From 4427cabd0eac9f8a5b18f939198284621933fa36 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Mon, 21 Dec 2020 00:02:49 +0100
Subject: update Let's Encrypt trust chain

Drop 'DST Root CA X3', use 'ISRG Root X1' instead. The migration code
makes sure that...

 * the intermediate certificate 'R3' is signed by 'ISRG Root X1'
 * 'ISRG Root X1' is self-signed, not cross-signed by 'DST Root CA X3'
 * 'DST Root CA X3' is finally gone
---
 global-config         | 2 +-
 global-config-overlay | 2 +-
 global-config.changes | 2 ++
 global-functions      | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/global-config b/global-config
index a02d840..6730a45 100644
--- a/global-config
+++ b/global-config
@@ -8,7 +8,7 @@
 
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
-:global GlobalConfigVersion 51;
+:global GlobalConfigVersion 52;
 
 # This is used for DNS and backup file.
 :global Domain "example.com";
diff --git a/global-config-overlay b/global-config-overlay
index 6ff1a9e..f90abd6 100644
--- a/global-config-overlay
+++ b/global-config-overlay
@@ -8,7 +8,7 @@
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
 # Comment or remove to disable news and change notifications.
-:global GlobalConfigVersion 51;
+:global GlobalConfigVersion 52;
 
 # Copy configuration from global-config here and modify it.
 
diff --git a/global-config.changes b/global-config.changes
index 4bada85..cfaf649 100644
--- a/global-config.changes
+++ b/global-config.changes
@@ -55,10 +55,12 @@
   49="Dropped '\$EmailBackupTo' & '\$EmailBackupCc' from configuration, use settings override if required.";
   50="Added support for dynamic address update in 'netwatch-notify'.";
   51="Added 'ipsec-to-dns' to add DNS records for IPSec peers from mode-config.";
+  52="Updated Let's Encrypt trust chain to use root certificate 'ISRG Root X1'. Do not re-import the old chain!";
 };
 
 # Migration steps to be applied on script updates
 :global GlobalConfigMigration {
   41=":global SendNotification; \$SendNotification (\"Migration mechanism\") (\"Congratulations!\nSuccessfully tested the new migration mechanism.\");";
   47="/ certificate remove [ find where fingerprint=\"731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568\" or fingerprint=\"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d\" ];";
+  52=":global CertificateDownload; :if ([ :len [ / certificate find where fingerprint=\"67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd\" or fingerprint=\"96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6\" ] ] < 2) do={ \$CertificateDownload \"R3\"; }; / certificate remove [ find where fingerprint=\"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739\" ];";
 };
diff --git a/global-functions b/global-functions
index 92995c9..86a6494 100644
--- a/global-functions
+++ b/global-functions
@@ -8,7 +8,7 @@
 # https://git.eworm.de/cgit/routeros-scripts/about/
 
 # expected configuration version
-:global ExpectedConfigVersion 51;
+:global ExpectedConfigVersion 52;
 
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
-- 
cgit v1.2.3-54-g00ecf