Using Let's Encrypt for SSTP

Hello,

For a while i’ve been using a self signed certificate and deploying the mikrotiks CA to client computers that need access.
I wanted to automate this and make it simpler by adding R3 certificates for SSTP connections.
But when i switch SSTP to the let’s encrypt certificate, Windows 10 clients cant connect with error:
“The client and server cannot communicate, because they do not possess a common algorithm”

I saw this post saying i need to use a RSA certificate but i already use it.
Post: http://forum.mikrotik.com/t/sstp-server-with-letsencrypt-certificate/152331/1

Certificate details:
4 T name=“_.domain.com.pfx_0” issuer=C=US,O=Let’s Encrypt,CN=R3 digest-algorithm=sha256 key-type=rsa
common-name=".domain.com" key-size=3072 subject-alt-name=DNS:.domain.com,DNS:domain.com
days-valid=89 trusted=yes key-usage=digital-signature,key-encipherment,tls-server,tls-client
serial-number=“04D83D3B8B9BB0E6A17F5CBBA05F30C843FE”
fingerprint=“425608abde33a9593bb5ff4d78ef9ddebd9d3454249616609afa169812f248eb”
akid=142eb317b75856cbae500940e61faf9d8b14c2c6 skid=2c816f1673a8caa012f75d5f60012b6dc1670a30
invalid-before=nov/23/2021 08:27:23 invalid-after=feb/21/2022 08:27:22 expires-after=12w2d22h22m14s

The error message could possibly be misleading and the cause something else. That certificate has no private key (flags are T rather than KT).

Looking at the certificate details you’ve provided I would say that you haven’t uploaded the private key yet. You should see they following when you look at the certificate details:

/certificate print detail

Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, 
E - expired, T - trusted
4 K  T name="_.domain.com.pfx_0" issuer=C=US,O=Let's Encrypt,CN=R3 digest-algorithm=sha256 key-type=rsa ....

what you are showing is

4 T name="_.domain.com.pfx_0" issuer=C=US,O=Let's Encrypt,CN=R3 digest-algorithm=sha256 key-type=rsa ....

Note the missing K flag on your certificate. Also, if you want to add the Let’s Encrypt R3 intermediate certificate, you can download it from here.

Can one use lets encrypt, assuming this is simply a certificate maker, for use between two MIkrotik routers ??

Yes, a certificate is a certificate. The only wrinkle for Let’s Encrypt is the verification process, typically you run Certbot or an ACME client elsewhere and transfer the generated certificates to the Mikrotik.

That should change in the future. There’s already LE client in ROSv7, but so far only for www service. I didn’t test it, but you can probably write a script to reuse the same certificate for SSTP. But you still need www service running and accessible from internet, which may not be what you want. But since most of the work is done, it shouldn’t be too hard to make it into something more universally usable. Add some hooks for custom scripts. Allow dns verification (which would still require external servers, but it would help with some scenarios). I’m almost sure that it will happen eventually, but since it’s not high priority feature, it may take a while.

I ask the question mainly because in the SSTP examples I find, verify (server/client) certificates is never checked off, so was wondering is that because the certificates were produced on the MT (self signed). and thus verification is not required?

What is the difference between a self-signed MT certificate and a Lets Encrypt Certificate, is maybe the question I should be asking.

Rather than the MT self-signed root CA certificate you require the Let’s Encrypt root and intermediate CA certificates to check authenticity.

If the [bad] examples do not verify the server certificate anyone can perform a man-in-the middle attack or pretend to be the server (and similarly for the client certificate anyone can perform a man-in-the middle attack or pretend to be the client).

Also for SSTP the only safe authentication mechanism is MSCHAPv2 due to the protocol design choices Microsoft made.

@anav: That’s a problem with certificates, they are very secure when everything is configured correctly, but to do that can be quite annoying and tricky. You always have to verify them, otherwise they are useless.

Self-signed certificates can be as secure as trusted ones, in a way even more secure (*). But only with correct verification, which means that every single client must be given either server’s certificate, or certificate of your custom CA used to issue server’s certificate. Then client can verify that there’s really no MITM. Trouble is, this is ok if you do it for just few of your devices, or you’re a big enterprise with established ways how to handle it, but anything between is very annoying. Imagine having severals users and instructing everyone to manually install certificates to their devices. That’s not good. Also very unwise for those users, because then you would be able to issue certificates for other servers and their devices would trust them.

That’s advantage of trusted certificates, all regular systems (Windows, …) already include many CA certificates (like Let’s Encrypt). So if you get LE certificate for your SSTP or other server, client is able to verify that’s not fake. And without any manual config on client side. Catch is, it only works with clients where manufacturers handle updates of CA certificates, because they too can change, but not too frequently.

But if you use a client where manufacturer doesn’t handle this, it’s up to you. For example, RouterOS doesn’t include any certificates by default. So a RouterOS client connecting to SSTP server with LE certificate needs LE’s root certificate, to be able to verify server’s. And it’s up to you to keep it updated. It needs to be done only once a few years, but even that’s problematic for regular non-technical user.

