Webfig with HTTPS and a certificate, please.

Posted: Wed Dec 04, 2019 4:18 am
by LaKing
It appears that setting up proper https access is (still) a pain in the ass.

Creating a certificate with the following commands used to work - until now.
       certificate add name=root-cert common-name=root-certificate days-valid=3650 key-usage=key-cert-sign,crl-sign
       certificate sign root-cert
       certificate add name=https-cert common-name=https-certificate days-valid=3650
       certificate sign ca=root-cert https-cert
       ip service set www-ssl certificate=https-cert disabled=no
The certificate generated this way was not working in Chrome: ERR_CERT_INVALID
... but at least it was working in Firefox.
However, as of today even Firefox complains, and gives a no-go:
Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The wiki here https://wiki.mikrotik.com/wiki/SSL_Certificate_setup seems to be outdated and the forum search gives ancient results.
Is anyone aware of a set of commands that actually create a self-signed certificate that works in firefox and chrome, preferably by IP and by a domain name eventually?

And could we please please put this to the MikroTik wiki, so people can actually find it, and don't waste time on outdated pages?

Re: Webfig with HTTPS and a certificate, please.

Posted: Wed Dec 04, 2019 1:22 pm
by Znevna
Just tested this with success and without the "pain in the ass".
I've used the same certificate I've generated for IKEv2 server-side.
Cert was generated using this:
/certificate add common-name=domain.name subject-alt-name=DNS:domain.name key-size=2048 days-valid=3650 key-usage=tls-server name=vpn.server
Where "domain.name" is the DDNS I'm using, and of course should be changed to yours. Nothing special.
/ip service print where name=www-ssl 
Flags: X - disabled, I - invalid 
 #   NAME                             PORT ADDRESS                                                              CERTIFICATE                         
 0   www-ssl                           443                                                                      vpn.server                          
And, of course, since it's a local CA, you should export your CA from MikroTik and import it in Windows in "Trusted Root Certification Authorities" or in whatever you are using.
Chrome gets it from there without any other settings, it seems.
Firefox needs "security.enterprise_roots.enabled" set to true in about:config in order to search for the CA in the Windows certificate store.
Attached info from firefox.
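Putting the two posts together, here is an added example (not the commands of either poster) of a full command set that also covers access by the router's IP address, as the question asks; the names router.example.net and 192.168.88.1 are assumed placeholders to replace with your own.

```routeros
# Added example, not from either post: local root CA plus a web server
# certificate with SAN entries for both a DNS name and an IP address.
# Placeholders (assumptions): router.example.net and 192.168.88.1.

# 1. Local CA: key usage limited to signing certificates and CRLs.
/certificate add name=root-cert common-name=root-cert days-valid=3650 \
    key-size=2048 key-usage=key-cert-sign,crl-sign
/certificate sign root-cert

# 2. Server certificate: the CN alone is not enough for Chrome, so every
#    name the browser will use goes into subject-alt-name; tls-server sets
#    the extended key usage (serverAuth) that browsers check.
/certificate add name=https-cert common-name=router.example.net \
    subject-alt-name=DNS:router.example.net,IP:192.168.88.1 \
    key-size=2048 days-valid=3650 \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign https-cert ca=root-cert

# 3. Bind the certificate to the HTTPS service (Webfig) and enable it.
/ip service set www-ssl certificate=https-cert disabled=no

# 4. Export only the CA certificate (no private key) for import into the
#    client's trusted root store; the file appears under /file.
/certificate export-certificate root-cert

# 5. Inspect what was issued before trusting it on a client.
/certificate print detail where name=https-cert
```

Browse to https://router.example.net or https://192.168.88.1 only after importing the exported root certificate into the client's trust store, as the reply above describes.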