Updating certificate store requires very strange permissions

RouterOS Scripting
1

Let’s start from a script I’m running, which is a modification of a script from http://forum.mikrotik.com/t/updating-ca-root-certs-regularly/144990/1

{
  :do {
      :local verifySSL
      :set verifySSL "yes"
      :if ([:len [/certificate/find name~"cacert_update.pem_"]] = 0) do={
          :log warning ("System has no certificate store - seeding without TLS verification");
          :set verifySSL "no"
      }
      /tool/fetch url="https://mkcert.org/generate/" check-certificate=$verifySSL dst-path=cacert_update.pem;
      /certificate/remove [ find where authority expired ];
      /certificate/import file-name=cacert_update.pem passphrase="";
      /file/remove cacert_update.pem;
      :log info ("Updated certificate trust store");
  } on-error={
      :log error ("Failed to update certificate trust store");
  };
}

Everything works great, maybe except failing every other time when no certificates are updated, but the strangest thing are permissions required to run the trust store update:

  • read: ok, makes sense
  • write: sure, why not
  • test: maybe…
  • sniff
  • reboot

I’m running the code on v7.4. Can someone maybe explain what’s going on here? :smiley:

2

Not an answer to your question, but som script cleaning.
Removed outer {} that is not needed.
Removed all ; at end of line. Only needed between multiple commands on same line. You did have it on some line, not all.
Removed :set verifySSL “yes”. You can set ut while declare the variable.


:do {
	:local verifySSL "yes"
	:if ([:len [/certificate/find name~"cacert_update.pem_"]] = 0) do={
		:log warning ("System has no certificate store - seeding without TLS verification")
		:set verifySSL "no"
	}
	/tool/fetch url="https://mkcert.org/generate/" check-certificate=$verifySSL dst-path=cacert_update.pem
	/certificate/remove [ find where authority expired ]
	/certificate/import file-name=cacert_update.pem passphrase=""
	/file/remove cacert_update.pem
	:log info ("Updated certificate trust store")
} on-error={
	:log error ("Failed to update certificate trust store")
}