Age | Commit message (Expand) | Author | Files | Lines |
2024-11-06 | fw-addr-lists: simplify looping lines•••With `:deserialize` the **record** separator is always a new line. The
property `delimiter=` is a **field** reparator, so you can parse a lines
into an array.
We do not want (or need) that, so use new line as field separator. This
will result in an array with just one element, and we use that.
Also convert the data to line feed explicitly, just to be sure.
routeros-7.16-1 | Christian Hesse | 1 | -4/+3 |
2024-11-02 | doc/netwatch-dns: link to 'certificate name from browser' | Christian Hesse | 2 | -2/+4 |
2024-11-02 | doc/fw-addr-lists: link to 'certificate name from browser' | Christian Hesse | 2 | -3/+8 |
2024-11-02 | doc/mod/notification-ntfy: link to 'certificate name from browser' | Christian Hesse | 2 | -0/+6 |
2024-11-02 | doc/mod/notification-matrix: link to 'certificate name from browser' | Christian Hesse | 2 | -0/+8 |
2024-11-02 | introduce CERTIFICATES, guide to find root certificate | Christian Hesse | 5 | -0/+74 |
2024-10-30 | global-functions: $CertificateAvailable: fail without CommonName | Christian Hesse | 1 | -0/+5 |
2024-10-29 | certs: check cert for matrix.org | Christian Hesse | 1 | -0/+1 |
2024-10-29 | doc/mod/notification-matrix: better document certificate import | Christian Hesse | 1 | -0/+7 |
2024-10-25 | ipv6-update: create a dynamic address-list entry only•••This should make sure that the script runs once after reboot, even if
the prefix does not change.
An existing static entry needs to be removed to make this work!
https://github.com/eworm-de/routeros-scripts/issues/85
| Christian Hesse | 2 | -6/+10 |
2024-10-23 | ipv6-update: ignore if address was acquired•••https://github.com/eworm-de/routeros-scripts/issues/85
| Christian Hesse | 1 | -0/+6 |
2024-10-23 | fw-addr-lists: spamhaus.org requires 'ISRG Root X1' now | Christian Hesse | 2 | -3/+3 |
2024-10-23 | packages-update: check for explicit state...•••... as all device-mode properties are given since RouterOS 7.14beta4.
Let's assume we do not have to care about RouterOS 7.14beta2 any more...
As older versions will not match the check we can now merge right away.
routeros-7.17beta4-2 | Christian Hesse | 1 | -3/+1 |
2024-10-22 | backup-partition: drop warning on lock in device-mode•••... as switching partitions is possible again in RouterOS 7.17beta4.
routeros-7.17beta4-1 | Christian Hesse | 1 | -8/+0 |
2024-10-10 | doc/netwatch-notify: fix typo(s) | Christian Hesse | 1 | -3/+3 |
2024-10-10 | doc/netwatch-notify: give an extra example for resolving AAAA records | Christian Hesse | 1 | -1/+6 |
2024-10-10 | doc/netwatch-notify: always give a host...•••... as that is a required property. Any ip address is fine, it is
changed anyway.
| Christian Hesse | 1 | -2/+2 |
2024-10-09 | backup-partition: log the warning just once | Christian Hesse | 1 | -1/+2 |
2024-10-02 | update list of contributors | Christian Hesse | 1 | -0/+1 |
2024-10-01 | update list of contributors | Christian Hesse | 1 | -0/+1 |
2024-10-01 | mod/notification-ntfy: fix ntfy overrides | Ignacio Serrano | 1 | -2/+2 |
2024-09-30 | log-forward: get last message from log...•••... not only from matched massages.
| Christian Hesse | 1 | -2/+3 |
2024-09-30 | packages-update: give warning on lock in device-mode•••RouterOS 7.17beta2 introduced some extra security measures, including
some to prevent downgrade attacks for the installation. Detect early
and exit with message and error.
https://help.mikrotik.com/docs/display/ROS/Device-mode
routeros-7.17beta2-2 | Christian Hesse | 1 | -0/+8 |
2024-09-30 | backup-partition: give warning on lock in device-mode•••RouterOS 7.17beta2 introduced some extra security measures, including
some to prevent downgrade attacks for the installation. Thus switching
partitions (which can hold quite old installations) is denied by
device-mode now by default. Warn about that...
https://help.mikrotik.com/docs/display/ROS/Device-mode
routeros-7.17beta2-1 | Christian Hesse | 1 | -0/+7 |
2024-09-26 | global-functions: $CertificateDownload: add another check...•••... that the certificate is really available.
