My described process is meant for custom domains (including wildcard domains / subdomains), such as, let's say, the hotspot that has the URL guest-wifi.my-restaurant-name.com, and I own the domain my-restaurant-name.com. And let's say the restaurant only has one RouterOS device that also manages the hotspot. Currently, with the built-in RouterOS tool, we have to have a guest-wifi.my-restaurant-name.com A or AAAA record pointing to the IP address, or a guest-wifi.my-restaurant-name.com CNAME to the IP Cloud or similar DDNS subdomain. Then, during the renewal, we currently need to keep www running and port 80 open (and/or DSTNATed to the RouterOS device) if not using IP Cloud. But using IP Cloud still doesn't support wildcard domains, and the domain still has to point to the public-side IP address (through CNAME) even if not needed. The alternative is to request the certificate with external tools/services and transfer it to the RouterOS device.
It would be better if the RouterOS device supported the proposed DNS-01 challenge workflow. The restaurant owner would only need to create a _acme-challenge.guest-wifi.my-restaurant-name.com CNAME record (once) pointing to 6a58297848d3864fa2dd706a2875f75ebb9b1c0a9306bfb93982d3d8.acme.mynetname.net (an example hash generated from the secret set in the entry on the router). No DNS record even needs to exist on the internet for guest-wifi.my-restaurant-name.com (because that subdomain is only used inside the hotspot network). RouterOS will take care of the rest when generating / renewing the certificate. It will perform the DNS-01 challenge. The step where the TXT record needs to be updated is done by RouterOS sending the challenge text and the secret to the MikroTik server, so that the temporary TXT record for 6a58297848d3864fa2dd706a2875f75ebb9b1c0a9306bfb93982d3d8.acme.mynetname.net can be present for a couple of minutes. No need for www running or inbound port 80 access.
RouterOS would have a table where entries for multiple custom domains/subdomains can be managed. Each entry only requires an additional field (besides the name of the subdomain) for the secret string, and maybe an "Is Wildcard" checkbox, and can display the calculated matching xxxxxx.acme.mynetname.net subdomain (so that the user can create the required CNAME record). Renewal for the whole table can be performed automatically by RouterOS. The domains can point to an arbitrary IP address (including local) or don't need any record (when the TLS certificate is only used for RADIUS, for example).
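
The proposed flow, sketched as an added example that is not part of the original post and is not MikroTik code: the router derives the CNAME target from the secret, computes the RFC 8555 DNS-01 TXT value, and the vendor-side service accepts a TXT update only for the name that the presented secret maps to. It assumes SHA-224 over the secret (the 56-hex-character label in the post fits that length, but the post names no algorithm); `TxtUpdateService` and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

ZONE = "acme.mynetname.net"  # delegation zone named in the post


def delegation_name(secret: str) -> str:
    # ASSUMPTION: label = SHA-224 hex of the secret (the post names no algorithm).
    return f"{hashlib.sha224(secret.encode()).hexdigest()}.{ZONE}"


def challenge_name(domain: str) -> str:
    # RFC 8555: a wildcard is validated at the base name, so "*.example.com"
    # and "example.com" share one _acme-challenge record.
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base.rstrip('.').lower()}"


def txt_value(token: str, account_thumbprint: str) -> str:
    # RFC 8555 section 8.4: base64url(SHA-256(token "." thumbprint)), no padding.
    key_auth = f"{token}.{account_thumbprint}".encode()
    return base64.urlsafe_b64encode(hashlib.sha256(key_auth).digest()).rstrip(b"=").decode()


class TxtUpdateService:
    """Hypothetical vendor-side endpoint; holds TXT records in memory."""

    def __init__(self):
        self.records = {}

    def publish(self, target: str, secret: str, value: str) -> bool:
        # The target is public (it is in the owner's CNAME); only the secret
        # authorises a write, and only to the name derived from it.
        expected = delegation_name(secret)
        if not hmac.compare_digest(expected.encode(), target.lower().encode()):
            return False
        self.records[expected] = value
        return True

    def clear(self, target: str) -> None:
        self.records.pop(target.lower(), None)  # remove after validation


if __name__ == "__main__":
    secret = "constructed-example-secret"  # constructed sample value
    target = delegation_name(secret)
    print(challenge_name("*.my-restaurant-name.com"), "CNAME", target)
    svc = TxtUpdateService()
    print(svc.publish(target, secret, txt_value("constructed-token", "constructed-thumbprint")))
    print(svc.publish(target, "wrong-secret", "x"))
```

Because the CNAME target is visible to anyone who queries DNS, the secret is the only thing that controls issuance for the delegated name and should be long, random and unique per entry.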