kiler129
Member
Topic Author
Posts: 352
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Updating certificate store requires very strange permissions

Sun Jul 24, 2022 5:53 am

Let's start from a script I'm running, which is a modification of a script from viewtopic.php?t=169662
{
  :do {
      :local verifySSL
      :set verifySSL "yes"
      :if ([:len [/certificate/find name~"cacert_update.pem_"]] = 0) do={
          :log warning ("System has no certificate store - seeding without TLS verification");
          :set verifySSL "no"
      }
      /tool/fetch url="https://mkcert.org/generate/" check-certificate=$verifySSL dst-path=cacert_update.pem;
      /certificate/remove [ find where authority expired ];
      /certificate/import file-name=cacert_update.pem passphrase="";
      /file/remove cacert_update.pem;
      :log info ("Updated certificate trust store");
  } on-error={
      :log error ("Failed to update certificate trust store");
  };
}
Everything works great, maybe except failing every other time when no certificates are updated, but the strangest thing is the permissions required to run the trust store update:
  • read: ok, makes sense
  • write: sure, why not
  • test: maybe...
  • sniff
  • reboot
I'm running the code on v7.4. Can someone maybe explain what's going on here? :D
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Updating certificate store requires very strange permissions

Sun Jul 24, 2022 9:05 am

Not an answer to your question, but some script cleaning.
Removed outer {} that is not needed.
Removed all ; at end of line. Only needed between multiple commands on the same line. You did have it on some lines, not all.
Removed :set verifySSL "yes". You can set it while declaring the variable.

:do {
	:local verifySSL "yes"
	:if ([:len [/certificate/find name~"cacert_update.pem_"]] = 0) do={
		:log warning ("System has no certificate store - seeding without TLS verification")
		:set verifySSL "no"
	}
	/tool/fetch url="https://mkcert.org/generate/" check-certificate=$verifySSL dst-path=cacert_update.pem
	/certificate/remove [ find where authority expired ]
	/certificate/import file-name=cacert_update.pem passphrase=""
	/file/remove cacert_update.pem
	:log info ("Updated certificate trust store")
} on-error={
	:log error ("Failed to update certificate trust store")
}
