Community discussions

MikroTik App
  4. RouterOS
  5. General

Webfig with HTTPS and a certificate, please.

Post Reply
 
LaKing
newbie
Topic Author
Posts: 30
Joined: Fri Oct 05, 2018 5:56 am

Webfig with HTTPS and a certificate, please.

Wed Dec 04, 2019 4:18 am

It appears that setting up proper https access is (still) a pain in the ass.

Creating a certificate with the following commands used to work - until now.
Code: Select all
       certificate add name=root-cert common-name=root-certificate days-valid=3650 key-usage=key-cert-sign,crl-sign
       certificate sign root-cert
       certificate add name=https-cert common-name=https-certificate days-valid=3650
       certificate sign ca=root-cert https-cert
       ip service set www-ssl certificate=https-cert disabled=no
Certificate generated this way was not working in chrome: ERR_CERT_INVALID
... but at least it was working in firefox.
However, as of today even firefox complains, and gives a no-go:
Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The wiki here https://wiki.mikrotik.com/wiki/SSL_Certificate_setup seems to be outdated and the forum search gives ancient results.
Is anyone aware of a set of commands that actually create a self-signed certificate that works in firefox and chrome, preferably by IP and by a domain name eventually?

And could we please please put this to the MikroTik wiki, so people can actually find it, and don't waste time on outdated pages?
Top
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1348
Joined: Mon Sep 23, 2019 1:04 pm

Re: Webfig with HTTPS and a certificate, please.

Wed Dec 04, 2019 1:22 pm

Just tested this with success and without the "pain in the ass".
I've used the same certificate I've generated for IKEv2 server-side.
Cert was generated using this:
Code: Select all
/certificate add common-name=domain.name subject-alt-name=DNS:domain.name key-size=2048 days-valid=3650 key-usage=tls-server name=vpn.server
Where "domain.name" is the DDNS I'm using, and of course should be changed to yours. Nothing special.
Code: Select all
/ip service print where name=www-ssl 
Flags: X - disabled, I - invalid 
 #   NAME                             PORT ADDRESS                                                              CERTIFICATE                         
 0   www-ssl                           443                                                                      vpn.server
And, of course, since it's a local CA, you should export your CA from mikrotik and import it in Windows in "Trusted Root Certification Authorities" or in whatever you are using.
Chrome gets it from there without any other settings as it seems.
Firefox needs this set in about:config to true "security.enterprise_roots.enabled" in order to search for the CA in Windows certificate store.
Attached info from firefox.
You do not have the required permissions to view the files attached to this post.
Top
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot], GoogleOther [Bot], rspott, snowflake and 220 guests
  4. RouterOS
  5. General