/tool fetch https check-certificate=yes undocumented, not working...

Hello guys,

I am going completely crazy trying to make this check work. No matter what I do, I always get a failed error. This function is undocumented and no sample is provided. I want the script to connect to my website https://www.learn-digital.com, which has a valid certificate. What do I have to do in the /certificate store to make this chain work? I have uploaded the CA certificate of DigiCert, and even exported the chain from Chrome and imported it into MikroTik, but nothing works.

Any suggestions, anyone?

Thank you,
Cheers,
Simone

Guys, really, no one? This feature is pretty much essential for completely secure communication between the router and the server… A bit of a hint in the right direction?

I cannot find any post or any documentation about a working example of chain certificate validation.

Thank you,
Cheers,
Simone

Try the same, but validate without the CRL check (there is a different option for that). If that has a different result, it could mean you don’t have all the needed CRLs.
It is possible that the server gives out a different chain because RouterOS as a client is different from your browser. You should try to packet sniff and see the full chain that the server sends to RouterOS.

It is very likely that server responds with a different certificate chain because RouterOS is not the same kind of client as a web browser.

Can you please update the wiki to reflect the new options.

If I don’t read the forum wrong, it is possible to set HttpHeaders!? How? Examples please, and in the wiki too…
The http-data CLI help tells me:

http-data – POST or PUT request body data

So this tells me no headers can go into this field… How do I change Content-Type, for example?

Hi guys,

Thank you for your reply, but I don’t see where the option to validate without CRL is?
https://wiki.mikrotik.com/wiki/Manual:Tools/Fetch

When I upload the CA I need, MikroTik dynamically adds a CRL to the list as follows:
URL http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Certificate DigiCertCA.crt_0
Num 0
Revoked
Signature
Next Update Jan/01/1970 00:00:00
Last Update Jan/01/1970 00:00:00

I checked the URL and it is valid.

I’ll wait for your reply,

Thank you,
Best Regards,
Simone

Oh my God… I just found it, in version 6.41

CheckCertificate ::= no | yes | yes-without-crl


[admin@1009] > /tool fetch check-certificate=

Yeah guys, the wiki should be updated, possibly with “(as of version 6.41, an additional option is available)”.

Cheers,
Best Regards,
Simone

Yes, it finally works!!! You should update the guide with two working examples, one with “yes” and one with “yes-without-crl”.

For the sake of the community, here’s how I made it work with DigiCert EV Certificate:

  • Of course, make sure your website is configured properly and the green bar appears in Chrome/Firefox
  • From Chrome, export the EV CA Certificate of DigiCert
  • Upload the certificate to RouterOS
  • Make sure you are using v6.41.
  • Import the certificate under /system certificate (no passphrase)
  • /tool fetch mode=https address=www.yourdomain.com host=www.yourdomain.com check-certificate=yes-without-crl …

Cheers,
Best Regards,
Simone
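The procedure above, written out as one RouterOS script so it can run unattended from the scheduler. This is an added illustration, not code from the thread or from MikroTik: it assumes the CA file has already been uploaded to the router's file list as DigiCertCA.crt (the file name visible in the CRL entry earlier in the thread), uses www.yourdomain.com as a placeholder host, and writes the response to a hypothetical destination file. The `:do { } on-error={ }` block turns a failed chain validation into a log entry instead of a silently aborted script.

```routeros
# Added example (not from the thread or from MikroTik).
# Assumes DigiCertCA.crt is already uploaded to Files; www.yourdomain.com and
# fetch-check.txt are placeholders.

# 1. Import the CA that issued the site's certificate (no passphrase).
#    /certificate is the current path; older wiki pages still show /system certificate.
/certificate import file-name=DigiCertCA.crt passphrase=""

# 2. Confirm the CA is now in the store (prints the imported entry).
/certificate print detail where name~"DigiCertCA"

# 3. Fetch with chain validation, skipping the CRL download (yes-without-crl,
#    the option available from v6.41). A chain that does not lead to an
#    imported CA makes fetch fail, which :do/on-error catches.
:do {
    /tool fetch mode=https url="https://www.yourdomain.com/" \
        check-certificate=yes-without-crl dst-path=fetch-check.txt
    :log info "fetch: TLS chain validated against the imported CA"
} on-error={
    :log error "fetch: TLS validation failed; check that the CA which issued the server certificate is imported"
}
```

Switching `yes-without-crl` to `yes` is the only change needed once the CRL download from the DigiCert URL works from the router; if that variant fails while `yes-without-crl` succeeds, the problem is the CRL, not the chain.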

Thanks for going this difficult road to reach that result.

I could not find that in the forum because Mikrotik omitted the “-” between check and certificate.

The wiki has proven to be a problem because it is not up to date and closed for input by owners of MikroTik equipment.

Still no luck here with certificate validation (6.42.3 here), it fails with:

status: failed
failure: ssl connection error: handshake failed: unable to get local issuer certificate (6)

Steps to reproduce:

  • import the EV CA Certificate of DigiCert (upload the file, import the cert)
  • run fetch against a valid Let's Encrypt site
[admin@Mikrotik] > /tool fetch check-certificate=yes-without-crl url="https://valid-isrgrootx1.letsencrypt.org/"
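The failure text in the post above ("unable to get local issuer certificate") is OpenSSL's wording for a chain whose issuer is not in the trust store: the DigiCert root was imported, but the test site's chain leads to a different root, so there is nothing local to anchor it to. The following shell script, added here as an illustration and not taken from the thread or from MikroTik, reproduces that outcome offline with a constructed, throwaway PKI. It assumes the openssl command-line tool is installed; the CA and host names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): show why a leaf verifies against the CA
# that issued it and fails with "unable to get local issuer certificate" against
# an unrelated CA. Requires the openssl CLI; all certificates are constructed here.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed root that signs the server certificate (stands in for the CA that
# really issued the site's certificate).
openssl req -x509 -newkey rsa:2048 -nodes -keyout issuing-ca.key -out issuing-ca.pem \
    -subj "/CN=Constructed Issuing Root" -days 1 >/dev/null 2>&1

# Server (leaf) certificate issued by that root.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA issuing-ca.pem -CAkey issuing-ca.key \
    -CAcreateserial -out server.pem -days 1 >/dev/null 2>&1

# A second, unrelated root (stands in for importing a vendor CA that did not
# issue the site's certificate).
openssl req -x509 -newkey rsa:2048 -nodes -keyout other-ca.key -out other-ca.pem \
    -subj "/CN=Constructed Unrelated Root" -days 1 >/dev/null 2>&1

# verify_chain CA_FILE LEAF_FILE: prints openssl's verdict (including the
# failure reason) and returns openssl's exit status.
verify_chain() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

# The two cases the thread is about: the right trust anchor and the wrong one.
right_ca_result() { verify_chain issuing-ca.pem server.pem; }
wrong_ca_result() { verify_chain other-ca.pem server.pem; }

echo "Against the issuing CA:   $(right_ca_result || true)"
echo "Against an unrelated CA:  $(wrong_ca_result || true)"
```

The practical check before importing anything into the router is therefore to find out which root the target site's chain actually ends at and import that one; a CA from a different vendor, however valid, cannot anchor the chain.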