Support for ACME/Let's Encrypt certificate management

+1+

We need this! +1

My contribution

https://www.ollegustafsson.com/en/letsencrypt-routeros/

Awesome!

If MikroTik sites use SSL certificates from Let's Encrypt (https://routerboard.com and https://forum.mikrotik.com), why have they not yet integrated the solution into RouterOS?

Because the sites are not hosted by RouterOS?..

Have you tried this tutorial? Simple enough:

Awesome!!! Thank you!!

M.

I created a deploy script for acme.sh to deploy to a routeros server

If anyone would like to have a look at it.
https://github.com/Neilpang/acme.sh/pull/706

+1 acme for renewing cert on mynetname.net would be just YIIIHHHAA!

+1

Just a thought and pardon if I fall out the window on this…

What if the created ROS package for this did an inspection of the TLS SNI domain hint, but only during the setup of a cert if using TLS-SNI mode?
This way it could capture the validation requests and respond appropriately, completing the setup for it.
I say during setup only, as this would have obvious impacts on resources and services while it inspects.
If users are looking for this feature they might be willing to take that knock during the small setup window every 3 months per cert.
(If you don't want to, then don't install the package or set up any certs on it.)

How I envisage the package options:

  • Global settings for ACME protocol requirements (notification email address, etc…) or maybe allow this to also be set per cert (if anyone has the need for this?)
  • allow for more than one cert (you might want different certs for different things)
  • allow for multiple SANs per cert, where the first SAN in the list will be the name of the cert (the SNI domain hint inspection would look for all of these during that cert’s setup/re-validation)
  • allow for auto adding of Cloud DNS to a SAN (makes it easier to not fat finger it)
  • allow for service(s) to be specified for use with that cert (hotspot, SSTP, OpenVPN, API-SSL, WWW-SSL, etc) further improving its automation ability
  • Allow for different strength keys (more robustness and control)

Notes: why only SAN names… Common Name field removal is well underway (see more on this here: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/IGT2fLJrAeo)
however if users want the CN, so be it, I have no objections to it.

Thoughts?

+1+

After trying the script at https://www.ollegustafsson.com/en/letsencrypt-routeros/ for updating an SSTP certificate, I decided to write one that only relies on a BASH script:
Bash script for updating and installing a new LetsEncrypt certificate on MikroTik routers · GitHub

You'll need the following:

  1. Create a DSA SSH Key so that the host running the BASH script can login to MikroTik.
  2. Install acme.sh as per the instructions in https://www.ollegustafsson.com/en/letsencrypt-routeros/
  3. Update the following:

ACME=/root/.acme.sh/acme.sh
DOMAIN=remote.mydomain.tld
CERTPATH=/var/router-certs
CERT=$DOMAIN.cer
KEY=$DOMAIN.key
ROUTER=router_os_IP
ROUTER_USER=username_to_login_to_routeros

If the script is run on a cron, it should renew certificates and when they renew, the commands should be run on the Mikrotik to update the cert.

I’ve got a couple routers that I use LetsEncrypt certificates for SSTP. Since it took me a bit to figure out why things weren’t working at first, I’ve included my tweaked scripts below. Additionally, I created a dedicated user on my Linux server for managing certificates and set it up to log into my routers with certificate login. If the username is identical on both systems, it can be omitted in the command as well.

This script runs shortly after acme.sh in cron to upload the certificates to the routers. Yes, I know this would have been more graceful as a foreach loop, but I’ve only got 2 routers and I was in a hurry.

#!/usr/bin/env bash
set -e
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# Router 1
DOMAIN=vpn1.example.net
CERT=vpn1.example.net.cer
KEY=vpn1.example.net.key
ROUTER="<Router 1 IP Address>"

cd "$DIR/$DOMAIN"

if [ -f "$CERT" ]; then
        echo -n "Uploading $DOMAIN certificate to $ROUTER router..."
        scp -q "$CERT" "$ROUTER:$CERT"
        scp -q "$KEY" "$ROUTER:$KEY"
        # remove the local copies so the next cron run only uploads a freshly renewed cert
        rm "$CERT" "$KEY"
        echo "done!"
fi

# Router 2 (no early exit above, otherwise this router would never be processed)
DOMAIN=vpn2.example.net
CERT=vpn2.example.net.cer
KEY=vpn2.example.net.key
ROUTER="<Router 2 IP Address>"

cd "$DIR/$DOMAIN"

if [ -f "$CERT" ]; then
        echo -n "Uploading $DOMAIN certificate to $ROUTER router..."
        scp -q "$CERT" "$ROUTER:$CERT"
        scp -q "$KEY" "$ROUTER:$KEY"
        rm "$CERT" "$KEY"
        echo "done!"
fi

On my routers, I have this script scheduled to run 30 minutes after the files are scheduled to be uploaded:

# "find name=" is an exact match, so look for the uploaded .cer file itself
:if ([:len [/file find name="vpn1.example.net.cer"]] > 0) do={
    :put "Deleting Old Certificate"
    /certificate remove [find name="vpn1.example.net.cer_0"]
    :delay 1
    :put "Importing new Certificate"
    /certificate import file-name=vpn1.example.net.cer passphrase=""
    /certificate import file-name=vpn1.example.net.key passphrase=""
    :delay 1
    :put "Assigning certificate to SSTP Server"
    /interface sstp-server server set certificate=vpn1.example.net.cer_0
    :delay 1
    :put "Cleaning up files"
    /file remove [find name="vpn1.example.net.cer"]
    /file remove [find name="vpn1.example.net.key"]
    :put "Certificate installation complete"
}

Hi there,
I developed my own solution with a MetaROUTER instance to renew Let's Encrypt certificates on the router itself.
Have a look at https://www.administrator.de/contentid/355746 for a tutorial (German).

Best regards
@colinardo

Unfortunately MetaROUTER is pretty much a forgotten feature by MikroTik.

Currently MetaRouter can be used on

RB400, RB700 series except models with SPI flash, RB900 series except models with SPI flash, RB2011 boards
Listed PPC boards: RB1000, RB1100, RB1100AH and RB800.

In other words, the CCR, RB3011, RB850Gx2, RB1100AHx4, etc., which have enough CPU/storage/memory resources, are not supported.

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:

  • Dedicated Linux renew and push certificates to RouterOS / Mikrotik
  • After CertBot renews your certificates
  • The script connects to RouterOS / Mikrotik using a DSA key (without password or user input)
  • Deletes the previous certificate files
  • Deletes the previous certificate
  • Uploads two new files: certificate and key
  • Imports the certificate and key
  • Changes the SSTP server settings to use the new certificate
  • Deletes the certificate and key files from RouterOS / Mikrotik storage

https://github.com/gitpel/letsencrypt-routeros

To use the script with CertBot hooks:

certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh
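The push-and-import flow described in this post, and the acme.sh cron procedure (DSA key, acme.sh, per-domain variables) from the earlier post, share the same deploy logic. Below is an added example of that logic, written for this thread and not taken from the gitpel script, the acme.sh deploy hook, or any script posted above. It assumes hypothetical values for CERT_DIR, STATE_DIR, ROUTER and ROUTER_USER, key-based SSH login as a dedicated RouterOS user, and RouterOS 6 naming an imported certificate "<file-name>_0". What it adds over the posted scripts is change detection: the certificate's SHA-256 is recorded after each push, so a cron run or certbot --post-hook only touches the router when the certificate really was renewed, and the private key file is removed from router storage once imported.

```shell
#!/bin/sh
# Added example, not the forum scripts or the gitpel project's code.
# Pushes a renewed Let's Encrypt certificate to a RouterOS device and
# activates it for the SSTP server, but only when the certificate file
# actually changed since the last run, so it is safe to call from cron or
# as a certbot --post-hook. All paths and hosts below are hypothetical.
set -u

CERT_DIR="${CERT_DIR:-/var/router-certs}"              # holds $DOMAIN.cer and $DOMAIN.key (assumed layout)
STATE_DIR="${STATE_DIR:-/var/lib/routeros-cert-state}" # where the last pushed digest is recorded
ROUTER="${ROUTER:-router.example.net}"                 # placeholder router address
ROUTER_USER="${ROUTER_USER:-certdeploy}"               # dedicated, key-only RouterOS user (assumed)

# SHA-256 of a file; works with GNU coreutils or BSD/macOS shasum.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True (exit 0) when FILE's digest differs from the one stored in STATEFILE,
# or when nothing has been recorded yet. Exit 2 if the file is missing.
cert_changed() {
    file="$1"; statefile="$2"
    [ -f "$file" ] || return 2
    current=$(file_digest "$file")
    previous=$(cat "$statefile" 2>/dev/null || true)
    [ "$current" != "$previous" ]
}

record_digest() {
    file_digest "$1" > "$2"
}

# The RouterOS command sequence, one command per line. RouterOS 6 names an
# imported certificate "<file-name>_0"; the uploaded files (including the
# private key) are removed from router storage once the import is done.
routeros_import_commands() {
    domain="$1"
    cat <<EOF
/certificate remove [find name="${domain}.cer_0"]
/certificate import file-name=${domain}.cer passphrase=""
/certificate import file-name=${domain}.key passphrase=""
/interface sstp-server server set certificate=${domain}.cer_0
/file remove [find name="${domain}.cer"]
/file remove [find name="${domain}.key"]
EOF
}

# Upload cert and key over scp, run the import sequence over ssh one
# command at a time (RouterOS runs each ssh command line in its console),
# then remember what was pushed. Host key checking is left at the ssh
# defaults on purpose; pin the router's host key in known_hosts instead.
deploy_cert() {
    domain="$1"
    cert="$CERT_DIR/$domain.cer"
    key="$CERT_DIR/$domain.key"
    state="$STATE_DIR/$domain.sha256"
    target="$ROUTER_USER@$ROUTER"

    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "$domain: certificate or key not found in $CERT_DIR" >&2
        return 2
    fi
    if ! cert_changed "$cert" "$state"; then
        echo "$domain: certificate unchanged, nothing to push"
        return 0
    fi
    mkdir -p "$STATE_DIR"
    scp -q "$cert" "$target:$domain.cer" || return 1
    scp -q "$key" "$target:$domain.key" || return 1
    routeros_import_commands "$domain" | while IFS= read -r cmd; do
        ssh "$target" "$cmd" || exit 1
    done || return 1
    record_digest "$cert" "$state"
    echo "$domain: new certificate installed on $ROUTER"
}

# Usage: deploy-routeros-cert.sh vpn1.example.net [vpn2.example.net ...]
if [ "$#" -gt 0 ]; then
    for d in "$@"; do deploy_cert "$d"; done
fi
```

Run it from cron a little after acme.sh or certbot, or point certbot's --post-hook at it with the domain as argument; because the push is gated on the recorded digest, it is harmless to run every day. Keeping the state file outside the certificate directory also means a re-issued certificate with the same contents is not re-pushed.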

Dedicated Linux renew and push certificates to RouterOS / Mikrotik

this is the only sad part. My CCR should be able to do it by itself! :frowning:

+1
Maybe the acme.sh code helps you to find an easy solution: https://github.com/Neilpang/acme.sh
That's the easiest way for Let's Encrypt that I know.

+1 would be really handy