global-functions: $CertificateDownload: try fallback to mkcert.org

There's a nice API that allows to download certificate by exact common name. Let's use that, as a fallback at least. https://mkcert.org/
2025-06-21 01:15:42 +02:00 · 2024-06-20 12:25:26 +02:00 · 2024-06-20 12:25:26 +02:00 · cdb553d39b
commit cdb553d39b
parent b35c7b6703
2 changed files with 31 additions and 11 deletions
--- a/global-functions.rsc
+++ b/global-functions.rsc
@ -12,7 +12,7 @@
 :local ScriptName [ :jobname ];

 # expected configuration version
-:global ExpectedConfigVersion 130;
+:global ExpectedConfigVersion 131;

 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
@ -135,6 +135,7 @@
  :global ScriptUpdatesBaseUrl;
  :global ScriptUpdatesUrlSuffix;

+  :global CertificateAvailable;
  :global CertificateNameByCN;
  :global CleanName;
  :global FetchUserAgentStr;
@ -143,22 +144,40 @@

  $LogPrint info $0 ("Downloading and importing certificate with " . \
      "CommonName '" . $CommonName . "'.");
+  :local FileName ([ $CleanName $CommonName ] . ".pem");
  :do {
-    :local FileName ([ $CleanName $CommonName ] . ".pem");
    /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $0 ] }) \
      ($ScriptUpdatesBaseUrl . "certs/" . $FileName . $ScriptUpdatesUrlSuffix) \
      dst-path=$FileName as-value;
    $WaitForFile $FileName;
-    /certificate/import file-name=$FileName passphrase="" as-value;
-    :delay 1s;
-    /file/remove [ find where name=$FileName ];
-
-    :foreach Cert in=[ /certificate/find where name~("^" . $FileName . "_[0-9]+\$") ] do={
-      $CertificateNameByCN [ /certificate/get $Cert common-name ];
-    }
  } on-error={
-    $LogPrint warning $0 ("Failed importing certificate with CommonName '" . $CommonName . "'!");
-    :return false;
+    $LogPrint warning $0 ("Failed downloading certificate with CommonName '" . $CommonName . \
+      "' from repository! Trying fallback to mkcert.org...");
+    :do {
+      :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
+        $LogPrint error $0 ("Downloading required certificate failed.");
+        :return false;
+      }
+      /tool/fetch check-certificate=yes-without-crl http-header-field=({ [ $FetchUserAgentStr $0 ] }) \
+        "https://mkcert.org/generate/" http-data=[ :serialize to=json ({ $CommonName }) ] \
+        dst-path=$FileName as-value;
+      $WaitForFile $FileName;
+      :if ([ /file/get $FileName size ] = 0) do={
+        /file/remove $FileName;
+        :error false;
+      }
+    } on-error={
+      $LogPrint warning $0 ("Failed downloading certificate with CommonName '" . $CommonName . "'!");
+      :return false;
+    }
+  }
+
+  /certificate/import file-name=$FileName passphrase="" as-value;
+  :delay 1s;
+  /file/remove [ find where name=$FileName ];
+
+  :foreach Cert in=[ /certificate/find where name~("^" . $FileName . "_[0-9]+\$") ] do={
+    $CertificateNameByCN [ /certificate/get $Cert common-name ];
  }
  :return true;
 }
--- a/news-and-changes.rsc
+++ b/news-and-changes.rsc
@ -55,6 +55,7 @@
  128="Added another list from blocklist.de to default configuration for 'fw-addr-lists'.";
  129="Extended 'backup-partition' to support RouterOS copy-over - interactively or before feature update.";
  130="Dropped intermediate certificates, depending on just root certificates now.";
+  131="Enhanced certificate download to fallback to mkcert.org, so all (commonly trusted) root certificates are available now.";
 };

 # Migration steps to be applied on script updates