Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2024-11-02 | doc/mod/notification-ntfy: link to 'certificate name from browser' | 2 | -0/+6 | ||
2024-11-02 | doc/mod/notification-matrix: link to 'certificate name from browser' | 2 | -0/+8 | ||
2024-11-02 | introduce CERTIFICATES, guide to find root certificate | 5 | -0/+74 | ||
2024-10-30 | global-functions: $CertificateAvailable: fail without CommonName | 1 | -0/+5 | ||
2024-10-29 | certs: check cert for matrix.org | 1 | -0/+1 | ||
2024-10-29 | doc/mod/notification-matrix: better document certificate import | 1 | -0/+7 | ||
2024-10-25 | ipv6-update: create a dynamic address-list entry only | 2 | -6/+10 | ||
This should make sure that the script runs once after reboot, even if the prefix does not change. An existing static entry needs to be removed to make this work! https://github.com/eworm-de/routeros-scripts/issues/85 | |||||
2024-10-23 | ipv6-update: ignore if address was acquired | 1 | -0/+6 | ||
https://github.com/eworm-de/routeros-scripts/issues/85 | |||||
2024-10-23 | fw-addr-lists: spamhaus.org requires 'ISRG Root X1' now | 2 | -3/+3 | ||
2024-10-23 | packages-update: check for explicit state...routeros-7.17beta4-2 | 1 | -3/+1 | ||
... as all device-mode properties are given since RouterOS 7.14beta4. Let's assume we do not have to care about RouterOS 7.14beta2 any more... As older versions will not match the check we can now merge right away. | |||||
2024-10-22 | backup-partition: drop warning on lock in device-moderouteros-7.17beta4-1 | 1 | -8/+0 | ||
... as switching partitions is possible again in RouterOS 7.17beta4. | |||||
2024-10-10 | doc/netwatch-notify: fix typo(s) | 1 | -3/+3 | ||
2024-10-10 | doc/netwatch-notify: give an extra example for resolving AAAA records | 1 | -1/+6 | ||
2024-10-10 | doc/netwatch-notify: always give a host... | 1 | -2/+2 | ||
... as that is a required property. Any ip address is fine, it is changed anyway. | |||||
2024-10-09 | backup-partition: log the warning just once | 1 | -1/+2 | ||
2024-10-02 | update list of contributors | 1 | -0/+1 | ||
2024-10-01 | update list of contributors | 1 | -0/+1 | ||
2024-10-01 | mod/notification-ntfy: fix ntfy overrides | 1 | -2/+2 | ||
2024-09-30 | log-forward: get last message from log... | 1 | -2/+3 | ||
... not only from matched massages. | |||||
2024-09-30 | packages-update: give warning on lock in device-moderouteros-7.17beta2-2 | 1 | -0/+8 | ||
RouterOS 7.17beta2 introduced some extra security measures, including some to prevent downgrade attacks for the installation. Detect early and exit with message and error. https://help.mikrotik.com/docs/display/ROS/Device-mode | |||||
2024-09-30 | backup-partition: give warning on lock in device-moderouteros-7.17beta2-1 | 1 | -0/+7 | ||
RouterOS 7.17beta2 introduced some extra security measures, including some to prevent downgrade attacks for the installation. Thus switching partitions (which can hold quite old installations) is denied by device-mode now by default. Warn about that... https://help.mikrotik.com/docs/display/ROS/Device-mode | |||||
2024-09-26 | global-functions: $CertificateDownload: add another check... | 1 | -0/+6 | ||
... that the certificate is really available. Turns out that mkcert.org ships certificates where OU or whatever matches - that's not what we want. | |||||
2024-09-25 | hotspot-to-wpa-cleanup: only match access-list with mac-address | 3 | -3/+3 | ||
2024-09-16 | check-routeros-update: use $VersionToNum to calculate bitmask | 1 | -2/+5 | ||
2024-09-13 | backup-partition: use $VersionToNum to calculate bitmask | 1 | -1/+2 | ||
2024-09-13 | global-functions: $VersionToNum: support "zero"... | 1 | -1/+2 | ||
... to have a clean way to generate bitmasks. [admin@mikrotik] > :put [ $VersionToNum 0.255zero0 ] 16711680 [admin@mikrotik] > :put 0x00ff0000 16711680 Once implemented everywhere the internal calculation could be changed easily. | |||||
