I followed the steps in this wiki article https://wiki.mikrotik.com/wiki/Manual:Webfig#Enabling_HTTPS
for enabling https, i.e. the www-ssl service. There a local private certificate is created on the device and then the www-ssl service started.
But the browser Firefox gives this error:
Unable to connect
Firefox can’t establish a connection to the server at 192.168.88.1.
Another browser, Chrome, says
This site can’t be reached
192.168.88.1 refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
How to fix this?
In the above link the word “Webfig” is used in cert creation. Should this rather be “WebFig”? Can this be the reason for the error?
Btw, what does the “Fig” in WebFig stand for?
And: why is an extra certificate required for www-ssl whereas for ssh none is required, or a default internal one gets used; why then not use the same cert also for www-ssl?
A “refused to connect” is unrelated to the certificate. Make sure the service is enabled and the firewall does not block it.
I think “Webfig” is short for “Webconfig”, no?
The https certificate is used to authenticate the host; a valid certificate is verified by trust chain to root CAs in your browser. SSH works a bit differently: a host key is generated, and on first connect you are asked whether you trust that key.
(The latter is very similar to acknowledging a self-signed certificate in the browser.)
@eworm, is your https-access to WebFig running ok? Do you have the beta5 installed?
And: do you mean the web-ssl service will work even without me creating the cert first? But the wiki page above indicates differently.
As can be seen below, in my case the web-ssl is activated and a cert named “Webfig” is installed:
[admin2@MikroTik] > /ip service print
Flags: X - DISABLED, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE
# NAME PORT ADDRESS CERTIF
0 X telnet 23 192.168.0.0/17
1 X ftp 21 192.168.0.0/17
2 www 80 192.168.0.0/17
3 ssh 22 192.168.0.0/17
4 www-ssl 443 192.168.0.0/17 Webfig
5 X api 8728 192.168.0.0/17
6 X winbox 8291 192.168.0.0/17
7 X api-ssl 8729 192.168.0.0/17 none
But nmap does not find the https port (443) as running:
$ nmap -v -sT 192.168.88.1 -p0-65535
Starting Nmap 6.47 ( http://nmap.org ) at 2020-04-21 10:52 CEST
Initiating ARP Ping Scan at 10:52
Scanning 192.168.88.1 [1 port]
Completed ARP Ping Scan at 10:52, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:52
Completed Parallel DNS resolution of 1 host. at 10:52, 0.01s elapsed
Initiating Connect Scan at 10:52
Scanning 192.168.88.1 [65536 ports]
Discovered open port 80/tcp on 192.168.88.1
Discovered open port 22/tcp on 192.168.88.1
Discovered open port 564/tcp on 192.168.88.1
Completed Connect Scan at 10:52, 2.44s elapsed (65536 total ports)
Nmap scan report for 192.168.88.1
Host is up (0.0030s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
564/tcp open 9pfs
MAC Address: C4:AD:34:78:E1:88 (Unknown)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.88 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
Update: Ok, after disabling the www-ssl service and then re-enabling it, now the service has finally started (nmap finds it)… [so there is a bug in service status display, cf. above]
Update2: Ok, now https-access to the device works fine, and I can disable the insecure http-access. Problem solved now!
But I wonder why the “ip service print” list does not show any certificate for the ssh service.
Can ssh ever function w/o such a certificate? I must admit I’ve never seen/read about that very case.
For some reason, until I changed the port from 443 to 4443 for www-ssl (ip > services), I still got the error. Once I switched to 4443 (or another non-standard port), it worked. I think a note needs to be added to https://wiki.mikrotik.com/wiki/Manual:Webfig#Enabling_HTTPS
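
The mismatch discussed in this thread (www-ssl listed as enabled while the scan finds port 443 closed) can be checked mechanically by comparing the two listings. This is an added example, not part of any post and not MikroTik code; the function names are hypothetical, and the sample input is the `/ip service print` and nmap output quoted above.

```python
import re

# Sample input: the two listings quoted in the thread, embedded so this runs offline.
SERVICE_PRINT = """\
Flags: X - DISABLED, I - INVALID
# NAME PORT ADDRESS CERTIF
0 X telnet 23 192.168.0.0/17
1 X ftp 21 192.168.0.0/17
2 www 80 192.168.0.0/17
3 ssh 22 192.168.0.0/17
4 www-ssl 443 192.168.0.0/17 Webfig
5 X api 8728 192.168.0.0/17
6 X winbox 8291 192.168.0.0/17
7 X api-ssl 8729 192.168.0.0/17 none
"""
NMAP_OUTPUT = """\
22/tcp open ssh
80/tcp open http
564/tcp open 9pfs
"""

# Row: index, optional flags (X disabled / I invalid), service name, port.
ROW = re.compile(r"^\s*\d+\s+(?:(?P<flags>[XI]+)\s+)?(?P<name>[\w-]+)\s+(?P<port>\d+)\b")

def parse_services(text):
    """Return {port: name} for services with no X/I flag, i.e. shown as enabled."""
    enabled = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and not m.group("flags"):
            enabled[int(m.group("port"))] = m.group("name")
    return enabled

def parse_open_ports(text):
    """Return the set of TCP ports an nmap report lists as open."""
    return {int(p) for p in re.findall(r"^(\d+)/tcp\s+open\b", text, re.M)}

def compare(service_text, nmap_text):
    """Return (enabled services with a closed port, open ports with no enabled service)."""
    enabled = parse_services(service_text)
    open_ports = parse_open_ports(nmap_text)
    not_listening = sorted(n for p, n in enabled.items() if p not in open_ports)
    unexpected = sorted(open_ports - set(enabled))
    return not_listening, unexpected

if __name__ == "__main__":
    not_listening, unexpected = compare(SERVICE_PRINT, NMAP_OUTPUT)
    print("enabled but not listening:", not_listening)
    print("open but not an enabled IP service:", unexpected)
```

The comparison is only meaningful when the scan is run from an address inside the range shown in the ADDRESS column.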