Hi mates, about every 2 months my certificate runs out, and my SSTP VPN on Windows doesn't work anymore. I need exactly this type of VPN, not other choices.
So I've simply tried to update the certificate from the terminal, using
certificate enable-ssl-certificate dns=xxxxxxxx
progress: [success] ssl certificate updated
Even though it is updated, it didn't work, so I needed to:
delete the previous certificate
enable the www IP service (port 80) (the port is already open on the internet)
obtain the new certificate
disable the www service
set the new certificate on the SSTP server
Could somebody please help me with a script for this? Thank you a lot!
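The five steps above as one RouterOS script. This is an added example, not the poster's own script or anything from this thread. It follows the enable-ssl-certificate path (RouterOS versions that still have it) and reorders the steps slightly: the new certificate is obtained and put on the SSTP server first, and the previous certificate is removed only after that, so a failed ACME request does not leave the router without any certificate. The hostname vpn.example.com and the firewall rule comment acme-http are placeholders (assumptions, not values from the post); the firewall toggling can be dropped if port 80 is permanently permitted, as in the poster's setup.

```routeros
# Added example, not from the original post. Renew a Let's Encrypt
# certificate with enable-ssl-certificate and move the SSTP server to it.
# Placeholders (assumptions): the DNS name and the firewall rule comment.
:local dnsName "vpn.example.com"

# Remember which certificate the SSTP server uses now, so the old entry can be
# removed only after the new one has been obtained and applied.
:local oldCert [/interface sstp-server server get certificate]

# Expose TCP/80 only for the duration of the ACME HTTP-01 challenge.
# The firewall line is a no-op if no rule carries that comment.
/ip service set www disabled=no
/ip firewall filter enable [find comment="acme-http"]

# Obtain the certificate. enable-ssl-certificate also points the www-ssl
# service at the new certificate, but it touches no other service.
:local ok true
:do {
    /certificate enable-ssl-certificate dns-name=$dnsName
} on-error={
    :set ok false
    :log error "ACME renewal for $dnsName failed"
}

# Close TCP/80 again whether or not the request succeeded.
/ip firewall filter disable [find comment="acme-http"]
/ip service set www disabled=yes

# Point the SSTP server at whatever www-ssl now uses, then drop the superseded
# entry. If RouterOS renewed the existing entry in place, the names match and
# nothing needs to change.
:if ($ok) do={
    :local newCert [/ip service get [find name="www-ssl"] certificate]
    :if ([:len $newCert] > 0 && $newCert != "none" && $newCert != $oldCert) do={
        /interface sstp-server server set certificate=$newCert
        :log info "SSTP server switched to certificate $newCert"
        :if ([:len $oldCert] > 0 && $oldCert != "none") do={
            /certificate remove [find name=$oldCert]
        }
    }
}
```

Run it by hand first from the terminal so any error from the ACME step is visible; once it behaves, store it under /system script and call it from a scheduler entry shortly before the 4/5-of-lifetime point where RouterOS would otherwise attempt its own renewal.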
Which RouterOS version are you running? Do you plan to stay on that version for a very long time?
Because from version 7.22, enable-ssl-certificate has been deprecated and no longer works; it has been replaced by add-acme. If you do intend to upgrade your device soon, then it might be better to upgrade to the latest stable (7.22.1) and write your script with add-acme in mind.
If you don't upgrade and write the script with enable-ssl-certificate now, the script will break with future upgrades and will require adjustments then.
You can see this post from me for an example using add-acme:
You can set some parameters at the top to false if you don't need to upgrade User Manager or API-SSL. Set exportCertPath to the empty string "" if you don't need to save the certificate as a file.
Also, the script enables and disables an IPv6 firewall rule (selected based on its comment) that allows access to TCP port 80 from outside. If you don't need that, comment out the lines starting with /ipv6 firewall filter. Or if you use a rule in the IPv4 firewall, then adjust those lines to start with /ip firewall filter.
If you intend to stay on versions <= 7.21.x for a very long time, then you'll need a version that uses enable-ssl-certificate.
The bug you mentioned is a bug because enable-ssl-certificate was always supposed to update the setting of the www-ssl service. When it fails to do that, it's clearly a bug.
However, in the case of the OP, we are talking about the SSTP server, and just as with User Manager and Hotspot, enable-ssl-certificate has never made changes to those extra services to automatically put them on the renewed certificate. Those services keep referencing the old certificate until you manually (or with a script) update their settings.
enable-ssl-certificate was only built to get and automatically update the cert for www-ssl.
With the new add-acme, the automatic renewal does not create a new certificate (no new entry with a new .id), so in theory after renewal the other services still point to the same certificate entry and require no settings update. However, I don't think that the services automatically reload and use the new certificate unless they are restarted / the device is rebooted.
For my usage I cannot rely on the automatic renewal, so my script linked above always uses add-acme to generate a new cert and deletes the old one.
Thank you mates for your kind answers. I see this matter is current, and it looks like I've opened this topic at the proper time of change. I guess it's better for me to wait, since maybe MikroTik will fix this stuff in the next releases. Please let's stay in touch about that; in the meantime I'll open an issue asking for an easier way of updating/scheduling.
I don't think you've got it right. The mechanism that Let's Encrypt uses to verify that the requestor of a certificate is reachable via the FQDN that is the certificate subject depends on the ability of the certificate requestor to act as a web server and provide the proper answer to an HTTP request sent to that FQDN. So there is no way for it to work if access to TCP port 80 of the requesting device (your Mikrotik) from the whole internet is permanently blocked.
But there is no need to open access to TCP port 80 first and then manually trigger the certificate renewal: once you have used enable-ssl-certificate once, RouterOS takes care of the renewal on its own, except that it does so after 4/5 of the validity period has expired, whereas the Linux certbot does that after 2/3 of that period. And the renewal process starts with the Mikrotik sending a request as a client to a known FQDN, so you can temporarily enable access to TCP port 80 for a couple of seconds whenever you see a request towards that FQDN.
What is missing is a mechanism that would spawn, upon a successful renewal, a script that would copy the new certificate from the www-ssl service (which itself does not even have to be enabled, by the way) to the service that actually uses it, in your case the SSTP server. So instead, you need a scheduled script that periodically checks whether the two certificates match and, if they don't, updates the SSTP server with the new one.
I have posted the whole setup of the firewall not long ago here in another topic.
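The scheduled reconciliation script described in the reply above, written out as an added example (it is not the reply author's script, and the firewall setup they mention is not reproduced here). It relies on RouterOS keeping the www-ssl service's certificate current after its own renewal, and only copies that reference to the SSTP server when the two differ. The script name sstp-cert-sync and the one-hour interval are assumptions chosen for the example.

```routeros
# Added example, not from the thread. Save this as a script named
# "sstp-cert-sync" (name is an assumption) and schedule it; it is idempotent,
# so running it more often than needed is harmless.
:local wwwCert [/ip service get [find name="www-ssl"] certificate]
:local sstpCert [/interface sstp-server server get certificate]

# If www-ssl has no certificate (enable-ssl-certificate never run, or the
# renewal failed), do nothing rather than clearing the SSTP server's setting.
:if ([:len $wwwCert] = 0 || $wwwCert = "none") do={
    :log warning "sstp-cert-sync: www-ssl has no certificate, nothing to do"
} else={
    :if ($sstpCert != $wwwCert) do={
        /interface sstp-server server set certificate=$wwwCert
        :log info "sstp-cert-sync: SSTP server moved from $sstpCert to $wwwCert"
    }
}

# Scheduler entry to run it hourly (type this once in the terminal after the
# script exists). The policy list only needs what the script actually uses.
# /system scheduler add name="sstp-cert-sync" interval=1h \
#     on-event="sstp-cert-sync" policy=read,write,test
```

Because the comparison is by certificate name, this catches the case where RouterOS creates a new entry on renewal. If a future renewal instead refreshes the existing entry in place, the names stay equal and the script leaves the SSTP server alone, which is the intended behaviour as long as the service picks up the refreshed entry on its own.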