manuzoli
Frequent Visitor
Topic Author
Posts: 68
Joined: Mon Oct 03, 2016 6:47 pm

Let's encrypt and Mikrotik

Sat Apr 21, 2018 1:57 pm

Hi,

I want to encrypt all my traffic to the webfig.
Has anyone found a solution to do that automated via Let's Encrypt?

thx in advance

PS: yes I got subdomains for all my routers.
 
MikroTikFan
Member Candidate
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Let's encrypt and Mikrotik

Sat Apr 21, 2018 11:28 pm

+1

Please add this feature.
 
Sob
Forum Guru
Posts: 4798
Joined: Mon Apr 20, 2009 9:11 pm

Re: Let's encrypt and Mikrotik

Sat Apr 21, 2018 11:45 pm

Automated is not the hard part. I've seen some instructions on how to do it. But what they have in common is an extra machine you need, where you create certificates and run the validation, and then you can upload the resulting certificates to the router. So it's usable for some scenarios, but if you'd need it to happen directly on the router, not dependent on any other machine, so far you're out of luck.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
manuzoli
Frequent Visitor
Topic Author
Posts: 68
Joined: Mon Oct 03, 2016 6:47 pm

Re: Let's encrypt and Mikrotik

Sun Apr 22, 2018 12:16 am

> Automated is not the hard part. I've seen some instructions how to do it. But what they have in common is an extra machine you need, where you create certificates and run the validation, and then you can upload resulting certificates to router. So it's usable for some scenarios, but if you'd need it to happen directly on router, not dependent on any other machine, so far you're out of luck.

Afaik that would only be possible for a wildcard certificate. Or you change ports and the forwarding in the process. It would be quite easy for MT to implement that feature, I think.
 
Sob
Forum Guru
Posts: 4798
Joined: Mon Apr 20, 2009 9:11 pm

Re: Let's encrypt and Mikrotik

Sun Apr 22, 2018 1:07 am

If you meant DNS validation (which can be used not only for wildcards, but also for simple one-hostname certificates), then yes, it's probably the best way. But HTTP validation is possible too. You need port 443 for WebFig (if you keep default) and 80 (which is used for validation, and you don't want it for WebFig anyway) can be forwarded to the other machine.

If MikroTik would like to add support in RouterOS, it would be perfect. But there needs to be a plan for how exactly it should work and satisfy as many people as possible. There's already an older thread with some thoughts and solutions: Support for ACME/Let's Encrypt certificate management
 
noneblah
just joined
Posts: 12
Joined: Wed Jan 17, 2018 3:23 pm
Location: Sofia

Re: Let's encrypt and Mikrotik

Tue Apr 24, 2018 9:52 am

Hey guys, :)

I have created a script which automatically checks and, if necessary, updates the Let's Encrypt wildcard SSL certificate on Mikrotik devices.

http://me.sdnix.com/mikrotik-lets-encry ... rtificate/

In a few words, it checks if there is a certificate and if the cert.pem and privkey.pem are up to date (certbot changes them if there are less than 30 days until expiry of domain). If there is no certificate on the Mikrotik device, the script automatically uploads and configures it. If the cert.pem and privkey.pem are not up to date, it takes the new files, uploads them to all the Mikrotik devices and configures the new certificates on the devices.

Take a look and if someone has any questions/recommendations/comments - here to answer :) .
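
The check-then-upload flow described in the post above, as an added example that is not noneblah's script: the certificate and key are fingerprinted, and only routers whose recorded fingerprint is missing or stale get an upload. The router names, the state directory and all function names are assumptions; `scp_upload` assumes key-based SSH access and uses the RouterOS `/certificate import` and `/file remove` commands.

```python
import hashlib
import subprocess
from pathlib import Path

def bundle_fingerprint(cert: Path, key: Path) -> str:
    """SHA-256 over both files, so a renewal of either one changes the result."""
    digest = hashlib.sha256()
    for path in (cert, key):
        data = path.read_bytes()
        digest.update(len(data).to_bytes(8, "big"))  # keep the file boundary unambiguous
        digest.update(data)
    return digest.hexdigest()

def scp_upload(router: str, cert: Path, key: Path, user: str = "admin") -> None:
    """Copy both files to the router and import them (assumes key-based SSH login)."""
    target = f"{user}@{router}"
    subprocess.run(["scp", str(cert), str(key), f"{target}:"], check=True)
    for name in (cert.name, key.name):
        command = f'/certificate import file-name={name} passphrase=""'
        subprocess.run(["ssh", target, command], check=True)
    # Do not leave the private key lying in the router's file store after import.
    subprocess.run(["ssh", target, f"/file remove {key.name}"], check=True)

def sync_routers(cert: Path, key: Path, routers, state_dir: Path, upload=scp_upload):
    """Upload to routers whose recorded fingerprint is missing or stale.

    Returns (updated, failed). A router is marked current only after its upload
    succeeded, so a failed one is retried on the next run.
    """
    fingerprint = bundle_fingerprint(cert, key)
    state_dir.mkdir(parents=True, exist_ok=True)
    updated, failed = [], []
    for router in routers:
        marker = state_dir / f"{router}.sha256"
        if marker.exists() and marker.read_text().strip() == fingerprint:
            continue  # this router already has the current certificate
        try:
            upload(router, cert, key)
        except (OSError, subprocess.CalledProcessError):
            failed.append(router)
            continue
        marker.write_text(fingerprint + "\n")
        updated.append(router)
    return updated, failed
```

Binding the imported certificate to the www-ssl service depends on the name RouterOS gives it on import, so that step is left to the router's own configuration here.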
 
manuzoli
Frequent Visitor
Topic Author
Posts: 68
Joined: Mon Oct 03, 2016 6:47 pm

Re: Let's encrypt and Mikrotik

Tue Apr 24, 2018 12:19 pm

> I have created a script, which automatically checks and update if necessary, the Let's encrypt Wildcard SSL certificate on Mikrotik devices.

You Sir, are a true hero!
 
noneblah
just joined
Posts: 12
Joined: Wed Jan 17, 2018 3:23 pm
Location: Sofia

Re: Let's encrypt and Mikrotik

Tue Apr 24, 2018 12:33 pm

:D Thanks man!

I saw that I have missed something, so I edited it a bit. Feel free to take another look :)
 
squeeze
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: Let's encrypt and Mikrotik

Wed Apr 25, 2018 3:41 am

> Unfortunately there is no http-to-https redirection in Mikrotik devices

Would this work for your purposes?
/ip firewall nat add chain=dstnat dst-port=80 action=redirect protocol=tcp to-ports=443
 
Sob
Forum Guru
Posts: 4798
Joined: Mon Apr 20, 2009 9:11 pm

Re: Let's encrypt and Mikrotik

Wed Apr 25, 2018 4:41 am

I don't think so; it makes an HTTP request go to the HTTPS port, and that generally doesn't work. It would be technically possible to write an HTTPS server in a way that it would recognize an unencrypted HTTP request and send a redirect to HTTPS, and the fact is, normis did suggest this redirect a few days ago in another thread. So I tried to test whether they really implemented it like this, but no luck, it doesn't work; I get a connection reset.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
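
The situation discussed in the post above, as an added example that is not part of the thread and not RouterOS code: a listener can tell a plaintext HTTP request from a TLS connection by its first bytes, since TLS opens with a handshake record (0x16 0x03) and HTTP with a method token. The function names, the host allowlist and the sample bytes are constructed for illustration.

```python
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes a client sends."""
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def https_redirect(request: bytes, allowed_hosts, default_host: str) -> bytes:
    """Build a 301 response pointing a plaintext request at its https:// URL."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    parts = request_line.split(" ")
    # Echo only a printable origin-form target ("/path"); anything else becomes "/".
    valid = len(parts) == 3 and parts[1].startswith("/") and parts[1].isprintable()
    path = parts[1] if valid else "/"
    host = default_host
    for line in headers:
        name, _, value = line.partition(":")
        candidate = value.strip().lower().split(":")[0]  # drop an optional :port
        # The Host header is client-controlled, so it is honoured only if allowlisted.
        if name.strip().lower() == "host" and candidate in allowed_hosts:
            host = candidate
    return (f"HTTP/1.1 301 Moved Permanently\r\nLocation: https://{host}{path}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("latin-1")

def first_response(data: bytes, allowed_hosts, default_host: str):
    """None means 'hand the socket to the TLS stack'; bytes are sent, then close."""
    kind = classify_first_bytes(data)
    if kind == "tls":
        return None
    if kind == "http":
        return https_redirect(data, allowed_hosts, default_host)
    return b""  # neither protocol: send nothing and close

# Constructed samples: start of a TLS ClientHello record and a plaintext request.
TLS_SAMPLE = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
HTTP_SAMPLE = b"GET /webfig/ HTTP/1.1\r\nHost: router1.example.net\r\n\r\n"

if __name__ == "__main__":
    hosts = {"router1.example.net"}
    print(first_response(TLS_SAMPLE, hosts, "router1.example.net"))
    print(first_response(HTTP_SAMPLE, hosts, "router1.example.net"))
```

A TLS server that does not perform this check sees `GET ` where it expects a handshake record and drops the connection, which matches the connection reset reported above.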
 
cantanko
newbie
Posts: 28
Joined: Mon Apr 05, 2010 12:53 am

Re: Let's encrypt and Mikrotik

Tue Oct 30, 2018 7:48 pm

Sorry for reviving an old thread, but again +1 for ACME / LetsEncrypt support. There is at least one router that's already supporting this approach, namely A&A's firebrick:

https://www.firebrick.co.uk/fb2900/
 
sebus
newbie
Posts: 38
Joined: Sun Mar 12, 2017 6:29 pm

Re: Let's encrypt and Mikrotik

Mon May 27, 2019 2:52 pm

While the script is nice, it only does the upload of an already created certificate.
But the creation part (for wildcard at least) is a manual process.

Or on Windows one can use PowerShell to do it like this on Cloudflare

Then we only need to parse the string from the terminal output for that required TXT record

sebus
