Enable-ssl-certificate procedure doesn't add .well-known files for local ACME (in time)

Hi all,

I’m on RouterOS 7.19.3 (latest stable at time of writing) and have the following issue when trying to create an SSL certificate on my router by issuing a request to my local ACME server:

[admin@mikrotik] > /certificate/enable-ssl-certificate directory-url=https://ca.example.com/acme/directory dns-name=mikrotik.example.com

progress: [error] failed to update ssl certificate

On my local freeipa server (that hosts the CA), the endpoints are being hit:

[root@freeipa]$ cat /var/log/pki/pki-tomcat/localhost_access_log.2025-07-14.txt
10.xxx.yyy.12 - - [14/Jul/2025:07:00:59 +0930] "POST /ca/ocsp HTTP/1.1" 200 2662
10.xxx.yyy.1 - - [14/Jul/2025:11:46:55 +0930] "GET /acme/v1/directory HTTP/1.1" 200 430

The following error is identified:

[root@freeipa]$ grep -A2 -B10 mikrotik `find /var/log/pki/pki-tomcat -type f`

/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Payload:
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAPDatabase: Searching acmeAuthorizationId=hHsVPfgE99,ou=authorizations,ou=acme,o=ipaca
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAPDatabase: Searching ou=challenges,ou=acme,o=ipaca
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Valid authorization: hHsVPfgE99
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Authorization status: pending
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Challenges:
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: - dns-01: pending
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: - http-01: processing
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Created nonce: {"id":"z_ySz1WuvxECeyghzsEMvA","expires":"2025-07-14T00:04:47+09:30"}
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [Thread-13] INFO: Key authorization: 351B5ERUDcFEoz9OJrD6kg.XhHDv2NBu-NC218YSXi-iy8Kvh0OH5pmDYcCZE1dLe0
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log:2025-07-13 23:34:47 [Thread-13] INFO: Retrieving http://mikrotik.example.com/.well-known/acme-challenge/351B5ERUDcFEoz9OJrD6kg
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [Thread-13] INFO: Response: <h1>404</h1><p>Not found</p>
/var/log/pki/pki-tomcat/acme/debug.2025-07-13.log-2025-07-13 23:34:47 [Thread-13] SEVERE: Invalid response: <h1>404</h1><p>Not found</p>
...

Here, the mikrotik router is not placing the challenge token file in the right location, at least not by the time the query for the well-known token is made by the ACME CA component.

The mikrotik router returns a 404 error, the challenge fails, and the certificate is unable to be issued.

Would anyone know what could be the issue here? Cheers
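As an added example (not code from the post, RouterOS or FreeIPA), here is a Python pre-check that mirrors what the CA does in the debug log above: it builds the key authorization the CA expects at /.well-known/acme-challenge/<token> (token, a dot, then the RFC 7638 thumbprint of the ACME account key) and classifies the router's reply, separating the RouterOS www 404 page from a 404 coming from some other listener. The account JWK is a constructed placeholder; the token is the one from the log.

```python
import base64
import hashlib
import json
import re
# Token from the thread's CA debug log; the account key below is a constructed
# EC P-256 JWK (assumption: not the poster's real account key).
SAMPLE_TOKEN = "351B5ERUDcFEoz9OJrD6kg"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
# The two 404 bodies quoted in the thread, embedded here as sample input.
BODY_SEEN = b"<h1>404</h1><p>Not found</p>"
BODY_ROUTEROS = (b"<!doctype html>\n<html lang=en>\n<title>Error 404 : Not Found</title>\n"
                 b"<h1>Error 404 : Not Found</h1>")
# RFC 8555 section 8.3: a token is base64url text; anything else must never become a path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

def is_valid_token(token: str) -> bool:
    return bool(TOKEN_RE.match(token))

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographically sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects at /.well-known/acme-challenge/<token>."""
    if not is_valid_token(token):
        raise ValueError("refusing to build a challenge path from a non-base64url token")
    return f"{token}.{jwk_thumbprint(jwk)}"

def classify_response(status: int, body: bytes, expected: str) -> str:
    """Mirror the CA's decision and, on failure, say which listener likely answered."""
    text = body.decode("utf-8", "replace").strip()
    if status == 200 and text == expected:
        return "ok"                       # challenge would pass
    if status == 200:
        return "wrong-key-authorization"  # file published, but for another token or account key
    if "Error 404 : Not Found" in text:
        return "routeros-www-404"         # RouterOS www answered; token file not published yet
    return "unexpected-404" if status == 404 else f"http-{status}"  # a different server replied
```

Run it against the status and body that `curl -v` returns for the challenge URL; "unexpected-404" for the body seen in the log means the reply did not come from the RouterOS www service's own error page.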

Make sure DNS resolves the domain to the correct IP address (the one of the router). That 404 content doesn’t look like something produced by the www service from RouterOS. This is what RouterOS produces as response for 404:

<!doctype html>
<html lang=en>
<title>Error 404 : Not Found</title>
<h1>Error 404 : Not Found</h1>

The IP address is probably pointing to another device.

And don’t forget to enable the www service and allow port TCP 80 on chain input.

Thanks for your response @CGGXANNX, I appreciate it :slight_smile:

The router DNS name resolves to the correct IP. It’s all internal, nothing connected directly to the internet.

The curl output for the .well-known URL is different from the 404 error returned for a different, non-existent URL.

$ curl -v http://mikrotik.example.com/.well-known/acme-challenge/351B5ERUDcFEoz9OJrD6kg
*   Trying 10.xxx.yyy.1:80...
* Connected to mikrotik.example.com (10.xxx.yyy.1) port 80 (#0)
> GET /.well-known/acme-challenge/351B5ERUDcFEoz9OJrD6kg HTTP/1.1
> Host: mikrotik.example.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Cache-Control: no-store
< Connection: Keep-Alive
< Content-Length: 28
< Date: Tue, 15 Jul 2025 12:50:54 GMT
< Expires: Wed, 15 Jul 2026 12:50:54 GMT
< X-Frame-Options: sameorigin
<
* Connection #0 to host mikrotik.example.com left intact
<h1>404</h1><p>Not found</p>

$ curl -v http://10.xxx.yyy.1/.well-known/acme-challenge/351B5ERUDcFEoz9OJrD6kg
*   Trying 10.xxx.yyy.1:80...
* Connected to 10.xxx.yyy.1 (10.xxx.yyy.1) port 80 (#0)
> GET /.well-known/acme-challenge/351B5ERUDcFEoz9OJrD6kg HTTP/1.1
> Host: 10.xxx.yyy.1
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Cache-Control: no-store
< Connection: Keep-Alive
< Content-Length: 28
< Date: Tue, 15 Jul 2025 12:51:15 GMT
< Expires: Wed, 15 Jul 2026 12:51:15 GMT
< X-Frame-Options: sameorigin
<
* Connection #0 to host 10.xxx.yyy.1 left intact
<h1>404</h1><p>Not found</p>

$ curl -v http://10.xxx.yyy.1/sdklfjsldkjfs
*   Trying 10.xxx.yyy.1:80...
* Connected to 10.xxx.yyy.1 (10.xxx.yyy.1) port 80 (#0)
> GET /sdklfjsldkjfs HTTP/1.1
> Host: 10.xxx.yyy.1
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Cache-Control: no-store
< Connection: Keep-Alive
< Content-Length: 99
< Content-Type: text/html
< Date: Tue, 15 Jul 2025 12:59:16 GMT
< Expires: 0
< Pragma: no-cache
< X-Frame-Options: sameorigin
<
<!doctype html>
<html lang=en>
<title>Error 404 : Not Found</title>
<h1>Error 404 : Not Found</h1>
* Connection #0 to host 10.xxx.yyy.1 left intact

My board’s details are:

Architecture: mipsbe
Board: hEX PoE
Installed Version: 7.19.3 (stable)

Cheers!