mikrotik.com is broken, certificate chain is incomplete

Looks like mikrotik.com is broken for some clients. According to SSL Labs and Internet.nl the certificate chain is incomplete.

Example using curl on Debian 11:


$ curl --version
curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1n zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
Release-Date: 2020-12-09
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

$ curl -Ivv https://mikrotik.com
*   Trying 2a02:610:7501:2000::205:443...
* Connected to mikrotik.com (2a02:610:7501:2000::205) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

$ curl -Ivv --insecure https://mikrotik.com
*   Trying 2a02:610:7501:2000::205:443...
* Connected to mikrotik.com (2a02:610:7501:2000::205) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=LV; serialNumber=40003286799; C=LV; L=Riga; O=Mikrotikls SIA; CN=mikrotik.com
*  start date: Jan 26 00:00:00 2022 GMT
*  expire date: Feb 26 23:59:59 2023 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> HEAD / HTTP/1.1
> Host: mikrotik.com
> User-Agent: curl/7.74.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 23 Jan 2023 17:36:51 GMT
Date: Mon, 23 Jan 2023 17:36:51 GMT
< Server: Apache
Server: Apache
< Vary: Referer,Host
Vary: Referer,Host
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< X-Frame-Options: sameorigin
X-Frame-Options: sameorigin
< X-Permitted-Cross-Domain-Policies: master-only
X-Permitted-Cross-Domain-Policies: master-only
< Strict-Transport-Security: max-age=63072000; includeSubDomains
Strict-Transport-Security: max-age=63072000; includeSubDomains
< Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
Pragma: no-cache
< Expires: -1
Expires: -1
< Access-Control-Allow-Origin: http(s)?://(www\.)?mikrotik.com$
Access-Control-Allow-Origin: http(s)?://(www\.)?mikrotik.com$
< Content-Security-Policy: default-src 'self';object-src 'self' *.cdn.datatables.net cdn.datatables.net;connect-src 'self' *.mt.lv maps.googleapis.com fonts.googleapis.com *.doubleclick.net;script-src 'self' 'unsafe-inline' 'unsafe-eval' data: unpkg.com i.mt.lv *.google.com gstatic.com code.jquery.com *.gstatic.com www.google-analytics.com googleapis.com *.googleapis.com *.mikrotik.com mikrotik.com;style-src 'self' 'unsafe-inline' i.mt.lv fonts.googleapis.com unpkg.com *.mikrotik.com mikrotik.com code.jquery.com use.typekit.net www.mikrotik.com;img-src 'self' data: i.mt.lv i.ytimg.com api.tiles.mapbox.com *.tile.openstreetmap.org unpkg.com *.arcgisonline.com stats.g.doubleclick.net www.google-analytics.com mikrotik.com www.mikrotik.com forum.mikrotik.com 1.aerial.maps.cit.api.here.com 2.aerial.maps.cit.api.here.com 3.aerial.maps.cit.api.here.com 4.aerial.maps.cit.api.here.com gstatic.com http://services.ga.gov.au *.gstatic.com *.googleapis.com *.arcgisonline.com *.google.com *.google.lv *.routerboard.com;frame-src 'self' youtu.be youtube.com www.youtube.com www.google.com;font-src 'self' data: mikrotik.com fonts.gstatic.com www.mikrotik.com i.mt.lv;frame-ancestors 'self';
Content-Security-Policy: default-src 'self';object-src 'self' *.cdn.datatables.net cdn.datatables.net;connect-src 'self' *.mt.lv maps.googleapis.com fonts.googleapis.com *.doubleclick.net;script-src 'self' 'unsafe-inline' 'unsafe-eval' data: unpkg.com i.mt.lv *.google.com gstatic.com code.jquery.com *.gstatic.com www.google-analytics.com googleapis.com *.googleapis.com *.mikrotik.com mikrotik.com;style-src 'self' 'unsafe-inline' i.mt.lv fonts.googleapis.com unpkg.com *.mikrotik.com mikrotik.com code.jquery.com use.typekit.net www.mikrotik.com;img-src 'self' data: i.mt.lv i.ytimg.com api.tiles.mapbox.com *.tile.openstreetmap.org unpkg.com *.arcgisonline.com stats.g.doubleclick.net www.google-analytics.com mikrotik.com www.mikrotik.com forum.mikrotik.com 1.aerial.maps.cit.api.here.com 2.aerial.maps.cit.api.here.com 3.aerial.maps.cit.api.here.com 4.aerial.maps.cit.api.here.com gstatic.com http://services.ga.gov.au *.gstatic.com *.googleapis.com *.arcgisonline.com *.google.com *.google.lv *.routerboard.com;frame-src 'self' youtu.be youtube.com www.youtube.com www.google.com;font-src 'self' data: mikrotik.com fonts.gstatic.com www.mikrotik.com i.mt.lv;frame-ancestors 'self';
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

< 
* Connection #0 to host mikrotik.com left intact

$

This issue seems to have started today around 9:40 UTC.
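
The failure above is the classic incomplete-chain case: the server sends only its leaf certificate, so a client that does not fetch intermediates on its own (curl/OpenSSL here) cannot link the leaf to a root in its CA bundle, while browsers that fetch or cache intermediates keep working, which is why the breakage looks client-specific. As an added example, not code from the thread or from MikroTik, the Go program below builds a constructed root/intermediate/leaf PKI with placeholder names, audits the leaf first with only the leaf "served" and then with the intermediate included, and, given a hostname as its first argument, runs the same audit against what a live server actually sends. AuditChain, ChainReport, buildPKI and the example names are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

type ChainReport struct {
	Incomplete    bool   // last served cert's issuer is neither served nor in the trust store
	MissingIssuer string // CN of the certificate the server should have sent (when Incomplete)
	Err           error  // nil when the chain verified
}
// AuditChain verifies the way curl/OpenSSL do: served[0] is the leaf, served[1:] are
// untrusted intermediates, and only roots (nil = system CA bundle) is trusted. A server
// that omits its intermediate fails with x509.UnknownAuthorityError, the Go counterpart
// of curl's "unable to get local issuer certificate".
func AuditChain(served []*x509.Certificate, roots *x509.CertPool, hostname string) ChainReport {
	if len(served) == 0 {
		return ChainReport{Err: errors.New("server sent no certificates")}
	}
	inters := x509.NewCertPool()
	for _, c := range served[1:] {
		inters.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{
		DNSName: hostname, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	r := ChainReport{Err: err}
	var ua x509.UnknownAuthorityError
	if errors.As(err, &ua) {
		r.Incomplete = true
		r.MissingIssuer = served[len(served)-1].Issuer.CommonName
	}
	return r
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
func mustCert(tmpl, parent *x509.Certificate, pub, signer interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}
// buildPKI makes a constructed root -> intermediate -> leaf chain (placeholder names, fresh P-256 keys).
func buildPKI() (root, inter, leaf *x509.Certificate) {
	now := time.Now()
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		must(err)
		keys[i] = k
	}
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageCertSign,
		}
		if !isCA { // end-entity: SAN for the host, server-auth only
			c.KeyUsage = x509.KeyUsageDigitalSignature
			c.DNSNames, c.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return c
	}
	rootTmpl := tmpl(1, "Example Root CA (constructed)", true)
	root = mustCert(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	inter = mustCert(tmpl(2, "Example Intermediate CA (constructed)", true), root, &keys[1].PublicKey, keys[0])
	leaf = mustCert(tmpl(3, "www.example.test", false), inter, &keys[2].PublicKey, keys[1])
	return root, inter, leaf
}

func main() {
	root, inter, leaf := buildPKI()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Printf("leaf only:           %+v\n", AuditChain([]*x509.Certificate{leaf}, roots, "www.example.test"))
	fmt.Printf("leaf + intermediate: %+v\n", AuditChain([]*x509.Certificate{leaf, inter}, roots, "www.example.test"))
	if len(os.Args) > 1 { // live audit of a real host: go run . mikrotik.com
		host := os.Args[1]
		// InsecureSkipVerify only lets the handshake finish so the served chain can be read;
		// trust is then evaluated explicitly by AuditChain against the system roots (nil).
		conn, err := tls.Dial("tcp", host+":443", &tls.Config{ServerName: host, InsecureSkipVerify: true})
		must(err)
		fmt.Printf("%s: %+v\n", host, AuditChain(conn.ConnectionState().PeerCertificates, nil, host))
		conn.Close()
	}
}
```

When Incomplete is set, MissingIssuer is the CN the server should have appended to its chain; the fix belongs on the server (ship the intermediate in the certificate bundle), not in client trust stores, and a hostname mismatch or expiry is deliberately reported as a plain Err so it is not confused with a chain problem.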

Thank you! Fixed.

Not sure if it's a DNS issue from my side but "mikrotik.com" works but not "www.mikrotik.com".

Thanks! It is now fixed for mikrotik.com.

But as @Larsa mentioned, there seems to be another issue with www.mikrotik.com.


$ host -t A mikrotik.com
mikrotik.com has address 159.148.172.205

$ host -t A www.mikrotik.com
www.mikrotik.com has address 159.147.172.205

It seems that someone mistyped the IP for www.mikrotik.com (159.147.172.205). I guess it should be the same as in mikrotik.com (159.148.172.205).

IPv6 is OK and working fine:


$ host -t AAAA mikrotik.com
mikrotik.com has IPv6 address 2a02:610:7501:2000::205

$ host -t AAAA www.mikrotik.com
www.mikrotik.com has IPv6 address 2a02:610:7501:2000::205
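
The A-record slip above (159.148 versus 159.147 in the second octet) is the kind of drift that is easy to miss by eye and worth checking mechanically whenever the apex and www names are meant to be the same host. The Go program below, an added example rather than anything from the thread or from MikroTik, parses host(1)-style output into per-name address sets, compares apex against www per address family, and, given a domain as its first argument, does live lookups with net.LookupIP instead. hostOutput is a constructed copy of the lines quoted above; ParseHostLines and Mismatches are names chosen for this example.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"sort"
	"strings"
)

// hostOutput is a constructed copy of the host(1) lines quoted in the thread.
var hostOutput = []string{
	"mikrotik.com has address 159.148.172.205",
	"www.mikrotik.com has address 159.147.172.205",
	"mikrotik.com has IPv6 address 2a02:610:7501:2000::205",
	"www.mikrotik.com has IPv6 address 2a02:610:7501:2000::205",
}

// ParseHostLines turns "NAME has address X" / "NAME has IPv6 address X" lines
// into name -> addresses; anything else (aliases, NXDOMAIN messages) is skipped.
func ParseHostLines(lines []string) map[string][]net.IP {
	recs := map[string][]net.IP{}
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) < 4 || f[1] != "has" {
			continue
		}
		if ip := net.ParseIP(f[len(f)-1]); ip != nil {
			recs[f[0]] = append(recs[f[0]], ip)
		}
	}
	return recs
}

// addrSet returns the sorted IPv4 (or IPv6) addresses as strings, so two record
// sets compare equal regardless of the order the resolver returned them in.
func addrSet(ips []net.IP, v4 bool) []string {
	var s []string
	for _, ip := range ips {
		if (ip.To4() != nil) == v4 {
			s = append(s, ip.String())
		}
	}
	sort.Strings(s)
	return s
}

// Mismatches reports, per address family, where apex and www.apex disagree.
// An empty result means both names resolve identically for A and AAAA.
func Mismatches(recs map[string][]net.IP, apex string) []string {
	www := "www." + apex
	var out []string
	for _, fam := range []struct {
		rtype string
		v4    bool
	}{{"A", true}, {"AAAA", false}} {
		a, b := addrSet(recs[apex], fam.v4), addrSet(recs[www], fam.v4)
		if strings.Join(a, ",") != strings.Join(b, ",") {
			out = append(out, fmt.Sprintf("%s: %s=%v %s=%v", fam.rtype, apex, a, www, b))
		}
	}
	return out
}

func main() {
	apex := "mikrotik.com"
	recs := ParseHostLines(hostOutput) // offline: the snapshot from the thread
	if len(os.Args) > 1 {             // live: go run . example.test
		apex = os.Args[1]
		recs = map[string][]net.IP{}
		for _, n := range []string{apex, "www." + apex} {
			ips, err := net.LookupIP(n)
			if err != nil {
				fmt.Println(n, err)
			}
			recs[n] = ips
		}
	}
	for _, m := range Mismatches(recs, apex) {
		fmt.Println("MISMATCH", m)
	}
}
```

Run against the thread's snapshot it flags only the A family, matching the observation that IPv6 was fine; the same comparison is cheap enough to keep in a monitoring job so a mistyped record is caught before users report it.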

Fixed again, sorry :)