REST API basic help

Trying to get a response from a hEX S (7.1beta4) installed from a Raspberry Pi.

Using:

$ curl -k -u admin: https://10.0.0.210/rest/system/resource

(https://help.mikrotik.com/docs/display/ROS/REST+API)

www-ssl enabled / all firewalls off / login tcp traffic to 443 / user: admin / password: none

This is the response I’m getting from the Pi:

curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Logs:

10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (SYN), 10.0.0.81:52228->10.0.0.210:443, len 60 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK), 10.0.0.81:52228->10.0.0.210:443, len 52 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK,PSH), 10.0.0.81:52228->10.0.0.210:443, len 569 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK), 10.0.0.81:52228->10.0.0.210:443, len 52 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK,FIN), 10.0.0.81:52228->10.0.0.210:443, len 52 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK), 10.0.0.81:52228->10.0.0.210:443, len 52

Any assistance would be appreciated. TIA.

Handshake can fail if there is a problem with the certificate chain. Have you set a certificate for the www-ssl service on the router, and have you imported the CA certificate (used to sign the www-ssl service certificate) on the client device?

Hi, I just tested this and it works as intended. You just need to generate and sign a server certificate. This is how I do it (replace “your.server.url” if you like, it works anyway and is good enough for testing purposes):

/certificate
add name=ca-template days-valid=3650 common-name=your.server.url key-usage=key-cert-sign,crl-sign
add name=server-template days-valid=3650 common-name=your.server.url

/certificate
sign ca-template name=root-ca
:delay 3s
sign ca=root-ca server-template name=server
:delay 3s

/certificate
set root-ca trusted=yes
set server trusted=yes

/ip service
set www-ssl certificate=server disabled=no
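
With the signed certificate set on www-ssl, a client can verify the router against the root CA instead of passing -k, while still sending the HTTP Basic credentials that curl -u sends. The following is an added example, not code from any poster in this thread; the function names and the ca_file path (a copy of root-ca on the client) are assumptions.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request


def basic_auth_header(user, password=""):
    """Return the Authorization value that `curl -u user:password` sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def build_context(ca_file=None):
    """TLS context that verifies chain and host name (the opposite of curl -k)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    if ca_file:
        # Assumption: ca_file is the router's root-ca certificate in PEM form.
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def build_request(host, path, user, password=""):
    """Prepare a GET for https://<host>/rest/<path> with Basic auth."""
    url = f"https://{host}/rest/{path.strip('/')}"
    headers = {"Authorization": basic_auth_header(user, password)}
    return urllib.request.Request(url, headers=headers, method="GET")


def explain_tls_error(exc):
    """Map a TLS error message to the causes raised in this thread."""
    text = str(exc).lower()
    if "mismatch" in text:
        return "name mismatch: connect using the name in the certificate"
    if "certificate verify failed" in text:
        return "chain not trusted: pass the CA that signed the www-ssl certificate"
    if "handshake failure" in text:
        return "server refused the handshake: check the www-ssl certificate setting"
    return "unclassified TLS error: " + str(exc)


def get_resource(host, path, user, password="", ca_file=None, timeout=5):
    """Fetch a REST resource as parsed JSON; TLS failures become RuntimeError."""
    req = build_request(host, path, user, password)
    try:
        with urllib.request.urlopen(req, context=build_context(ca_file), timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLError):
            raise RuntimeError(explain_tls_error(exc.reason)) from exc
        raise
```

Host name checking is on, so the host passed to get_resource has to be the name the server certificate was issued for.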

Thanks, see my error now.

Is there a way to do it using HTTP Basic Auth?

Thank you che!

What is your.server.url? Can you please give me an example?

You need an example to understand the example?