tazdevil
newbie
Topic Author
Posts: 29
Joined: Tue Oct 29, 2013 7:12 pm

Webfig with HTTPS support?

Thu Mar 13, 2014 7:35 am

How do I configure Webfig to use https? I turned on the ssl-http in IP/Services and installed a certificate, but I still get an SSL error when I try to access webfig through https://192.168.88.1.

Thanks.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Webfig with HTTPS support?

Thu Mar 13, 2014 1:04 pm

RouterOS version?
RouterBoard used?
[Remember to specify that every time]

Probably the certificates are not installed correctly:
http://wiki.mikrotik.com/wiki/SSL_Certificate_setup

Check also if the firewall is blocking/redirecting anything.

If you use ROS 6.10, there is a problem fixed in 6.11 (wait for the official version):
*) ssl - not finding CRL in local store for any certificate in trust chain will cause connection to fail;
 
tazdevil
newbie
Topic Author
Posts: 29
Joined: Tue Oct 29, 2013 7:12 pm

Re: Webfig with HTTPS support?

Fri Mar 14, 2014 3:50 am

Hi rextended,

RouterOS version = 6.10
RouterBoard used = RB951Ui
RouterBoard Firmware = 3.12

I generated the certificate from my Ubuntu machine with openssl x509. I used System/Certificates to import the file. Do I need to set up the firewall for local access, i.e., 192.168.88.1?

Thanks.
Vincent
 
tomazstrukelj
just joined
Posts: 1
Joined: Wed Dec 10, 2014 4:54 pm

Re: Webfig with HTTPS support?

Wed Dec 10, 2014 5:13 pm

I have the same issue; I have created a self-signed certificate, copied together key, csr, cert, added the resulting file with "/certificate import file-name=mikrotik_rb450g_all.crt" (have also tried with key and cert only, without csr), and set the resulting cert1 to service www-ssl.
But it doesn't work, Chrome returns Error code: ERR_CONNECTION_REFUSED. I can telnet to 443, so the service is working, just not correctly.
The certificate is shown correctly in System > Certificates.

RouterOS version = 5.14
RouterBoard used = 450G
RouterBoard Firmware = 2.23
 
Uqbar
Member Candidate
Posts: 125
Joined: Tue May 05, 2015 11:56 am

Re: Webfig with HTTPS support?

Tue Nov 03, 2015 5:54 pm

I fear the problem is in the choice of available SSL ciphers.

aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks
eNULL contains null-encryption ciphers (cleartext)
EXPORT are legacy weak ciphers that were marked as exportable by US law
RC4 contains ciphers that use the deprecated ARCFOUR algorithm
DES contains ciphers that use the deprecated Data Encryption Standard
SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated
MD5 contains all the ciphers that use the deprecated message digest 5 as the hashing algorithm

If any of these are used by RouterOS, then the "modern" browsers will refuse to connect.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Webfig with HTTPS support?

Tue Nov 03, 2015 6:41 pm

I use the certificates autogenerated by CAPsMAN :lol:
 
Uqbar
Member Candidate
Posts: 125
Joined: Tue May 05, 2015 11:56 am

Re: Webfig with HTTPS support?

Tue Nov 03, 2015 7:48 pm

It looks like this is a top secret.
:?
 
HiltonT
Frequent Visitor
Posts: 77
Joined: Mon Feb 07, 2011 4:24 am
Location: 'Srayamate

Re: Webfig with HTTPS support?

Sat Jan 09, 2016 2:02 am

This issue still persists with 6.33.3 and 6.34rc34:

This webpage is not available

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

A secure connection cannot be established because this site uses an unsupported protocol.
 
Uqbar
Member Candidate
Posts: 125
Joined: Tue May 05, 2015 11:56 am

Re: Webfig with HTTPS support?

Sat Jan 09, 2016 1:02 pm

Is there anyone out there that knows anything about this?
The RouterOS HTTPS stuff needs an update!!!
 
zespri
Frequent Visitor
Posts: 55
Joined: Sat Mar 26, 2016 1:45 pm

Re: Webfig with HTTPS support?

Sun Mar 27, 2016 5:08 am

This is what worked for me:

https://blog.a2o.si/2015/08/11/mikrotik ... ble-https/


#1. Create CA certificate first:
/certificate add name=my-rtr-ca common-name=my-rtr-ca key-usage=key-cert-sign,crl-sign

#2. Sign the CA certificate:
/certificate sign my-rtr-ca

#3. Now create a regular certificate for HTTPS access:
/certificate add name=my-rtr common-name=my-rtr

#4. Sign it with CA from steps 1&2:
/certificate sign ca=my-rtr-ca my-rtr

#5. And finally, assign the new certificate to HTTPS service:
/ip service set www-ssl certificate=my-rtr
 
Uqbar
Member Candidate
Posts: 125
Joined: Tue May 05, 2015 11:56 am

Re: Webfig with HTTPS support?

Sun Mar 27, 2016 1:00 pm

Which RouterOS version?
Last edited by Uqbar on Sun Mar 27, 2016 8:14 pm, edited 1 time in total.
 
zespri
Frequent Visitor
Posts: 55
Joined: Sat Mar 26, 2016 1:45 pm

Re: Webfig with HTTPS support?

Sun Mar 27, 2016 2:12 pm

> Which RouterOS version?

6.34.3
 
mitchellmnr
just joined
Posts: 6
Joined: Tue Mar 08, 2016 10:04 pm

Re: Webfig with HTTPS support?

Mon Aug 08, 2016 10:42 pm

6.36 is still showing this issue and 6.37 doesn't seem to have any fixes for this yet.
 
micromaxi
newbie
Posts: 43
Joined: Fri Feb 06, 2015 10:32 am

Re: Webfig with HTTPS support?

Sat Aug 20, 2016 11:25 pm

Yeah, same issue here. Time to solve this, MikroTik!
 
Rivera
Member Candidate
Posts: 105
Joined: Thu Jul 21, 2011 7:42 pm

Re: Webfig with HTTPS support?

Sun Aug 21, 2016 3:56 am

I stumbled upon the same problem, and it turns out you need to import the certificate twice (I had both key and cert in the same file).
The first pass imports the cert only, the second imports the private keys. Again, only if you have cert & key in the same file.
You should see "KT" status near the certificate after that, where "K" means that the certificate is matched with a private key and "T" means that the certificate is trusted. Just "K" should be fine too.
After that, SSL connections to webfig started working for me.
 
maximan
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina

Re: Webfig with HTTPS support?

Mon Aug 22, 2016 4:40 pm

I use:

http://www.selfsignedcertificate.com/

Just create the certs (.key and .csr), then import them on ROS. After that, enable https with these certs.

M.
 
gipfelgoas
just joined
Posts: 12
Joined: Wed Aug 31, 2016 1:10 pm

Re: Webfig with HTTPS support?

Wed Aug 31, 2016 1:13 pm

> I use:
>
> http://www.selfsignedcertificate.com/
>
> Just create the certs (.key and .csr), then import them on ROS. After that, enable https with these certs.
>
> M.

How have you done it?

Mine is still not working...
 
dnadih
just joined
Posts: 2
Joined: Wed Jun 08, 2016 6:58 am

Re: Webfig with HTTPS support?

Sat Sep 03, 2016 10:12 am

I can confirm that this issue is still unresolved.
.. still getting this error: "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
 
boldsuck
Frequent Visitor
Posts: 60
Joined: Sun Sep 01, 2013 1:07 am
Location: Germany

Re: Webfig with HTTPS support?

Mon Sep 05, 2016 9:47 pm

Mmmmh, no problems here for years with CAcert.org & current ROS.
Just switched to: 6.37rc27 -> https webfig login is fine as ever :D

I've generated a .p12 file for import to my Tikl.
~$ openssl pkcs12 -export -inkey mikrotik_example_com.key -in mikrotik_example_com.crt -certfile CAcert.org.crt -out mikrotik_example_com.p12 -name mikrotik.example.com
After import the cert has (Status: KLT Key Size: 4096)

Don't forget the CAcert Root & Class3 certs in your browser or system & Android devices.
 
gipfelgoas
just joined
Posts: 12
Joined: Wed Aug 31, 2016 1:10 pm

Re: Webfig with HTTPS support?

Tue Sep 06, 2016 9:16 am

> Mmmmh, no problems here for years with CAcert.org & current ROS.
> Just switched to: 6.37rc27 -> https webfig login is fine as ever :D
>
> I've generated a .p12 file for import to my Tikl.
> ~$ openssl pkcs12 -export -inkey mikrotik_example_com.key -in mikrotik_example_com.crt -certfile CAcert.org.crt -out mikrotik_example_com.p12 -name mikrotik.example.com
> After import the cert has (Status: KLT Key Size: 4096)
>
> Don't forget the CAcert Root & Class3 certs in your browser or system & Android devices.

I'm using https://www.startssl.com/ to make the cert. The CA is fine, as the same thing works without error for my Synology NAS. So it must be a config problem of MikroTik...
 
colanderman
newbie
Posts: 44
Joined: Wed Oct 28, 2015 5:21 am

Re: Webfig with HTTPS support?

Thu Dec 08, 2016 7:06 am

Yes, for me too (on 6.37.3) although I had to set key-usage=tls-server when creating the TLS certificate.
 
jakube
just joined
Posts: 1
Joined: Fri Jun 10, 2016 9:12 pm

Re: Webfig with HTTPS support?

Tue Jun 20, 2017 10:24 pm

I was facing the same issue when I was trying to install a certificate issued by my domain CA to use with RouterOS. Then I realized that the WinBox function didn't import the private key for my new certificate. The workaround was to use the /certificate import command in the terminal. Since then I don't get the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error anymore. Seems like a bug in WinBox. Another solution is to use a self-signed certificate as mentioned here before.
 
mrslk
just joined
Posts: 1
Joined: Wed Nov 14, 2018 2:12 pm

Re: Webfig with HTTPS support?

Wed Nov 14, 2018 2:17 pm

Dear all,

I suggest you follow the instructions here: https://www.medo64.com/2016/11/enabling ... -mikrotik/
The thing that solved it for me was to set: IP -> Services -> www-ssl -> select the certificate that you want to use.

After that it will work. For me, I set up DNS to point to the MikroTik gateway IP.
 
wreidlinger
just joined
Posts: 2
Joined: Mon Jun 29, 2020 5:21 pm

disable TLS 1.0 / TLS 1.1 / weak ciphers

Mon Jun 29, 2020 5:28 pm

I just set up SSL for webfig with a letsencrypt certificate and it's working just fine.
But I also want to harden the SSL / HTTPS service, so I did a vulnerability scan and the results tell me there are some vulnerable / old protocols and ciphers still active.
Is it possible to disable TLS 1.0 / TLS 1.1 or disable specific SSL / HTTPS ciphers?
'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

'Weak' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Thankful for any help,
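
A scan report laid out like the one in the post above can be triaged against the weakness classes listed earlier in the thread (aNULL, eNULL, EXPORT, RC4, DES, MD5). The script below is an added example, not part of any poster's message or of RouterOS; the sample report is constructed and the function names are hypothetical.

```python
import re

# Constructed sample, in the layout of the scan report quoted in the thread.
SAMPLE_REPORT = """\
'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

HEADER = re.compile(r"via the (TLSv[\d.]+|SSLv[\d.]+) protocol:")
SUITE = re.compile(r"^(?:TLS|SSL)_[A-Za-z0-9_]+$")
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
# Token in the suite name -> weakness class from the list in the thread.
TOKEN_CLASSES = {"anon": "aNULL", "NULL": "eNULL", "EXPORT": "EXPORT",
                 "RC4": "RC4", "DES": "DES", "DES40": "DES", "MD5": "MD5"}

def classify_suite(name):
    """Return the sorted weakness classes a suite name falls into."""
    return sorted({TOKEN_CLASSES[t] for t in name.split("_") if t in TOKEN_CLASSES})

def parse_report(text):
    """Map protocol -> list of (suite, classes) taken from the report text."""
    findings, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.search(line)
        if m:
            current = m.group(1)
            findings.setdefault(current, [])
        elif current and SUITE.match(line):
            findings[current].append((line, classify_suite(line)))
    return findings

def summarize(findings):
    """Return (deprecated protocols seen, weakness classes seen)."""
    protocols = sorted(p for p in findings if p in DEPRECATED_PROTOCOLS)
    classes = sorted({c for v in findings.values() for _, cs in v for c in cs})
    return protocols, classes

if __name__ == "__main__":
    for proto, suites in parse_report(SAMPLE_REPORT).items():
        print(proto, [(s, c or ["none listed"]) for s, c in suites])
```

A suite that returns an empty class list, such as the AES-GCM one in the sample, matched none of the thread's categories; that is not the same as the scanner having cleared it.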
