Webfig with HTTPS support?

How do I configure Webfig to use https? I turned on the ssl-http in IP/Services and installed a certificate but I still get an SSL error when I try to access webfig through https://192.168.88.1.

Thanks.

RouterOS version?
RouterBoard used?
[Remember to specify that every time]

Probably the certificates are not installed correctly
http://wiki.mikrotik.com/wiki/SSL_Certificate_setup

Also check whether the firewall is blocking/redirecting anything.

If you use ROS 6.10 there is a problem fixed in 6.11 (wait for the official version):

*) ssl - not finding CRL in local store for any certificate in trust chain will cause connection to fail;

Hi rextended,

RouterOS version = 6.10
RouterBoard used = RB951Ui
RouterBoard Firmware = 3.12

I generated the certificate from my Ubuntu machine with openssl x509. I used the System/Certificates to import the file. Do I need to set up the firewall for local access, i.e., 192.168.88.1?

Thanks.
Vincent

I have the same issue; I have created a self-signed certificate, copied together key, csr, cert, added the resulting file with “/certificate import file-name=mikrotik_rb450g_all.crt” (I have also tried with key and cert only, without csr), and set the resulting cert1 to service www-ssl.
But it doesn’t work, Chrome returns Error code: ERR_CONNECTION_REFUSED. I can telnet to 443, so the service is working, just not correctly.
Certificate is shown correctly in System > Certificates.

RouterOS version = 5.14
RouterBoard used = 450G
RouterBoard Firmware = 2.23

I fear the problem is in the choice of available SSL cyphers.

aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks
eNULL contains null-encryption ciphers (cleartext)
EXPORT are legacy weak ciphers that were marked as exportable by US law
RC4 contains ciphers that use the deprecated ARCFOUR algorithm
DES contains ciphers that use the deprecated Data Encryption Standard
SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated
MD5 contains all the ciphers that use the deprecated message digest 5 as the hashing algorithm

If any of these are used by RouterOS, then the “modern” browsers will refuse to connect.
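
Added example, not part of the original thread: a Python sketch that reads a cipher listing in the format printed by `openssl ciphers -v` and flags the suites that fall into the classes listed above. The sample rows are constructed (not captured from any router), and the function names are this example's own.

```python
import re

# Constructed sample in `openssl ciphers -v` layout (not captured from a router).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
ADH-AES256-SHA              SSLv3   Kx=DH       Au=None Enc=AES(256)    Mac=SHA1
NULL-SHA                    SSLv3   Kx=RSA      Au=RSA  Enc=None        Mac=SHA1
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)     Mac=MD5  export
DES-CBC-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=DES(56)     Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
RC4-MD5                     SSLv2   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=MD5
"""

def parse_line(line):
    """Split one row into name, protocol and its Kx/Au/Enc/Mac fields."""
    parts = line.split()
    if len(parts) < 6 or "=" not in parts[2]:
        return None  # blank line, banner or unknown layout
    suite = {"name": parts[0], "proto": parts[1], "export": "export" in parts[6:]}
    for field in parts[2:6]:
        key, _, value = field.partition("=")
        suite[key] = value
    return suite

def weak_classes(suite):
    """Classes from the list above that this suite falls into."""
    enc = re.sub(r"\(\d+\)$", "", suite.get("Enc", ""))  # "RC4(40)" -> "RC4"
    checks = [
        ("aNULL", suite.get("Au") == "None"),
        ("eNULL", enc == "None"),
        ("EXPORT", suite["export"] or suite["name"].startswith("EXP-")),
        ("RC4", enc == "RC4"),
        ("DES", enc == "DES"),  # single DES only; 3DES is not in the list above
        ("SSLv2", suite["proto"] == "SSLv2"),
        ("MD5", suite.get("Mac") == "MD5"),
    ]
    return [label for label, hit in checks if hit]

def audit(text):
    """Map each flagged suite name to its weak classes; clean suites are omitted."""
    report = {}
    for line in text.splitlines():
        suite = parse_line(line)
        if suite and weak_classes(suite):
            report[suite["name"]] = weak_classes(suite)
    return report

if __name__ == "__main__":
    for name, classes in audit(SAMPLE).items():
        print(f"{name:<28} {', '.join(classes)}")
```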

I use the certificates autogenerated by capsman :laughing:

It looks like this is top secret.
:confused:

This issue still persists with 6.33.3 and 6.34rc34:

This webpage is not available

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

A secure connection cannot be established because this site uses an unsupported protocol.

Is there anyone out there that knows anything about this?
The RouterOS HTTPS stuff needs an update!!!

This is what worked for me:

https://blog.a2o.si/2015/08/11/mikrotik-how-to-generate-ssl-certificate-and-enable-https/



#1. Create CA certificate first:
/certificate add name=my-rtr-ca common-name=my-rtr-ca key-usage=key-cert-sign,crl-sign

#2. Sign the CA certificate:
/certificate sign my-rtr-ca

#3. Now create a regular certificate for HTTPS access:
/certificate add name=my-rtr common-name=my-rtr

#4. Sign it with CA from steps 1&2:
/certificate sign ca=my-rtr-ca my-rtr

#5. And finally, assign the new certificate to HTTPS service:
/ip service set www-ssl certificate=my-rtr

Which RouterOS version?

6.34.3

6.36 is still showing this issue and 6.37 doesn’t seem to have any fixes for this yet.

Yeah same issue here. Time to solve this mikrotik!

I stumbled upon the same problem and it turns out you need to import the certificate twice (I had both key and cert in the same file).
The first pass imports the cert only, the second imports the private keys. Again, only if you have cert & key in the same file.
You should see “KT” status near certificate after that, where K means that certificate is matched with private key and “T” means that certificate is trusted. Just “K” should be fine too.
After that SSL connections to webfig started working for me.

I use:

http://www.selfsignedcertificate.com/

Just create the certs (.key and .csr), then import them on ROS. After that, enable https with these certs.

M.

How have you done it?

Mine is still not working…

I can confirm that this issue is still unresolved.
.. still getting this error: “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”

Mmmmh, no problems here for years with CaCert.org & ROS current.
Just switched to: 6.37rc27 → https webfig login is fine as ever :smiley:

I’ve generated a .p12 file for import to my Tikl.

~$ openssl pkcs12 -export -inkey mikrotik_example_com.key -in mikrotik_example_com.crt -certfile CAcert.org.crt -out mikrotik_example_com.p12 -name mikrotik.example.com

After import the Cert has (Status: KLT Key Size: 4096)

Don’t forget the CAcert Root & Class3 Cert in your browser or system & Android devices.

I’m using https://www.startssl.com/ to make the cert. The CA is fine, as the same thing works without error for my Synology NAS. So it must be a config problem of MikroTik…