Turns out that mkcert.org ships certificates where OU or whatever
matches - that's not what we want.
| Christian Hesse | 1 | -0/+6 |
2024-09-25 | hotspot-to-wpa-cleanup: only match access-list with mac-address | Christian Hesse | 3 | -3/+3 |
2024-09-16 | check-routeros-update: use $VersionToNum to calculate bitmask | Christian Hesse | 1 | -2/+5 |
2024-09-13 | backup-partition: use $VersionToNum to calculate bitmask | Christian Hesse | 1 | -1/+2 |
2024-09-13 | global-functions: $VersionToNum: support "zero"...•••... to have a clean way to generate bitmasks.
[admin@mikrotik] > :put [ $VersionToNum 0.255zero0 ]
16711680
[admin@mikrotik] > :put 0x00ff0000
16711680
Once implemented everywhere the internal calculation could be
changed easily.
| Christian Hesse | 1 | -1/+2 |
2024-09-11 | fw-addr-lists: use lists in JSON format for spamhaus.org | Christian Hesse | 1 | -1/+3 |
2024-09-11 | fw-addr-lists: handle JSON format from spamhaus.org•••Closes: https://github.com/eworm-de/routeros-scripts/issues/79
| Christian Hesse | 1 | -1/+6 |
2024-09-05 | netwatch-dns: give warning on CRL use | Christian Hesse | 1 | -0/+4 |
2024-09-04 | certs: add poor man's check ð | Christian Hesse | 1 | -0/+31 |
2024-08-28 | certs: drop 'Baltimore CyberTrust Root' | Christian Hesse | 1 | -28/+0 |
2024-08-28 | fw-addr-lists: drop edrop.txt, which does no longer exist | Christian Hesse | 1 | -2/+0 |
2024-08-28 | fw-addr-lists: spamhaus.org requires 'GTS Root R4' now•••Fixes: https://github.com/eworm-de/routeros-scripts/issues/78
| Christian Hesse | 1 | -2/+2 |
2024-08-27 | certs: drop 'DigiCert Global Root CA' | Christian Hesse | 1 | -29/+0 |
2024-08-27 | doc/netwatch-dns: 'DigiCert Global Root G3' for Quad9 | Christian Hesse | 1 | -1/+1 |
2024-08-27 | certs: add 'DigiCert Global Root G3'...•••... for quad9.net which can be used for DoH:
$CertificateAvailable "DigiCert Global Root G3";
/ip/dns/set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes;
| Christian Hesse | 1 | -0/+22 |
2024-08-20 | check-routeros-update: support switching to stable channel...•••... with a feature update in testing channel.
| Christian Hesse | 1 | -0/+9 |
2024-08-19 | netwatch-dns: disable DoH if time not sync...•••... as it is possible that time is off, DNS via DoH fails (cert invalid),
and finally syncing time fails due to failing DNS.
| Christian Hesse | 1 | -0/+8 |
2024-08-19 | INITIAL-COMMANDS: match the certificate file name from Let's Encrypt website...•••... and our README. ð
| Christian Hesse | 1 | -2/+2 |
2024-08-19 | README: match the certificate file name from Let's Encrypt website...•••... so import from manually downloaded and transferred file works
out of the box as well.
| Christian Hesse | 2 | -2/+2 |
2024-08-19 | README: make the QR code a link | Christian Hesse | 1 | -1/+1 |
2024-07-25 | telegram-chat: drop extra conversion•••The JSON parser was actually fixed in RouterOS 7.15beta4, but let's bump
the required version to next stable release instead.
routeros-7.15-3 | Christian Hesse | 2 | -3/+3 |
2024-07-25 | daily-psk: drop workaround for old RouterOSrouteros-7.15-2 | Christian Hesse | 5 | -11/+7 |
2024-07-25 | netwatch-notify: do not switch type when resolving•••This requires RouterOS 7.15beta4, but let's bump the required version
to next stable release instead.
routeros-7.15-1 | Christian Hesse | 2 | -3/+4 |
2024-07-25 | INITIAL-COMMANDS: drop command to remove certificate file...•••... as this is done automatically with RouterOS 7.15rc1 and later.
| Christian Hesse | 1 | -1/+0 |
2024-07-25 | README: drop command to remove certificate file...•••... as this is done automatically with RouterOS 7.15rc1 and later.
