Age | Commit message (Collapse) | Author | Files | Lines |
|
https://letsencrypt.org/2024/03/19/new-intermediate-certificates
https://letsencrypt.org/certificates/
But let's keep the old ones around for now, as some sites are still
using the old intermediate.
|
|
|
|
... and rename certificates in repository.
|
|
... used by Cloudflare.
|
|
The service now uses: GTS CA 1P5 -> GTS Root R1
|
|
old chain: R3 / ISRG Root X1
new chain: E1 / ISRG Root X2
No user interaction or migration is required for existing installations
as we install 'E1' and 'ISRG Root X2' for some time already.
|
|
... for later use.
|
|
... for later use.
|
|
So let's check for the correct one, and drop the other.
|
|
|
|
This is used by Google DNS (8.8.8.8).
$CertificateAvailable "GTS CA 1C3"
/ip dns set use-doh-server=https://8.8.8.8/dns-query verify-doh-cert=yes
|
|
|
|
This is used by Cloudflare DNS (1.1.1.1) and Quard9 (9.9.9.9).
$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes
|
|
Let's Encrypt planned the transition to ISRG's root certificate ("ISRG Root
X1") on July 8, 2019, but postponed several times.
Finally they found another solution: A certificate 'ISRG Root X1', but
cross-signed with 'DST Root CA X3' and with a livetime that exceeds that
of the root CA. This is said to work for most operating system where root
certificate authorities are just 'trust anchors'.
I doubt this is true for RouterOS, where certificates are just imported
into the certificate store. So let's migrate to 'ISRG Root X1' now.
|
|
CA-3" now
|
|
Also order certificates, so we have:
* intermediate
* root
* alternative root, if any
Let's add 'ISRG Root X1' for 'E1' as there will be a valid cross-signed
chain 'E1' -> 'ISRG Root X2' -> 'ISRG Root X1'.
|
|
|
|
https://letsencrypt.org/certificates/
|
|
This is used by DNS over HTTPS services:
https://dns.google/dns-query
|
|
This is used by DNS over HTTPS services:
https://cloudflare-dns.com/dns-query
https://dns9.quad9.net/dns-query (secured)
https://dns10.quad9.net/dns-query (unsecured)
https://github.com/curl/curl/wiki/DNS-over-HTTPS
|
|
Now that we have a proper $UrlEncode function... Fetch certificates
by CommonName.
Also remove the PEM after import.
|
|
|
|
This should prevent endless certificate switching for Let's Encrypt
cross-signed intermediate certificates.
|
|
This is used by Let's Encrypt to cross-sign.
|
|
|
|
Signed-off-by: Christian Hesse <mail@eworm.de>
|