problem with port 443 & mikrotik ssl certificate

Hello! I’m new with mikrotik.

I have a web server on port 8000 and forward to it from port 443.
On the server, I have SSL certificates, but when I try to go to port 443, Chrome says ‘Secure Connection Failed’

  • as I found out, the browser wants to use the Mikrotik certificate and not my server

Please help me! Thanks

All that the browser does is verify the server’s certificate against its own information (such as the FQDN used to connect to the server). It is the server which sends the certificate back.

So when you’re connecting to Mikrotik port 443 (or is it port 8000?) and it returns Mikrotik’s certificate instead of the server’s one, this means that port forwarding most probably doesn’t work as intended.

Thank you for the reply

  • I try to connect to port 443 (I have a domain with https) and forward to 8000 (it is my server) - it doesn’t work
  • when I connect to port 4432 and forward to 4332 (it is another server) it is ok.

Can you post output of /ip firewall export (and obfuscate your public IP address if it’s somewhere in exported data)? I still think it’s something about your configuration … or perhaps your ISP is interfering, but let’s check your config first.

Here is what I have
https://screenshots.firefox.com/4Nj4QWAEbAs9jTY3/null
https://screenshots.firefox.com/LJqgSChBNTv3tE8V/null
https://screenshots.firefox.com/QxoXONtll7mA35Th/null

When I turn off ssl, it does not even open the port (as I understand).

Thank you

Please execute the command I wrote in my previous post (in italic) in a terminal window … screenshots are really hard to analyze, most of the time they don’t show all the needed information.

BTW, do you have to expose WebFig over https? Because that’s what /ip service is all about. You don’t have to enable it just to forward a connection to some LAN host …

Thank you

Because that’s the /ip service all about. You don’t have to enable it just to forward connection to some LAN host – I understand now

/ip firewall nat
add action=dst-nat chain=dstnat connection-limit=100,32 dst-port=443 hotspot="" in-interface=ether1 protocol=tcp to-addresses=192.168.88.247 to-ports=8000
add action=dst-nat chain=dstnat dst-port=44331 in-interface=ether1 protocol=tcp to-addresses=192.168.88.247 to-ports=22222
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.88.247
add action=dst-nat chain=dstnat dst-port=23452 in-interface=ether1 protocol=tcp to-addresses=192.168.88.247 to-ports=3344
add action=dst-nat chain=dstnat dst-port=3244 in-interface=ether1 protocol=tcp to-addresses=192.168.88.247 to-ports=3000
add action=dst-nat chain=dstnat dst-port=44444 in-interface=ether1 protocol=tcp to-addresses=192.168.88.247 to-ports=42237
add action=dst-nat chain=dstnat dst-port=33 in-interface=ether1 protocol=tcp to-addresses=192.168.88.247 to-ports=22332
add action=masquerade chain=srcnat out-interface=ether1

Thank you! I removed hotspot & connection-limit, and it is working now

Totally, thank you
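
A check for the condition that resolved this thread, as an added example (not code posted by any participant): it parses an /ip firewall nat export and lists dst-nat rules that carry matchers beyond a plain port forward, such as hotspot and connection-limit on the 443 rule above. The BASIC_KEYS allow-list and the function names are assumptions made for this example, and the parser assumes one rule per line, as in the posted export.

```python
import shlex

# Assumption: properties a plain port forward needs. Every other property on a
# rule is an additional condition that must also match before dst-nat applies.
BASIC_KEYS = {"action", "chain", "protocol", "dst-port", "dst-address",
              "in-interface", "to-addresses", "to-ports", "comment"}

# Sample input: four of the rules from the export posted in the thread.
EXPORT = '''/ip firewall nat
add action=dst-nat chain=dstnat connection-limit=100,32 dst-port=443 hotspot="" in-interface=ether1 protocol=tcp to-addresses=192.168.88.247 to-ports=8000
add action=dst-nat chain=dstnat dst-port=44331 in-interface=ether1 protocol=tcp to-addresses=192.168.88.247 to-ports=22222
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.88.247
add action=masquerade chain=srcnat out-interface=ether1
'''

def parse_rules(export):
    """Turn each 'add key=value ...' line into a dict of rule properties."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the menu path line and blank lines
        rule = {}
        # shlex handles quoted values such as hotspot="" (empty string)
        for token in shlex.split(line)[1:]:
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def audit_forwards(export):
    """Return (dst-port, extra matchers) for dst-nat rules with extra conditions."""
    findings = []
    for rule in parse_rules(export):
        if rule.get("action") != "dst-nat":
            continue
        extra = sorted(set(rule) - BASIC_KEYS)
        if extra:
            findings.append((rule.get("dst-port"), extra))
    return findings

if __name__ == "__main__":
    for port, extra in audit_forwards(EXPORT):
        print(f"dst-port {port}: extra matchers {', '.join(extra)}")
```

A connection that fails one of the extra conditions is not forwarded by that rule, so a flagged rule on port 443 is the first place to look when the router's own certificate is what comes back.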