Let's Encrypt certificate updates but SSTP no longer works

Hi, I’m running a CHR @7.19.2, where I’ve set up an SSTP server connected to a Let’s Encrypt certificate. After the first 90 days it stopped working and I can’t get it working anymore. The certificate looks like it updates itself (even though the IP service on port 80 is disabled and there is no firewall rule accepting input packets on tcp 80). I’ve forced an update in the terminal with /certificate/enable-ssl-certificate dns=mikrotikcloudDDNSaddress (which I use to connect with SSTP) and it reported a successful update. I can then see the new expiry date next to the certificate, but Windows 10 SSTP keeps saying that the certificate is not in its validity period.

I believe that Let’s Encrypt connects to the local router on ports 443 and 80 to check the site and do its things. Despite the fact that MikroTik says it completed successfully, maybe that’s not the case on the Let’s Encrypt side. I’ve tried repeating the update by stopping the SSTP (leaving 443 for this task), enabling the service on 80 and allowing input on 80 and 443 in the firewall, but this didn’t help.
What can I do? Should I create a new certificate each time?

To solve the problem I deleted it and built a new one, then assigned it to SSTP.
To do this it’s necessary to turn on the www service on port 80; now I could see incoming connections from Let’s Encrypt and it did the job. Now I have some questions:

Why does MikroTik report a successful update if it’s not? Chances are it reports this with 80 open or closed, and it also updates the cert date and the expiration one; it knows it’s 89 days, somewhere it gets this date, but Let’s Encrypt didn’t renew. So is MikroTik just guessing here?
Was my problem with Let’s Encrypt that my certificate expired and after that it’s impossible to update it anymore? Should I then create a new one? And why doesn’t MikroTik simply report that?

Now I guess I need to schedule, every 89 days, turning on www, sending the request and turning off www. Does someone have a guide for that, please? Thank you!

If the dns-name is not specified, it will default to the automatically generated /ip cloud name (ie. http://example.sn.mynetname.net)

If the used DNS name is not the default http://example.sn.mynetname.net, port TCP/80 must be available from the WAN.

If you use the IP Cloud domain (the one MikroTik provides), you no longer need www running and port TCP 80 open for the renewal, because MikroTik will use the DNS-01 challenge.

But the problem is that the renewed certificate is only automatically replaced for www-ssl. If you use it at other places, like SSTP, User Manager, Hotspot, etc..., as of version 7.20 you'll need to go to the corresponding settings, change the certificate used to none and then back to the LE one.

So yes, we need a scheduled script to trigger the renewal and update the settings that use the certificate except for www-ssl.

Try deleting the old cert and reissuing it manually. RouterOS sometimes shows the new expiry but keeps using the old cert file.
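
A way to check the symptom this thread describes from the client side, as an added example that is not from any poster or from MikroTik: it compares the certificate the SSTP listener on port 443 actually serves with the expiry the router reports after a renewal. The function names and the sample dates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone


def cert_time(text):
    """Parse a getpeercert() date such as 'Apr  1 00:00:00 2025 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def classify(served, router_expiry, now=None):
    """served: dict with 'notBefore'/'notAfter' in ssl getpeercert() format.
    router_expiry: expiry the router shows for the renewed certificate.
    Returns (state, stale); stale means the listener still serves an older cert."""
    now = now or datetime.now(timezone.utc)
    not_before = cert_time(served["notBefore"])
    not_after = cert_time(served["notAfter"])
    if now > not_after:
        state = "expired"
    elif now < not_before:
        state = "not-yet-valid"  # usually a wrong clock on client or router
    else:
        state = "valid"
    stale = router_expiry - not_after > timedelta(days=1)
    return state, stale


def probe(host, port=443, timeout=5):
    """Handshake as a verifying client: ('ok', cert) or ('rejected', reason)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return "rejected", err.verify_message


# Constructed sample data: the certificate served before and after reassignment.
OLD_CERT = {"notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Apr  1 00:00:00 2025 GMT"}
NEW_CERT = {"notBefore": "Apr  1 00:00:00 2025 GMT", "notAfter": "Jun 30 00:00:00 2025 GMT"}
ROUTER_EXPIRY = datetime(2025, 6, 30, tzinfo=timezone.utc)
NOW = datetime(2025, 4, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(classify(OLD_CERT, ROUTER_EXPIRY, NOW))
    print(classify(NEW_CERT, ROUTER_EXPIRY, NOW))
```

Against a live router, `probe()` returns the served certificate on success, which can be passed to `classify()`; a `rejected` result carries the verifier's reason, such as an expired certificate.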