cant' activate purchased SSL certificate for hotspot

RouterOS General
1

Hi, I’m trying to setup an HTTPs Hotspot.
I purchased an SSL certificate on namecheap.com and I created the certificate request with:

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
create-certificate-request
template	ca-template
key-passphrase	mypassphrase

but when I try to activate it pasting the content of certificate-request.pem as csr, I get this error: “Domain name is invalid or contains a typo. Please use only a-z, 0-9, dot or hyphen in CSR domains”

what am I doing wrong? Thanks

2

You need a FQDN to be able to get a valid CA signed cert. Namecheap isn’t going to allow you to sign “myCa” since you have no proof of ownership over that name.

Use something like hotspot.your-isp.com.

3

So I just have to use my own domain?

4

Yes, you need to be able to prove ownership of it in some way, eg email to postmaster@example.com should be receivable or if you use free Let’s Encrypt cert, challenge files at example.com/.well-known/acme-challenge.

5

I uploaded to the router the .crt file from namecheap.com and I imported it with:

/certificate
import file-name=mydomain_com.crt
passphrase	*****
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
import file-name=certificate-request_key.pem
passphrase	*****
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

(certificate-request_key.pem is the file created from the router)
then I setup the https:

/ip service set www-ssl certificate=mydomain_com.crt_0
/ip hotspot profile set hsprof1 login-by=https ssl-certificate=mydomain_com.crt_0

but when I try to connect to the hotspot, I get this error:
net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH

6

Make sure your RouterOS is up to date. You can use something like https://testssl.sh for verifying that TLS support is working correctly.

7

I have RouterOS v6.40.1, do I have to update to the last one?

I didn’t understand how to use it on the router, can you help me?

8

If you’re running 6.40.1 your router may already be compromised as you have not installed critical security patches, you should update ASAP and check for signs of compromise (modified DNS, additional users, VPN tunnels, etc).

You use testssl.sh from any Linux system and test it against your hotspot. If your hotspot is publicly reachable you can also post the link here for testing.

9

I upgraded to v6.42.3 and now when I connect to the hotspot and the popup opens, I get this warning:
Untrusted SSL certificate
The security certificate for this network does not come from a trusted authority. The connection to this is not recommended.
Unfortunately I don’t have a linux installation, I tried with a live version but unsuccesfully. Is there a windows equivalent?

10

That message means the .crt you supplied to the hotspot wasn’t signed properly. Make sure it’s the certificate you got from namecheap and not one generated by RouterOS.

You can also link the .crt file here and I can take a look. Make sure you never post the private key though!

11

Here is the .crt file from namecheap, i renamed it because of invalid file extension. my domain is uala.datalit.it
uala_datalit_it.txt (2.21 KB)

12

There seems to be a missing intermediary cert, I’m not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).
uala_datalit_intermediate.txt (4.31 KB)

13

I renamed your file into uala_datalit_intermediate.crt and I tried to import it with:

import file-name=uala_datalit_intermediate.crt
passphrase	*****

but when I try:

import file-name=certificate-request_key.pem
passphrase	*****

I get:

     certificates-imported: 0
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0

maybe I have to delete the old one?
the wiki talks about a .key file that I didn’t have, before I used certificate-request_key.pem but I’m not sure this is right.
https://wiki.mikrotik.com/wiki/SSL_Certificate_setup
https://wiki.mikrotik.com/wiki/Manual:Hotspot_HTTPS_example

14

I deleted the certificate and I tried to recreate the request and reimport the certificate adding your intermediate cert as you did.

/certificate> import file-name=uala_datalit_intermediate.crt 
passphrase: *******
     certificates-imported: 2
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

/certificate> import file-name=certificate-request_key.pem     
passphrase: *******
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

Then I selected the certificata in services and in hotspot, but now I get
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

maybe I should buy a certificate from a provider indicated in the wiki such as rapidssl, godaddy, register, opensrs, thawte, but they are more expensive and there are lot of possibilities, which one should I buy?

