I tried to create a LetsEncrypt certificate.
/certificate enable-ssl-certificate dns-name=my.domain.com
and got this ERROR:
progress: [error] http challenge validation failed, please make sure www service is enabled and your device is accessible by letsencrypt.org servers
/ip/service www and www-ssl are enabled
A webserver is behind the router reachable under my.domain.com with browser.
Ports 80 and 443 are open from all IPs and route to the webserver IP. /ip/dns/static 192.x.y.z is OK.
What else is missing to get the cert onto the router?
my.domain.com at the webserver is reachable and already has a letsencrypt cert.
My ISP is managing the DDNS entries of the router and the webserver URLs. I have a router script for this.
In the DNS service there is no A or AAAA entry necessary for the webserver's URLs either.
Now I'm not sure what is going on; it looks more complicated than simple SSL.
So from what I experienced with Let's Encrypt:
if you want it in RouterOS then 1 - firewall allow, 2 - www enabled (because it uses it for verifying), 3 - public IP.
And you have all of them, so I can't tell where the problem is, but the error you got I only saw when the ISP won't allow traffic over 80.
I still can't figure out what the role of your webserver is here.
my ISP is managing the DDNS entries of the router and the web server urls
Do I understand it correctly that there’s another webserver behind your router, and there’s dstnat for port 80 going there? If so, how many IP addresses do you have? Because if it’s just one, then the port can go either to webserver or to router, but not to both.
Yes, I have dstnat port 80 to the webserver behind the router. The private IP range is 192.168.1.0/24 with 254 IPs. Let's say the webserver has static IP 192.168.1.200.
The dstnat is OK, because the webserver can be reached from internet. I found this solution in some mikrotik support forums.
You ask if I have “another webserver”. Does the router have its own webserver that can process the letsencrypt query via port 80?
So I could dstnat the port only for the cert check and renewal to the router webserver (probably with scripting).
I have already tried to dstnat port 80 to the router IP 192.168.1.1 with no success and the same letsencrypt error.
The router runs its own web server; mostly it's used for WebFig. It's also used to process the letsencrypt handshake.
You don't dst-nat the port to the router's own address; you disable dst-nat for a while and allow connections towards port 80 in the firewall for chain=input (preferably only for a few IP addresses from which letsencrypt performs that handshake).
Another possibility is to configure your internal web server to reverse-proxy that URL to your router. If you allow WebFig access from where the web server resides, then no change is needed on the router. Of course you have to reconfigure the internal web server only during the router's certificate renewal.
Yet another possibility is to use internal web server to perform certificate renewal and then script installation of new certificate to router … no configuration change whatsoever is needed in this case.
But personally I’d rather go with the reverse proxy idea. Or even with the other one, to let webserver do everything and then upload resulting certificate to router.
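The first option above (pause the dst-nat, open TCP/80 on chain=input, run the request, then put everything back) can be scripted on the router so the window is short and repeatable. The following is an added example, not a script from this thread or from MikroTik; it assumes the thread's values (a dst-nat rule sending TCP/80 to 192.168.1.200, dns-name my.domain.com), rule comments "web80-to-lan" and "acme-http01-in" as the handles the script uses, and that the listed script policies are enough for `/certificate enable-ssl-certificate` on your RouterOS version. Let's Encrypt does not publish a fixed list of validation source addresses, so instead of restricting the input rule by source IP the example keeps the rule disabled except during the renewal window.

```routeros
# One-time setup (assumed names): tag the existing dst-nat rule so the script
# can find it, and add a disabled input-accept rule for TCP/80 at the top of
# the filter table so it lands above any existing drop rule in chain=input.
/ip firewall nat set [find chain=dstnat protocol=tcp dst-port=80] comment="web80-to-lan"
/ip firewall filter add chain=input protocol=tcp dst-port=80 action=accept \
    comment="acme-http01-in" disabled=yes place-before=0

# Renewal script: hand TCP/80 to the router only for the validation window,
# then return it to the LAN web server whether or not the request succeeded.
/system script add name=acme-renew policy=read,write,test source={
    /ip firewall nat disable [find comment="web80-to-lan"]
    /ip firewall filter enable [find comment="acme-http01-in"]
    :do {
        /certificate enable-ssl-certificate dns-name=my.domain.com
    } on-error={
        :log error "acme-renew: certificate request for my.domain.com failed"
    }
    :delay 90s
    /ip firewall filter disable [find comment="acme-http01-in"]
    /ip firewall nat enable [find comment="web80-to-lan"]
    :log info "acme-renew: TCP/80 returned to 192.168.1.200"
}

# Run the script every 60 days (Let's Encrypt certificates are valid for 90 days).
/system scheduler add name=acme-renew interval=60d start-time=03:00:00 on-event=acme-renew
```

The `:delay 90s` is an assumption: it keeps the window open long enough for the validators to connect in case the command returns before validation has finished on your version; shorten it once you have seen how long a successful run takes in `/log`. While the window is open, port 80 of the internal web server is unreachable from the internet, so schedule the run for a quiet hour. If the request still fails with the same error, check `/log print where topics~"error"` and confirm with `/ip service print` that www is enabled on port 80 and has no `address` restriction that would exclude the validators.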