simlux
just joined
Topic Author
Posts: 15
Joined: Wed Jan 17, 2018 6:07 am

/tool fetch https check-certificate=yes undocumented, not working...

Wed Jan 17, 2018 6:11 am

Hello guys,

I am going completely crazy trying to make this check work. No matter what I do, I always get a failed error. This function is undocumented and no sample is provided. I want the script to connect to my website https://www.learn-digital.com, which has a valid certificate. What do I have to do in the /certificate store to make this chain work? I have uploaded the CA certificate of DigiCert, and even exported the chain from Chrome and imported it into MikroTik, but nothing works.

Any suggestions, anyone?

Thank you,
Cheers,
Simone
 
simlux
just joined
Topic Author
Posts: 15
Joined: Wed Jan 17, 2018 6:07 am

Re: /tool fetch https check-certificate=yes undocumented, not working...

Mon Jan 22, 2018 7:57 am

Guys, really, no one? This feature is pretty much essential for completely secure communication between the router and the server... A bit of a hint in the right direction?

I cannot find any post or any documentation about a working example of chain certificate validation.

Thank you,
Cheers,
Simone
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: /tool fetch https check-certificate=yes undocumented, not working...

Mon Jan 22, 2018 3:54 pm

Try the same, but validate without CRL check (there is a different option for that). If that has a different result, it could mean you don't have all the needed CRL.
It is possible that the server gives out a different chain because RouterOS as a client is different than your browser. You should try to packet sniff and see the full chain that server sends to RouterOS.

It is very likely that server responds with a different certificate chain because RouterOS is not the same kind of client as a web browser.
 
JimmyNyholm
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: /tool fetch https check-certificate=yes undocumented, not working...

Mon Jan 22, 2018 8:50 pm

Can you please update the wiki to reflect the new options.

If I'm not reading the forum wrong, it is possible to set HttpHeaders!? How? Examples please, and in the wiki too...
http-data cli tells me:

http-data -- POST or PUT request body data

So this tells me no headers can go into this field... How do I change Content-Type, for example?
 
simlux
just joined
Topic Author
Posts: 15
Joined: Wed Jan 17, 2018 6:07 am

Re: /tool fetch https check-certificate=yes undocumented, not working...

Tue Jan 23, 2018 10:16 am

Hi guys,

Thank you for your reply, but I don't see where the option to validate without CRL is?
https://wiki.mikrotik.com/wiki/Manual:Tools/Fetch

When I upload the CA I need, MikroTik dynamically adds a CRL to the list as follows:
URL http://crl4.digicert.com/DigiCertHighAs ... RootCA.crl
Certificate DigiCertCA.crt_0
Num 0
Revoked
Signature
Next Update Jan/01/1970 00:00:00
Last Update Jan/01/1970 00:00:00

I checked the URL and it is valid.

I'll wait for your reply,

Thank you,
Best Regards,
Simone
 
simlux
just joined
Topic Author
Posts: 15
Joined: Wed Jan 17, 2018 6:07 am

Re: /tool fetch https check-certificate=yes undocumented, not working...

Tue Jan 23, 2018 10:18 am

Oh my God... I just found it, in version 6.41:

CheckCertificate ::= no | yes | yes-without-crl


[admin@1009] > /tool fetch check-certificate=

Yeah guys the Wiki should be updated, possibly with (as of version 6.41, additional option available).

Cheers,
Best Regards,
Simone
 
simlux
just joined
Topic Author
Posts: 15
Joined: Wed Jan 17, 2018 6:07 am

Re: /tool fetch https check-certificate=yes undocumented, not working...

Tue Jan 23, 2018 10:33 am

Try the same, but validate without CRL check (there is a different option for that). If that has a different result, it could mean you don't have all the needed CRL.
It is possible that the server gives out a different chain because RouterOS as a client is different than your browser. You should try to packet sniff and see the full chain that server sends to RouterOS.

It is very likely that server responds with a different certificate chain because RouterOS is not the same kind of client as a web browser.
Yes, it finally works!!! You should update the guide with two working examples, one with "yes" and one with "yes-without-crl".

For the sake of the community, here's how I made it work with a DigiCert EV certificate:
  • Of course, make sure your website is configured properly and the green bar appears in Chrome/Firefox
  • From Chrome, export the EV CA certificate of DigiCert
  • Upload the certificate to RouterOS
  • Make sure you are using v6.41
  • Import the certificate under /system certificate (no passphrase)
  • /tool fetch mode=https address=www.yourdomain.com host=www.yourdomain.com check-certificate=yes-without-crl ........
Cheers,
Best Regards,
Simone
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: /tool fetch https check-certificate=yes undocumented, not working...

Tue Jan 23, 2018 11:05 am

Thanks for going this difficult road to reach that result.

I could not find that in the forum because Mikrotik omitted the "-" between check and certificate.

The WiKi has proven to be a problem because it is not up to date and closed for input by owners of Mikrotik equipment.
 
xdrum
just joined
Posts: 1
Joined: Sun Jul 08, 2018 12:57 am

Re: /tool fetch https check-certificate=yes undocumented, not working...

Sun Jul 08, 2018 1:14 am

Still no luck here with certificate validation (6.42.3 here), it fails with:
status: failed
failure: ssl connection error: handshake failed: unable to get local issuer certificate (6)
Steps to reproduce:
- import the EV CA certificate of DigiCert (upload the file, import the cert)
- run fetch against a valid letsencrypt site
[admin@Mikrotik] > /tool fetch check-certificate=yes-without-crl url="https://valid-isrgrootx1.letsencrypt.org/"
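The outcomes discussed in this thread (the working steps with yes-without-crl earlier, normis's point that the client has to receive the full chain, and the "unable to get local issuer certificate" failure in this last post) can be reproduced offline with a throw-away PKI. This is an added example, not code from the thread or from MikroTik: it uses the openssl CLI in place of RouterOS, and the CA names, the hostname www.example.test and every file it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a tiny PKI (root -> intermediate -> leaf)
# plus one unrelated root, then validate the leaf under the four situations that
# come up in the discussion. All names and files here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req/x509 configuration: one extension profile for CAs, one for server leaves.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Self-signed root ($1 = file prefix, $2 = CN). "other" stands for a CA the router
# trusts but which did not issue the target site's certificate.
mk_root() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.crt" -days 30 -subj "/CN=$2" \
    -config demo.cnf -extensions ca_ext 2>/dev/null
}
mk_root root  "Demo Root CA"
mk_root other "Unrelated Root CA"

# Issue a certificate: $1 = prefix, $2 = CN, $3 = issuer prefix, $4 = extension profile.
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" -config demo.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -out "$1.crt" -days 30 -extfile demo.cnf -extensions "$4" 2>/dev/null
}
issue inter "Demo Intermediate CA" root  ca_ext
issue leaf  "www.example.test"     inter leaf_ext

# Validate leaf.crt the way a TLS client does.
#   $1 = trusted store (the analogue of the router's certificate list)
#   $2 = intermediates the server sent alongside the leaf ("" = leaf only)
#   $3 = extra openssl verify flags, e.g. -crl_check (optional)
# Prints "OK" or OpenSSL's reason text for the first failure.
verify_chain() {
  store=$1; sent=$2; extra=${3:-}
  if [ -n "$sent" ]; then
    out=$(openssl verify -CAfile "$store" -untrusted "$sent" $extra leaf.crt 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$store" $extra leaf.crt 2>&1 || true)
  fi
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n 1 ;;
  esac
}

echo "full chain, issuing root trusted:   $(verify_chain root.crt inter.crt)"
echo "leaf only, issuing root trusted:    $(verify_chain root.crt '')"
echo "full chain, unrelated root trusted: $(verify_chain other.crt inter.crt)"
echo "full chain, CRL check, no CRL:      $(verify_chain root.crt inter.crt -crl_check)"
```

The second line is what normis suggested looking for with a packet capture: a server that sends only its leaf leaves the client unable to reach a trusted root, no matter which CAs are installed. The third line is the situation in this last post, where the imported DigiCert CA cannot validate a Let's Encrypt site whose chain ends in a different root. The fourth line is the openssl analogue of check-certificate=yes on a router whose CRL entry has never been populated (the Jan/01/1970 timestamps shown earlier): the chain itself is fine, but the revocation check has nothing to consult, which is why yes-without-crl succeeded where yes did not.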
