From 4427cabd0eac9f8a5b18f939198284621933fa36 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 21 Dec 2020 00:02:49 +0100
Subject: update Let's Encrypt trust chain

Drop 'DST Root CA X3', use 'ISRG Root X1' instead.

The migration code makes sure that...

 * the intermediate certificate 'R3' is signed by 'ISRG Root X1'
 * 'ISRG Root X1' is self-signed, not cross-signed by 'DST Root CA X3'
 * 'DST Root CA X3' is finally gone
---
 global-config | 2 +-
 global-config-overlay | 2 +-
 global-config.changes | 2 ++
 global-functions | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/global-config b/global-config
index a02d840..6730a45 100644
--- a/global-config
+++ b/global-config
@@ -8,7 +8,7 @@
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
-:global GlobalConfigVersion 51;
+:global GlobalConfigVersion 52;
 # This is used for DNS and backup file.
 :global Domain "example.com";
diff --git a/global-config-overlay b/global-config-overlay
index 6ff1a9e..f90abd6 100644
--- a/global-config-overlay
+++ b/global-config-overlay
@@ -8,7 +8,7 @@
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
 # Comment or remove to disable news and change notifications.
-:global GlobalConfigVersion 51;
+:global GlobalConfigVersion 52;
 # Copy configuration from global-config here and modify it.
diff --git a/global-config.changes b/global-config.changes
index 4bada85..cfaf649 100644
--- a/global-config.changes
+++ b/global-config.changes
@@ -55,10 +55,12 @@
 49="Dropped '\$EmailBackupTo' & '\$EmailBackupCc' from configuration, use settings override if required.";
 50="Added support for dynamic address update in 'netwatch-notify'.";
 51="Added 'ipsec-to-dns' to add DNS records for IPSec peers from mode-config.";
+ 52="Updated Let's Encrypt trust chain to use root certificate 'ISRG Root X1'. Do not re-import the old chain!";
 };
 # Migration steps to be applied on script updates
 :global GlobalConfigMigration {
 41=":global SendNotification; \$SendNotification (\"Migration mechanism\") (\"Congratulations!\nSuccessfully tested the new migration mechanism.\");";
 47="/ certificate remove [ find where fingerprint=\"731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568\" or fingerprint=\"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d\" ];";
+ 52=":global CertificateDownload; :if ([ :len [ / certificate find where fingerprint=\"67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd\" or fingerprint=\"96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6\" ] ] < 2) do={ \$CertificateDownload \"R3\"; }; / certificate remove [ find where fingerprint=\"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739\" ];";
 };
diff --git a/global-functions b/global-functions
index 92995c9..86a6494 100644
--- a/global-functions
+++ b/global-functions
@@ -8,7 +8,7 @@
 # https://git.eworm.de/cgit/routeros-scripts/about/
 # expected configuration version
-:global ExpectedConfigVersion 51;
+:global ExpectedConfigVersion 52;
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
--
cgit v1.2.3-70-g09d2
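Review bot: In migration step `52` of `GlobalConfigMigration` (global-config.changes) the `/ certificate remove` for fingerprint `0687…0739` runs unconditionally, so if `$CertificateDownload "R3"` returns without importing both pinned certificates, the device is left with neither the old nor the new trust anchor and later certificate-checked fetches will fail. The two pinned fingerprints are only tested before the download and never afterwards, so whatever the helper imports into the store is not compared against them; `$CertificateDownload` is defined outside this hunk, so how it authenticates the download cannot be judged from here. I would re-test the pins and drop the old root only on success, e.g. `:if ([ :len [ / certificate find where fingerprint=\"67add1…\" or fingerprint=\"96bcec…\" ] ] >= 2) do={ / certificate remove [ find where fingerprint=\"068726…\" ]; };` (fingerprints abbreviated here, use the full values already in the step). A short comment above the step naming which certificate each fingerprint belongs to would make the pinning auditable.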