Feature Request: GUI supported Let's Encrypt with SSL Offloading

I am a big fan of Let’s encrypt mainly because the certificate administration is so much easier.

I propose that RouterOS gets on the Let’s Encrypt bandwagon and support easy certificate handling with SSL offloading capabilities directly from the GUI.

I think the feature should work like this

In the GUI you first you supply the domain names you wish to get SSL certificates for.
In this step you probably also needs to supply which of your public IPs you wish to use (if you expose more than one).
We need a specific page for this I guess.

The RouterOS then briefly opens the required port 80 to handle the Let’s Encrypt response.
(If port 80 is already used for something else there might be an issue)

The RouterOS will periodically (maybe once every 30 days or what ever Let’s Encrypt recommends) renew the certificates.
Probably a good idea to make this changeable.

From the GUI (I am thinking IP:Firewall.NAT) you can in your individual rules decide if you want to use the SSL offloading functionality.
The rules is easily setup to accept eg. port 443 to a destination port 80 with the use of the certificate.
It should be possible to make multiple rules where you use the domain name from the SSL certicate to decide where the traffic goes.
(This would enable you to have multiple web servers on the internal network and still only use a single public IP for all domain names.

It might seem obvious but you should be able to use an SSL certificate for the RouterOS management interface as well.

Looking forward to the feedback.

There’s already long thread about Let’s Encrypt support:

Support for ACME/Let’s Encrypt certificate management

Few notes:

1. You don’t need to do anything with IP addresses, certificates use hostnames. They can contain IP addresses too, but Let’s Encrypt won’t give you certificate for them.

2. It will be an issue, you can’t rely on port 80 being free to use.

3. You’re asking for alternative of stunnel, but web still exists as http too, not only https, and you want both to work (and if not you, others would). For that, you’d need proper reverse proxy, which is another topic. It would be useful, but some people would argue to death how proper routers should never do such thing. And there are definitely more important features. Maybe if MikroTik took something existing and made it into optional package, but it seems they like to implement things themselves.

Thanks for the reply.

Could you recommend an alternative - maybe some simple SSL offloading firewall I can route all 443 traffic throu?

As reverse proxy for http(s) I use Nginx, previously Pound, I also know about HAProxy, and there’s probably more. There’s also stunnel which is not specifically for https, but can do other interesting stuff. Downside of all of these is that you can’t put them directly on router, you need another machine, and that might be overkill if it’s only for something small.