Unable to get a response using REST API with fetch tool

deadkat · August 31, 2021, 11:06pm

first, yes this has been sent to Mikrotik (SUP-58177). My ticket has been open for a week with no replies from Mikrotik support.

I have attempted using the REST API using the fetch tool from my home router, which runs ROS 6.47.10, out to a CHR which is currently running v7.1RC2. I have also tried the same with RC1 and beta5. The REST API doesn’t appear to be functioning in any of them

I run the following on my home router

/tool fetch http-method=get url=https://3.22.208.229/rest/system/resource check-certificate=no user=admin password=""

and get the following as a result

status: failed

failure: ssl connection error: handshake failed: error 14077410 (6)

I also attempt from ubuntu 20.04.3 running in WSL with the exact example command that is given in the docs at https://help.mikrotik.com/docs/display/ROS/REST+API

curl -k -u admin: https://3.22.208.229/rest/system/resource

and get the following response

curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

I’m attaching the export of my CHR, you can also try this with my CHR, default credentials are set to read only permissions. I don’t have anything on there I care about. I literally just made this CHR to try using the REST API and for my friend to try wireguard.

if I’m stupid and doing this wrong, that’s ok, I’ll take correction for being stupid/ignorant. I’ve never used a REST API before…but I really wish Mikrotik would at least give me a three word “you’re doing it wrong” response if that’s the case.

edit: layout and spelling
chr.rsc (1.53 KB)

zainarbani · September 1, 2021, 12:22pm

[u]https://www.medo64.com/2016/11/enabling-https-on-mikrotik/[/u]

/certificate
add name=root-cert common-name=MyRouter days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=MyRouter days-valid=3650
sign ca=root-cert https-cert

/ip service
set www-ssl certificate=https-cert disabled=no

deadkat · September 2, 2021, 4:06pm

Thanks! Using some self-signed certificates did it for me…The docs page really had me thinking that its possible to sign in via rest API without a certificate if default creds are used. Was hoping that I could use the rest API for config of new devices. Looks like I may try using netinstall plus branding package to add some certificates and go from there.

mrz · September 2, 2021, 6:00pm

The documentation clearly states that you need a certificate. It is even highlighted in a yellow frame with an exclamation mark, as an important note.

zainarbani · September 3, 2021, 6:02am

Hi mrz, need some advice..
From ip sniffer/accounting, API, & REST API. which one is more fast, efficient & resource friendly for real time monitoring calls/usecases? thx.

mrz · September 3, 2021, 6:21am

REST API is doing the same requests as API. In general, speed differences should be insignificant.