TR069 SSL certificates and CRL

Hi All,

I get the following error when trying TR069 + SSL:
[admin@MikroTik] > tr069-client print
enabled: yes
acs-url: https://MYURL:7547/CPEManager/CPEs/genericTR69
username:
password:
periodic-inform-enabled: yes
periodic-inform-interval: 1d
connection-request-username:
connection-request-password:
provisioning-code:
client-certificate: none
status: running
last-session-error: SSL: handshake failed: unable to get certificate CRL (6)
retry-count: 7

I used GoDaddy and imported the root and sub certs:
[admin@MikroTik] > certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted

NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT

0 L T godaddy.ca_0 Go Daddy Secure Certificat... 973a41276ffd01e027a2aad49e...
1 L T godaddy.ca_1 Go Daddy Root Certificate ... 3a2fbe92891e57fe05d57087f4...
2 T godaddy.ca_2

The connection works if I import the actual server certificate, but this does not seem useful as I will have to keep this certificate up to date.

Any idea why the MikroTik is trying to check for CRL? Is this something I can enable on the TR069 server?

Any advice appreciated.

Thanks.

OK, the GoDaddy CRLs get downloaded, but I still get the same issue (unable to get certificate CRL (6)):

[admin@MikroTik] > /certificate crl print
Flags: E - expired, D - dynamic, I - invalid

CERT LAST-UPDATE NUM REVOKED URL

0 D godaddy.ca_0 feb/15/2019 19:33:35 0 http://crl.godaddy.com/gdroot-g2.crl
1 D godaddy.ca_1 feb/15/2019 19:33:36 0 http://crl.godaddy.com/gdroot.crl

Maybe the server certificate itself has a different CRL. Only fix I have is to upload the used SSL server certificate. Not a good fix :(

Seems I was correct. I had to manually install the CRL specified inside the server cert to get SSL working:
http://crl.godaggy.com/gdig2s1-920.crl

This seems to be a combination of both the root and sub CA CRLs.

Now the question is how do I get this to work without manually uploading the CRL? It still seems like a bad fix.
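The thread's finding is that the server certificate names its own CRL, separate from the ones listed for the imported CA certificates. The following is an added example, not part of the original posts: a standard-library Python sketch that lists the CRL distribution point URLs a certificate carries, so each certificate in a chain can be checked. The function names and the `crl.example.invalid` sample URL are constructed for illustration.

```python
import ssl
import sys

CRL_DP_OID = bytes.fromhex("551d1f")  # DER body of OID 2.5.29.31, cRLDistributionPoints

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def walk(buf, start, end):
    """Yield every element in buf[start:end], descending into constructed ones."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        if tag & 0x20:  # constructed (SEQUENCE, SET, [n] wrappers)
            yield from walk(buf, vs, ve)
        pos = ve

def crl_urls(der):
    """List the URIs named in a certificate's cRLDistributionPoints extension."""
    urls, in_ext = [], False
    for tag, vs, ve in walk(der, 0, len(der)):
        if tag == 0x06:  # OBJECT IDENTIFIER: is this the extension we want?
            in_ext = der[vs:ve] == CRL_DP_OID
        elif tag == 0x04 and in_ext:  # extnValue OCTET STRING wraps more DER
            urls += [der[s:e].decode("ascii")
                     for t, s, e in walk(der, vs, ve) if t == 0x86]  # [6] URI
            in_ext = False
    return urls

def tlv(tag, body):
    """Encode one DER element (short-form length only; used for the sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_extension(url):
    """Constructed sample: one Extension carrying a single distribution point."""
    point = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, url.encode()))))
    return tlv(0x30, tlv(0x06, CRL_DP_OID) + tlv(0x04, tlv(0x30, point)))

if __name__ == "__main__":
    for path in sys.argv[1:]:  # PEM files, one certificate each
        with open(path) as fh:
            print(path, crl_urls(ssl.PEM_cert_to_DER_cert(fh.read())))
```

Run it with the PEM files of the server certificate and each CA certificate as arguments. A URL printed for the server certificate that is not among those shown by `/certificate crl print` is the CRL the router has not fetched.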