2024-09-11 | fw-addr-lists: use lists in JSON format for spamhaus.org | 1 | -1/+3 | ||
2024-09-11 | fw-addr-lists: handle JSON format from spamhaus.org | 1 | -1/+6 | ||
Closes: https://github.com/eworm-de/routeros-scripts/issues/79 | |||||
2024-09-05 | netwatch-dns: give warning on CRL use | 1 | -0/+4 | ||
2024-09-04 | certs: add poor man's check 😜 | 1 | -0/+31 | ||
2024-08-28 | certs: drop 'Baltimore CyberTrust Root' | 1 | -28/+0 | ||
2024-08-28 | fw-addr-lists: drop edrop.txt, which does no longer exist | 1 | -2/+0 | ||
2024-08-28 | fw-addr-lists: spamhaus.org requires 'GTS Root R4' now | 1 | -2/+2 | ||
Fixes: https://github.com/eworm-de/routeros-scripts/issues/78 | |||||
2024-08-27 | certs: drop 'DigiCert Global Root CA' | 1 | -29/+0 | ||
2024-08-27 | doc/netwatch-dns: 'DigiCert Global Root G3' for Quad9 | 1 | -1/+1 | ||
2024-08-27 | certs: add 'DigiCert Global Root G3'... | 1 | -0/+22 | ||
... for quad9.net which can be used for DoH: $CertificateAvailable "DigiCert Global Root G3"; /ip/dns/set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes; | |||||
2024-08-20 | check-routeros-update: support switching to stable channel... | 1 | -0/+9 | ||
... with a feature update in testing channel. | |||||
2024-08-19 | netwatch-dns: disable DoH if time not sync... | 1 | -0/+8 | ||
... as it is possible that time is off, DNS via DoH fails (cert invalid), and finally syncing time fails due to failing DNS. | |||||
2024-08-19 | INITIAL-COMMANDS: match the certificate file name from Let's Encrypt website... | 1 | -2/+2 | ||
... and our README. 😜 | |||||
2024-08-19 | README: match the certificate file name from Let's Encrypt website... | 2 | -2/+2 | ||
... so import from manually downloaded and transferred file works out of the box as well. | |||||
2024-08-19 | README: make the QR code a link | 1 | -1/+1 | ||
2024-07-25 | telegram-chat: drop extra conversionrouteros-7.15-3 | 2 | -3/+3 | ||
The JSON parser was actually fixed in RouterOS 7.15beta4, but let's bump the required version to next stable release instead. | |||||
2024-07-25 | daily-psk: drop workaround for old RouterOSrouteros-7.15-2 | 5 | -11/+7 | ||
2024-07-25 | netwatch-notify: do not switch type when resolvingrouteros-7.15-1 | 2 | -3/+4 | ||
This requires RouterOS 7.15beta4, but let's bump the required version to next stable release instead. | |||||
2024-07-25 | INITIAL-COMMANDS: drop command to remove certificate file... | 1 | -1/+0 | ||
... as this is done automatically with RouterOS 7.15rc1 and later. | |||||
2024-07-25 | README: drop command to remove certificate file... | 2 | -2/+1 | ||
... as this is done automatically with RouterOS 7.15rc1 and later. Not bumping the required RouterOS version (badge) here... Worst thing that can happen is a stale certificate file left on storage. | |||||
2024-07-22 | global-functions: $EitherOr: revert... | 1 | -3/+1 | ||
... but leave a comment. | |||||
2024-07-22 | global-functions: $EitherOr: pass boolean value | 1 | -0/+3 | ||
Note that literal "true" or "false" (even without quotes) is converted to string. So you may have to enclose it in parentheses for a boolean value: > :put [ :typeof [ $EitherOr true false ] ]; str > :put [ :typeof [ $EitherOr (true) (false) ] ]; bool | |||||
2024-07-16 | Merge branch 'line-breaks' into nextrouteros-7.14-1 | 123 | -152/+140 | ||
2024-07-16 | bump RouterOS requirement for all scripts and modules... | 116 | -116/+116 | ||
... now that global-functions requires RouterOS 7.14 anyway. | |||||
2024-07-16 | mod/ipcalc: use :tocrlf | 2 | -5/+4 | ||
2024-07-16 | mod/inspectvar: use :tocrlf | 2 | -4/+3 | ||
2024-07-16 | global-functions: $Unix2Dos: use :tocrlf | 1 | -6/+1 | ||
2024-07-16 | global-functions: $PrettyPrint: use :tocrlf | 1 | -5/+1 | ||
2024-07-16 | global-functions: $Dos2Unix: use :tolf | 1 | -5/+1 | ||
2024-07-16 | global-functions: $ScriptInstallUpdate: support storing with CRLF | 1 | -1/+3 | ||
