Let's Encrypt certificate automatic renewal in ROS v7

RouterOS Beginner Basics
1

Hi there!

I was expecting that the certificate generated by the command below would be renewed automatically, but that hasn’t happened. Mine has just expired and I do not see any signs of incoming connections to port 80. The www and www-ssl IP services are running and port 80 is open for Let’s Encrypt hosts:

/certificate enable-ssl-certificate dns-name=my.domain.com

In the terminal I see that the certificate has expired (E flag). WinBox displayed it as valid until I restarted the application :slight_smile:.

> /certificate/print 
Flags: K - PRIVATE-KEY; E - EXPIRED; T - TRUSTED
Columns: NAME, COMMON-NAME, SUBJECT-ALT-NAME
#     NAME                                      COMMON-NAME                            SUBJECT-ALT-NAME     
0   T dns-nextdns-io.pem_0                      USERTrust ECC Certification Authority                       
1 KET letsencrypt-autogen_2022-12-11T14:48:10Z  <removed>.ddns.net                      DNS:<removed>.ddns.net

Shall I run the /certificate/enable-ssl-certificate again to remove the expired certificate and generate a new one?

LetsEncrypt temporary port 80 ? or DNS API ? VPN certificates, 2FA etc.
Firewall for Ikev2 + letsencrypt + radius
2

Auto-renewal doesn’t work. You can use scripts for renewal later on.

3

The /certificate enable-ssl-certificate command removed previously generated certificate and imported a new one. To automate this I’ve created a script and set it to run every 90 days in the scheduler. Thank you!

/ip service enable www;
/ip firewall filter enable [find comment=letsencrypt];
/log info "Let's Encrypt certificate renewal started";

/certificate enable-ssl-certificate dns-name=<removed>.ddns.net;

/ip service disable www;
/ip firewall filter disable [find comment=letsencrypt];
/log info "Let's Encrypt certificate renewal completed";

And the firewall rule:

> /ip/firewall/filter/print where comment=letsencrypt
Flags: X - disabled, I - invalid; D - dynamic 
 0 X  ;;; letsencrypt
      chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=80 log=yes log-prefix=""
4

Where can I find documentation about enable-ssl-certificate’s options? I need to set it to use staging server to debug my script without running into rate limit.

ROS 7.12.1 - enable-ssl-certificate with UserManager
5

How? Let’s Encrypt doesn’t publish their servers.

6

I don’t think you can do that. The documentation states that “dns-name” is the only option available for this command.

7

[quote=wfburton post_id=1050530 time=1705883945 user_id=215408]
Let’s Encrypt and dynamic Address List firewall rules
[/quote]
Cool



With their insistence on never giving up their list of servers, I’m surprised they made it that easy.. thinking Going to investigate this a lot more.



I am very curious why their IPs keep ending up on my automated blacklists, should be able to track them better if the list is accurate. :slight_smile:

8

I followed MikroTik’s video instructions where they suggested creating an address list and using it in a firewall rule for port 80.

That didn’t work for me, so I removed the address list, created a script that opens the port just before the certificate renewal and closes immediately after, and set it to run every 90 days.

9

I setup a second system, either container or VPS, NAT’d behind the router, it does the renewal and with a hook, pushes it to RouterOS.

My issue with the address list is, is it complete, have they added new server FQDNs.

10 



[tvv@MikroTik] /certificate> enable-ssl-certificate 
append     as-value     dns-name     do     duration     interval     once     without-paging

What do these options do?

11

Those are generic options that you may find in almost every print command. See the “print parameters” at the scripting help page. They have nothing to do with certificates or Let’s Encrypt.