Not bumping the required RouterOS version (badge) here... Worst thing
that can happen is a stale certificate file left on storage.
| Christian Hesse | 2 | -2/+1 |
2024-07-22 | global-functions: $EitherOr: revert...•••... but leave a comment.
| Christian Hesse | 1 | -3/+1 |
2024-07-22 | global-functions: $EitherOr: pass boolean value•••Note that literal "true" or "false" (even without quotes) is converted
to string. So you may have to enclose it in parentheses for a boolean
value:
> :put [ :typeof [ $EitherOr true false ] ];
str
> :put [ :typeof [ $EitherOr (true) (false) ] ];
bool
| Christian Hesse | 1 | -0/+3 |
2024-07-16 | Merge branch 'line-breaks' into nextrouteros-7.14-1 | Christian Hesse | 123 | -152/+140 |
2024-07-16 | bump RouterOS requirement for all scripts and modules...•••... now that global-functions requires RouterOS 7.14 anyway.
| Christian Hesse | 116 | -116/+116 |
2024-07-16 | mod/ipcalc: use :tocrlf | Christian Hesse | 2 | -5/+4 |
2024-07-16 | mod/inspectvar: use :tocrlf | Christian Hesse | 2 | -4/+3 |
2024-07-16 | global-functions: $Unix2Dos: use :tocrlf | Christian Hesse | 1 | -6/+1 |
2024-07-16 | global-functions: $PrettyPrint: use :tocrlf | Christian Hesse | 1 | -5/+1 |
2024-07-16 | global-functions: $Dos2Unix: use :tolf | Christian Hesse | 1 | -5/+1 |
2024-07-16 | global-functions: $ScriptInstallUpdate: support storing with CRLF•••Adding this in `global-config-overlay` make the scripts being stored
with CRLF line breaks:
:global ScriptUpdatesCRLF true;
Handle with care, I do not recommend it. Thus it's just a hidden
setting.
| Christian Hesse | 1 | -1/+3 |
2024-07-16 | ppp-on-up: support scripts with CRLF line breaks | Christian Hesse | 1 | -1/+1 |
2024-07-16 | news-and-changes: support scripts with CRLF line breaks | Christian Hesse | 1 | -1/+1 |
2024-07-16 | capsman-download-packages: support scripts with CRLF line breaks | Christian Hesse | 3 | -3/+3 |
2024-07-16 | global-functions: $ScriptInstallUpdate: allow CRLF on device | Christian Hesse | 1 | -1/+2 |
2024-07-16 | global-functions: $ScriptInstallUpdate: forcibly convert to LF...•••... to make sure we do not have unintended CRLF line breaks.
| Christian Hesse | 1 | -2/+2 |
2024-07-16 | README: use :tocrlf to convert global-config-overlay | Christian Hesse | 1 | -2/+2 |
2024-07-16 | doc/mod/ssh-keys-import: drop hint on older RouterOS | Christian Hesse | 1 | -5/+1 |
2024-07-11 | capsman-download-packages: support running several scripts...•••... as it is possible to have more than just one providing
the functionality.
| Christian Hesse | 3 | -9/+15 |
2024-07-11 | capsman-{download-packages,rolling-upgrade}: run matching script•••It is possible to run old and new CAPsMAN on one system simultaneously
(... since RouterOS 7.13?). Thus it may make sense to have both variants
of these scripts installed, and we have to make sure to run the correct
one.
| Christian Hesse | 6 | -6/+6 |
2024-07-10 | update list of contributors | Christian Hesse | 1 | -0/+1 |
2024-07-08 | backup-partition: check that target is inactive | Christian Hesse | 1 | -2/+2 |
2024-07-08 | backup-partition: check the fallback partition actually exists...•••... and use its id for actions.
| Christian Hesse | 1 | -8/+16 |
2024-07-05 | backup-partition: rename variable | Christian Hesse | 1 | -8/+8 |
2024-07-04 | packages-update: run backups before package download•••This reduces memory pressure, especially on device with very limited RAM
like mAP with its 64 MB.
| Christian Hesse | 1 | -26/+26 |
2024-07-04 | global-functions: $MkDir: enable tmpfs if disabled | Christian Hesse | 1 | -1/+6 |
2024-07-02 | global-functions: $GetMacVendor: cert 'GTS Root R4' | Christian Hesse | 2 | -1/+21 |
2024-06-25 | check-certificates: limit scope for $CertNew...•••... into block where certificate is replaced.
This should unbreak renewing with a certificate updated in place.
| Christian Hesse | 1 | -4/+3 |
2024-06-21 | global-functions: $CertificateDownload: try fallback to mkcert.org•••There's a nice API that allows to download certificate by exact common
name. Let's use that, as a fallback at least.
https://mkcert.org/
change-131 | Christian Hesse | 2 | -11/+31 |
2024-06-21 | Merge branch 'root-certificates' into next | Christian Hesse | 36 | -2456/+334 |
2024-06-21 | notify on changes regarding certificateschange-130 | Christian Hesse | 2 | -1/+2 |
2024-06-21 | certs: DigiCert TLS Hybrid ECC SHA384 2020 CA1 -> DigiCert Global Root CA•••This is used by Cloudflare DNS Quard9 (9.9.9.9).