Adding this in `global-config-overlay` make the scripts being stored with CRLF line breaks: :global ScriptUpdatesCRLF true; Handle with care, I do not recommend it. Thus it's just a hidden setting. | |||||
2024-07-16 | ppp-on-up: support scripts with CRLF line breaks | 1 | -1/+1 | ||
2024-07-16 | news-and-changes: support scripts with CRLF line breaks | 1 | -1/+1 | ||
2024-07-16 | capsman-download-packages: support scripts with CRLF line breaks | 3 | -3/+3 | ||
2024-07-16 | global-functions: $ScriptInstallUpdate: allow CRLF on device | 1 | -1/+2 | ||
2024-07-16 | global-functions: $ScriptInstallUpdate: forcibly convert to LF... | 1 | -2/+2 | ||
... to make sure we do not have unintended CRLF line breaks. | |||||
2024-07-16 | README: use :tocrlf to convert global-config-overlay | 1 | -2/+2 | ||
2024-07-16 | doc/mod/ssh-keys-import: drop hint on older RouterOS | 1 | -5/+1 | ||
2024-07-11 | capsman-download-packages: support running several scripts... | 3 | -9/+15 | ||
... as it is possible to have more than just one providing the functionality. | |||||
2024-07-11 | capsman-{download-packages,rolling-upgrade}: run matching script | 6 | -6/+6 | ||
It is possible to run old and new CAPsMAN on one system simultaneously (... since RouterOS 7.13?). Thus it may make sense to have both variants of these scripts installed, and we have to make sure to run the correct one. | |||||
2024-07-10 | update list of contributors | 1 | -0/+1 | ||
2024-07-08 | backup-partition: check that target is inactive | 1 | -2/+2 | ||
2024-07-08 | backup-partition: check the fallback partition actually exists... | 1 | -8/+16 | ||
... and use its id for actions. | |||||
2024-07-05 | backup-partition: rename variable | 1 | -8/+8 | ||
2024-07-04 | packages-update: run backups before package download | 1 | -26/+26 | ||
This reduces memory pressure, especially on device with very limited RAM like mAP with its 64 MB. | |||||
2024-07-04 | global-functions: $MkDir: enable tmpfs if disabled | 1 | -1/+6 | ||
2024-07-02 | global-functions: $GetMacVendor: cert 'GTS Root R4' | 2 | -1/+21 | ||
2024-06-25 | check-certificates: limit scope for $CertNew... | 1 | -4/+3 | ||
... into block where certificate is replaced. This should unbreak renewing with a certificate updated in place. | |||||
2024-06-21 | global-functions: $CertificateDownload: try fallback to mkcert.orgchange-131 | 2 | -11/+31 | ||
There's a nice API that allows to download certificate by exact common name. Let's use that, as a fallback at least. https://mkcert.org/ | |||||
2024-06-21 | Merge branch 'root-certificates' into next | 36 | -2456/+334 | ||
2024-06-21 | notify on changes regarding certificateschange-130 | 2 | -1/+2 | ||
2024-06-21 | certs: DigiCert TLS Hybrid ECC SHA384 2020 CA1 -> DigiCert Global Root CA | 3 | -175/+30 | ||
This is used by Cloudflare DNS Quard9 (9.9.9.9). $CertificateAvailable "DigiCert Global Root CA"; /ip/dns/set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes; | |||||
2024-06-21 | certs: DigiCert Global G2 TLS RSA SHA256 2020 CA1 -> DigiCert Global Root G2 | 3 | -183/+30 | ||
This is used by Cloudflare DNS (1.1.1.1). $CertificateAvailable "DigiCert Global Root G2"; /ip/dns/set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes; | |||||
2024-06-21 | certs: Go Daddy Secure Certificate Authority - G2 -> Go Daddy Root ↵ | 4 | -180/+32 | ||
Certificate Authority - G2 | |||||
2024-06-21 | certs: GTS CA 1C3 / GTS CA 1P5 -> GTS Root R1 | 5 | -482/+40 | ||
2024-06-21 | certs: Starfield Secure Certificate Authority - G2 -> Starfield Root ↵ | 3 | -180/+31 | ||
Certificate Authority - G2 | |||||
2024-06-21 | certs: Cloudflare Inc ECC CA-3 -> Baltimore CyberTrust Root | 3 | -165/+30 | ||
2024-06-21 | certs: Certum Domain Validation CA SHA2 -> Certum Trusted Network CA | 3 | -177/+30 | ||
2024-06-21 | certs: GlobalSign Atlas R3 DV TLS CA 2022 Q3 -> GlobalSign | 3 | -179/+30 | ||
2024-06-21 | certs: R3 / R10 -> ISRG Root X1 | 6 | -471/+41 | ||
