zombie2048
just joined
Posts: 1
Joined: Fri Dec 09, 2016 12:49 am

Re: Support for ACME/Let's Encrypt certificate management

Fri Dec 09, 2016 12:51 am

+1, please!
 
kopimi
just joined
Posts: 2
Joined: Tue Dec 06, 2016 2:10 am

Re: Support for ACME/Let's Encrypt certificate management

Sun Dec 25, 2016 3:57 pm

+3 (at least!)
I think it would be super simple to implement and it would solve so many issues for us techies.
 
majestic
Frequent Visitor
Posts: 81
Joined: Mon Dec 05, 2016 11:19 am

Re: Support for ACME/Let's Encrypt certificate management

Mon Dec 26, 2016 7:20 pm

+1 for support, it would make things much easier for a lot of us.
 
mbeauverd
just joined
Posts: 17
Joined: Mon Oct 03, 2016 10:46 am

Re: Support for ACME/Let's Encrypt certificate management

Wed Dec 28, 2016 12:06 am

Yes +1
 
macroc
just joined
Posts: 2
Joined: Mon Apr 25, 2016 12:41 am
Location: Ireland

Re: Support for ACME/Let's Encrypt certificate management

Sat Dec 31, 2016 5:08 pm

+ 1!
 
JasonPugh
just joined
Posts: 1
Joined: Sun Jan 01, 2017 2:15 pm

Re: Support for ACME/Let's Encrypt certificate management

Sun Jan 01, 2017 2:17 pm

+1, please!
 
gfra
just joined
Posts: 3
Joined: Sat Dec 24, 2016 4:02 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Jan 06, 2017 11:38 pm

+1 :)
 
lomadurov
just joined
Posts: 1
Joined: Sat Jan 14, 2017 3:56 pm

Re: Support for ACME/Let's Encrypt certificate management

Sat Jan 14, 2017 3:57 pm

+1, please!
 
callme
just joined
Posts: 14
Joined: Sat Aug 30, 2014 9:12 am

Re: Support for ACME/Let's Encrypt certificate management

Sat Jan 21, 2017 9:42 am

+1 Please
 
Sob
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: Support for ACME/Let's Encrypt certificate management

Sat Jan 21, 2017 5:05 pm

Plus ones all around, but did anyone give it some thought beyond that it would be a nice feature? How exactly should it work to be usable for as many scenarios as possible? Because there are quite a few.

Let's Encrypt allows verifying hostnames using different challenges:

- http - code needs to be placed on http server on default port
- dns - code needs to be placed in dns
- tls-sni - code needs to be served by https server on default port for special hostname

There's no way that just one challenge type would be usable for everyone. Let's say I want to get a certificate for an SSTP server. If the router is a dedicated SSTP server with a public address using the default https port, then it's easy, it can simply use tls-sni.

But what if the IP address is shared with a web server (with ports 80 and 443 forwarded to the LAN) and SSTP uses a non-standard port (I think it will be a very common setup)? Then the only right option is dns. The problem is, dns is very often hosted by the registrar without any automated way to change records, so this option may not be available. The other way would be to have events for the LE client, that would allow writing a script to temporarily disable port forwarding to the internal web server, point it to the local SSTP server and then back after successful verification. It would mean a short service interruption for the internal webserver, but better than nothing I guess.

It can be even worse, the SSTP server might be an internal machine, which has only one non-standard port forwarded to it. That would leave dns as the only option.

Where automated updates of dns records are possible, it would be the best solution. But even that is not completely straightforward, because there may be different ways to update records, either using standard dns updates, or some custom way, e.g. using http(s) calls to some api. Plus there might be a need to update completely different records (there are some interesting tricks you can do with LE and CNAMEs). So events and scripts are probably the only universal solution here too.

Comments, thoughts, suggestions?
 
ndbjorne
just joined
Posts: 21
Joined: Sat Dec 15, 2012 5:06 pm
Location: Italy

Re: Support for ACME/Let's Encrypt certificate management

Wed Jan 25, 2017 2:41 pm

+1+
Andrea
 
undecided
Member Candidate
Posts: 106
Joined: Mon May 16, 2011 11:07 am

Re: Support for ACME/Let's Encrypt certificate management

Mon Feb 06, 2017 9:07 am

We need this! +1
 
juliokato
Member Candidate
Posts: 223
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Support for ACME/Let's Encrypt certificate management

Mon Feb 06, 2017 4:31 pm

I apologize for my grammatical errors; my English is not so good, I am not a native speaker.
Wiki is maintained in English. I use Google Translate. 8)
 
undecided
Member Candidate
Posts: 106
Joined: Mon May 16, 2011 11:07 am

Re: Support for ACME/Let's Encrypt certificate management

Tue Feb 07, 2017 9:19 am

Awesome!
 
juliokato
Member Candidate
Posts: 223
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Support for ACME/Let's Encrypt certificate management

Sat Feb 25, 2017 5:24 pm

If MikroTik sites use SSL certificates from Let's Encrypt (https://routerboard.com and https://forum.mikrotik.com), why have they not yet integrated the solution into RouterOS?
I apologize for my grammatical errors; my English is not so good, I am not a native speaker.
Wiki is maintained in English. I use Google Translate. 8)
 
Chupaka
Forum Guru
Posts: 8143
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Support for ACME/Let's Encrypt certificate management

Sun Feb 26, 2017 10:14 pm

Because the sites are not hosted by RouterOS?..
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
normis
MikroTik Support
Posts: 23630
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Support for ACME/Let's Encrypt certificate management

Mon Feb 27, 2017 4:36 pm

Have you tried this tutorial? Simple enough:
No answer to your question? How to write posts
 
maximan
Trainer
Posts: 548
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina

Re: Support for ACME/Let's Encrypt certificate management

Fri Mar 03, 2017 8:49 pm

Awesome!!!...Thank you!!


M.
MKE Solutions: the knowledge base in Spanish.
Academia de Entrenamientos: Training Center
 
palhaland
just joined
Posts: 9
Joined: Mon Aug 15, 2016 9:05 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Mar 06, 2017 8:47 pm

I created a deploy script for acme.sh to deploy to a routeros server

If anyone would like to have a look at it.
https://github.com/Neilpang/acme.sh/pull/706
 
dattl
just joined
Posts: 10
Joined: Sun Sep 27, 2015 1:57 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Mar 10, 2017 8:20 pm

+1 acme for renewing cert on mynetname.net would be just YIIIHHHAA!
 
MetUys
just joined
Posts: 16
Joined: Mon Mar 17, 2014 1:19 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Sep 01, 2017 1:43 pm

+1

Just a thought and pardon if I fall out the window on this...

What if the created ROS package for this did an inspection of the TLS SNI Domain Hint but only during the setup of a cert if using TLS-SNI mode?
This way it could capture the validation requests and respond appropriately completing the setup for it .
I say during setup only as this would have obvious impacts to resources and services while it inspects.
If users are looking for this feature they might be willing to take that knock during the small setup window every 3 months per cert.
(if you don't want to, then don't install the package or setup any certs on it)

How I envisage the package options:
- Global settings for ACME protocol requirements (notification email address, etc...) or maybe allow this to also be set per cert (if anyone has the need for this?)
- allow for more than one cert (you might want different certs for different things)
- allow for multiple SANs per cert, where the first SAN in the list will be the name of the cert (the SNI domain hint inspection would look for all of these during that cert's setup/re-validation)
- allow for auto adding of Cloud DNS to a SAN (makes it easier to not fat finger it)
- allow for service(s) to be specified for use with that cert (hotspot, SSTP, OpenVPN, API-SSL, WWW-SSL, etc) further improving its automation ability
- Allow for different strength keys (more robustness and control)

Notes: why only SAN names... Common Name field removal is well underway (see more on this here: https://groups.google.com/a/chromium.or ... GT2fLJrAeo)
however if users want the CN, so be it, I have no objections to it.

Thoughts?
 
nirv
just joined
Posts: 2
Joined: Sun Mar 22, 2015 1:40 pm

Re: Support for ACME/Let's Encrypt certificate management

Wed Sep 06, 2017 12:43 am

+1+
 
jonthorpe
just joined
Posts: 8
Joined: Mon Oct 27, 2014 3:25 am

Re: Support for ACME/Let's Encrypt certificate management

Sat Oct 14, 2017 2:13 am

After trying the script at https://www.ollegustafsson.com/en/letsencrypt-routeros/ for updating an SSTP certificate, I decided to write one that only relies on a BASH script:
https://gist.github.com/JonathanThorpe/ ... 5162dafe43

You'll need the following:
1. Create a DSA SSH Key so that the host running the BASH script can login to MikroTik.
2. Install acme.sh as per the instructions in https://www.ollegustafsson.com/en/letsencrypt-routeros/
3. Update the following:
----
ACME=/root/.acme.sh/acme.sh
DOMAIN=remote.mydomain.tld
CERTPATH=/var/router-certs
CERT=$DOMAIN.cer
KEY=$DOMAIN.key
ROUTER=router_os_IP
ROUTER_USER=username_to_login_to_routeros
----

If the script is run on a cron, it should renew certificates and when they renew, the commands should be run on the Mikrotik to update the cert.
 
brad0x52
just joined
Posts: 7
Joined: Thu Oct 15, 2015 8:48 pm

Re: Support for ACME/Let's Encrypt certificate management

Tue Nov 14, 2017 12:08 am

I've got a couple of routers that I use Let's Encrypt certificates on for SSTP. Since it took me a bit to figure out why things weren't working at first, I've included my tweaked scripts below. Additionally, I created a dedicated user on my Linux server for managing certificates and set it up to log into my routers with certificate login. If the username is identical on both systems, it can be omitted in the command as well.

This script runs shortly after acme.sh in cron to upload the certificates to the routers. Yes, I know this would have been more graceful as a foreach loop, but I've only got 2 routers and I was in a hurry.
#!/usr/bin/env bash
set -e
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# Router 1
DOMAIN=vpn1.example.net
CERT=vpn1.example.net.cer
KEY=vpn1.example.net.key
ROUTER="<Router 1 IP Address>"

cd "$DIR/$DOMAIN"

# acme.sh only writes the files after a renewal, so their presence is the
# "upload needed" signal; they are removed once the upload succeeded.
if [ -f "$CERT" ]; then
        echo -n "Uploading $DOMAIN certificate to $ROUTER router..."
        scp -q "$CERT" "$ROUTER:$CERT"
        scp -q "$KEY" "$ROUTER:$KEY"
        rm "$CERT" "$KEY"
        echo "done!"
fi

# Router 2 (no early exit above, so both routers are handled in one run)
DOMAIN=vpn2.example.net
CERT=vpn2.example.net.cer
KEY=vpn2.example.net.key
ROUTER="<Router 2 IP Address>"

cd "$DIR/$DOMAIN"

if [ -f "$CERT" ]; then
        echo -n "Uploading $DOMAIN certificate to $ROUTER router..."
        scp -q "$CERT" "$ROUTER:$CERT"
        scp -q "$KEY" "$ROUTER:$KEY"
        rm "$CERT" "$KEY"
        echo "done!"
fi
On my routers, I have this script scheduled to run 30 minutes after the files are scheduled to be uploaded:

# The uploaded .cer file is the trigger; "find name=" matches the full file name exactly.
:if ([:len [/file find name=vpn1.example.net.cer]] > 0) do={
    :put "Deleting Old Certificate"
    /certificate remove vpn1.example.net.cer_0
    :delay 1
    :put "Importing new Certificate"
    /certificate import file-name=vpn1.example.net.cer passphrase=""
    /certificate import file-name=vpn1.example.net.key passphrase=""
    :delay 1
    :put "Assigning certificate to SSTP Server"
    /interface sstp-server server set certificate=vpn1.example.net.cer_0
    :delay 1
    :put "Cleaning up files"
    /file remove vpn1.example.net.cer
    /file remove vpn1.example.net.key
    :put "Certificate installation complete"
}
 
colinardo
just joined
Posts: 8
Joined: Sun Jan 08, 2017 9:02 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Nov 24, 2017 1:11 pm

Hi there,
developed my own solution with a MetaROUTER Instance to renew Let's Encrypt certificates on the router itself.
Have a look at https://www.administrator.de/contentid/355746 for a tutorial (german).

Best regards
@colinardo
 
Cha0s
Forum Veteran
Posts: 827
Joined: Tue Oct 11, 2005 4:53 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Nov 24, 2017 3:24 pm

Unfortunately MetaROUTER is pretty much a forgotten feature by MikroTik.
Currently MetaRouter can be used on

RB400, RB700 series except models with SPI flash, RB900 series except models with SPI flash, RB2011 boards
Listed PPC boards: RB1000, RB1100, RB1100AH and RB800.
In other words, CCR, RB3011, RB850Gx2, RB1100AHx4, etc which have enough cpu/storage/memory resources are not supported.
 
gimpeltik
just joined
Posts: 3
Joined: Tue Nov 28, 2017 4:13 pm

Re: Support for ACME/Let's Encrypt certificate management  [SOLVED]

Tue Nov 28, 2017 4:20 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:
  • Dedicated Linux renew and push certificates to RouterOS / Mikrotik
  • After CertBot renew your certificates
  • The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
  • Delete previous certificate files
  • Delete the previous certificate
  • Upload two new files: Certificate and Key
  • Import Certificate and Key
  • Change SSTP Server Settings to use new certificate
  • Delete certificate and key files from RouterOS / Mikrotik storage

https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh
 
nka
newbie
Posts: 30
Joined: Tue Mar 22, 2011 7:48 pm
Location: Quebec, Canada

Re: Support for ACME/Let's Encrypt certificate management

Thu Nov 30, 2017 5:44 pm

Dedicated Linux renew and push certificates to RouterOS / Mikrotik
this is the only sad part. My CCR should be able to do it by itself! :(
- Sebastien Plante (nka)

Mikrotik CCR1009-8G-1S-1S+ v6.xx (latest release)
 
dattl
just joined
Posts: 10
Joined: Sun Sep 27, 2015 1:57 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Feb 02, 2018 5:14 pm

+1
Maybe the acme.sh code helps you to find an easy solution: https://github.com/Neilpang/acme.sh
That's the easiest way for Let's Encrypt that I know.
 
hanfelt
just joined
Posts: 1
Joined: Fri Jun 01, 2012 3:38 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Feb 12, 2018 4:21 pm

+1 would be really handy
 
omidkosari
Trainer
Posts: 612
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj

Re: Support for ACME/Let's Encrypt certificate management

Fri Mar 16, 2018 7:01 pm

+1 for RouterOS self Let's Encrypt management.
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
Largelos
just joined
Posts: 9
Joined: Thu Jan 31, 2013 1:24 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Apr 23, 2018 8:58 pm

+1 for support by routeros directly
 
WarMaster
just joined
Posts: 6
Joined: Wed Oct 25, 2017 10:36 am
Location: The Netherlands

Re: Support for ACME/Let's Encrypt certificate management

Sun May 27, 2018 10:26 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:
  • Dedicated Linux renew and push certificates to RouterOS / Mikrotik
  • After CertBot renew your certificates
  • The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
  • Delete previous certificate files
  • Delete the previous certificate
  • Upload two new files: Certificate and Key
  • Import Certificate and Key
  • Change SSTP Server Settings to use new certificate
  • Delete certificate and key files from RouterOS / Mikrotik storage
https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh
I am wondering; because the "first" validation method is manual (by creating a TXT record at your DNS provider) it seems the renewal process also needs a TXT DNS record validation.
After I successfully installed the certificates on my Mikrotik with the provided script I did a "certbot renew --dry-run" as to simulate a certificate renewal. Certbot quickly prompts an error stating:
"The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping."

I do believe there has to be one of the 3 ways to authenticate the domain(s) for which the certificates are to be renewed (http-01, tls-sni-01 or dns-01). There are currently to my knowledge no plugins/addons/scripts in routerOS which provide these methods of authentication. Which basically means you have to re-do the TXT thing with your DNS provider and thus manually updating your certificates every 3 months.
 
Sob
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: Support for ACME/Let's Encrypt certificate management

Sun May 27, 2018 10:55 pm

It depends. Some DNS providers have API access for editing records, so if you use one of them, everything can be scripted and made fully automatic.
 
WarMaster
just joined
Posts: 6
Joined: Wed Oct 25, 2017 10:36 am
Location: The Netherlands

Re: Support for ACME/Let's Encrypt certificate management

Mon May 28, 2018 2:49 pm

It depends. Some DNS providers have API access for editing records, so if you use one of them, everything can be scripted and made fully automatic.
A few do, most don't have a plugin available. However, the registration via the script is based on the manual TXT verification which in turn determines the way certbot stores the information regarding the particular certificate. So you'd have to fidget around with the certbot config to get this working properly. Furthermore; in the readme it is suggested the TXT verification is only once. I think this is false.

The topic is a request for ACME support which either suggests a request for http and/or tls-sni support. This script just isn't a solution for the proposed request.
 
Sob
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon May 28, 2018 5:27 pm

As far as I know, domain verification lasts for a while, I think it was longer than 90 days for certificate, but eventually it has to be repeated, it's not valid forever.

DNS hosters without API access may be a problem for now, but it will get better, when people start to request this functionality (and Let's Encrypt is a good reason why they would do that). If yours doesn't want to do it, there are others to choose from. I wouldn't view this as THE problem. For now it's zero support for this in RouterOS. It's of course nice that I can do it with external Linux server, but if I don't have one already, it's highly impractical to get it just for this.

And when you think about it, it shouldn't be hard at all. Take the DNS method. RouterOS can already work with certificates, so it needs to extend it, so that you can request a certificate to be signed by LE. If you check some of the simpler clients (e.g. https://dehydrated.io/), there isn't too much to do. When it would be about to happen, there would be an event (hook), where you could put your own script to update DNS records. If the hoster's API would be based on http(s), then the fetch tool in RouterOS should be all that's needed. If it would use standard DNS updates, RouterOS already has a tool for it, only so far it's limited to A records only. But that's most of it already implemented, extending it to also support TXT records can't be hard. And that's it, happy end.

And actually, RouterOS could not only update records on remote server, it could BE the server. Not the full authoritative one with all bells and whistles, but only with basic functionality to serve TXT records, when you'd point _acme-challenge subdomain to it from main server using CNAME. Again, most of what's required for this is already in RouterOS.

Ok, I got a little carried away with the last one, so forget it. But the rest is not hard. It's not a 100% perfect solution for everyone, but it's important to get started.
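The hook Sob sketches (a script that publishes the dns-01 TXT record when the client asks for it) is also the missing `--manual-auth-hook` behind the certbot error WarMaster quoted: once the hook exists, `certbot renew` no longer needs a person to paste a TXT record. The following is an added example, not dehydrated's, certbot's or gitpel's code. It publishes the record with RFC 2136 dynamic updates through `nsupdate`, the "standard DNS updates" path, and honours the CNAME trick of delegating `_acme-challenge.<domain>` into a separate zone that accepts updates. The `DNS_SERVER`, `DNS_ZONE`, `TSIG_KEYFILE` and `ACME_DELEGATE_ZONE` variables are this example's own assumptions, not settings of any of those tools.

```shell
#!/bin/sh
# Added example (not from the thread or the projects named in it): a dns-01
# hook that publishes _acme-challenge TXT records via nsupdate (RFC 2136).
# Usable as a dehydrated hook (positional arguments) and as certbot's
# --manual-auth-hook / --manual-cleanup-hook (environment variables).
# Environment knobs assumed by this example:
#   DNS_SERVER          name server accepting dynamic updates (default 127.0.0.1)
#   DNS_ZONE            zone containing the domain (default: domain minus first label)
#   TSIG_KEYFILE        TSIG key file handed to nsupdate -k
#   ACME_DELEGATE_ZONE  optional zone that _acme-challenge.<domain> is CNAMEd into
set -eu

# Where the TXT record lives. With delegation, the site's own DNS holds only a
# static CNAME and the update goes to the delegate zone instead.
txt_record_name() {
    if [ -n "${ACME_DELEGATE_ZONE:-}" ]; then
        printf '_acme-challenge.%s.%s' "$1" "$ACME_DELEGATE_ZONE"
    else
        printf '_acme-challenge.%s' "$1"
    fi
}

txt_record_zone() {
    if [ -n "${ACME_DELEGATE_ZONE:-}" ]; then
        printf '%s' "$ACME_DELEGATE_ZONE"
    else
        printf '%s' "${DNS_ZONE:-${1#*.}}"
    fi
}

# Emit an nsupdate batch that adds or deletes the TXT record for one domain.
build_nsupdate_batch() {
    action=$1 domain=$2 value=$3
    name=$(txt_record_name "$domain")
    printf 'server %s\n' "${DNS_SERVER:-127.0.0.1}"
    printf 'zone %s\n' "$(txt_record_zone "$domain")"
    case $action in
        add)    printf 'update add %s 60 IN TXT "%s"\n' "$name" "$value" ;;
        delete) printf 'update delete %s IN TXT "%s"\n' "$name" "$value" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Push the batch to the name server, authenticated with the TSIG key.
publish_txt() {
    build_nsupdate_batch "$@" | nsupdate -k "${TSIG_KEYFILE:?TSIG_KEYFILE not set}"
}

# dehydrated calls:  hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# certbot calls:     hook.sh certbot-auth   (with CERTBOT_DOMAIN / CERTBOT_VALIDATION set)
# The sleep gives secondaries time to transfer the zone before LE queries it.
case "${1:-}" in
    deploy_challenge) publish_txt add "$2" "$4"; sleep 30 ;;
    clean_challenge)  publish_txt delete "$2" "$4" ;;
    certbot-auth)     publish_txt add "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"; sleep 30 ;;
    certbot-cleanup)  publish_txt delete "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" ;;
    *) : ;;   # other dehydrated stages (deploy_cert, ...) are not handled here
esac
```

With certbot the hook is wired in as `--manual-auth-hook "/path/hook.sh certbot-auth" --manual-cleanup-hook "/path/hook.sh certbot-cleanup"`; with dehydrated it is simply `HOOK=/path/hook.sh`. The TSIG key should be allowed to update only the `_acme-challenge` names (or only the delegate zone), so a compromised hook host cannot rewrite the rest of the zone.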
 
muetzekoeln
newbie
Posts: 25
Joined: Fri Jun 29, 2018 2:34 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Jun 29, 2018 2:37 pm

+1 for native RouterOS package

with no virtual OpenWRT instance or Linux-System requirement, please!
 
benoga
just joined
Posts: 13
Joined: Wed Mar 09, 2016 7:50 am

Re: Support for ACME/Let's Encrypt certificate management

Fri Jul 06, 2018 10:38 am

+1 for native RouterOS letsencrypt-package
 
Jaggl
just joined
Posts: 17
Joined: Mon Aug 27, 2012 3:00 pm

Re: Support for ACME/Let's Encrypt certificate management

Thu Aug 23, 2018 2:46 pm

+1 would be nice to have it
Mit freundlichen Grüßen / Yours sincerely

Roland Steger
+43 (0) 664 333 7393
Kontakt [AT] Hosters.at
www.Hosters.at

EA Ranked Server Partner
Pragmatic Preferred Provider
Teamspeak Authorized Hoster
 
BostjanC
just joined
Posts: 8
Joined: Tue Nov 13, 2018 9:28 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Nov 19, 2018 11:41 am

Request from 2015. Still not resolved?
Well, I also give it +1.
It would be nice to have. And also the latest version.
 
armandfumal
Member Candidate
Posts: 124
Joined: Wed Apr 25, 2012 5:50 pm
Location: Huldange,LUX

Re: Support for ACME/Let's Encrypt certificate management

Mon Nov 19, 2018 4:57 pm

I vote +1
Armand Fumal
________________________________________________________________
CCR1072-1G-8S+ - CCR1036-8G-2S+EM - CCR1036-12G-4S-EM - RB1100AHx2 - RB2011UAS-RM - OmniTIK Ac- SXT Ac -
 
netwpl
just joined
Posts: 22
Joined: Fri Jun 22, 2012 8:09 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Dec 10, 2018 1:33 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:
  • Dedicated Linux renew and push certificates to RouterOS / Mikrotik
  • After CertBot renew your certificates
  • The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
  • Delete previous certificate files
  • Delete the previous certificate
  • Upload two new files: Certificate and Key
  • Import Certificate and Key
  • Change SSTP Server Settings to use new certificate
  • Delete certificate and key files from RouterOS / Mikrotik storage
https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh
ok, so your script works for me, but how to script it to renew my certificate after 2-3 months, even when my DNS has no APIs to (automatically) change the DNS TXT file...

Should I schedule a cronjob once a month to execute: certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh ???