$CertificateAvailable "DigiCert Global Root CA";
/ip/dns/set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes;
| Christian Hesse | 3 | -175/+30 |
2024-06-21 | certs: DigiCert Global G2 TLS RSA SHA256 2020 CA1 -> DigiCert Global Root G2•••This is used by Cloudflare DNS (1.1.1.1).
$CertificateAvailable "DigiCert Global Root G2";
/ip/dns/set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes;
| Christian Hesse | 3 | -183/+30 |
2024-06-21 | certs: Go Daddy Secure Certificate Authority - G2 -> Go Daddy Root Certificat... | Christian Hesse | 4 | -180/+32 |
2024-06-21 | certs: GTS CA 1C3 / GTS CA 1P5 -> GTS Root R1 | Christian Hesse | 5 | -482/+40 |
2024-06-21 | certs: Starfield Secure Certificate Authority - G2 -> Starfield Root Certific... | Christian Hesse | 3 | -180/+31 |
2024-06-21 | certs: Cloudflare Inc ECC CA-3 -> Baltimore CyberTrust Root | Christian Hesse | 3 | -165/+30 |
2024-06-21 | certs: Certum Domain Validation CA SHA2 -> Certum Trusted Network CA | Christian Hesse | 3 | -177/+30 |
2024-06-21 | certs: GlobalSign Atlas R3 DV TLS CA 2022 Q3 -> GlobalSign | Christian Hesse | 3 | -179/+30 |
2024-06-21 | certs: R3 / R10 -> ISRG Root X1 | Christian Hesse | 6 | -471/+41 |
2024-06-21 | certs: E1 / E5 -> ISRG Root X2•••In the beginning of Let's Encrypt their root certificate ISRG Root X1
was not widely trusted, at least some older and/or mobile platforms were
missing that certificate in their root certificate store.
At that time Let's Encrypt was using an alternative chain of trust,
where a certificate was cross-signed with DST Root CA X3.
To make sure a valid chain of trust is available under all circumstances
a set of all certificates had to be supplied: both root vertificates
ISRG Root X1 & DST Root CA X3, and an intermediate certificate.
This was still true after DST Root CA X3 expired, as it could still be
used as a root anchor and was shipped by Let's Encrypt when requested. ðĪŠ
This time is finally over, and we have a clean chain for trust ending in
ISRG Root X1 (or ISRG Root X2).
Well, actually it is the other way round... Let's Encrypt signs with
different tantamount intermediate certificates. There is not only E5, but
also E6 - and we can not know beforehand which one is used on renew.
So let's jetzt drop the intermediate certificates now, and rely on root
certificates only. We are perfectly fine with this these days.
Follow-up commits will do the same for *all* certificates.
The certificate is downloaded with:
curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem
| Christian Hesse | 10 | -263/+38 |
2024-06-20 | doc/mod/notification-matrix: drop certificate hint...•••... as matrix.org switched to Let's Encrypt with ISRG Root X2.
| Christian Hesse | 1 | -3/+0 |
2024-06-19 | Let's Encrypt changed their intermediate certificates•••https://letsencrypt.org/2024/03/19/new-intermediate-certificates
https://letsencrypt.org/certificates/
But let's keep the old ones around for now, as some sites are still
using the old intermediate.
| Christian Hesse | 8 | -16/+366 |
2024-06-11 | unattended-lte-firmware-upgrade: check on valid version first | Christian Hesse | 1 | -1/+2 |
2024-06-11 | unattended-lte-firmware-upgrade: drop the AT reset•••The AT command to reset is specific to modem. So this worked for some
only... Let's just drop it, and update the log message.
| Christian Hesse | 1 | -2/+1 |
2024-06-11 | unattended-lte-firmware-upgrade: omit just another once | Christian Hesse | 1 | -1/+1 |
2024-06-10 | backup-cloud: remove trailing spaces•••How did I produce these!? ðģ
| Christian Hesse | 1 | -1/+1 |
2024-06-10 | unattended-lte-firmware-upgrade: omit once•••Omit `once` from the `/interface/lte/firmware-upgrade` command to make
sure it does acutally return a valid result.
Fixes #69
| netravnen | 1 | -1/+1 |
2024-06-10 | check-lte-firmware-upgrade: omit once•••Omit `once` from the `/interface/lte/firmware-upgrade` command to make
sure it does acutally return a valid result.
| netravnen | 1 | -1/+1 |
2024-06-05 | backup-cloud: log note on previous connection errors | Christian Hesse | 1 | -0/+4 |
2024-06-01 | global-functions: $CleanName: no exception for dash...•••... as we still want to deduplicate it when it is inside the input
string. This also unbreak certificate import for "Go Daddy Secure
Certificate Authority - G2" (and more)...
| Christian Hesse | 1 | -1/+1 |
2024-05-25 | telegram-chat: drop extra parenthesis | Christian Hesse | 1 | -3/+3 |