eworm.routeros-scripts/INITIAL-COMMANDS.md
Christian Hesse d1693a241b certs: E1 / E5 -> ISRG Root X2
In the beginning of Let's Encrypt their root certificate ISRG Root X1
was not widely trusted; at least some older and/or mobile platforms were
missing that certificate in their root certificate store.
At that time Let's Encrypt was using an alternative chain of trust,
where a certificate was cross-signed with DST Root CA X3.

To make sure a valid chain of trust is available under all circumstances
a set of all certificates had to be supplied: both root certificates
ISRG Root X1 & DST Root CA X3, and an intermediate certificate.
This was still true after DST Root CA X3 expired, as it could still be
used as a root anchor and was shipped by Let's Encrypt when requested. 🤪

This time is finally over, and we have a clean chain of trust ending in
ISRG Root X1 (or ISRG Root X2).
Well, actually it is the other way round... Let's Encrypt signs with
different tantamount intermediate certificates. There is not only E5, but
also E6 - and we can not know beforehand which one is used on renew.

So let's drop the intermediate certificates now, and rely on root
certificates only. We are perfectly fine with this these days.

Follow-up commits will do the same for *all* certificates.

The certificate is downloaded with:

    curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem
2024-06-21 15:55:45 +02:00

Initial commands


⬅️ Go back to main README

⚠️ Warning: These commands are intended for initial setup. If you are not familiar with the procedure, please follow the long way in detail.

Run the complete base installation. Note that the first fetch runs before any CA is trusted on the router, so the block pins the imported root by its SHA-256 fingerprint and aborts with an error if the fingerprint does not match exactly one certificate; all later fetches then verify the server certificate (check-certificate=yes-without-crl) against the imported ISRG Root X2:

{
  /tool/fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/ISRG-Root-X2.pem" dst-path="ISRG-Root-X2.pem" as-value;
  :delay 1s;
  /certificate/import file-name=ISRG-Root-X2.pem passphrase="";
  :if ([ :len [ /certificate/find where fingerprint="69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470" ] ] != 1) do={
    :error "Something is wrong with your certificates!";
  };
  /file/remove [ find where name="ISRG-Root-X2.pem" ];
  :delay 1s;
  /system/script/set name=("global-config-overlay-" . [ /system/clock/get date ] . "-" . [ /system/clock/get time ]) [ find where name="global-config-overlay" ];
  :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={
    /system/script/remove [ find where name=$Script ];
    /system/script/add name=$Script owner=$Script source=([ /tool/fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script . ".rsc") output=user as-value]->"data");
  };
  /system/script { run global-config; run global-functions; };
  /system/scheduler/remove [ find where name="global-scripts" ];
  /system/scheduler/add name="global-scripts" start-time=startup on-event="/system/script { run global-config; run global-functions; }";
  :global CertificateNameByCN;
  $CertificateNameByCN "ISRG Root X2";
};
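The first fetch in the block above is unauthenticated (no CA is trusted yet), so the only thing that authenticates the bootstrap is the SHA-256 fingerprint pinned in the `:if` check. The following Python script is an added example (not part of routeros-scripts) that performs the same check off-router on the downloaded PEM, so the pin can be cross-checked on a trusted machine before the file is imported. It mirrors the script's semantics: exactly one certificate must be present and its fingerprint must equal the pinned value. It accepts both the RouterOS form (lowercase hex, no separators) and the form printed by `openssl x509 -noout -fingerprint -sha256`; the function names and the command-line argument are this example's own.

```python
"""Off-router check of a downloaded root certificate against the fingerprint
pinned in the RouterOS bootstrap block (added example, not project code).

Mirrors what the script does on the device: decode the PEM to DER, hash the
DER with SHA-256, require exactly one certificate whose fingerprint equals
the pin. Standard library only, so it runs offline.
"""
import base64
import hashlib
import re
from typing import List

# Fingerprint pinned in the bootstrap block on this page (ISRG Root X2, SHA-256).
PINNED_FINGERPRINT = "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def normalize_fingerprint(fp: str) -> str:
    """Accept OpenSSL style ('SHA256 Fingerprint=69:72:...') or RouterOS style
    (lowercase hex, no separators) and return lowercase hex without separators."""
    fp = fp.split("=", 1)[-1]
    fp = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return fp


def pem_certificates(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in the PEM text.
    Line breaks and blank lines inside the PEM body are tolerated."""
    ders = []
    for b64 in _PEM_BLOCK.findall(pem_text):
        ders.append(base64.b64decode("".join(b64.split()), validate=True))
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as RouterOS stores it: lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()


def verify_pinned(pem_text: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """True only if the PEM holds exactly one certificate and its fingerprint
    matches the pin; same rule as the ':len [...] != 1' check in the block."""
    ders = pem_certificates(pem_text)
    if len(ders) != 1:
        return False
    return sha256_fingerprint(ders[0]) == normalize_fingerprint(pinned)


if __name__ == "__main__":
    import sys

    # Usage (hypothetical file name): python3 check_pin.py ISRG-Root-X2.pem
    with open(sys.argv[1]) as fh:
        ok = verify_pinned(fh.read())
    print("fingerprint OK" if ok else "FINGERPRINT MISMATCH, do not import")
    sys.exit(0 if ok else 1)
```

Run it against the file produced by the curl command in the commit message before copying the PEM to the router; a non-zero exit means the downloaded file is not the certificate the bootstrap block expects, whatever the reason.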

Then continue setup with scheduled automatic updates or by editing the configuration.

Fix existing installation

The initial commands above can also be used to fix an existing installation if it ever breaks. If global-config-overlay existed before, it is renamed with a date and time suffix (like global-config-overlay-2024-01-25-09:33:12). Make sure to restore the configuration overlay if required.
