Let’s Encrypt Certificate on MikroTik – Auto-Renewal Clarification

Hi everyone,

I’ve successfully generated a Let’s Encrypt certificate on my MikroTik router using the built-in ACME client. The certificate is used for HTTPS communication and appears as trusted by another certificate (Let’s Encrypt R10).

My main question is:

Does the ACME client in RouterOS automatically renew this certificate before expiration, or do I need to inject a script (e.g., via scheduler) to handle the renewal and re-import process manually?

Also, if manual steps are required:

What is the best practice for automating this (e.g., script examples)?
Does it require reopening the web service port (TCP 80) every 90 days?

Any guidance or confirmation from others who have implemented automatic renewals would be appreciated.

Thanks!

I never used Let’s Encrypt in ROS, but by the looks of it it’s not auto-renewed; you have to create a scheduler for sure, let’s say every 2 months, to renew the certs, and of course as part of it you have to open www during the renewal process, same as you did the first time :slight_smile:

edit: I have no excuse now to try this, I realized I can use this for SSTP VPN on Windows

1 Like

The certificate is automatically renewed when 80% of its validity period has passed.

2 Likes
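Whichever way the renewal is triggered on the router, a central server can verify that it actually happened. The following is an added Python example (not code from this thread or from MikroTik) that opens a verified TLS connection to a router’s www-ssl port, reads the certificate’s validity window and reports whether the 80% mark mentioned above has been passed without a fresh certificate appearing. The router names, port and CA file are assumptions; `cafile=None` uses the system trust store, which is what you want for Let’s Encrypt-issued certificates.

```python
"""Report whether a router's HTTPS certificate is past the renewal threshold.

Added example; host names, port and cafile values are assumptions, not thread content.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Threshold quoted in the thread: RouterOS renews once 80% of validity has elapsed.
RENEW_FRACTION = 0.8


def validity_elapsed(not_before: datetime, not_after: datetime, now: datetime) -> float:
    """Fraction of the certificate's lifetime that has elapsed at `now` (may exceed 1.0)."""
    total = (not_after - not_before).total_seconds()
    if total <= 0:
        raise ValueError("notAfter must be later than notBefore")
    return (now - not_before).total_seconds() / total


def renewal_due(not_before: datetime, not_after: datetime, now: datetime,
                fraction: float = RENEW_FRACTION) -> bool:
    """True once the ACME client should already have replaced this certificate."""
    return validity_elapsed(not_before, not_after, now) >= fraction


def parse_cert_time(value: str) -> datetime:
    """Convert getpeercert()'s 'Jan  5 09:34:43 2018 GMT' strings into aware UTC datetimes."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None,
                    timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the parsed leaf certificate.

    cafile=None uses the system trust store (right for Let's Encrypt); pass your
    own CA bundle for routers that use a private CA. Verification stays on, so a
    failure here is itself a finding rather than something to suppress.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + host name check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()  # populated only after successful verification


def check_router(host: str, port: int = 443, cafile: Optional[str] = None,
                 now: Optional[datetime] = None) -> dict:
    """Summarise one router's certificate state for an inventory report."""
    cert = fetch_peer_cert(host, port, cafile)
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    now = now or datetime.now(timezone.utc)
    return {
        "host": host,
        "not_after": not_after.isoformat(),
        "elapsed": round(validity_elapsed(not_before, not_after, now), 3),
        "renewal_due": renewal_due(not_before, not_after, now),
    }


if __name__ == "__main__":
    # Assumed inventory; replace with the routers you actually manage.
    for router in ("router1.example.net", "router2.example.net"):
        try:
            print(check_router(router))
        except (OSError, ssl.SSLError) as exc:
            print(f"{router}: TLS check failed: {exc}")
```

Run it from a scheduler on the management host and alert when `renewal_due` is true for a certificate whose `not_after` has not moved since the last run: that is the signature of a renewal that did not happen, and with the HTTP-01 challenge the usual cause is that TCP 80 was not reachable from the Internet at renewal time, which is exactly the port question raised in the original post.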

Oh great :slight_smile: hahaha, like I said, I have no excuse now. Thanks for the heads-up!

1 Like

@loloski @cyrq Thank you so much for your reply.

Goal: I want to manage all MikroTik routers via HTTPS (www-ssl, port 443) from my own central server.

To do this, each router needs a valid certificate. Instead of logging into each router manually, I want to automate the import of the same self-signed certificate (valid for 10 years or more) into every router.

Once that’s done, my server can use the MikroTik REST API securely over HTTPS without any restrictions.

I’m looking for the best way to:

  • Script this bulk certificate import across all routers
  • How do I properly install and trust the same self-signed certificate on both the routers and the server so that they can communicate securely?

Any tips or script examples would be appreciated.
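For the server side of this goal, here is an added Python example (not from this thread or from MikroTik) using only the standard library: it builds a TLS context that trusts exactly the CA file you deployed and still checks the host name, then calls the RouterOS REST API with HTTP basic authentication. The router names, credentials, CA file path and the `system/resource` path are assumptions.

```python
"""Call the MikroTik REST API over HTTPS, trusting only the CA you deployed.

Added example; host names, credentials, paths and the CA file are assumptions.
"""
import base64
import json
import ssl
import urllib.request
from typing import Optional


def make_context(cafile: Optional[str]) -> ssl.SSLContext:
    """TLS client context that requires a valid chain and a matching host name.

    cafile=None -> system trust store (routers with Let's Encrypt certificates).
    cafile=path -> only that CA is trusted, e.g. the CA you created on one router;
                   public CAs are then deliberately not accepted for these calls.
    Do not reach for ssl._create_unverified_context() here: without verification
    any device on the path can impersonate the router and capture the credentials.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname=True, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=cafile)  # trust ONLY this CA
    return ctx


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credentials; safe only because the channel is verified TLS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def rest_url(host: str, path: str, port: int = 443) -> str:
    """REST paths mirror the CLI menu: system/resource -> https://host/rest/system/resource."""
    return f"https://{host}:{port}/rest/{path.strip('/')}"


def rest_get(host: str, path: str, user: str, password: str,
             ctx: ssl.SSLContext, timeout: float = 5.0):
    """GET one REST resource and return the decoded JSON."""
    req = urllib.request.Request(
        rest_url(host, path),
        headers={"Authorization": basic_auth_header(user, password),
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed path to the CA certificate exported from the router acting as CA.
    ctx = make_context("/etc/mikrotik/router-ca.pem")
    for router in ("router1.example.net", "router2.example.net"):
        try:
            info = rest_get(router, "system/resource", "api-user", "assumed-password", ctx)
            print(router, info.get("version"))
        except (OSError, ssl.SSLError) as exc:
            # Certificate mismatch, untrusted issuer or unreachable host all land here.
            print(f"{router}: request failed: {exc}")
```

One caveat that matters for the “same self-signed certificate on every router” plan: the context above checks that the name you connect to appears in the certificate’s subject alternative names, so a single shared certificate only verifies cleanly if its SAN list covers every router name or address the server uses. Per-router certificates issued by one CA avoid that, and then the server only needs to trust the CA certificate, never the individual router certificates.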

You might be able to use the SCEP server and have the other routers pull a self-signed cert from one router configured as a SCEP server.

While you still have to configure each router as a SCEP client, that’s only a couple of commands. Versus half a dozen or more commands needed to add/generate certs manually in scripting and then push them out – possible, but a lot of REST commands that have to line up. Plus, SCEP would be easier going forward, since you just add the pull from SCEP as part of your standard config.

Thanks everyone! This is super helpful!

@Amm0 The SCEP approach sounds like exactly what I was looking for. Having one MikroTik act as the SCEP server and letting the other routers pull the certificate simplifies things a lot, much better than pushing certs manually via script and REST calls.

I’ll experiment with setting up the CA on one router, then configuring the rest as SCEP clients. If it works as smoothly as described, I’ll definitely add this to our provisioning flow.

Thanks again for pointing me in the right direction! :raising_hands:

Will post an update once I’ve tested it.