ACME Certificate Client - Implementation of Auto-Renewal, Seeking Advice

Hello Mikrotik Friends,

For several years, I’ve used a script to renew the Let’s Encrypt certificate that we use for our Hotspot and SSTP VPN. This has worked perfectly. The script basically enables a firewall rule which allows port 80 on the input chain, enables the WWW service, removes the old certificate, gets a new one, then sets the certificate for SSTP and Hotspot, disables the firewall rule and WWW service, and does this every 75 days or so on a schedule… worked like a charm.

I see now that there’s a new ACME Client built into RoS 7.22, the commands are different, and of course, my script is now broken.

I’ve just renewed the certificate manually using:

/certificate/add-acme directory-url=https://acme-v02.api.letsencrypt.org/directory domain-names=[DOMAIN_NAME]

[Taken from: Certificates - RouterOS - MikroTik Documentation]

My questions:

  • we disable port 80 and WWW service on our firewall for security - how can I make use of the automatic renewal feature of the now built-in ACME client?

Our Firewall setup looks like this:

/ip firewall filter add action=accept chain=input comment=LetsEncrypt disabled=yes dst-port=80 log=yes log-prefix="Lets Encrypt:" protocol=tcp
/ip firewall filter add action=drop chain=input comment="Block all not coming from LAN" in-interface-list=!INTERNAL log-prefix="DROPPED: "
/ip firewall filter add action=drop chain=input comment="Block incoming from internet" in-interface=pppoe-out1

[These are the last 3 rules of the INPUT chain, in the order top-to-bottom as they are applied - the last rule probably a bit redundant, but belts and braces and all that]

It’s been suggested to me to:

  • Leave the WWW Service permanently enabled
  • Add some firewall rules to allow only new connections for ACME renewals, like this:

/ip firewall filter add chain=input protocol=tcp dst-port=80 connection-state=new action=accept comment="ACME allow"

/ip firewall filter add chain=input protocol=tcp dst-port=80 action=drop comment="ACME drop"

[These rules should be added above the first of the INPUT Chain Drop rules, above, apparently]

I’m extremely nervous about just simply enabling Port 80 and the WWW Service all the while… does anyone have any thoughts/comments/advice here please?

Thank you in advance.
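A schedule-driven version of the procedure described in the opening post, written here as an added example rather than the poster's own script. It assumes the firewall rule commented "LetsEncrypt" from the post, the RouterOS 7.22 add-acme command shown above, a placeholder domain and hotspot profile name, and that add-acme blocks until the renewal finishes.

```routeros
# Added example, not the original poster's script.
# Assumptions: the accept rule with comment "LetsEncrypt" already exists
# (disabled), "router.example.com" and "hsprof1" are placeholders, and
# /certificate add-acme returns only after the challenge has completed.
:local domain "router.example.com"
:local hsProfile "hsprof1"
:local acmeUrl "https://acme-v02.api.letsencrypt.org/directory"

# 1. Open the renewal window: enable the existing accept rule and www.
/ip firewall filter enable [find comment="LetsEncrypt"]
/ip service enable www
:log info "ACME: renewal window opened for $domain"

:do {
    # 2. Remove the old certificate (same order as the original script;
    #    if renewal then fails, the services are left without a cert
    #    until the next run, so watch the log).
    /certificate remove [find where common-name=$domain]
    # 3. Request the new certificate via HTTP-01 (command from the thread).
    /certificate add-acme directory-url=$acmeUrl domain-names=$domain
    # Assumption: exactly one certificate now carries this common-name.
    :local certName [/certificate get [find where common-name=$domain] name]
    # 4. Point SSTP and the Hotspot profile at the fresh certificate.
    /interface sstp-server server set certificate=$certName
    /ip hotspot profile set [find name=$hsProfile] ssl-certificate=$certName
    :log info "ACME: installed $certName for SSTP and Hotspot"
} on-error={
    :log error "ACME: renewal for $domain failed; closing port 80 anyway"
}

# 5. Close the window whether or not renewal succeeded, so port 80 and
#    the www service are never left exposed by a failed run.
/ip service disable www
/ip firewall filter disable [find comment="LetsEncrypt"]
```

Run it from /system scheduler at the interval you use today; the on-error branch is what keeps a failed renewal from leaving the window open.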

Check this thread:
Please help me with schedule the update https certificate (Let's encrypt)

and the links in it.

Thanks @jaclaz

I had a look at the post, and there’s a really interesting approach proposed in one of the links - using a mangle rule to dynamically update an address list with a timeout, whenever the request is made to the renewal server.

The only thing I see here is that (if I’ve understood how Let’s Encrypt works properly, and please correct me if I’m wrong), the response will not come back from the same IP Address to which the request was made… therefore, the response will always get dropped?

The proposed firewall rules that I listed above seem to just open things up and that’s the end of it… which I clearly don’t want either.

I don't know how the whole thing works (or fails to).

I believe that the thread and the approach by Sindy is the "state of the art" or the "best we can have", though (personally) I prefer the slightly modified approach here (using firewall filter instead of mangle) only because it looks easier to read/understand in 6 months' time when reviewing the configuration:

Lets Encrypt - #42 by Deslack

Let's wait and see if someone with specific experience comes out with better ideas/methods.


The only requirement AFAIK is to have the www service enabled and, under ip/service/webserver, have acme-plain: yes. That's it. You don't need to allow port 80 in the firewall IIRC. The acme client creates a dynamic accept rule in the filter input chain for as long as the acme client is running - though I did not observe that; it is my guess.

The documentation, already updated with add-acme still says:

Domain names must resolve to the router, and TCP port 80 must be accessible from the WAN (HTTP-01 challenge is used).

though. I don't think any dynamic accept rule is added.

I prefer to use my explicitly scheduled script, because I don't want www to run needlessly with a few FW rules being active all the time. Especially if the FW rule is in mangle postrouting, because it affects every non-fasttracked packet (without even having the benefit of being skipped due to "established,related").

And also because I need to make sure the other services are updated to use the renewed certificate. The automatic renewal currently doesn't have any scripting hook.


Thank you so much @CGGXANNX - I took your base script and then updated like 3-4 lines or so for my use case and it worked perfectly!!!

Thank you so much!!!