Let's Encrypt - only 1 certificate allowed?

ColinSlater · December 24, 2022, 8:24am

Good morning Mikrotik Community,

Quick question - is it only possible / allowed to install 1 Let’s Encrypt certificate on the mikrotik at a time?
Just tried to install a second one using the enable-ssl-certificate dns-name=xxx command and it went through the process, but at the end said “certificate updated” and only the original certificate remained untouched.

Thanks

Colin

rextended · December 24, 2022, 8:32am

Nice question,
but probably is Let’s Encrypt limit, if I do not remember bad, to 6 cert/month or similar.
If you do some test, the counter decrease, if you exaust the limit, nothing is done.

Sob · December 24, 2022, 11:30am

No, it’s RouterOS. The whole thing is basically like an early alpha version that leaked out prematurely. It’s fine as techdemo, but not actually usable yet. You can get one certificate, it works, and that’s it. It doesn’t even renew, at least not automatically.

You can’t request another one (for different hostname), to have one e.g. for WebFig and another for SSTP, even though it’s not any far fetched idea.

Changing hostname doesn’t seem to work either. I had router with one expired certificate for and tried “/certificate/enable-ssl-certificate dns-name=”. It seemed to complete successfully, but certificate list still shows only old expired certificate for . When exported, it’s valid new certificate for , so it looks like display error in RouterOS. But it’s something more, because WebFig doesn’t work with it either.

rextended · December 24, 2022, 11:34am

ColinSlater · March 4, 2023, 2:07pm

Anyone got any ideas if the new v7.8 addresses this issue?
I couldn’t see any mention of this in the release notes.

Thanks

Colin

Amm0 · March 4, 2023, 2:26pm

One certificate, many names. You should be able to add multiple DNS names in the dns-name= field (e.g.

/certificate enable-ssl-certificate dns-name=www.example.com,myrouter.example.com

As long as they are “valid” (e.g. LE can reach RouterOS by ALL of them), that should work. But if one doesn’t complete validation, the entire request fails.

Amm0 · March 4, 2023, 3:38pm

To be clear, this is an accurate description:

Since one never know if things change, I just tested the on V7.8 with an expired cert. But everything here is manual. Since these things expire after 90 days, some practice here. I remove manually any old LE certs to be sure. And after the updating the cert, the internal web server doesn’t always seems to use it right away, so you have to toggle the /ip/service of https and/or reboot in my experience after it updates the certificate. But the dns-names with multiple does produce the “2.5.29.17” with all of them in the LE certs. And you can see the /certificate/enable-ssl-certificate go through the validation step for EACH domain name in the CLI.

That being said, to @Sob point… When I care about TLS working publicly, I just pay for a wildcard one to get a longer expiration. But LE be fine in these cases – IF only just renewed automatically (and used DNS validation to avoid port 80). It is quite annoying. But the multiple names problem I ran into early, I like service-based DNS names (e.g. webfig., sstp., etc) – even only one router today, unwinding client to split these things up later is annoying.

Sob · March 4, 2023, 7:35pm

I like LE for the automation alone. Being free is nice bonus. Paid certificates always required some annoying manual work. It wasn’t too bad when they had very long validity (I don’t know what was the maximum, but I used to have some five-year ones), but now we’re down to one year. And if it goes even lower (some want it to), LE will be clear winner, except in places where there’s really no chance to automate things.

I believe that RouterOS will do the right thing eventually. Working automatic renewals, DNS validation, or anything else one might need. It’s not like any of that should be too difficult once the main part is done.

DNS validation with custom domains would require external DNS server, but it’s pretty easy for people who need it. And for xxx.sn.mynetname.net it could be done by MikroTik, if they wanted to, then RouterOS could get certificates without exposing any service to internet. It could confuse some people who would think that incoming connection would work even if they don’t public address (they of course wouldn’t), but it would be useful when you do have some incoming ports, just not 80.

ColinSlater · March 11, 2023, 7:23am

Hi Guys,
Thanks for the replies here.
To answer the point about automatic renewal, I already encountered this problem and got around it with a script (as you’ll see in the post, it’s a modified version of something someone else had written)
http://forum.mikrotik.com/t/renewing-lets-encrypt-ssl-certificate/160888/1

I’ll have a play with the multiple DNS Names thing though.

Thanks

Colin

suidroot · November 1, 2023, 6:28pm

Hi,

I’ve been using this approach to create a LE cert with multiple dns alt names for quite a while but not it does not work any more.
It tries to lookup the list as one hostname and fails:

[admin@MikroTik] /certificate> enable-ssl-certificate dns-name=mikrotik.mydomain.net,mikrotik.some.otherdomain.net
  progress: [error] could not resolve 'mikrotik.mydomain.net,mikrotik.some.otherdomain.net'

Current Firmware 7.11.2

Any ideas?

Thanks!
Suid