SSL encryption error when trying to access user manager

Hi,
I’m getting the following error in Firefox when I try to access user manager over SSL:
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

I read http://forum.mikrotik.com/t/how-to-set-up-www-ssl/24138/1 and tried rebooting it but it is still stuck.

The SSL certificate was generated on an Ubuntu Linux machine with OpenSSL version “0.9.8g 19 Oct 2007” following the directions on http://wiki.mikrotik.com/wiki/User_Manager/User_payments#HTTPS_connection_enabling
This is on a RB450 initially running 3.22 and now running 4.0beta2 (wanted to see if upgrading fixed it)
The certificate was signed by GeoTrust RapidSSL.

I’ve tried using an encrypted key and also decrypting the key before putting it on the router.

[adminuser@mke-hsgate1] > /certificate print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 0 QR name="cert1" subject=C=US,O=mke-hsgate1.netwurx.net,OU=GT44209601,OU=See http://www.rapidssl.com,resources,cps (c)09,OU=Domain Control
                         Validated - RapidSSL(R),CN=mke-hsgate1.netwurx.net
      issuer=C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1 serial-number="0B1E11"
      invalid-before=mar/25/2009 15:22:54 invalid-after=mar/26/2010 15:22:54 ca=no

[adminuser@mke-hsgate1] > /ip service print
Flags: X - disabled, I - invalid
 #   NAME                               PORT  ADDRESS            CERTIFICATE
=SNIP=
 4   www-ssl                            443   0.0.0.0/0          cert1
=SNIP=

Any suggestions?

Well, I just tried and you have http on port 80 alive and well, am able to see webbox and usermanager. But no response at all from your server on port 443 for SSL.
I would check for any firewall blocking that may be going on? Either on your Mikrotik or further upstream? Or have you recently turned off www-ssl as it wasn’t working?!

I had www-ssl disabled for a few days.

Just to be sure I copy-pasted the openssl commands from the User Manager Wiki page and the problem still occurs.

Trying to connect with the openssl client returns a handshake failure.

~$ openssl s_client -connect mke-hsgate1.netwurx.net:443
CONNECTED(00000003)
22579:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:578:

Can you re-enable www-ssl so I can test?

Yes. I’ve left it enabled.

Also to rule out OpenSSL generating a corrupt cert I’ve generated another self-signed cert using OpenSSL 0.9.8j on a Solaris 10 box.

This box isn’t doing anything else so I can put a different version of RouterOS on it if there is one you think will work better.

I’m working around this by using a PC instead of a RB450.

I initially installed 4.0beta2 and it wouldn’t handle the certificate key properly.

I got it to work by clearing the cert, downgrading to 3.23, installing the cert and testing SSL, and then upgrading back to 4.0beta2.

Hi All,

Realise this is an old post, but I’ve just encountered the same issue. Looking at moving my hotspots to signed SSL login pages but get this same error.

Secure Connection Failed
An error occurred during a connection to mydomain.co.nz.

Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)

Anyone come up with a solution?

All docs are wrong (applies to v5.21)

do this with openssl:

openssl genrsa -out mikroTik.ca.key.pem 2048
openssl req -new -x509 -nodes -days 9999 -key mikroTik.ca.key.pem -out mikroTik.ca.cert.pem

Drag and drop both files into winBox, then import both files. Cert will show up with KR flag.
Use it for www-ssl and you are done. No fuss!
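
An added example, not part of the original posts: a shell check using the openssl CLI that a key file is stored without a passphrase, that it belongs to the certificate, and that the certificate has not expired, run here on files generated with the two commands above. The function names, the -subj option and its CN value are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: sanity checks on a PEM key/certificate pair before importing it
# on the router. Function names are hypothetical, not from the thread.

# True when the private key file is stored without a passphrase.
key_is_decrypted() {
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# True when the public key derived from the private key equals the one in the cert.
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# preflight KEY CERT: returns 0 if the pair passes all checks, 1-3 otherwise.
preflight() {
    key_is_decrypted "$1" || { echo "FAIL: $1 is passphrase-protected"; return 1; }
    pair_matches "$1" "$2" || { echo "FAIL: $1 does not belong to $2"; return 2; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $2 has expired"; return 3; }
    echo "OK: $(openssl x509 -in "$2" -noout -subject -enddate | tr '\n' ' ')"
}

# Demo on constructed files, generated with the commands from the post above
# (-subj is added only so that req does not prompt; the CN is a placeholder).
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/mikroTik.ca.key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 9999 -subj "/CN=router.example.test" \
        -key "$d/mikroTik.ca.key.pem" -out "$d/mikroTik.ca.cert.pem"
    preflight "$d/mikroTik.ca.key.pem" "$d/mikroTik.ca.cert.pem" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

Calling preflight with the real key and certificate paths before the import step gives a non-zero exit code that identifies which check failed.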