The current version of RouterOS 7 has built-in support for Let’s Encrypt certificate request and renewal. Here is the relevant part in the documentation:
Certificates - RouterOS - MikroTik Documentation
In case you use the IP Cloud subdomain provided by MikroTik (xxxxxx.sn.mynetname.net), you’ll only need to run this once:
/certificate enable-ssl-certificate
and the router will automatically request a LE certificate for the IP Cloud subdomain, and will also perform the future renewals.
But if you use your own DNS name instead, you’ll need to ensure the following at the moment of the certificate request and of every renewal, because Let’s Encrypt validates the name with an HTTP-01 challenge against TCP port 80 of the host the name resolves to:
- The www service must be enabled (it is what answers the challenge on port 80).
- TCP port 80 to the router (chain input) must not be blocked for incoming requests from the internet, over IPv4, IPv6 or both (you can keep IPv4 blocked and leave only IPv6 open, and validation still works as long as the name has a matching AAAA record).
The command for certificate request/renewal would then be:
/certificate enable-ssl-certificate dns-name=my.domain.com
The certificate will be listed under System → Certificates and can be used by the SSTP server. Of course, the SSTP clients will have to connect to the router using that same DNS name, since they verify the server certificate against the name they connect to.
While the certificate can be automatically renewed by the router, RouterOS only automatically updates the certificate setting of the www-ssl service and will not modify the setting of the SSTP server after a renewal. You’ll need to do that manually, or schedule a script that does it for you.
Furthermore, in case you use a custom DNS name and not the one provided by IP Cloud (xxxxxx.sn.mynetname.net), you’ll have to make sure that www is running and port 80 is open whenever the automatic renewal runs. However, it’s normally not wise to keep www and port 80 exposed to the internet permanently. It would be better to keep the service disabled and the port blocked by the firewall, and write your own scheduled script that performs these steps every 80 days or so (Let’s Encrypt certificates are valid for 90 days):
- Temporarily enable the www service
- Unblock TCP port 80 on chain input (only for IPv6 if you have IPv6, otherwise for IPv4)
- Execute
/certificate enable-ssl-certificate dns-name=my.domain.com
- Block TCP port 80 on chain input again
- Disable the www service
- Update the SSTP server with the certificate name currently assigned to www-ssl
(Or you can perform those tasks manually every 80 days if you don’t know how to script)
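Here is one way to put those steps into a RouterOS script. This is an added example, not code from the original post or from MikroTik’s documentation, and it makes a few assumptions that are not in the text: the name my.domain.com resolves to this router; the input chain already contains a drop rule for TCP port 80 carrying the comment "le-http80" in /ip firewall filter and/or /ipv6 firewall filter (if you only want to expose IPv6, simply don’t create the IPv4 rule, the find will then match nothing); and /certificate enable-ssl-certificate returns only after the ACME exchange has finished. The cleanup steps run even if the request fails, so the router is never left with www and port 80 open.

```routeros
# Added example, not from the original post or MikroTik's documentation.
# Assumptions (hypothetical, adjust to your setup):
#  - my.domain.com is the DNS name that resolves to this router
#  - a drop rule for TCP/80 on chain input exists in /ip firewall filter
#    and/or /ipv6 firewall filter, with the comment "le-http80"
#  - the SSTP server should use the same certificate as www-ssl

:local dnsName "my.domain.com"
:local fwComment "le-http80"

# 1. Temporarily enable www so the router can answer the ACME HTTP-01 challenge
/ip service enable [find name="www"]

# 2. Unblock TCP/80 on chain input by disabling the drop rule(s)
/ip firewall filter disable [find comment=$fwComment]
/ipv6 firewall filter disable [find comment=$fwComment]

# 3. Request/renew the certificate; on failure only log, so that the
#    cleanup below still runs
:local ok true
:do {
    /certificate enable-ssl-certificate dns-name=$dnsName
} on-error={
    :set ok false
    :log error "LE request/renewal for $dnsName failed"
}

# 4. Block TCP/80 again and disable www, whether or not step 3 succeeded
/ip firewall filter enable [find comment=$fwComment]
/ipv6 firewall filter enable [find comment=$fwComment]
/ip service disable [find name="www"]

# 5. Point the SSTP server at the certificate now assigned to www-ssl
:if ($ok) do={
    :local certName [/ip service get [find name="www-ssl"] certificate]
    :if ([:len $certName] > 0) do={
        /interface sstp-server server set certificate=$certName
        :log info "SSTP server now uses certificate $certName"
    } else={
        :log warning "www-ssl has no certificate assigned, SSTP left unchanged"
    }
}
```

Save it under /system script (it needs the read, write and test policies) and run it from /system scheduler with an interval of 80d, so that it fires well inside the 90-day validity window. Reading the certificate name back from www-ssl rather than hard-coding it is what keeps step 5 correct after a renewal, since RouterOS only updates that service on its own.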