I’m trying to use the /certificate enable-ssl-certificate command to install a certificate from Let’s Encrypt. The certificate successfully gets issued and installed, but the intermediate CA certificate is missing:
[admin@mtdev] /certificate> enable-ssl-certificate dns-name=mtdev.example.com
progress: [success] ssl certificate updated
[admin@mtdev] /certificate> print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired;
T - trusted
0 K T name="mtdev.example.com" issuer=C=US,O=Let's Encrypt,CN=R10 digest-algorithm=sha256 key-type=rsa
common-name="mtdev.example.com" key-size=2048 subject-alt-name=DNS:mtdev.example.com
days-valid=89 trusted=yes key-usage=digital-signature,key-encipherment,tls-server,tls-client
serial-number="044b227f92cdb0c874d223ba9303f9620c38"
fingerprint="9679a8b338793ca433353d7d6f61b9cf58ca93bb50fe167f8cb35d11171f05b0"
akid=bbbcc347a5e4bca9c6c3a4720c108da235e1c8e8 skid=8daf30d0f89604889672d5228b2737762d046fb6
invalid-before=2024-10-15 12:22:26 invalid-after=2025-01-13 12:22:25
expires-after=12w5d22h31m59s
Trying to connect to https with curl gives me an error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
Running openssl s_client -connect <host>:443 -showcerts confirms that the HTTPS server on the RouterOS device is only sending a single certificate, and not the intermediate needed to verify. I can successfully connect with Firefox, but I’m pretty sure that Firefox does some caching of certificate chains that will allow it to work if I happened to visit another site that’s signed with the same intermediate.
Is this a bug? The documentation at https://help.mikrotik.com/docs/display/ROS/Certificates#Certificates-Let’sEncryptcertificates doesn’t mention any other commands needed.
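A way to make the "only one certificate is sent" diagnosis repeatable, as an added example that is not part of the original post and not MikroTik's code: the script below parses the "Certificate chain" section that `openssl s_client -showcerts` prints (the `s:` subject and `i:` issuer lines) and follows the issuer-to-subject links from the leaf upward. It reports the issuer the client must already trust and flags the case from the post, where the leaf's issuer (here the Let's Encrypt R10 intermediate) is not among the certificates the server sent. The two sample outputs are constructed for the example; the R10 issuer name is the one printed by the router above, and the ISRG Root X1 name used as R10's issuer is from general knowledge of the Let's Encrypt hierarchy, not from the post.

```python
"""Check whether a TLS server sends a complete certificate chain.

Added example (not the forum post's or MikroTik's code). It works on the
text printed by `openssl s_client -connect HOST:443 -showcerts`, so it
needs no extra libraries and can be run on a saved capture.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:CN = host"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")            # "   i:C = US, O = ..."


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so both OpenSSL print styles compare equal.

    'C = US, O = Let's Encrypt, CN = R10' (OpenSSL 3.x) and
    '/C=US/O=Let's Encrypt/CN=R10' (OpenSSL 1.1) both become
    "C=US,O=Let's Encrypt,CN=R10". Assumes no ',' or '/' inside values.
    """
    parts = re.split(r"\s*[,/]\s*", dn.strip().lstrip("/"))
    return ",".join(p.replace(" = ", "=").strip() for p in parts if p)


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain: List[Tuple[str, str]] = []
    pending_subject: Optional[str] = None
    for line in s_client_output.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending_subject = normalize_dn(m.group(2))
            continue
        m = ISSUER_RE.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, normalize_dn(m.group(1))))
            pending_subject = None
    return chain


@dataclass
class ChainReport:
    complete: bool
    depth: int                     # certificates actually linked from the leaf
    top_subject: str               # highest certificate reached in the sent chain
    anchor_issuer: str             # issuer the client must already trust
    missing_issuer: Optional[str]  # set when the leaf's issuer was not sent


def check_chain(chain: List[Tuple[str, str]],
                trusted_subjects: Optional[Iterable[str]] = None) -> ChainReport:
    """Walk leaf -> issuer -> ... through the certificates the server sent.

    Without `trusted_subjects`, the chain counts as complete when at least
    the leaf's issuer was sent (or the leaf is self-signed). With a set of
    trusted root DNs it also checks that the walk ends at one of them.
    """
    if not chain:
        raise ValueError("no certificates found in s_client output")
    by_subject = dict(chain)
    subject, issuer = chain[0]          # TLS requires the leaf to come first
    depth, seen = 1, {subject}
    while issuer != subject and issuer in by_subject and issuer not in seen:
        subject, issuer = issuer, by_subject[issuer]
        seen.add(subject)
        depth += 1
    if depth == 1 and issuer != subject:
        # Leaf is not self-signed and its issuer was not sent: this is the
        # "unable to get local issuer certificate" situation from the post.
        return ChainReport(False, depth, subject, issuer, issuer)
    if trusted_subjects is not None:
        trusted = set(trusted_subjects)
        complete = issuer in trusted or subject in trusted
    else:
        complete = True
    return ChainReport(complete, depth, subject, issuer, None)


def fetch_s_client_output(host: str, port: int = 443) -> str:
    """Run openssl s_client against a live host (not used by the samples)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input="", capture_output=True, text=True, timeout=15, check=False)
    return proc.stdout


# Constructed sample captures; the PEM bodies are placeholders, not real certs.
SINGLE_CERT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mtdev.example.com
   i:C = US, O = Let's Encrypt, CN = R10
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mtdev.example.com
issuer=C = US, O = Let's Encrypt, CN = R10
"""

FULL_CHAIN_OUTPUT = SINGLE_CERT_OUTPUT.replace(
    "-----END CERTIFICATE-----\n---",
    "-----END CERTIFICATE-----\n"
    " 1 s:C = US, O = Let's Encrypt, CN = R10\n"
    "   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
    "-----BEGIN CERTIFICATE-----\nMIIF...constructed placeholder...\n"
    "-----END CERTIFICATE-----\n---")

if __name__ == "__main__":
    for label, capture in (("router", SINGLE_CERT_OUTPUT), ("fixed", FULL_CHAIN_OUTPUT)):
        print(label, check_chain(parse_chain(capture)))
```

On a live host, feed `fetch_s_client_output(host)` into `parse_chain` and pass the DN of the expected root (for the Let's Encrypt R10 intermediate, ISRG Root X1) as `trusted_subjects`; a report with `missing_issuer` set means the server is sending only its leaf, which is exactly what curl's "unable to get local issuer certificate" is complaining about, whereas Firefox can hide it by reusing an intermediate it cached from another site.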