Hello, I tried to search for a script to update the HTTPS Let's Encrypt certificate and the only suitable one is from ilium007; here is an adapted version:
# Hostname the certificate is issued for; Let's Encrypt must be able to resolve it to this router's WAN address
:local MyDDNS "my.dd.ns";
:local WANinterface "WAN";
:local RouterAddress "192.168.88.1";
:local ServiceWWW [/ip service find name=www];
:local ServiceWWWSSL [/ip service find name=www-ssl];
# Remember the current allowed-address list of www so it can be restored after the challenge
:local AllowedWWWaddress [/ip service get www value-name=address];
# Temporarily accept TCP/80 from the WAN for the HTTP-01 challenge.
# Note: place-before depends on an existing input rule whose comment contains "ICMP".
/ip firewall filter add action=accept chain=input comment="IP Service HTTP" dst-port=80 in-interface=$WANinterface protocol=tcp place-before=[find comment~"ICMP"];
/ip service set $ServiceWWW disabled=no;
/ip service set $ServiceWWW address=0.0.0.0/0;
# Drop the previous certificate(s) before requesting a new one
/certificate remove [find name~"letsencrypt"];
/certificate remove [find common-name~"$MyDDNS"];
# Request the certificate; log instead of silently continuing if the request fails
:do {/certificate enable-ssl-certificate dns-name="$MyDDNS"} on-error={:log warning "Let's Encrypt request for $MyDDNS failed!"};
:delay 10s
# Close the challenge hole again and restore the original allowed addresses
/ip service set $ServiceWWW address=$AllowedWWWaddress;
/ip service set $ServiceWWWSSL address=$AllowedWWWaddress;
/ip firewall filter remove [find comment="IP Service HTTP"];
:local CertCName [/certificate find common-name~"$MyDDNS"];
# The parameter that selects which property "get" returns is value-name=, not value=
:local CertName [/certificate get "$CertCName" value-name=name];
:do {/ip service set $ServiceWWWSSL certificate="$CertName" tls-version=only-1.2} on-error={:log warning "Failed to set HTTPS certificate!"};
# Make the DDNS name resolve to the router's LAN address for internal clients
/ip dns static remove [find name~"$MyDDNS"];
/ip dns static add address=$RouterAddress name="$MyDDNS";
/ip service set $ServiceWWW disabled=yes;
/ip service set $ServiceWWWSSL disabled=no;
:log warning "Let's Encrypt SSL Certificate updated!";
I have 0 knowledge of scripting, so it probably contains some errors:
if you use a DDNS name with capital letters you'll get an error; it would be useful to convert A-Z to a-z for MyDDNS.
When Let's Encrypt fails, the line ":local CertName [/certificate get "$CertCName" value=name];" returns an error and blocks the script; it would be useful to receive a log entry when it fails.
Sorry, but it is better to start from 0 than to use your code.
It's the truth, sorry.
For example, why write this mess???
:local ServiceWWW [/ip service find name=www]
:local ServiceWWWSSL [/ip service find name=www-ssl]
/ip service set $ServiceWWW disabled=yes;
/ip service set $ServiceWWWSSL disabled=no;
Isn't it simpler to write:
/ip service set www disabled=yes
/ip service set www-ssl disabled=no
???
(or better:)
/ip service
set www disabled=yes
set www-ssl disabled=no
And this? It is based on one rule that probably only you have, one that contains ICMP in its comment:
/ip firewall filter add […] place-before=[find comment~"ICMP"]
Agreed, it's an adapted version of ilium007's code. Feel free to delete the post if it is not useful.
As you correctly say, I have no knowledge; I'm just trying to learn.
If you learn from that line, then you learn "error-prone" programming.
It should be checked first, as it may give errors, not "try and see if it fails".
Be that as it may, the correct string is:
:do {/ip service set www-ssl certificate=$CertName} on-error={:log warning "Failed to set HTTPS certificate!"}
I did something similar to this. I will update it after @rextended's comments. Maybe this gives you ideas about how to write yours. Also, he might try to do his magic on it for me. :d
When you do your tests, exclude the actual certificate renewal; it might hit the Let's Encrypt rate limit.
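Putting rextended's two points together (check first instead of relying on on-error, and do not depend on another rule's comment) with the rate-limit warning above, here is an added example of how the renewal script could look. It is not ilium007's script, not the script posted in this thread, and not rextended's code; it assumes RouterOS v7 syntax, that the hostname "my.dd.ns" and the interface name "WAN" are placeholders to be replaced, and that the comment "LE-HTTP-01" and the DryRun flag are conventions invented for this example.

```routeros
# Added example, not code from the thread. Assumptions: RouterOS v7; "my.dd.ns" and "WAN"
# are placeholders; the comment "LE-HTTP-01" and the DryRun flag are conventions of this example.
:local MyDDNS "my.dd.ns";
:local WANinterface "WAN";
# Set DryRun to true while testing: every real request counts against the Let's Encrypt rate limit.
:local DryRun true;

# 1. Open TCP/80 from the WAN for the HTTP-01 challenge.
#    place-before=0 puts the rule at the top of the input chain, so it does not
#    depend on any other rule (or its comment) existing.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=80 \
    in-interface=$WANinterface comment="LE-HTTP-01" place-before=0;
/ip service set www disabled=no address=0.0.0.0/0;

# 2. Request the certificate. Skipped in dry-run mode so the rest of the script can be
#    exercised without hitting the rate limit. The old certificate for the name is removed
#    first, the same way the script in the thread does it.
:if (!$DryRun) do={
    /certificate remove [find where common-name=$MyDDNS];
    :do {
        /certificate enable-ssl-certificate dns-name=$MyDDNS;
        :delay 10s;
    } on-error={ :log error "Let's Encrypt request for $MyDDNS failed" }
} else={
    :log info "DryRun: skipping Let's Encrypt request for $MyDDNS";
}

# 3. Close the hole again whether or not the request succeeded.
/ip firewall filter remove [find comment="LE-HTTP-01"];
/ip service set www disabled=yes address="";

# 4. Check that a certificate for the name exists BEFORE touching www-ssl.
#    find returns an array of ids; an empty array means there is nothing to assign.
:local CertIds [/certificate find where common-name=$MyDDNS];
:if ([:len $CertIds] = 0) do={
    :log error "No certificate with common-name $MyDDNS found; www-ssl left unchanged";
} else={
    :local CertName [/certificate get ($CertIds->0) value-name=name];
    /ip service set www-ssl certificate=$CertName tls-version=only-1.2 disabled=no;
    :log info "www-ssl now uses certificate $CertName";
}
```

The check in step 4 is what turns "try and see if it fails" into a tested condition: a missing certificate produces a log line and leaves www-ssl as it was, instead of an aborted script and a half-finished state with port 80 still open. Run it once with DryRun true against an existing certificate to confirm steps 1, 3 and 4 behave, then set DryRun to false for the real renewal.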