Community discussions

MikroTik App
 
DuncanCT
just joined
Topic Author
Posts: 21
Joined: Thu May 24, 2018 1:28 pm

REST API basic help

Sun Feb 21, 2021 10:50 am

Trying to get a response from a hEX S (7.1beta4) installed from a Raspberry Pi.

Using:
$ curl -k -u admin: https://10.0.0.210/rest/system/resource
(https://help.mikrotik.com/docs/display/ROS/REST+API)

www-ssl enabled / all firewalls off / login tcp traffic to 443 / user: admin / password: none

This is the response I'm getting from the Pi:
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Logs:
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (SYN), 10.0.0.81:52228->10.0.0.210:443, len 60 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK), 10.0.0.81:52228->10.0.0.210:443, len 52 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK,PSH), 10.0.0.81:52228->10.0.0.210:443, len 569 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK), 10.0.0.81:52228->10.0.0.210:443, len 52 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK,FIN), 10.0.0.81:52228->10.0.0.210:443, len 52 
10:22:27 firewall,info input: in:bridge out:(unknown 0), src-mac b8:27:eb:0e:03:f4, proto TCP (ACK), 10.0.0.81:52228->10.0.0.210:443, len 52
Any assistance would be appreciated. TIA.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 6195
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: REST API basic help

Sun Feb 21, 2021 1:23 pm

Handshake can fail if there is a problem with certificate chain. Have you set certificate for www-ssl service on the router and have you imported CA certificate (used to sing the www-ssl service certificate) on the client device?
 
User avatar
che
Member Candidate
Member Candidate
Posts: 103
Joined: Fri Oct 07, 2005 1:04 pm

Re: REST API basic help  [SOLVED]

Sun Feb 21, 2021 3:05 pm

Hi, I just tested this and it works as intended. You just need to generate and sign server certificate. This is how I do it (replace "your.server.url" if you like, it works anyway and is good enough for testing purposes):
/certificate
add name=ca-template days-valid=3650 common-name=your.server.url key-usage=key-cert-sign,crl-sign
add name=server-template days-valid=3650 common-name=your.server.url

/certificate
sign ca-template name=root-ca
:delay 3s
sign ca=root-ca server-template name=server
:delay 3s

/certificate
set root-ca trusted=yes
set server trusted=yes

/ip service
set www-ssl certificate=server disabled=no
 
DuncanCT
just joined
Topic Author
Posts: 21
Joined: Thu May 24, 2018 1:28 pm

Re: REST API basic help

Sun Feb 21, 2021 8:49 pm

Thanks, see my error now.

Is there way to do it using HTTP Basic Auth?
 
DuncanCT
just joined
Topic Author
Posts: 21
Joined: Thu May 24, 2018 1:28 pm

Re: REST API basic help

Mon Feb 22, 2021 2:45 pm

Hi, I just tested this and it works as intended. You just need to generate and sign server certificate. This is how I do it (replace "your.server.url" if you like, it works anyway and is good enough for testing purposes):
/certificate
add name=ca-template days-valid=3650 common-name=your.server.url key-usage=key-cert-sign,crl-sign
add name=server-template days-valid=3650 common-name=your.server.url

/certificate
sign ca-template name=root-ca
:delay 3s
sign ca=root-ca server-template name=server
:delay 3s

/certificate
set root-ca trusted=yes
set server trusted=yes

/ip service
set www-ssl certificate=server disabled=no
Thank you che!

Who is online

Users browsing this forum: ech1965 and 7 guests