Certificate issue

I installed a Let's Encrypt certificate using certbot onto my router. I found my router did not have a renewed cert once it expired, so I started troubleshooting using certbot --dry-run to test my deploy script. This installed an invalid cert to my router as its dates are invalid.

3 L T name="certbot-certLlK" digest-algorithm=sha384 trusted=yes
common-name="router.wa02.teliot.dev"
subject-alt-name=DNS:router.wa02.teliot.dev
issuer=C=US,O=Let's Encrypt,CN=E7 key-type=ec key-size=prime256v1
key-usage=digital-signature,tls-server,tls-client days-valid=89
invalid-before=2162-01-17 19:17:03
invalid-after=2162-04-17 19:17:02
serial-number="066ef3118f2cc7c7c3b300f611032a2d530f"
akid=ae489edc871d44a06fdaa2e560740478c29c0080
skid=debd7fc58d8dd85d753916995c594070d70b9920
fingerprint="741e7685e4d03be03371e0a2d8a69dd5cb88b1254764f24db6ea426738cc18aa"
expires-after=13w2h25m24s

When I go to remove the cert it will not delete. It shows it as gone, and I have rebooted and now put 3 random letters on the end of the cert name to try and get around any cache issues, but it will not delete.

When I SCP the cert and key over I can see the following:

Running command: /file print detail
STDOUT: 0 name=certafN.pem type=.pem file size=1322 last-modified=2025-12-10 09:50:03
contents=
-----BEGIN CERTIFICATE-----
MIIDojCCAyigAwIBAgISBm7zEY8sx8fDswD2EQMqLVMPMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NzAeFw0yNTEyMTEyMDQ4NDdaFw0yNjAzMTEyMDQ4NDZaMCExHzAdBgNVBAMTFnJv
dXRlci53YTAyLnRlbGlvdC5kZXYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATV
NjZxqF0MySW6agcVCM7igwtAKz1bp2JbOuOHXSvri2t1aUTKOpDJ257WxyUb25tO
1vqWX98IgjBzXZSmJy29o4ICLTCCAikwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTe
vX/FjY3YXXU5FplcWUBw1wuZIDAfBgNVHSMEGDAWgBSuSJ7chx1EoG/aouVgdAR4
wpwAgDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lNy5pLmxl
bmNyLm9yZy8wIQYDVR0RBBowGIIWcm91dGVyLndhMDIudGVsaW90LmRldjATBgNV
HSAEDDAKMAgGBmeBDAECATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vZTcuYy5s
ZW5jci5vcmcvMTYuY3JsMIIBDQYKKwYBBAHWeQIEAgSB/gSB+wD5AHcAlpdkv1VY
l633Q4doNwhCd+nwOtX2pPM2bkakPw/KqcYAAAGbD2H4AgAABAMASDBGAiEAjedq
LzoBeS7YFNBLxjhTukqTJLzjZ6YqDpTR4w7kU9ECIQDdhyAKDY7TN3rTse1bjxx5
7BzcWAc2gNZmci7g/dsAjwB+AOMjjfKNoojgquCs8PqQyYXwtr/10qUnsAH8HERY
xLboAAABmw9h+JMACAAABQAryOsfBAMARzBFAiBBxLmj4reduBJMko78AbHy2CGE
RWvD1i8dT/LvxbouugIhAOfrKj5ow5q6tzd73Kao9v3iiKQZQps9gNvuOLR+FNtt
MAoGCCqGSM49BAMDA2gAMGUCMQDiXapo7bT6q+cSq+3TjjQI2JEUcBT4d15AfZqO
lj+Mj5DofCkAQ4eJ9gDm2JHsBXgCMC9ozK/sG1th1Ps94k1NDRbKczunIpjh+tgn
Xr5JzMQN3tUO2RnuYxft2jPblx+JSA==
-----END CERTIFICATE-----

which is a valid cert:

notBefore=Dec 11 20:48:47 2025 GMT
notAfter=Mar 11 20:48:46 2026 GMT

It runs on a script with a bunch of delays now inserted to keep everything as sane as possible, but I have run out of ideas. All the files in the live folder have the correct date.

import random
import string
from scp import SCPClient  # "scp" package, built on paramiko

# ssh is an already-connected paramiko.SSHClient to the router
key = ''.join(random.choices(string.ascii_letters, k=3))  # random suffix to dodge any name caching
print("Transferring files via SCP to router, ")
with SCPClient(ssh.get_transport()) as scp:
    scp.put('/home/certbot/router.wa02.teliot.dev/config/live/router.wa02.teliot.dev/privkey.pem', f'privkey{key}.pem')
    scp.put('/home/certbot/router.wa02.teliot.dev/config/live/router.wa02.teliot.dev/cert.pem', f'cert{key}.pem')
print("done")

The router has the right date:

[admin@MikroTik] > /system clock print
time: 10:54:00
date: 2025-12-10
time-zone-autodetect: yes
time-zone-name: America/Los_Angeles
gmt-offset: -08:00
dst-active: no
[admin@MikroTik] >

[admin@MikroTik] > /system resource print
uptime: 32m53s
version: 7.19.3 (stable)
build-time: 2025-07-03 11:23:04
factory-software: 7.11.2
free-memory: 667.3MiB
total-memory: 1024.0MiB
cpu: ARM64
cpu-count: 4
cpu-frequency: 864MHz
cpu-load: 0%
free-hdd-space: 94.0MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 170
write-sect-total: 610639
bad-blocks: 0%
architecture-name: arm64
board-name: hAP ax^3
platform: MikroTik
[admin@MikroTik] >

How do I delete the cert to replace it?

Hello,

First of all, I advise you to upgrade to 7.19.6; I remember some changes were made in 7.19 dealing with certificates.

Then, how do you remove the certificate? CLI, Winbox, WebFig?

I did not try to change the "storage location" in certificates settings, maybe it is related? For my part, I store certificates with the default setting, "ram" (and not "system").

I hope it helps,

Before you go thinking that it’s invalid, have a look at the certificate in WinBox. I’ve run into what looks like a bug and have reported it to MikroTik support (SUP-206490) for them to have a look.

It appears that RouterOS reports wildly inaccurate dates for certificates’ invalid-before and invalid-after values when examined from the CLI. The certificates still work and the dates are reported properly in WinBox, so it’s possible that you’re trying to address a problem that doesn’t really exist.

1 Like
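The thread turns on whether the dates RouterOS printed (invalid-before=2162-01-17) are the certificate's real dates or a CLI display bug. The following is an added example, not code from either poster or from MikroTik: it reads notBefore/notAfter straight out of the PEM with a minimal DER walk (no third-party library), so the file itself can be checked against what the router shows and against the router's clock. The sample input is the certificate pasted in the first post; the router date strings are assumed to be "YYYY-MM-DD HH:MM:SS" in UTC, with a 24-hour tolerance to absorb a time-zone rendering difference.

```python
import base64
from datetime import datetime, timedelta, timezone

# Sample input: the leaf certificate pasted in the post above, copied verbatim.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIDojCCAyigAwIBAgISBm7zEY8sx8fDswD2EQMqLVMPMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NzAeFw0yNTEyMTEyMDQ4NDdaFw0yNjAzMTEyMDQ4NDZaMCExHzAdBgNVBAMTFnJv
dXRlci53YTAyLnRlbGlvdC5kZXYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATV
NjZxqF0MySW6agcVCM7igwtAKz1bp2JbOuOHXSvri2t1aUTKOpDJ257WxyUb25tO
1vqWX98IgjBzXZSmJy29o4ICLTCCAikwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTe
vX/FjY3YXXU5FplcWUBw1wuZIDAfBgNVHSMEGDAWgBSuSJ7chx1EoG/aouVgdAR4
wpwAgDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lNy5pLmxl
bmNyLm9yZy8wIQYDVR0RBBowGIIWcm91dGVyLndhMDIudGVsaW90LmRldjATBgNV
HSAEDDAKMAgGBmeBDAECATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vZTcuYy5s
ZW5jci5vcmcvMTYuY3JsMIIBDQYKKwYBBAHWeQIEAgSB/gSB+wD5AHcAlpdkv1VY
l633Q4doNwhCd+nwOtX2pPM2bkakPw/KqcYAAAGbD2H4AgAABAMASDBGAiEAjedq
LzoBeS7YFNBLxjhTukqTJLzjZ6YqDpTR4w7kU9ECIQDdhyAKDY7TN3rTse1bjxx5
7BzcWAc2gNZmci7g/dsAjwB+AOMjjfKNoojgquCs8PqQyYXwtr/10qUnsAH8HERY
xLboAAABmw9h+JMACAAABQAryOsfBAMARzBFAiBBxLmj4reduBJMko78AbHy2CGE
RWvD1i8dT/LvxbouugIhAOfrKj5ow5q6tzd73Kao9v3iiKQZQps9gNvuOLR+FNtt
MAoGCCqGSM49BAMDA2gAMGUCMQDiXapo7bT6q+cSq+3TjjQI2JEUcBT4d15AfZqO
lj+Mj5DofCkAQ4eJ9gDm2JHsBXgCMC9ozK/sG1th1Ps94k1NDRbKczunIpjh+tgn
Xr5JzMQN3tUO2RnuYxft2jPblx+JSA==
-----END CERTIFICATE-----"""

UTC_TIME, GENERALIZED_TIME, CONTEXT_0 = 0x17, 0x18, 0xA0


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def children(buf: bytes, start: int, end: int):
    """Yield the TLVs directly contained in a constructed DER value."""
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def parse_time(tag: int, raw: bytes) -> datetime:
    """Decode an X.509 Time; UTCTime uses the RFC 5280 century rule (50-99 -> 19xx)."""
    text = raw.decode("ascii")
    if tag == UTC_TIME:  # YYMMDDHHMMSSZ
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != GENERALIZED_TIME:  # YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def pem_validity(pem: str):
    """Return (notBefore, notAfter) as aware UTC datetimes read from the PEM itself."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    _, cert_start, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = read_tlv(der, cert_start)    # tbsCertificate ::= SEQUENCE
    fields = list(children(der, tbs_start, tbs_end))
    if fields[0][0] == CONTEXT_0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, vstart, vend = fields[3]
    not_before, not_after = [parse_time(t, der[s:e]) for t, s, e in children(der, vstart, vend)]
    return not_before, not_after


def parse_clock(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as printed by RouterOS; assumed to be UTC here."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_validity(pem: str, at: str = None) -> str:
    """Classify the PEM as 'not yet valid', 'valid' or 'expired' at the given UTC clock."""
    now = parse_clock(at) if at else datetime.now(timezone.utc)
    not_before, not_after = pem_validity(pem)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def router_dates_match(pem: str, router_before: str, router_after: str,
                       tolerance: timedelta = timedelta(hours=24)) -> bool:
    """True when the router's invalid-before/invalid-after agree with the PEM's own dates."""
    shown = (parse_clock(router_before), parse_clock(router_after))
    return all(abs(a - b) <= tolerance for a, b in zip(pem_validity(pem), shown))


if __name__ == "__main__":
    print(pem_validity(SAMPLE_PEM))
    print(router_dates_match(SAMPLE_PEM, "2162-01-17 19:17:03", "2162-04-17 19:17:02"))
```

For the pasted certificate, `pem_validity` returns 2025-12-11 20:48:47 and 2026-03-11 20:48:46 UTC, matching the openssl output in the first post, and `router_dates_match` against the 2162 dates the CLI printed is False: the file is fine and the displayed dates are the anomaly. Evaluated at the clock the router printed (2025-12-10 10:54 -08:00, i.e. 18:54 UTC), `check_validity` reports "not yet valid", because that PEM's notBefore is a day later than the router's date; checking the file against the device clock, as well as against the device's display, is the second thing worth doing before concluding the import itself went wrong.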

Thanks everyone for the help!

I was able to get back to this and found the dates were correct in the web gui. Not sure if it was time or a different interface. Updated to new OS. I found the cert did not have an associated KEY. I have changed my setup to import the cert first and then the key.

www-ssl is working now.