Hi ,
I need to know if anybody has already bought an SSL Certificat for Mikrotik to work with hotspot and does it known for all browser and devices?
I tried let's encrypt but it's doesn't work as expected ,

not yet , I need to know first if anyone has already did it ,if it is works and known buy all the browsers.
I tried open ssl certificat "let's encrypt" , they give you 90 days then you need to regenerate a new one.but it's doesn't work as expected , still get the warning message " ssl certificat is not valid" a specially with ios devices.

For the hotspot login page itself, this is possible. For redirecting clients to the hotspot, this is not possible.

The "Let's encrypt" certificates should work just fine. Possibly you have it import the CA chain (root and intermediate certificate) into your Mikrotik device to make things work.

Hi,
Thank you all for your response.
@R1CH : what do you mean by redirecting clients to the hostspot is not possible? . when I connect to the hotspot the browser automatically redirect me to the authentication page or I need to open an http website (example :www.msn.com) and then I automatically be redirected to the authentication page . however what I noticed is that when I type a secure site like https://facebook.com no redirection to the hotspot is done, this is the issue that I need to resolve because not every clients is redirected automatically to the authentication page , and I need what ever page he open (http or https) he need to be redirected to the authentication page .

The device should detect that a hotspot login page is present, and open the hotspot login page in a popup.
Make sure you have no walled-garden entries, if this doesn't happen, or that you have not added some strange DNS names in your router DNS config.

Hi normis ,
Thank you for your replay .
I have no strange DNS configured and no walled garden.
and still don't get authentication page when I open https website and it's works fine when I use just http.
I'm using open ssl certifcat (let's encrypt) , can it be the issue?
do you have any idea if I buy comodo ssl ; it will work or not?

You don't have to get it when you open any webpage. The device (laptop or phone) must open the system popup automatically, even if your device has no browser open.
SSL will not get redirected, this is to be expected.

yes that right but during the test we find that sometimes device will not popup the page.and we need to try to navigate normally and then by trying to open any website(http) the hotspot page popup automatically , the issue is when the client chose to open for the first time an https website , he got an error instead of hotspot page

Yes. This is how SSL works, there is no way around it.

1) normal device opens popup itself, and they can log in
2) if no automatic popup, user must open non-ssl webpage, like http://neverssl.com but this is client device problem, not hotspot

even if we buy and install an ssl certificat on mikrotik and enable https will not work , we still need to open a no https website ?

If your device / browser won't detect the portal automatically, then yes, you need to open a non-HTTPS site to get the portal redirect. Most modern browsers and devices do this automatically in the background though when you connect to a new network. There is NO WAY to redirect a HTTPS site!

Hi Rich ,
I'm using firfox on Linux desktop machine , I tried many sites on https like https://duckduckgo.com , https://www.wikipedia.org , ... I get another page open "Login to Network" so even I on https I get authentication page .but this is not working for all https sites for example https://www.facebook.com or https://www.google.com, ... does not work I get "Secure Connection Failed" .
So why and what is the difference as I see that it's the opposite of your answer "NO WAY to redirect https"?
NB: your answer "No way to redirect https" is right for apple devices. I tried to open the same https page that worked for me on linux but I get nothing on iphone.

Nothing is being redirected, it's entirely up to the browser or OS. The browser sees a HTTPS loading error, tries to load a HTTP URL and notices if there was a redirect. If so, it assumes there is a portal and offers the sign in option. Since the "HTTPS error" is technically an attack, some bigger sites like Facebook use Strict Transport Security, which instructs browsers to never allow bypassing of a HTTPS error, which may include portal redirection.