2024-06-21 | certs: E1 / E5 -> ISRG Root X2 | 10 | -263/+38 | ||
In the beginning of Let's Encrypt their root certificate ISRG Root X1 was not widely trusted, at least some older and/or mobile platforms were missing that certificate in their root certificate store. At that time Let's Encrypt was using an alternative chain of trust, where a certificate was cross-signed with DST Root CA X3. To make sure a valid chain of trust is available under all circumstances a set of all certificates had to be supplied: both root vertificates ISRG Root X1 & DST Root CA X3, and an intermediate certificate. This was still true after DST Root CA X3 expired, as it could still be used as a root anchor and was shipped by Let's Encrypt when requested. 🤪 This time is finally over, and we have a clean chain for trust ending in ISRG Root X1 (or ISRG Root X2). Well, actually it is the other way round... Let's Encrypt signs with different tantamount intermediate certificates. There is not only E5, but also E6 - and we can not know beforehand which one is used on renew. So let's jetzt drop the intermediate certificates now, and rely on root certificates only. We are perfectly fine with this these days. Follow-up commits will do the same for *all* certificates. The certificate is downloaded with: curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem | |||||
2024-06-20 | doc/mod/notification-matrix: drop certificate hint... | 1 | -3/+0 | ||
... as matrix.org switched to Let's Encrypt with ISRG Root X2. | |||||
2024-06-19 | Let's Encrypt changed their intermediate certificates | 8 | -16/+366 | ||
https://letsencrypt.org/2024/03/19/new-intermediate-certificates https://letsencrypt.org/certificates/ But let's keep the old ones around for now, as some sites are still using the old intermediate. | |||||
2024-06-11 | unattended-lte-firmware-upgrade: check on valid version first | 1 | -1/+2 | ||
2024-06-11 | unattended-lte-firmware-upgrade: drop the AT reset | 1 | -2/+1 | ||
The AT command to reset is specific to modem. So this worked for some only... Let's just drop it, and update the log message. | |||||
2024-06-11 | unattended-lte-firmware-upgrade: omit just another once | 1 | -1/+1 | ||
2024-06-10 | backup-cloud: remove trailing spaces | 1 | -1/+1 | ||
How did I produce these!? 😳 | |||||
2024-06-10 | unattended-lte-firmware-upgrade: omit once | 1 | -1/+1 | ||
Omit `once` from the `/interface/lte/firmware-upgrade` command to make sure it does acutally return a valid result. Fixes #69 | |||||
2024-06-10 | check-lte-firmware-upgrade: omit once | 1 | -1/+1 | ||
Omit `once` from the `/interface/lte/firmware-upgrade` command to make sure it does acutally return a valid result. | |||||
2024-06-05 | backup-cloud: log note on previous connection errors | 1 | -0/+4 | ||
2024-06-01 | global-functions: $CleanName: no exception for dash... | 1 | -1/+1 | ||
... as we still want to deduplicate it when it is inside the input string. This also unbreak certificate import for "Go Daddy Secure Certificate Authority - G2" (and more)... | |||||
2024-05-25 | telegram-chat: drop extra parenthesis | 1 | -3/+3 | ||
2024-05-24 | telegram-chat: convert the message (command) to string | 1 | -10/+11 | ||
RouterOS 7.15beta4 fixed a bug in JSON parser: *) console - do not convert string to array in ":deserialize" command; Before that change commands with a comma caused very crazy issues. Let's convert the message to a string. This does not give exactly the expected result, but mitigates telegram-chat to explode. A command like... /ip/address/print proplist=address,network; ... is converted to... /ip/address/print proplist=address;network; ... and results in: Columns: ADDRESS # ADDRESS 0 10.0.0.1/24 1 127.0.0.1/8 bad command name network (line 1 column 36) | |||||
2024-05-23 | Merge branch 'backup-partition' into next | 5 | -4/+66 | ||
2024-05-23 | backup-partition: news on support for copy-overchange-129 | 2 | -1/+2 | ||