path: root/global-config.rsc
Age | Commit message | Author | Files | Lines
13 days | certs: Cloudflare Inc ECC CA-3 -> Baltimore CyberTrust Root | Christian Hesse | 1 | -2/+2
13 days | certs: Certum Domain Validation CA SHA2 -> Certum Trusted Network CA | Christian Hesse | 1 | -1/+1
13 days | certs: GlobalSign Atlas R3 DV TLS CA 2022 Q3 -> GlobalSign | Christian Hesse | 1 | -2/+2
13 days | certs: R3 / R10 -> ISRG Root X1 | Christian Hesse | 1 | -1/+1
13 days | certs: E1 / E5 -> ISRG Root X2 | Christian Hesse | 1 | -3/+3
    In the beginning of Let's Encrypt their root certificate ISRG Root X1 was not widely trusted, at least some older and/or mobile platforms were missing that certificate in their root certificate store. At that time Let's Encrypt was using an alternative chain of trust, where a certificate was cross-signed with DST Root CA X3.

    To make sure a valid chain of trust is available under all circumstances a set of all certificates had to be supplied: both root certificates ISRG Root X1 & DST Root CA X3, and an intermediate certificate. This was still true after DST Root CA X3 expired, as it could still be used as a root anchor and was shipped by Let's Encrypt when requested. 🤪

    This time is finally over, and we have a clean chain of trust ending in ISRG Root X1 (or ISRG Root X2).

    Well, actually it is the other way round... Let's Encrypt signs with different tantamount intermediate certificates. There is not only E5, but also E6 - and we can not know beforehand which one is used on renew. So let's drop the intermediate certificates now, and rely on root certificates only. We are perfectly fine with this these days.

    Follow-up commits will do the same for *all* certificates.

    The certificate is downloaded with:

        curl -d '["ISRG Root X2"]' https://mkcert.org/generate/ | grep -v '^$' > certs/ISRG-Root-X2.pem

2024-06-19 | Let's Encrypt changed their intermediate certificates | Christian Hesse | 1 | -3/+3
    https://letsencrypt.org/2024/03/19/new-intermediate-certificates
    https://letsencrypt.org/certificates/

    But let's keep the old ones around for now, as some sites are still using the old intermediate.
2024-05-23 | backup-partition: support copy before feature update | Christian Hesse | 1 | -0/+2
2024-05-14 | fw-addr-lists: add 'strongips' list from blocklist.de [change-128] | Christian Hesse | 1 | -0/+2
2024-04-15 | mod/notification-ntfy: support basic auth [change-127] | Christian Hesse | 1 | -0/+2
    Closes #59
2024-03-20 | global-config: put example fw-addr-lists into repository | Christian Hesse | 1 | -3/+3
2024-03-18 | global-config: prepare a (commented) address-list for Mikrotik | Christian Hesse | 1 | -0/+4
    This is AS51894: https://bgp.he.net/AS51894
2024-03-12 | global-config: merge loading overlay and snippets | Christian Hesse | 1 | -10/+4
2024-03-12 | global-config: support loading snippets [change-122] | Christian Hesse | 1 | -0/+10
    This adds support for loading snippets, which need a name starting with "global-config-overlay.d/". This allows splitting off configuration if desired.
2024-01-30 | packages-update: support deferred reboot on auto-update [change-117] | Christian Hesse | 1 | -0/+3
    Closes #56
2024-01-01 | update copyright for 2024 | Christian Hesse | 1 | -1/+1
2023-11-30 | fw-addr-lists: support timeout per list | Christian Hesse | 1 | -1/+1
    This works with something like this:

        :global FwAddrLists {
          "allow"={
            { url="https://eworm.de/ros/fw-addr-lists/allow"; cert="E1"; timeout=1w };
          };
          ...
        }

    All urls for one named list should have the same timeout! With different timeout values and identical addresses the behavior is basically undefined, depending on order.
2023-10-26 | global: switch eworm.de to new certificate chain (E1 / ISRG Root X2) | Christian Hesse | 1 | -2/+2
    old chain: R3 / ISRG Root X1
    new chain: E1 / ISRG Root X2

    No user interaction or migration is required for existing installations as we install 'E1' and 'ISRG Root X2' for some time already.
2023-10-17 | global-functions: $ScriptInstallUpdate: drop support for scripts from storage [change-110] | Christian Hesse | 1 | -2/+1
    Nobody ever used that, no? (Well, except me - just before I implemented fetching. 😜)
2023-10-17 | introduce mod/notification-ntfy... [change-109] | Christian Hesse | 1 | -3/+9
    ... for sending notifications via Ntfy (https://ntfy.sh/).

    TODO: use proper formatting once supported in Android app: https://github.com/binwiederhier/ntfy/issues/889
2023-10-17 | log-forward: add 'packet' in default filter... | Christian Hesse | 1 | -1/+1
    ... which is used when logging raw packets from dns and ssh, and possibly others.
2023-10-16 | mod/notification-telegram: drop support for non-fixed width font [change-107] | Christian Hesse | 1 | -2/+0
2023-10-05 | log-forward: add 'raw' in default filter... | Christian Hesse | 1 | -1/+1
    ... which is used when logging raw packets or commands.
2023-08-31 | check-routeros-update: support update from specific neighbor(s) [change-105] | Christian Hesse | 1 | -0/+1
    ... by matching the identity property.
2023-06-27 | global-config: escaping question mark is no longer required | Christian Hesse | 1 | -1/+1
2023-06-13 | fw-addr-lists: prepare lists from spamhaus.org in config | Christian Hesse | 1 | -0/+4
2023-06-13 | fw-addr-lists: add lists from abuse.ch in config | Christian Hesse | 1 | -0/+4
2023-06-13 | introduce fw-addr-lists [change-101] | Christian Hesse | 1 | -0/+15
2023-05-31 | global-config: end all (array) variables with a semicolon | Christian Hesse | 1 | -4/+4
2023-04-26 | global-config: restore variables still used in ipsec-to-dns (for now) | Christian Hesse | 1 | -0/+4
2023-04-26 | global-config: be more verbose about domain | Christian Hesse | 1 | -1/+2
2023-04-24 | dhcp-to-dns: get domain from dhcp server's network definition [change-99] | Christian Hesse | 1 | -3/+0
2023-03-07 | rename scripts and add file extension ".rsc" [change-95] | Christian Hesse | 1 | -0/+220
    No functional change for the user... The migration is done automatically.