From f2433b8091a7966db6cf2a8bc6890e576b592d13 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Tue, 30 Apr 2019 15:11:54 +0200 Subject: drop certificate DST Root CA X3 Let's Encrypt planned the transition to ISRG's root certificate ("ISRG Root X1") on July 8, 2019, but postponed several times. Finally they found another solution: A certificate 'ISRG Root X1', but cross-signed with 'DST Root CA X3' and with a livetime that exceeds that of the root CA. This is said to work for most operating system where root certificate authorities are just 'trust anchors'. I doubt this is true for RouterOS, where certificates are just imported into the certificate store. So let's migrate to 'ISRG Root X1' now. --- INITIAL-COMMANDS.md | 3 +-- README.md | 16 +++-------- certs/R3.pem | 77 ----------------------------------------------------- 3 files changed, 5 insertions(+), 91 deletions(-) diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md index fa32654..9df69fa 100644 --- a/INITIAL-COMMANDS.md +++ b/INITIAL-COMMANDS.md @@ -10,7 +10,7 @@ procedure please follow [the long way in detail](README.md#the-long-way-in-detai / tool fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/R3.pem" dst-path="letsencrypt-R3.pem"; :delay 1s; / certificate import file-name=letsencrypt-R3.pem passphrase=""; - :if ([ :len [ / certificate find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ] ] != 3) do={ + :if ([ :len [ / certificate find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ] ] != 2) do={ :error "Something is wrong with your certificates!"; } / file remove "letsencrypt-R3.pem"; @@ -22,7 +22,6 @@ procedure please follow [the long way in detail](README.md#the-long-way-in-detai :global CertificateNameByCN; $CertificateNameByCN "R3"; $CertificateNameByCN "ISRG Root X1"; - $CertificateNameByCN "DST Root CA X3"; } Optional to update the scripts automatically: diff --git a/README.md b/README.md index e102202..c5c0ba5 100644 --- a/README.md +++ b/README.md @@ -66,30 +66,22 @@ files to your MikroTik device. Then we import the certificates. [admin@MikroTik] > / certificate import file-name=letsencrypt-R3.pem passphrase="" - certificates-imported: 3 + certificates-imported: 2 private-keys-imported: 0 files-imported: 1 decryption-failures: 0 keys-with-no-certificate: 0 For basic verification we rename the certificates and print their count. Make -sure the certificate count is **three**. +sure the certificate count is **two**. [admin@MikroTik] > / certificate set name="R3" [ find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" ] [admin@MikroTik] > / certificate set name="ISRG-Root-X1" [ find where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ] - [admin@MikroTik] > / certificate set name="DST-Root-CA-X3" [ find where fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ] - [admin@MikroTik] > / certificate print count-only where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" - 3 + [admin@MikroTik] > / certificate print count-only where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" + 2 Always make sure there are no certificates installed you do not know or want! -Actually we do not require the certificate named `DST Root CA X3`, but as it -is used by `Let's Encrypt` to cross-sign we install it anyway - this makes -sure things do not go wrong if the intermediate certificate is replaced. -The IdenTrust certificate *should* be available from their -[download page](https://www.identrust.com/support/downloads). The site is -crap and a good example how to *not* do it. - Now let's download the main scripts and add them in configuration on the fly. [admin@MikroTik] > :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ / system script add name=$Script source=([ / tool fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script) output=user as-value]->"data"); } diff --git a/certs/R3.pem b/certs/R3.pem index ac322ec..837b709 100644 --- a/certs/R3.pem +++ b/certs/R3.pem @@ -235,80 +235,3 @@ oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b - Signature Algorithm: sha1WithRSAEncryption - Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 - Validity - Not Before: Sep 30 21:12:19 2000 GMT - Not After : Sep 30 14:01:15 2021 GMT - Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90: - 82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40: - c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93: - ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2: - 2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89: - a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14: - 30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80: - 65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec: - 52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09: - 8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd: - 70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6: - 30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c: - 92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72: - d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97: - eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15: - 02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83: - 69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0: - 02:5d - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 - Signature Algorithm: sha1WithRSAEncryption - a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f: - 4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b: - a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3: - 20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd: - b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94: - 3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9: - dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce: - e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf: - 0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52: - 67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31: - 85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64: - 63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65: - b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77: - 96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d: - 82:35:35:10 ------BEGIN CERTIFICATE----- -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw -7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 -JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ ------END CERTIFICATE----- -- cgit v1.2.3-54-g00ecf From 4427cabd0eac9f8a5b18f939198284621933fa36 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Mon, 21 Dec 2020 00:02:49 +0100 Subject: update Let's Encrypt trust chain Drop 'DST Root CA X3', use 'ISRG Root X1' instead. The migration code makes sure that... * the intermediate certificate 'R3' is signed by 'ISRG Root X1' * 'ISRG Root X1' is self-signed, not cross-signed by 'DST Root CA X3' * 'DST Root CA X3' is finally gone --- global-config | 2 +- global-config-overlay | 2 +- global-config.changes | 2 ++ global-functions | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/global-config b/global-config index a02d840..6730a45 100644 --- a/global-config +++ b/global-config @@ -8,7 +8,7 @@ # Make sure all configuration properties are up to date and this # value is in sync with value in script 'global-functions'! -:global GlobalConfigVersion 51; +:global GlobalConfigVersion 52; # This is used for DNS and backup file. :global Domain "example.com"; diff --git a/global-config-overlay b/global-config-overlay index 6ff1a9e..f90abd6 100644 --- a/global-config-overlay +++ b/global-config-overlay @@ -8,7 +8,7 @@ # Make sure all configuration properties are up to date and this # value is in sync with value in script 'global-functions'! # Comment or remove to disable news and change notifications. -:global GlobalConfigVersion 51; +:global GlobalConfigVersion 52; # Copy configuration from global-config here and modify it. diff --git a/global-config.changes b/global-config.changes index 4bada85..cfaf649 100644 --- a/global-config.changes +++ b/global-config.changes @@ -55,10 +55,12 @@ 49="Dropped '\$EmailBackupTo' & '\$EmailBackupCc' from configuration, use settings override if required."; 50="Added support for dynamic address update in 'netwatch-notify'."; 51="Added 'ipsec-to-dns' to add DNS records for IPSec peers from mode-config."; + 52="Updated Let's Encrypt trust chain to use root certificate 'ISRG Root X1'. Do not re-import the old chain!"; }; # Migration steps to be applied on script updates :global GlobalConfigMigration { 41=":global SendNotification; \$SendNotification (\"Migration mechanism\") (\"Congratulations!\nSuccessfully tested the new migration mechanism.\");"; 47="/ certificate remove [ find where fingerprint=\"731d3d9cfaa061487a1d71445a42f67df0afca2a6c2d2f98ff7b3ce112b1f568\" or fingerprint=\"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d\" ];"; + 52=":global CertificateDownload; :if ([ :len [ / certificate find where fingerprint=\"67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd\" or fingerprint=\"96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6\" ] ] < 2) do={ \$CertificateDownload \"R3\"; }; / certificate remove [ find where fingerprint=\"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739\" ];"; }; diff --git a/global-functions b/global-functions index 92995c9..86a6494 100644 --- a/global-functions +++ b/global-functions @@ -8,7 +8,7 @@ # https://git.eworm.de/cgit/routeros-scripts/about/ # expected configuration version -:global ExpectedConfigVersion 51; +:global ExpectedConfigVersion 52; # global variables not to be changed by user :global GlobalFunctionsReady false; -- cgit v1.2.3-54-g00ecf