And if it wasn’t bad enough, there’s not just CA certificate and server’s certificate, there are other intermediate certificates between them. And they too need to be verified, have own validity period, and everything. The right way is for server to send intermediate certificates to client, so that client needs only root and nothing else. The catch is, if you misconfigure this and server sends just its own certificate without intermediates, regular clients like Windows won’t probably notice, because they already got necessary intermediate certificates from elsewhere. But RouterOS client with just root certificate will have problem with that.

And it can be even worse, because in order to support some old clients, LE is currently by default providing wrong certificate chain with expired certificate. Some clients ignore that, but some don’t. And good luck getting it going if you don’t know much about it.

So again, certificates are great. But they work best when someone else does all the required work.

(*) With a public CA, there’s at least theoretical possibility to bribe someone inside to issue certificate for someone else’s server. It’s very unlikely and there are countermeasures against that. With your own CA, it’s not possible at all. And sure, they could simply beat you up and make you, but the point is that you’d definitely notice it.

Hi Sob,
You just verified a simple fact for me.
Wireguard rocks every other VPN needing client certificate management up the ying yang sucks

Hello!

Thank you to everyone for responding.

Thank you to @tdw and @MickeyT for the suggestion on adding the private key. I updated my script and now it also imports the private key.
The way i had it before was it downloaded a .pfx file for the certificate and imported it. Seems that the .pfx file does not contain a private key with it.

Does the private key need to be updated with every certificate renewal? I would think not but might as well ask.

For those interested, we have a domain on cloudflare where we add clients as a subdomain to allow easy VPN access. We already use Let’s Encrypt for a lot of things and wanted to include SSTP to that list. I host a FTP server with a wildcard certificate and with a script I upload it to the router and update all necessary settings.

:log info "Running Certificate update"
/file remove [find where name~"domain.com"]
/certificate remove [find where name~"domain.com"]
/tool fetch address=ftp.domain.com src-path=_.domain.com.pfx user=certs mode=ftp password=******** dst-path=_.domain.com.pfx port=21 keep-result=yes
:delay 3000ms;
/certificate import passphrase="" file-name=_.domain.com.pfx
:log info "Updated server certificate"
/tool fetch address=ftp.domain.com src-path=_.domain.com-key.pem user=certs mode=ftp password=******** dst-path=_.domain.com-key.pem port=21 keep-result=yes
:delay 3000ms;
/certificate import passphrase="" file-name=_.domain.com-key.pem
:log info "Updated certificate key"
/interface sstp-server server set certificate=_.domain.com.pfx_0
:log info "Certificate updated!"

As @Sob has kindly explained in detail, its nice to have a self-signed certificate and just upload the CA to every client and its starting to get tedious to explain how to import a certificate in the correct certificate store and such so I figured this would be much simpler.

If your original .pfx is indeed PKCS#12 format that can contain certificates and keys. Mikrotiks will only export an associated private key if a passphrase is specified, I don’t know if there are any such restrictions on import.

There is no documentation on how keys are associated with certificates on import, so you would have to test if only importing a certificate works on renewal.

Whether you need to upload private key depends on LE client, if it reuses the old one, or creates new one. New key for every certificate is probably default, at least judging by few LE clients I’ve seen. Even if it stays the same, I don’t know if RouterOS would take it from previous certificate. Also don’t forget about intermediates, RouterOS server should have them too.

It depends. Wireguard’s simplicity is great. If you need it for yourself or just few users, it’s perfect. But it’s also kind of dumb. Once you need something more dynamic, starting with addresses, adding and removing subnets, or generally some kind of centralized management, you need another layer to handle that. I’m a bit afraid that we can expect war between incompatible standards that will try to solve these things.

It seems to me, that the most capable is still the good old OpenVPN, which can do all kinds of things. Even its use of certificates is not that much annoying, you can have own CA with long validity, and also include everything in one config file, so it’s not too bad to manage. Also thanks to same one implementation everywhere, compatibility is very good. Well, except for MikroTik of course, they unfortunatelly had to do their own and not so much compatible thing.


I don’t know, all these “everything in cloud”, “outsource it to someone else” things, even though they can be convenient for some, and even have some extra added value, I don’t think it’s the right way. But I won’t say that I’m objective and my opinion is the only right one.

@mike6715b: Few things:

• I may be wrong, but I doubt that fetch supports encrypted ftp. And if you really don’t have encrypted private key, transferring it over plaintext connection wouldn’t be secure at all.
• The script itself is not very reliable, you should first get new certificate, import it, make sure it’s ok, and only then replace and delete the old one.

@Sob

On the mikrotik wiki here it says that secure FTP is added from version v6.45. Also for when its time for proper deployment, they all will be encrypted.
For now its another mikrotik in my network for testing purposes.

The FTP server has a ACME client running set to renew certificates ~30d before they expire and the script running will just get the latest one.
The script is VERY crude at the moment, im going to add checks for certificate validity and if the FTP server is available and so on.

I was already about to apologize to MikroTik for underestimating them, but when I look at your link, it says “SFTP (SSH File Transfer Protocol)”, that’s completely different thing.