netwatch-dns: support downloading / importing certificate

Author: eworm-de

doc/netwatch-dns.md

@@ -43,6 +43,13 @@ Giving a specific query url for DoH is possible:
 
 Note that using a name in DoH url may introduce a chicken-and-egg issue!
 
+Importing a certificate automatically is possible, at least if available in
+the repository (see `certs` sub directory).
+
+    /tool/netwatch/add comment="doh, doh-cert=DigiCert TLS Hybrid ECC SHA384 2020 CA1" host=1.1.1.1;
+    /tool/netwatch/add comment="doh, doh-cert=DigiCert TLS Hybrid ECC SHA384 2020 CA1" host=9.9.9.9;
+    /tool/netwatch/add comment="doh, doh-cert=GTS CA 1C3" host=8.8.8.8;
+
 Sometimes using just one specific (possibly internal) DNS server may be
 desired, with fallback in case it fails. This is possible as well:
 

netwatch-dns

@@ -10,6 +10,7 @@
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 
+:global CertificateAvailable;
 :global EitherOr;
 :global LogPrintExit2;
 :global ParseKeyValueStore;
@@ -58,6 +59,7 @@ $ScriptLock $0;
 
 :local DohServer "";
 :local DohCurrent [ /ip/dns/get use-doh-server ];
+:local DohCert;
 
 :foreach Host in=[ /tool/netwatch/find where comment~"doh" !disabled ] do={
   :local HostVal [ /tool/netwatch/get $Host ];
@@ -67,12 +69,19 @@ $ScriptLock $0;
        $HostInfo->"disabled" != true && $DohServer = "") do={
     :set DohServer [ $EitherOr ($HostInfo->"doh-url") \
         ("https://" . $HostVal->"host" . "/dns-query") ];
+    :set DohCert ($HostInfo->"doh-cert");
   }
 }
 
 :if ($DohServer != "") do={
   :if ($DohServer != $DohCurrent) do={
     $LogPrintExit2 info $0 ("Updating DoH server: " . $DohServer) false;
+    :if ([ :len $DohCert ] > 0) do={
+      /ip/dns/set use-doh-server="";
+      :if ([ $CertificateAvailable $DohCert ] = false) do={
+        $LogPrintExit2 warning $0 ("Downloading certificate failed, trying without.") false;
+      }
+    }
     /ip/dns/set use-doh-server=$DohServer;
     /ip/dns/cache/flush;
   }