This is used by Quad9 DNS (9.9.9.9).
$CertificateAvailable "DigiCert Global Root CA";
/ip/dns/set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes;
This is used by Cloudflare DNS (1.1.1.1).
$CertificateAvailable "DigiCert Global Root G2";
/ip/dns/set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes;
In the beginning of Let's Encrypt their root certificate ISRG Root X1
was not widely trusted, at least some older and/or mobile platforms were
missing that certificate in their root certificate store.
At that time Let's Encrypt was using an alternative chain of trust,
where a certificate was cross-signed with DST Root CA X3.
To make sure a valid chain of trust is available under all circumstances
a set of all certificates had to be supplied: both root certificates
ISRG Root X1 & DST Root CA X3, and an intermediate certificate.
This was still true after DST Root CA X3 expired, as it could still be
used as a root anchor and was shipped by Let's Encrypt when requested. 🤪
This time is finally over, and we have a clean chain of trust ending in
ISRG Root X1 (or ISRG Root X2).
Well, actually it is the other way round... Let's Encrypt signs with
different tantamount intermediate certificates. There is not only E5, but
also E6 - and we can not know beforehand which one is used on renew.
So let's drop the intermediate certificates now, and rely on root
certificates only. We are perfectly fine with this these days.
Follow-up commits will do the same for *all* certificates.
The certificate is downloaded with:
curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem
... as we still want to deduplicate it when it is inside the input
string. This also unbreaks certificate import for "Go Daddy Secure
Certificate Authority - G2" (and more)...
RouterOS 7.15beta4 fixed a bug in JSON parser:
*) console - do not convert string to array in ":deserialize" command;
Before that change, commands with a comma caused very crazy issues. Let's
convert the message to a string. This does not give exactly the expected
result, but keeps telegram-chat from exploding.
A command like...
/ip/address/print proplist=address,network;
... is converted to...
/ip/address/print proplist=address;network;
... and results in:
Columns: ADDRESS
# ADDRESS
0 10.0.0.1/24
1 127.0.0.1/8
bad command name network (line 1 column 36)
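The same workaround carried one step further, as an added example that is not the project's own code: instead of converting the array to a string (which joins the parts with ";" and produces the "bad command name" error shown above), the helper rejoins the parts with "," so the original command survives on RouterOS before 7.15beta4, and passes a plain string through unchanged on fixed versions. The helper name $CommandFromMessage and the JSON sample are assumptions made for illustration.

```routeros
# Added example, not from the project: rejoin a command that an older
# :deserialize split into an array at every comma.
# $CommandFromMessage is an assumed (hypothetical) helper name.

:global CommandFromMessage do={
  :local Text $1;

  # RouterOS before 7.15beta4 turns "a,b" into the array {"a";"b"}.
  # Joining with "," restores the original command; converting the
  # array to a string would join with ";" and turn the second field
  # into a separate (invalid) command.
  :if ([ :typeof $Text ] = "array") do={
    :local Joined "";
    :foreach Part in=$Text do={
      :if ([ :len $Joined ] > 0) do={
        :set Joined ($Joined . ",");
      }
      :set Joined ($Joined . $Part);
    }
    :set Text $Joined;
  }

  # On 7.15beta4 and later $Text is already a string: return unchanged.
  :return $Text;
}

# Constructed sample, shaped like the "text" field of a Telegram update,
# to exercise the helper on both old and fixed RouterOS.
:local Json "{\"text\":\"/ip/address/print proplist=address,network\"}";
:local Data [ :deserialize from=json value=$Json ];

:local Command [ $CommandFromMessage ($Data->"text") ];
:put $Command;
```

The check on :typeof is what makes this safe across versions: a fixed RouterOS never produces an array here, so the join branch simply never runs, and the script does not need to know which beta it is running on.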
RouterOS 7.15beta8 came with this change:
*) wifi - show inherited properties with "print" command (replaces "actual-configuration") and added "print config" for showing only configured values;
While the old code is bad syntax with RouterOS 7.15, the new code is
valid for older RouterOS, but produces different (and more or less
unexpected) results. 🥴
Let's use the new code, and add a check on the RouterOS version.
With old RouterOS this now sends the notification even if the interface
is disabled.