certs: E1 / E5 -> ISRG Root X2

In the beginning of Let's Encrypt their root certificate ISRG Root X1
was not widely trusted, at least some older and/or mobile platforms were
missing that certificate in their root certificate store.
At that time Let's Encrypt was using an alternative chain of trust,
where a certificate was cross-signed with DST Root CA X3.

To make sure a valid chain of trust is available under all circumstances
a set of all certificates had to be supplied: both root vertificates
ISRG Root X1 & DST Root CA X3, and an intermediate certificate.
This was still true after DST Root CA X3 expired, as it could still be
used as a root anchor and was shipped by Let's Encrypt when requested. 🤪

This time is finally over, and we have a clean chain for trust ending in
ISRG Root X1 (or ISRG Root X2).
Well, actually it is the other way round... Let's Encrypt signs with
different tantamount intermediate certificates. There is not only E5, but
also E6 - and we can not know beforehand which one is used on renew.

So let's jetzt drop the intermediate certificates now, and rely on root
certificates only. We are perfectly fine with this these days.

Follow-up commits will do the same for *all* certificates.

The certificate is downloaded with:

    curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem

INITIAL-COMMANDS.md

@@ -17,13 +17,13 @@ Initial commands
 Run the complete base installation:
 
     {
-      /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/E5.pem" dst-path="letsencrypt-E5.pem" as-value;
+      /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="ISRG-Root-X2.pem" as-value;
       :delay 1s;
-      /certificate/import file-name=letsencrypt-E5.pem passphrase="";
-      :if ([ :len [ /certificate/find where fingerprint="e788d14b0436b5120bbee3f15c15badf08c1407fe72568a4f16f9151c380e1e3" or fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470" ] ] != 2) do={
+      /certificate/import file-name=ISRG-Root-X2.pem passphrase="";
+      :if ([ :len [ /certificate/find where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470" ] ] != 1) do={
         :error "Something is wrong with your certificates!";
       };
-      /file/remove [ find where name="letsencrypt-E5.pem" ];
+      /file/remove [ find where name="ISRG-Root-X2.pem" ];
       :delay 1s;
       /system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ];
       :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={
@@ -34,7 +34,6 @@ Run the complete base installation:
       /system/scheduler/remove [ find where name="global-scripts" ];
       /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
       :global CertificateNameByCN;
-      $CertificateNameByCN "E5";
       $CertificateNameByCN "ISRG Root X2";
     };
 

README.md

@@ -69,34 +69,32 @@ download the certificates. If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.
 
-    /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/E5.pem" dst-path="letsencrypt-E5.pem";
+    /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="ISRG-Root-X2.pem";
 
 ![screenshot: download certs](README.d/01-download-certs.avif)
 
 Note that the commands above do *not* verify server certificate, so if you
 want to be safe download with your workstations's browser and transfer the
-files to your MikroTik device.
+file to your MikroTik device.
 
 * [ISRG Root X2](https://letsencrypt.org/certs/isrg-root-x2.pem)
-* Let's Encrypt [E5](https://letsencrypt.org/certs/2024/e5.pem)
 
-Then we import the certificates.
+Then we import the certificate.
 
-    /certificate/import file-name=letsencrypt-E5.pem passphrase="";
+    /certificate/import file-name=ISRG-Root-X2.pem passphrase="";
 
 Do not worry that the command is not shown - that happens because it contains
 a sensitive property, the passphrase.
 
 ![screenshot: import certs](README.d/02-import-certs.avif)
 
-For basic verification we rename the certificates and print them by
-fingerprint. Make sure exactly these two certificates ("*E5*" and
-"*ISRG-Root-X2*") are shown. Also remove the left over file.
+For basic verification we rename the certificate and print it by
+fingerprint. Make sure exactly this one certificate ("*ISRG-Root-X2*")
+is shown. Also remove the left over file.
 
