cantecra
just joined
Topic Author
Posts: 3
Joined: Thu Apr 19, 2018 11:18 pm

Cannot use HTTPs To Manage Router

Thu Apr 19, 2018 11:28 pm

I have a Mikrotik router running version 6.41.3 and am trying to manage the router through SSL.

I can manage the router by SSH and Winbox but I cannot get SSL to work.

I have set up the certificates
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #        NAME        COMMON-NAME    SUBJECT-ALT-NAME  FINGERPRINT
 0 K A T  root-cert   Mikrotik                         331bd06bb034be251ed3db6be4eac...
 1 K I T  https-cert  MikrotikHTTPS                    0e8e3e3c191f2a9e2b6aaa1b242df...
[admin@MikroTIK] /certificate>


SSL is enabled in the IP Services

Flags: X - disabled, I - invalid
 #     NAME     PORT  ADDRESS       CERTIFICATE
 0 XI  telnet   23
 1     ftp      21
 2 XI  www      80    127.0.0.1/32
 3     ssh      22
 4     www-ssl  443   10.0.0.0/8    https-cert
 5 XI  api      8728
 6     winbox   8291  10.0.0.0/8
 7 XI  api-ssl  8729                none
[admin@MikroTIK] /ip service>

Is there anything else I have to do to manage the router? As mentioned, I can SSH and use Winbox to manage the box currently.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Cannot use HTTPs To Manage Router

Fri Apr 20, 2018 2:19 am

Firewall rules?
 
cantecra
just joined
Topic Author
Posts: 3
Joined: Thu Apr 19, 2018 11:18 pm

Re: Cannot use HTTPs To Manage Router

Fri Apr 20, 2018 3:37 am

I am assuming the firewall rules are the default firewall rules. I am familiar with Cisco and Aruba devices and Mikrotik is brand new to me.

I tried looking at the firewall rules but it didn't seem as straightforward as other systems I have used.

Am I correct in saying that the SSH and Winbox firewall rules are out of the box?

Is there some simple firewall rule to allow all traffic to initiate an SSL connection?


Thanks
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Cannot use HTTPs To Manage Router

Fri Apr 20, 2018 1:51 pm

Check IP -> Services and make sure the service on port 443 is enabled.
Not sure what the default rule is, but if you have a drop-all on the input chain, you will need to accept 443 in a rule above it. Use the input chain, as this is the traffic heading to the router itself.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Cannot use HTTPs To Manage Router

Fri Apr 20, 2018 2:56 pm

Do you perhaps have anything else in your network for port 443, i.e. web server, SSTP VPN, etc?

Paste the output of export hide-sensitive from a terminal window in Winbox here. That will give us the config so we are able to see everything, i.e. firewall, port forwarding, etc., and we might be able to assist better with this info.
 
cantecra
just joined
Topic Author
Posts: 3
Joined: Thu Apr 19, 2018 11:18 pm

Re: Cannot use HTTPs To Manage Router

Mon Apr 23, 2018 4:11 pm

I found the firewall rule

56 ;;; ENCAPTO
chain=input action=jump jump-target=BruteForce protocol=tcp dst-port=22,23,80,8291,443 log=no log-prefix=""


I can now login but after a couple of minutes the box quits responding to SSH, HTTPS and I cannot use Winbox to manage the device. After rebooting the box I can manage the box but it seems to drop the management console after a few minutes.

I will try to update the code on the router to see if that fixes the problem.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Cannot use HTTPs To Manage Router

Mon Apr 23, 2018 7:04 pm

I won't just disable that rule. That rule just forwards the conditions to another chain where the actual work is being done, and if you are not sure what you are doing, by disabling that rule you might open yourself up to security holes recently closed by the latest ROS version.

Rather provide the full export of your config here and we will be able to assist. Use export hide-sensitive, which will hide passwords, etc.
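
Added example, not part of the thread and not anyone's posted config: a simplified Python model of the two points made in the replies above, that an accept for 443 has to sit above a drop-all on the input chain, and that a jump rule only hands matching traffic to another chain where the verdict is made. The contents of the BruteForce chain, the address 203.0.113.9 and all function names are assumptions; only the jump rule's port list comes from the thread.

```python
# Simplified model of RouterOS filter evaluation (constructed rules, not the poster's config).
# First accept/drop match decides; a jump resumes in the caller if its target gives no verdict.

MGMT_PORTS = {22, 23, 80, 8291, 443}   # dst-port list from the jump rule in the thread
BLOCKED = {"203.0.113.9"}              # hypothetical address list used by BruteForce

def matches(rule, pkt):
    """A rule matches when every matcher it sets agrees with the packet."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst_ports" in rule and pkt["dst_port"] not in rule["dst_ports"]:
        return False
    if "src_list" in rule and pkt["src"] not in rule["src_list"]:
        return False
    return True

def evaluate(chains, name, pkt):
    """Return 'accept', 'drop', or None when the chain ends without a verdict."""
    for rule in chains[name]:
        if rule.get("disabled") or not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(chains, rule["target"], pkt)
            if verdict is not None:
                return verdict
            continue                    # no verdict in the target chain: resume here
        return rule["action"]
    return None

def input_verdict(chains, pkt):
    return evaluate(chains, "input", pkt) or "accept"   # unmatched packets are accepted

def build(jump_disabled=False, accept_443=True):
    """Hypothetical ruleset: jump to BruteForce, optional accept for 443, then drop all."""
    rules = [{"action": "jump", "target": "BruteForce", "protocol": "tcp",
              "dst_ports": MGMT_PORTS, "disabled": jump_disabled}]
    if accept_443:
        rules.append({"action": "accept", "protocol": "tcp", "dst_ports": {443}})
    rules.append({"action": "drop"})
    return {"input": rules, "BruteForce": [{"action": "drop", "src_list": BLOCKED}]}

def https(src):
    return {"src": src, "protocol": "tcp", "dst_port": 443}

if __name__ == "__main__":
    for cfg, src in [(build(), "10.1.2.3"), (build(accept_443=False), "10.1.2.3"),
                     (build(), "203.0.113.9"), (build(jump_disabled=True), "203.0.113.9")]:
        print(src, input_verdict(cfg, https(src)))
```

With the jump rule disabled, the source on the hypothetical block list reaches the accept for 443, which is the exposure the last reply warns about.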
