Age | Commit message (Collapse) | Author | Files | Lines |
|
... as this is done automatically with RouterOS 7.15rc1 and later.
|
|
... now that global-functions requires RouterOS 7.14 anyway.
|
|
In the beginning of Let's Encrypt their root certificate ISRG Root X1
was not widely trusted, at least some older and/or mobile platforms were
missing that certificate in their root certificate store.
At that time Let's Encrypt was using an alternative chain of trust,
where a certificate was cross-signed with DST Root CA X3.
To make sure a valid chain of trust is available under all circumstances
a set of all certificates had to be supplied: both root vertificates
ISRG Root X1 & DST Root CA X3, and an intermediate certificate.
This was still true after DST Root CA X3 expired, as it could still be
used as a root anchor and was shipped by Let's Encrypt when requested. 🤪
This time is finally over, and we have a clean chain for trust ending in
ISRG Root X1 (or ISRG Root X2).
Well, actually it is the other way round... Let's Encrypt signs with
different tantamount intermediate certificates. There is not only E5, but
also E6 - and we can not know beforehand which one is used on renew.
So let's jetzt drop the intermediate certificates now, and rely on root
certificates only. We are perfectly fine with this these days.
Follow-up commits will do the same for *all* certificates.
The certificate is downloaded with:
curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem
|
|
https://letsencrypt.org/2024/03/19/new-intermediate-certificates
https://letsencrypt.org/certificates/
But let's keep the old ones around for now, as some sites are still
using the old intermediate.
|
|
Required as RouterOS 7.15rc1 removes it automatically.
|
|
... now that global-functions requires RouterOS 7.13 anyway.
|
|
|
|
|
|
|
|
This should not ultimately destroy user's configuration.
|
|
... to make sure it does not fail on (partly) installed scripts. This
should work to fix borked base installation now.
|
|
|
|
old chain: R3 / ISRG Root X1
new chain: E1 / ISRG Root X2
No user interaction or migration is required for existing installations
as we install 'E1' and 'ISRG Root X2' for some time already.
|
|
No functional change for the user... The migration is done
automatically.
|
|
|
|
We had...
◀ Go back to main README
▲ Go back to top
... and switch to...
⬅️ Go back to main README
⬆️ Go back to top
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The Github copy function skips all line breaks, so add some extra
semicolons to fix syntax.
|
|
Let's Encrypt planned the transition to ISRG's root certificate ("ISRG Root
X1") on July 8, 2019, but postponed several times.
Finally they found another solution: A certificate 'ISRG Root X1', but
cross-signed with 'DST Root CA X3' and with a livetime that exceeds that
of the root CA. This is said to work for most operating system where root
certificate authorities are just 'trust anchors'.
I doubt this is true for RouterOS, where certificates are just imported
into the certificate store. So let's migrate to 'ISRG Root X1' now.
|
|
This allows to drop the ignore flag.
|
|
|
|
|
|
|
|
Using 'print count-only' always prints a number to terminal, even if the
value is evaluated in a condition or assigned to a variable. This can be
quite annoying. Behavior will not chance (SUP-25503), so replacing the
code...
|
|
|
|
|
|
|
|
|
|
This is not intended for installation...
|