-    /certificate/set name="E5" [ find where common-name="E5" ];
     /certificate/set name="ISRG-Root-X2" [ find where common-name="ISRG Root X2" ];
-    /certificate/print proplist=name,fingerprint where fingerprint="e788d14b0436b5120bbee3f15c15badf08c1407fe72568a4f16f9151c380e1e3" or fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
-    /file/remove [ find where name="letsencrypt-E5.pem" ];
+    /certificate/print proplist=name,fingerprint where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
+    /file/remove [ find where name="ISRG-Root-X2.pem" ];
 
 ![screenshot: check certs](README.d/03-check-certs.avif)
 

certs/E1.pem

@@ -1,124 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            b3:bd:df:f8:a7:84:5b:bc:e9:03:a0:41:35:b3:4a:45
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Validity
-            Not Before: Sep  4 00:00:00 2020 GMT
-            Not After : Sep 15 16:00:00 2025 GMT
-        Subject: C = US, O = Let's Encrypt, CN = E1
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:24:5c:2d:a2:2a:fd:1c:4b:a6:5d:97:73:27:31:
-                    ac:b2:a0:69:62:ef:65:e8:a6:b0:f0:ac:4b:9f:ff:
-                    1c:0b:70:0f:d3:98:2f:4d:fc:0f:00:9b:37:f0:74:
-                    05:57:32:97:2e:05:ef:2a:43:25:a3:fb:6e:34:27:
-                    13:f6:4f:7e:69:d3:02:99:5e:eb:24:47:92:c1:24:
-                    9b:e6:b1:21:8f:c1:24:81:fc:68:cc:1f:69:ba:58:
-                    f5:19:22:f7:74:c6:16
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Client Authentication, TLS Web Server Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
-            X509v3 Authority Key Identifier: 
-                keyid:7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
-
-            Authority Information Access: 
-                CA Issuers - URI:http://x2.i.lencr.org/
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://x2.c.lencr.org/
-
-            X509v3 Certificate Policies: 
-                Policy: 2.23.140.1.2.1
-                Policy: 1.3.6.1.4.1.44947.1.1.1
-
-    Signature Algorithm: ecdsa-with-SHA384
-         30:64:02:30:7b:74:d5:52:13:8d:61:fe:0d:ba:3f:03:00:9d:
-         f3:d7:98:84:d9:57:2e:bd:e9:0f:9c:5c:48:04:21:f2:cb:b3:
-         60:72:8e:97:d6:12:4f:ca:44:f6:42:c9:d3:7b:86:a9:02:30:
-         5a:b1:b1:b4:ed:ea:60:99:20:b1:38:03:ca:3d:a0:26:b8:ee:
-         6e:2d:4a:f6:c6:66:1f:33:9a:db:92:4a:d5:f5:29:13:c6:70:
-         62:28:ba:23:8c:cf:3d:2f:cb:82:e9:7f
------BEGIN CERTIFICATE-----
-MIICxjCCAk2gAwIBAgIRALO93/inhFu86QOgQTWzSkUwCgYIKoZIzj0EAwMwTzEL
-MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo
-IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjAwOTA0MDAwMDAwWhcN
-MjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5j
-cnlwdDELMAkGA1UEAxMCRTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQkXC2iKv0c
-S6Zdl3MnMayyoGli72XoprDwrEuf/xwLcA/TmC9N/A8AmzfwdAVXMpcuBe8qQyWj
-+240JxP2T35p0wKZXuskR5LBJJvmsSGPwSSB/GjMH2m6WPUZIvd0xhajggEIMIIB
-BDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
-MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFFrz7Sv8NsI3eblSMOpUb89V
-yy6sMB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEB
-BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzAnBgNVHR8E
-IDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYG
-Z4EMAQIBMA0GCysGAQQBgt8TAQEBMAoGCCqGSM49BAMDA2cAMGQCMHt01VITjWH+
-Dbo/AwCd89eYhNlXLr3pD5xcSAQh8suzYHKOl9YST8pE9kLJ03uGqQIwWrGxtO3q
-YJkgsTgDyj2gJrjubi1K9sZmHzOa25JK1fUpE8ZwYii6I4zPPS/Lgul/
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Validity
-            Not Before: Sep  4 00:00:00 2020 GMT
-            Not After : Sep 17 16:00:00 2040 GMT
-        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:cd:9b:d5:9f:80:83:0a:ec:09:4a:f3:16:4a:3e:
-                    5c:cf:77:ac:de:67:05:0d:1d:07:b6:dc:16:fb:5a:
-                    8b:14:db:e2:71:60:c4:ba:45:95:11:89:8e:ea:06:
-                    df:f7:2a:16:1c:a4:b9:c5:c5:32:e0:03:e0:1e:82:
-                    18:38:8b:d7:45:d8:0a:6a:6e:e6:00:77:fb:02:51:
-                    7d:22:d8:0a:6e:9a:5b:77:df:f0:fa:41:ec:39:dc:
-                    75:ca:68:07:0c:1f:ea
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
-    Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:30:7b:79:4e:46:50:84:c2:44:87:46:1b:45:70:ff:
-         58:99:de:f4:fd:a4:d2:55:a6:20:2d:74:d6:34:bc:41:a3:50:
-         5f:01:27:56:b4:be:27:75:06:af:12:2e:75:98:8d:fc:02:31:
-         00:8b:f5:77:6c:d4:c8:65:aa:e0:0b:2c:ee:14:9d:27:37:a4:
-         f9:53:a5:51:e4:29:83:d7:f8:90:31:5b:42:9f:0a:f5:fe:ae:
-         00:68:e7:8c:49:0f:b6:6f:5b:5b:15:f2:e7
------BEGIN CERTIFICATE-----
-MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
-CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
-R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
-MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
-ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
-EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
-+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
-ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
-AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
-zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
-tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
-/q4AaOeMSQ+2b1tbFfLn
------END CERTIFICATE-----

