatch/add comment="doh, doh-cert=DigiCert Global Root G2" host=1.1.1.1;
-    /tool/netwatch/add comment="doh, doh-cert=DigiCert TLS Hybrid ECC SHA384 2020 CA1" host=9.9.9.9;
+    /tool/netwatch/add comment="doh, doh-cert=DigiCert Global Root CA" host=9.9.9.9;
     /tool/netwatch/add comment="doh, doh-cert=GTS Root R1" host=8.8.8.8;
 
 Sometimes using just one specific (possibly internal) DNS server may be

From 1a6812ef797a1683cec9678062cfaca367500ad0 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Thu, 20 Jun 2024 20:51:46 +0200
Subject: [PATCH 11/11] notify on changes regarding certificates

---
 global-functions.rsc | 2 +-
 news-and-changes.rsc | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/global-functions.rsc b/global-functions.rsc
index ca8ecb1..eb9f638 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -12,7 +12,7 @@
 :local ScriptName [ :jobname ];
 
 # expected configuration version
-:global ExpectedConfigVersion 129;
+:global ExpectedConfigVersion 130;
 
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
diff --git a/news-and-changes.rsc b/news-and-changes.rsc
index b20bbaf..cf17e7a 100644
--- a/news-and-changes.rsc
+++ b/news-and-changes.rsc
@@ -54,6 +54,7 @@
   127="Added support for authentication to Ntfy notification module.";
   128="Added another list from blocklist.de to default configuration for 'fw-addr-lists'.";
   129="Extended 'backup-partition' to support RouterOS copy-over - interactively or before feature update.";
+  130="Dropped intermediate certificates, depending on just root certificates now.";
 };
 
 # Migration steps to be applied on script updates