
 
ilnicchio
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun May 28, 2006 6:11 pm

after upgrade to 6.3 cannot generate certificate-request

Wed Sep 04, 2013 11:21 am

The error is: failure: failed to write private key file
 
maximan
Trainer
Posts: 549
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina

Re: after upgrade to 6.3 cannot generate certificate-request

Thu Sep 05, 2013 8:42 pm

It's true! I have the same issue:

on 6.3:
[admin@MikroTik] /certificate> create-certificate-request 
template: 
Script Error: action cancelled
on 6.1
 /certificate> create-certificate-request 
key-passphrase: 
On 6.3 it requests a template?

M
MKE Solutions > Professional Support IT (Spanish / English)
FastNetMon / FNM Manager: DDoS Detection Tools.
 
Joe1vm
just joined
Posts: 22
Joined: Sat Apr 06, 2013 4:07 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Sun Sep 08, 2013 12:49 am

+1

[admin@MikroTik] /certificate> create-certificate-request
template:
Script Error: action cancelled
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: after upgrade to 6.3 cannot generate certificate-request

Fri Sep 20, 2013 3:26 pm

I have following error on ROS 6.4:
/certificate> create-certificate-request challenge-passphrase=foobar key-passphrase=f00b4r template=foobar 
failure: failed to write private key file
9-5 Job: Securityanalyst at a major MSSP.
Free time volunteer: Networkadmin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
pateutz
Frequent Visitor
Posts: 52
Joined: Wed Jan 11, 2012 5:55 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Sat Sep 21, 2013 12:02 pm

Hi all,

I have tried to create certificates:

[Mikrotik] /<cerrtificate> create-certificate-request
template:
Script Error: action cancelled


Have you changed the procedure?

Best Regards,

Daniel
 
Letni
Member
Posts: 375
Joined: Tue Dec 05, 2006 5:16 am
Location: South Carolina

Re: after upgrade to 6.3 cannot generate certificate-request

Sun Sep 22, 2013 3:43 am

Same here.

Guess I need to find another way.

-Louis
 
antispam
Frequent Visitor
Posts: 62
Joined: Mon Apr 11, 2005 5:57 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Wed Sep 25, 2013 1:53 pm

I have same problem.
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: after upgrade to 6.3 cannot generate certificate-request

Thu Sep 26, 2013 10:37 am

Can someone from MikroTik confirm that this is a known bug?
9-5 Job: Securityanalyst at a major MSSP.
Free time volunteer: Networkadmin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
allanscot
just joined
Posts: 1
Joined: Thu Sep 26, 2013 7:18 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Thu Sep 26, 2013 10:03 pm

I also get this problem on 6.4

[admin@MikroTik] > certificate create-certificate-request
template:
Script Error: action cancelled
 
artsmolkin
just joined
Posts: 19
Joined: Mon May 13, 2013 12:56 pm
Location: Russia

Re: after upgrade to 6.3 cannot generate certificate-request

Wed Oct 02, 2013 12:22 pm

Hello everybody!
I have the same problem on 6.4:
[admin@router0500000] > certificate create-certificate-request
template: router0500000
key-passphrase: ******
challenge-passphrase: ******
failure: failed to write private key file
Has somebody solved this problem?
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: after upgrade to 6.3 cannot generate certificate-request

Wed Oct 02, 2013 1:03 pm

Will be fixed in v6.5
 
royolsen
just joined
Posts: 5
Joined: Tue Jul 09, 2013 8:45 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Thu Oct 17, 2013 3:30 am

How do I work around this on RouterOS 6.4?

Can I simply create a certificate request somewhere else, and import certificate, key and bundle to the RB?
 
BofA
just joined
Posts: 4
Joined: Thu Oct 17, 2013 4:32 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Thu Oct 17, 2013 4:35 pm

I have the same issue with v6.5
 
cenutrio15
just joined
Posts: 8
Joined: Mon Sep 02, 2013 10:37 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Thu Oct 17, 2013 7:45 pm

Hello, I just installed v6.5. System keeps giving the same when I try to set up an SSL certificate. Template:
Script Error
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: after upgrade to 6.3 cannot generate certificate-request

Fri Oct 18, 2013 11:55 am

Because you need to make template and use it when generating request.
 
dennt
just joined
Posts: 1
Joined: Wed Aug 21, 2013 8:14 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Fri Oct 18, 2013 12:03 pm

How to make it? Any tutorial, please?
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: after upgrade to 6.3 cannot generate certificate-request

Fri Oct 18, 2013 1:05 pm

/certificate template add ...
 
turnip
Frequent Visitor
Posts: 66
Joined: Wed Sep 11, 2013 7:01 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Fri Oct 18, 2013 7:13 pm

How about some documentation?
/certificate template> add
name: test
failure: At least one field specifying certificate name must be set!
Not a particularly helpful response.
 
BofA
just joined
Posts: 4
Joined: Thu Oct 17, 2013 4:32 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Sat Oct 19, 2013 1:54 pm

[admin@MikroTik] /certificate template add
name: abc
failure: At least one field specifying certificate name must be set!
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: after upgrade to 6.3 cannot generate certificate-request

Mon Oct 21, 2013 9:10 am

With ROS 6.5 I'm now able to generate a certificate request and a key ... but importing a certificate is not possible. Fixing one thing but breaking another is not very helpful. This situation is worse than before, when we had to generate a request somewhere else and import the key+cert. I'm wondering whether MikroTik developers are using unit tests to ensure everything works as expected.
9-5 Job: Securityanalyst at a major MSSP.
Free time volunteer: Networkadmin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: after upgrade to 6.3 cannot generate certificate-request

Mon Oct 21, 2013 11:03 am

> How about some documentation?
> /certificate template> add
> name: test
> failure: At least one field specifying certificate name must be set!
> Not a particularly helpful response.

Just do what the error says, it is not rocket science, you need at least one field.

/certificate template add name=myTempl common-name=lala

and you get template with common name lala

/certificate template add name=myTempl common-name=lala key-size=1024

and you get template with common name and key size...
and so on.
 
patrickmkt
Member Candidate
Posts: 157
Joined: Sat Jul 28, 2012 5:21 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Mon Oct 21, 2013 4:44 pm

I have problem to import certificate on 6.5 too.
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: after upgrade to 6.3 cannot generate certificate-request

Mon Oct 21, 2013 5:46 pm

> I have problem to import certificate on 6.5 too.

This is a completely different problem, contact support to get a fix.
 
macak
just joined
Posts: 4
Joined: Mon Nov 11, 2013 11:19 am

Re: after upgrade to 6.3 cannot generate certificate-request

Mon Nov 11, 2013 11:31 am

Unfortunately not a documented change, and it still doesn't work. ROS = 6.6 on RB2011.

> and you get template with common name lala
>
> /certificate template add name=myTempl common-name=lala key-size=1024
>
> and you get template with common name and key size...
> and so on.

And I received:
[admin@MikroTik] > /certificate template add name=myTempl common-name=lala key-size=1024
syntax error (line 1 column 51)
[admin@LinkSys] > 
Maciej.

Edit

Works as mrz suggested. Just omit template word. I try to prepare correct lines, and put it on the forum.
 
gniers
just joined
Posts: 9
Joined: Fri Nov 15, 2013 3:37 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Wed Nov 27, 2013 12:53 pm

> and you get template with common name lala
>
> /certificate template add name=myTempl common-name=lala key-size=1024
>
> and you get template with common name and key size...
> and so on.

Unfortunately not working on v6.6 on both RB750UP and RB951-2n :-(
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: after upgrade to 6.3 cannot generate certificate-request

Mon Dec 02, 2013 1:33 pm

please see updated wiki.mikrotik.com page on how to work with SCEP
 
gniers
just joined
Posts: 9
Joined: Fri Nov 15, 2013 3:37 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Wed Dec 04, 2013 4:40 pm

Thanks for the update !

It's now working
 
brucemuir
just joined
Posts: 3
Joined: Tue Apr 24, 2012 1:56 am

Re: after upgrade to 6.3 cannot generate certificate-request

Mon Dec 16, 2013 6:18 am

On 6.7 now and the template creation command no longer seems to work...

Very frustrating.
 
Moc
just joined
Posts: 10
Joined: Sun Jan 06, 2013 8:47 am

Re: after upgrade to 6.3 cannot generate certificate-request

Mon Dec 16, 2013 7:19 pm

> On 6.7 now and the template creation command no longer seems to work...
>
> Very frustrating.

Note that the syntax changed again...

/certificate add name=certtemplate common-name=testcertificatetemplate
This will create a dummy template called "certtemplate"
 
rockpenguin
just joined
Posts: 1
Joined: Mon Jan 27, 2014 12:41 am

Re: after upgrade to 6.3 cannot generate certificate-request

Mon Jan 27, 2014 1:28 am

Hi All,

Just wanted to add my $0.02. After experiencing some other oddities in 6.7 with screens not responding when clicking OK/Apply buttons, etc, I decided 6.7 wasn't ready for prime-time and downgraded to 6.4. Now everything seems to be back to normal. Also, in the changelog it looks like they are making significant changes in the way certs are handled:
What's new in 6.7 (2013-Nov-29 13:37):
*) support Android usb tethering interface;
*) ipsec - added aes-gcm icv16 encryption mode;
*) wireless - improve rate selection for nstreme protocol
*) poe - new poe controller firmware for RB750UP and OmniTIK UPA;
*) ipsec - added aes-ctr encryption mode;
*) leds - inverted modem signal trigger, now it will trigger when the signal level rises above the treshold;
*) ipsec - added sha256 and sha512 support;
*) ipsec - proposal defaults changed to aes-128 and sha1 for both phase1 and phase2;
*) certificate - support ip, dns and email subject alternative names;
*) dhcpv4 server - added REMOTE_ID option variable for relayed packets;
*) ipsec - fix policy bypass on IPv6 gre, ipip, eoip tunnels when policy uses protocol filter;
*) userman - fix crash on tilera;
*) fixed hairpin nat on bridge with use-ip-firewall=yes;
*) fixed vlan on bridge after reboot having 00:00:00:00:00:00 mac address;
*) address-list - allow manually adding timeoutable entries;
*) address-list - show dynamic entry timeout;
*) fixed l2mtu changing on CCRs - could cause port flapping;
*) disabling/enabling ethernet ports did not work properly on CCRs - could cause port flapping;
*) fixed port flapping on CCR - could happen when having other than only-hardware-queue interface queue.
Note that having other interface queue than only-hardware-queue dramatically reduces performace, so should be avoided if possible;

What's new in 6.6 (2013-Nov-07 13:04):
*) winbox - fixed problem where all previous session opened windows were read only;
*) certificate - no more 'reset-certificate-cache' and 'decrypt' commands,
private keys can be decrypted only on 'import', use 'decrypt' before upgrade if needed;

*) fixed arp-reply only with more than one ip address on interface;
*) fixed RB400 not to reboot by watchdog during micro-sd format;
*) web proxy - fix SPDY server push handling;
*) certificate - merged '/certificate ca issued', '/certificate scep client' and
'/certificate templates' into '/certificate';
*) console - :foreach command can iterate over keys and values in an array,
by specifying two counter variables, e.g.:
:foreach k,v in=[/system clock get] do={:put "$k is $v"};
*) added support for new Intel 10Gb ethernet cards (82599);
*) certificates - fixed certificate import;
*) wireless - fixed crash when dfs was enabled on pre-n wireless cards;
*) fixed port flapping on CCR;

What's new in 6.5 (2013-Oct-16 15:32):
*) tftp - added data packet pipelining for read requests;
*) console - exported physical interface configuration uses 'default-name'
instead of item number to match relevant interface;
*) console - report all constituent errors for parameters with multiple
alternative value types;
*) certificates - merge '/certificate ca' into '/certificate', use set-ca-passphrase to maintain CA functionality;
*) lcd - backlight option is replaced with "/lcd backlight" command
*) dhcp server - added option to disable conflict-detection;
*) console - ':return' does not trigger 'on-error=' action of ':do' command;
*) route - fixed crash that could be triggered by change in nexthop
address resolution;
*) route - some imported VPNv4 routes were not using MPLS labels;
*) route - imported VPNv4 routes were not always updated or removed when
the original route changed;
*) winbox - fixed problem where all settings were read only on first open;
*) ovpn server - use only ciphers that are allowed not that client requested;
*) ssh client - fixed public key authentication;
*) ipsec - fix peer mathing with non byte aligned masks;
*) fix routerboot upgrading if RouterOS is partitioned;
*) add support for second serial port on CCR boards;
*) fix serial port baudrate selection on CCR boards;
*) ethernet interface stats that are behind switch chip
show real hw stats instead of just the traffic that goes through cpu;
Maybe I'll wait another release or two :-)

== UPDATE 2014-02-16 ==

I have two RB2011s so upgraded one to 6.10 and now the certs seem to work as expected with no tricks needed. Fingers crossed and YMMV :-)
Last edited by rockpenguin on Sun Feb 16, 2014 9:52 pm, edited 1 time in total.
 
rpr
just joined
Posts: 12
Joined: Mon Oct 24, 2011 4:47 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Fri Feb 07, 2014 1:58 pm

This is how I solved this issue on RouterOS 6.9.

First, create a new certificate template (for the router with address host.foo.bar):

/certificate add name=cert1 common-name=host.foo.bar key-size=2048 country=XX state=MyState locality=MyCity organization=foo.bar subject-alt-name=email:user@foo.bar

Create a certificate request based on the template:

/certificate create-certificate-request
template: cert1
key-passphrase: ********

This creates certificate-request.pem file in the root directory, which you can submit to a CA.
Upload the *.cer file with the issued certificate to the root directory and run the following:

/certificate import
passphrase: ********
     certificates-imported: 1
     private-keys-imported: 1
            files-imported: 2
       decryption-failures: 0
  keys-with-no-certificate: 0

Run the following command and note the name of the imported certificate (e.g. cert_5):

/certificate print detail

Through web interface select the certificate:

IP → Services → www-ssl → Certificate: cert_5

-- rpr.
 
petterg
Member Candidate
Posts: 198
Joined: Wed Sep 16, 2009 2:55 pm

Re: after upgrade to 6.3 cannot generate certificate-request

Sat Mar 08, 2014 2:50 pm

Thanks to this thread and rpr's posting above I managed to get a new certificate into my router.

However I struggled to figure out why the cert was not accepted when enabling sstp.
RouterOS WinBox Error
Couldn't change SSTP Server - no certificate found (6)
[OK]
Even though the certificate appeared in the dropdown and was selected.

The solution turned out to be that the key file has to be imported in the same way as the certificate itself. This makes the letters in front of the cert go from LT to KLT.
(On ros5 there was some button to bind cert to keyfile / decrypt to do this.)
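
An off-box check related to the posts above, added here as an example and not part of any forum post or MikroTik documentation: before uploading files for `/certificate import`, confirm with OpenSSL that the private key, the CSR and the issued certificate all carry the same public key and that the certificate has not expired. The function names, file arguments and the `KEY_PASS` variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a private key, a CSR and
# an issued certificate belong together before importing them on the router.
# Function names, file names and KEY_PASS are hypothetical.

# Print the SHA-256 digest of the public key contained in a PEM file.
#   $1 = kind: key | csr | cert      $2 = path to the PEM file
# For an encrypted key, export KEY_PASS so the passphrase never appears
# on a command line (and therefore not in the process list).
pubkey_digest() {
    case "$1" in
        key)
            if [ -n "${KEY_PASS:-}" ]; then
                pem=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
            else
                pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
            fi ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An unreadable file must never hash to the digest of an empty string.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if key, CSR and certificate share one public key and the
# certificate is still within its validity period.
#   $1 = private key   $2 = CSR   $3 = issued certificate
check_bundle() {
    k=$(pubkey_digest key  "$1") || { echo "cannot read private key: $1"; return 1; }
    r=$(pubkey_digest csr  "$2") || { echo "cannot read CSR: $2"; return 1; }
    c=$(pubkey_digest cert "$3") || { echo "cannot read certificate: $3"; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    openssl x509 -in "$3" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired"; return 1; }
    echo "key, CSR and certificate match"
}

# Stand-alone use: script.sh key.pem request.pem issued.cer
if [ "$#" -eq 3 ]; then
    check_bundle "$@"
fi
```

A mismatch here means the router would end up with a certificate entry that has no usable private key, which is the state in which a service such as SSTP refuses the certificate.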
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: after upgrade to 6.3 cannot generate certificate-request

Tue Mar 11, 2014 2:40 pm

In version 5 you also had to import cert and key to make it usable for sstp.
 
chemp86
just joined
Posts: 8
Joined: Wed Nov 19, 2014 9:10 am

Re: after upgrade to 6.3 cannot generate certificate-request

Tue Dec 30, 2014 8:48 am

> This is how I solved this issue on RouterOS 6.9.
>
> First, create a new certificate template (for the router with address host.foo.bar):
> /certificate add name=cert1 common-name=host.foo.bar key-size=2048 country=XX state=MyState locality=MyCity organization=foo.bar subject-alt-name=email:user@foo.bar
> Create a certificate request based on the template:
> /certificate create-certificate-request
> template: cert1
> key-passphrase: ********
> This creates certificate-request.pem file in the root directory, which you can submit to a CA.
> Upload the *.cer file with the issued certificate to the root directory and run the following:
> /certificate import
> passphrase: ********
>      certificates-imported: 1
>      private-keys-imported: 1
>             files-imported: 2
>        decryption-failures: 0
>   keys-with-no-certificate: 0
> Run the following command and note the name of the imported certificate (e.g. cert_5):
> /certificate print detail
> Through web interface select the certificate:
> IP → Services → www-ssl → Certificate: cert_5
>
> -- rpr.

Thanks man, it really works.
MikroTik Team - pls renew this node http://wiki.mikrotik.com/wiki/OpenVPN , it is almost one year passed...