certs/E5.pem

@@ -1,119 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            18:6e:75:d4:ee:b0:a0:5d:fd:2d:a8:20:86:5d:1e:31
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X2
-        Validity
-            Not Before: Mar 13 00:00:00 2024 GMT
-            Not After : Mar 12 23:59:59 2027 GMT
-        Subject: C=US, O=Let's Encrypt, CN=E5
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:0d:0b:3a:8a:6b:61:8e:b6:ef:dc:5f:58:e7:c6:
-                    42:45:54:ab:63:f6:66:61:48:0a:2e:59:75:b4:81:
-                    02:37:50:b7:3f:16:79:dc:98:ec:a1:28:97:72:20:
-                    1c:2c:cf:d5:7c:52:20:4e:54:78:5b:84:14:6b:c0:
-                    90:ae:85:ec:c0:51:41:3c:5a:87:7f:06:4d:d4:fe:
-                    60:d1:fa:6c:2d:e1:7d:95:10:88:a2:08:54:0f:99:
-                    1a:4c:e6:ea:0a:ac:d8
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                TLS Web Client Authentication, TLS Web Server Authentication
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:0
-            X509v3 Subject Key Identifier: 
-                9F:2B:5F:CF:3C:21:4F:9D:04:B7:ED:2B:2C:C4:C6:70:8B:D2:D7:0D
-            X509v3 Authority Key Identifier: 
-                7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
-            Authority Information Access: 
-                CA Issuers - URI:http://x2.i.lencr.org/
-            X509v3 Certificate Policies: 
-                Policy: 2.23.140.1.2.1
-            X509v3 CRL Distribution Points: 
-                Full Name:
-                  URI:http://x2.c.lencr.org/
-    Signature Algorithm: ecdsa-with-SHA384
-    Signature Value:
-        30:64:02:30:1b:6d:2e:45:41:1c:45:3e:d9:5f:34:18:74:67:
-        13:79:ba:ab:29:b5:b6:10:4e:83:27:4a:8b:45:4e:c7:7b:cf:
-        f4:40:30:1d:61:a5:e6:1c:6d:a4:90:09:92:6e:46:4b:02:30:
-        46:29:18:84:34:7a:bc:fb:de:d8:1b:d8:19:a7:04:f5:cb:7e:
-        e7:6d:84:d9:da:8e:ea:ce:36:30:b9:a2:80:4c:2c:e6:60:12:
-        4b:a9:76:aa:e8:6d:95:47:da:72:09:0c
------BEGIN CERTIFICATE-----
-MIICtDCCAjugAwIBAgIQGG511O6woF39Lagghl0eMTAKBggqhkjOPQQDAzBPMQsw
-CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
-R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yNDAzMTMwMDAwMDBaFw0y
-NzAzMTIyMzU5NTlaMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNy
-eXB0MQswCQYDVQQDEwJFNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABA0LOoprYY62
-79xfWOfGQkVUq2P2ZmFICi5ZdbSBAjdQtz8WedyY7KEol3IgHCzP1XxSIE5UeFuE
-FGvAkK6F7MBRQTxah38GTdT+YNH6bC3hfZUQiKIIVA+ZGkzm6gqs2KOB+DCB9TAO
-BgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIG
-A1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJ8rX888IU+dBLftKyzExnCL0tcN
-MB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEBBCYw
-JDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzATBgNVHSAEDDAK
-MAgGBmeBDAECATAnBgNVHR8EIDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5v
-cmcvMAoGCCqGSM49BAMDA2cAMGQCMBttLkVBHEU+2V80GHRnE3m6qym1thBOgydK
-i0VOx3vP9EAwHWGl5hxtpJAJkm5GSwIwRikYhDR6vPve2BvYGacE9ct+522E2dqO
-6s42MLmigEws5mASS6l2quhtlUfacgkM
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Validity
-            Not Before: Sep  4 00:00:00 2020 GMT
-            Not After : Sep 17 16:00:00 2040 GMT
-        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X2
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:cd:9b:d5:9f:80:83:0a:ec:09:4a:f3:16:4a:3e:
-                    5c:cf:77:ac:de:67:05:0d:1d:07:b6:dc:16:fb:5a:
-                    8b:14:db:e2:71:60:c4:ba:45:95:11:89:8e:ea:06:
-                    df:f7:2a:16:1c:a4:b9:c5:c5:32:e0:03:e0:1e:82:
-                    18:38:8b:d7:45:d8:0a:6a:6e:e6:00:77:fb:02:51:
-                    7d:22:d8:0a:6e:9a:5b:77:df:f0:fa:41:ec:39:dc:
-                    75:ca:68:07:0c:1f:ea
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
-    Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:30:7b:79:4e:46:50:84:c2:44:87:46:1b:45:70:ff:
-         58:99:de:f4:fd:a4:d2:55:a6:20:2d:74:d6:34:bc:41:a3:50:
-         5f:01:27:56:b4:be:27:75:06:af:12:2e:75:98:8d:fc:02:31:
-         00:8b:f5:77:6c:d4:c8:65:aa:e0:0b:2c:ee:14:9d:27:37:a4:
-         f9:53:a5:51:e4:29:83:d7:f8:90:31:5b:42:9f:0a:f5:fe:ae:
-         00:68:e7:8c:49:0f:b6:6f:5b:5b:15:f2:e7
------BEGIN CERTIFICATE-----
-MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
-CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
-R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
-MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
-ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
-EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
-+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
-ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
-AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
-zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
-tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
-/q4AaOeMSQ+2b1tbFfLn
------END CERTIFICATE-----