15

Any signed cert should be fine, price is not important, even a free one from Let’s Encrypt should work.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH seems to indicate either the hotspot or your browser isn’t using modern protocols / ciphers. I don’t know if there are any options in RouterOS, but make sure to disable SSL 2.0 / SSL 3.0 and only use TLS 1.0 / 1.1 / 1.2.

16

This old doc says SSLv2, SSLv3, TLS but you can’t select which protocols use
https://mikrotik.com/testdocs/ros/3.0/system/certificate.php

17

Hi all,
@Michele did you later resolve this issue?

I also want to purchase SSL certificate from namecheap and will really appreciate if there can be a comprehensive guide on how to really go about getting a trusted signed SSL certificate on a LAN Hotspot. I already have a domain with namecheap abcdomain.com and my LAN hotspot DNS name is hotspot.abcdomain.com.

Any guidance will be highly appreciated.

Below are instructions from namecheap.

in order to secure your website, it is necessary to obtain an SSL certificate and complete all the required steps:

  1. CSR code generation
  2. SSL certificate activation
  3. SSL certificate validation
  4. SSL certificate installation

Due to the security reasons, it is recommended to generate the CSR code on your hosting server.

However, you can use any online tool instead. You are welcome to generate the CSR code using this online tool: > https://decoder.link/csr_generator

Once the CSR code is generated, you will see the pop-up window with 3 tabs: “CSR”, “Private key” and “Certificate”.

The first “CSR” tab contains your CSR code that includes the following tags: “-----BEGIN CERTIFICATE REQUEST-----" and “-----END CERTIFICATE REQUEST-----”.

On the second “Private key” tab, there will be your private key. Your private key should begin with: -----BEGIN RSA PRIVATE KEY----- and end with: -----END RSA PRIVATE KEY-----

Please keep in mind that it is necessary to save the private key in order order to use it for the SSL certificate installation.

The third “Certificate” tab you will see a self-signed SSL certifcate that should not be used instead of your Comodo SSL certificate.

Please copy your CSR code and paste it into the “CSR” field on the fist step of activation in order to activate the certificate.

For more information how to activate an SSL certificate, feel free to check this guide: > https://www.namecheap.com/support/knowledgebase/article.aspx/794/67/how-do-i-activate-an-ssl-certificate> .

There are 3 DCV (Domain Control Validation) methods that you can choose from: the email-based, the HTTP-based and the DNS-based one.

For more information, feel free to check this guide about SSL Validation: > https://www.namecheap.com/support/knowledgebase/article.aspx/9637/68/how-can-i-complete-the-domain-control-validation-dcv-for-my-ssl-certificate

Please keep in mind that once the activation and validation are completed and the certificate is issued by Comodo, it is necessary to install the SSL certificate on your hosting server.

More information on how to install an SSL certificate can be found via this link: > https://www.namecheap.com/support/knowledgebase/article.aspx/795/69/how-to-install-ssl-certificates

You can check the installation of your certificate using this tool: > https://decoder.link/sslchecker

18

I read here https://wiki.mikrotik.com/wiki/Manual:Hotspot_HTTPS_example that

Note: Browser will still warn end-user about redirection even with CA signed certificate! This warning message cannot be avoided> .

Can someone kindly explain if this is the true case. Even with CA signed Certificates?

19

Maybe and sometimes..

If your redirection is doing a re-direct when someone opens https://www.google.com then yes, it will warn the user because you are not google.com..

The error will be be domain mis-match though.

The newer OSs, mobile and Windows 10 (not sure about MacOS), pop up an alert now when connecting to Hotspots that require authentication, ‘tap here to authenticate’, then it opens the webpage for the AP to ‘accept’ or ‘enter code/password’. I have no idea how to use this feature though. I don’t know the back-end process though. Likely documented somewhere. haha

Get your certificate imported correctly, you should be able to access the hotspot page with no errors using the domain your certificate it for. After that, look into that process. Just opening your browser’s homepage, yes, that will still cause a name mismatch.