TR69 with HTTPS

Hi All,

Running 6.41rc4 and can’t get TR69 to work over HTTPS. Certificates imported and all. Anyone have the same problem (i.e. a bug)?

[nick@Mikrotik-673706B8FBE4] > /certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME                                        COMMON-NAME                                      SUBJECT-ALT-NAME                                                                   FINGERPRINT
 0   L A  T tmp_acs_ca_cert.txt_0                       ACS-ROOT                                                                                                                            a569abb2ac0751e0f06fa60762adbce02ede66f48810d...



[nick@Mikrotik-673706B8FBE4] > /tr069-client prin
                      enabled: yes
                      acs-url: https://acs.xxx.nl/api/acs/ros/
                     username: test
                     password: test
      periodic-inform-enabled: yes
     periodic-inform-interval: 1d
  connection-request-username:
  connection-request-password:
           client-certificate: none
                       status: running
           last-session-error: SSL: handshake failed: unable to get local issuer certificate (6)
                  retry-count: 5



[nick@Mikrotik-673706B8FBE4] > /tool fetch keep-result=no mode=https check-certificate=yes-without-crl   host="acs.xxx.nl" http-method=post  http-data=$pdataEncoded url="https://acs.xxx.nl/api/"
      status: finished
  downloaded: 0KiB
    duration: 0s

The error hints that not all of the certificate chain is imported.
Only the CA is not enough; you also need the sub-CA, and if you have a CRL, then you also need the CA and sub-CA with which the CRLs are signed.

Hi Normis,

Thanks for the quick reply -

It’s a self-signed CA, with only 1 step (no intermediate certs).

The fetch tool also accepts the cert this way (as shown), and so does curl (openssl) on another machine.

curl --cacert acs.xxx.nl_rootCA.pem  https://acs.xxx.nl/api/acs/ros/ -vvv

Ha; CRL seems to be the issue; thanks!
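
The gap between a chain-only check (what `check-certificate=yes-without-crl` asks of fetch) and a check that also needs a CRL, which the reply above points to, can be reproduced offline with openssl. This is an added example, not part of the original thread; the lab CA, host name and file names are constructed, and openssl's error text differs from the RouterOS message quoted earlier.

```shell
#!/bin/sh
# Constructed lab PKI; every name and file below is a placeholder, not from the thread.
build_lab_pki() {   # $1 = empty working directory
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=LAB-ACS-ROOT" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=acs.lab.example" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/srv.pem" 2>/dev/null || return 1
    # Minimal CA config so `openssl ca -gencrl` can sign an (empty) CRL.
    : > "$d/index.txt"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = lab
[ lab ]
database = $d/index.txt
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    openssl ca -gencrl -config "$d/ca.cnf" -keyfile "$d/ca.key" \
        -cert "$d/ca.pem" -out "$d/ca.crl" 2>/dev/null
}

# Verify the server cert against the lab root; extra options follow the directory.
verify_chain() {    # $1 = lab directory, rest = extra `openssl verify` options
    d=$1; shift
    openssl verify -CAfile "$d/ca.pem" "$@" "$d/srv.pem" 2>&1
}

lab=$(mktemp -d) || exit 1
build_lab_pki "$lab" || exit 1

echo "1) chain only, no CRL lookup:"
verify_chain "$lab" || echo "   -> rejected"
echo "2) CRL required, none available to the verifier:"
verify_chain "$lab" -crl_check || echo "   -> rejected"
echo "3) CRL required, CRL signed by the same root supplied:"
verify_chain "$lab" -crl_check -CRLfile "$lab/ca.crl" || echo "   -> rejected"
```

Case 2 fails even though the root is trusted and the chain is complete, which is why a tool that skips CRL checks can accept a certificate that a CRL-checking client rejects.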

Hi there,
is it also possible to disable the cert checking, meaning not importing the CA cert?

thank you