certs/ISRG-Root-X2.pem

@@ -0,0 +1,21 @@
+# Issuer: CN=ISRG Root X2 O=Internet Security Research Group
+# Subject: CN=ISRG Root X2 O=Internet Security Research Group
+# Label: "ISRG Root X2"
+# Serial: 87493402998870891108772069816698636114
+# MD5 Fingerprint: d3:9e:c4:1e:23:3c:a6:df:cf:a3:7e:6d:e0:14:e6:e5
+# SHA1 Fingerprint: bd:b1:b9:3c:d5:97:8d:45:c6:26:14:55:f8:db:95:c7:5a:d1:53:af
+# SHA256 Fingerprint: 69:72:9b:8e:15:a8:6e:fc:17:7a:57:af:b7:17:1d:fc:64:ad:d2:8c:2f:ca:8c:f1:50:7e:34:45:3c:cb:14:70
+-----BEGIN CERTIFICATE-----
+MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+/q4AaOeMSQ+2b1tbFfLn
+-----END CERTIFICATE-----

global-config.rsc

@@ -92,11 +92,11 @@
 :global FwAddrLists {
 #  "allow"={
 #    { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/allow";
-#      cert="E5"; timeout=1w };
+#      cert="ISRG Root X2"; timeout=1w };
 #  };
   "block"={
 #    { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/block";
-#      cert="E5" };
+#      cert="ISRG Root X2" };
     { url="https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt";
       cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" };
     { url="https://sslbl.abuse.ch/blacklist/sslipblacklist.txt";
@@ -112,7 +112,7 @@
   };
 #  "mikrotik"={
 #    { url="https://git.eworm.de/cgit/routeros-scripts/plain/fw-addr-lists.d/mikrotik";
-#      cert="E5"; timeout=1w };
+#      cert="ISRG Root X2"; timeout=1w };
 #  };
 };
 :global FwAddrListTimeOut 1d;

global-functions.rsc

@@ -999,7 +999,7 @@
   :global SymbolForNotification;
   :global ValidateSyntax;
 
-  :if ([ $CertificateAvailable "E5" ] = false) do={
+  :if ([ $CertificateAvailable "ISRG Root X2" ] = false) do={
     $LogPrint warning $0 ("Downloading certificate failed, trying without.");
   }