manuzoli
Frequent Visitor
Topic Author
Posts: 90
Joined: Mon Oct 03, 2016 6:47 pm

Let's encrypt and Mikrotik

Sat Apr 21, 2018 1:57 pm

Hi,

I want to encrypt all my traffic to WebFig.
Has anyone found a solution to do that in an automated way via Let's Encrypt?

thx in advance

PS: yes I got subdomains for all my routers.
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Let's encrypt and Mikrotik

Sat Apr 21, 2018 11:28 pm

+1

Please add this feature.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Let's encrypt and Mikrotik

Sat Apr 21, 2018 11:45 pm

Automated is not the hard part. I've seen some instructions how to do it. But what they have in common is an extra machine you need, where you create certificates and run the validation, and then you can upload resulting certificates to router. So it's usable for some scenarios, but if you'd need it to happen directly on router, not dependent on any other machine, so far you're out of luck.
 
manuzoli
Frequent Visitor
Topic Author
Posts: 90
Joined: Mon Oct 03, 2016 6:47 pm

Re: Let's encrypt and Mikrotik

Sun Apr 22, 2018 12:16 am

Automated is not the hard part. I've seen some instructions how to do it. But what they have in common is an extra machine you need, where you create certificates and run the validation, and then you can upload resulting certificates to router. So it's usable for some scenarios, but if you'd need it to happen directly on router, not dependent on any other machine, so far you're out of luck.
AFAIK that would only be possible for a wildcard certificate. Or you change ports and the forwarding in the process. It would be quite easy for MT to implement that feature, I think.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Let's encrypt and Mikrotik

Sun Apr 22, 2018 1:07 am

If you meant DNS validation (which can be used not only for wildcards, but also for simple one-hostname certificates), then yes, it's probably the best way. But HTTP validation is possible too. You need port 443 for WebFig (if you keep default) and 80 (which is used for validation, and you don't want it for WebFig anyway) can be forwarded to the other machine.

If MikroTik would like to add support in RouterOS, it would be perfect. But there needs to be a plan for how exactly it should work and satisfy as many people as possible. There's already an older thread with some thoughts and solutions: Support for ACME/Let's Encrypt certificate management
 
noneblah
just joined
Posts: 13
Joined: Wed Jan 17, 2018 3:23 pm
Location: Sofia

Re: Let's encrypt and Mikrotik

Tue Apr 24, 2018 9:52 am

Hey guys, :)

I have created a script which automatically checks and, if necessary, updates the Let's Encrypt wildcard SSL certificate on MikroTik devices.

http://me.sdnix.com/mikrotik-lets-encry ... rtificate/

In a few words, it checks if there is a certificate and if cert.pem and privkey.pem are up to date (certbot changes them if there are fewer than 30 days left to the expiry of the domain). If there is no certificate on the MikroTik device, the script automatically uploads and configures it. If cert.pem and privkey.pem are not up to date, it takes the new files, uploads them to all the MikroTik devices and configures the new certificates on the devices.

Take a look, and if anyone has any questions/recommendations/comments, I'm here to answer :) .
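The "extra machine" model Sob describes and the check-then-upload logic noneblah's post outlines, as an added example (not noneblah's script and not anything MikroTik ships): a certbot deploy hook that pushes a renewed certificate to a list of routers only when the file actually changed. Router hostnames, the SSH user, the certificate name on the router and the `letsencrypt.pem_0` naming RouterOS gives an imported leaf are assumptions; nothing contacts a router unless certbot's `RENEWED_LINEAGE` variable is set.

```shell
#!/bin/sh
# Added example: certbot --deploy-hook for the "extra machine" setup.
# certbot sets RENEWED_LINEAGE to live/<domain> after a successful renewal.
# Hosts, SSH user and names below are placeholders; change them for your site.
set -eu

ROUTERS="${ROUTERS:-rtr1.example.net rtr2.example.net}"   # placeholder hosts
SSH_USER="${SSH_USER:-certbot}"        # RouterOS user with ssh + ftp policy
CERT_NAME="${CERT_NAME:-letsencrypt}"  # file name used on the router
STATE_DIR="${STATE_DIR:-/var/lib/mikrotik-le}"

# SHA-256 of a file: push only when certbot actually rewrote the certificate.
cert_fingerprint() { sha256sum "$1" | cut -d' ' -f1; }

# Exit 0 if this router has never received this exact certificate file.
needs_upload() {  # router cert_file
    state="$STATE_DIR/$1.sha256"
    [ -f "$state" ] || return 0
    [ "$(cat "$state")" != "$(cert_fingerprint "$2")" ]
}
mark_uploaded() {  # router cert_file
    mkdir -p "$STATE_DIR"
    cert_fingerprint "$2" > "$STATE_DIR/$1.sha256"
}

# RouterOS commands, one per line: import the cert, then the key (matched to
# the cert already present), then bind it to WebFig. Assumption: RouterOS names
# the imported leaf <file>_0; removing the old copy first keeps that name
# predictable, at the cost of a few seconds with no certificate on www-ssl.
routeros_commands() {  # cert_name
    printf '%s\n' \
      "/certificate remove [find name~\"^$1\"]" \
      "/certificate import file-name=$1.pem passphrase=\"\"" \
      "/certificate import file-name=$1.key passphrase=\"\"" \
      "/ip service set www-ssl certificate=$1.pem_0 disabled=no"
}

deploy() {  # lineage_dir
    for r in $ROUTERS; do
        needs_upload "$r" "$1/fullchain.pem" || { echo "$r: unchanged"; continue; }
        scp -q "$1/fullchain.pem" "$SSH_USER@$r:$CERT_NAME.pem"
        scp -q "$1/privkey.pem"   "$SSH_USER@$r:$CERT_NAME.key"
        routeros_commands "$CERT_NAME" | while IFS= read -r cmd; do
            ssh -n "$SSH_USER@$r" "$cmd"    # RouterOS runs one command per ssh
        done
        mark_uploaded "$r" "$1/fullchain.pem"
    done
}

[ -z "${RENEWED_LINEAGE:-}" ] || deploy "$RENEWED_LINEAGE"
```

Register it with `certbot renew --deploy-hook /path/to/this-script` (or drop it into renewal-hooks/deploy); the per-router state files mean a router that missed an upload is retried on the next run.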
 
manuzoli
Frequent Visitor
Topic Author
Posts: 90
Joined: Mon Oct 03, 2016 6:47 pm

Re: Let's encrypt and Mikrotik

Tue Apr 24, 2018 12:19 pm

I have created a script which automatically checks and, if necessary, updates the Let's Encrypt wildcard SSL certificate on MikroTik devices.
You Sir, are a true hero!
 
noneblah
just joined
Posts: 13
Joined: Wed Jan 17, 2018 3:23 pm
Location: Sofia

Re: Let's encrypt and Mikrotik

Tue Apr 24, 2018 12:33 pm

:D Thanks man!

I saw that I had missed something, so I edited it a bit. Feel free to take another look :)
 
squeeze
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: Let's encrypt and Mikrotik

Wed Apr 25, 2018 3:41 am

Unfortunately there is no http-to-https redirection in Mikrotik devices

Would this work for your purposes?
/ip firewall nat add chain=dstnat dst-port=80 action=redirect protocol=tcp to-port=443
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Let's encrypt and Mikrotik

Wed Apr 25, 2018 4:41 am

I don't think so; it makes the http request go to the https port, and that generally doesn't work. It would be technically possible to write an https server in a way that recognizes an unencrypted http request and sends a redirect to https, and the fact is, normis did suggest this redirect a few days ago in another thread. So I tried to test whether they really implemented it like this, but no luck, it doesn't work, I get a connection reset.
 
cantanko
newbie
Posts: 39
Joined: Mon Apr 05, 2010 12:53 am

Re: Let's encrypt and Mikrotik

Tue Oct 30, 2018 7:48 pm

Sorry for reviving an old thread, but again +1 for ACME / LetsEncrypt support. There is at least one router that's already supporting this approach, namely A&A's firebrick:

https://www.firebrick.co.uk/fb2900/
 
sebus
Frequent Visitor
Posts: 67
Joined: Sun Mar 12, 2017 6:29 pm

Re: Let's encrypt and Mikrotik

Mon May 27, 2019 2:52 pm

While the script is nice, it only does the upload of an already created certificate.
But the creation part (for wildcard at least) is a manual process.

Or on Windows one can use Powershell to do it like this on Cloudflare

Then we only need to parse the string from the terminal output for that required TXT record

sebus
 
graealex
just joined
Posts: 14
Joined: Fri Feb 03, 2017 7:39 pm

Re: Let's encrypt and Mikrotik

Tue Sep 01, 2020 11:26 am

In the meantime, a number of manufacturers of appliances and routers have already integrated support for Let's Encrypt into their devices. It's certainly possible to fully automate certificate creation by either using DNS for domain validation, or by routing port 80 of the router to a device that does the domain validation, but seeing as it's really a hassle, and so much these days depends on proper and valid certificates to work, I wonder why Mikrotik doesn't implement native support. The ACME API is easy and straightforward, and numerous resources exist that use it.

So please Mikrotik, please implement support.
 
hazartilirot
newbie
Posts: 31
Joined: Thu Sep 17, 2020 11:48 pm
Location: Lviv

Re: Let's encrypt and Mikrotik

Mon Sep 28, 2020 12:33 pm

In the meantime, a number of manufacturers of appliances and routers have already integrated support for Let's Encrypt into their devices.
Ha-ha! Most routers are set up in a number of clicks, but not MikroTik! ;D
