Webfig with HTTPS support?

Posted: Thu Mar 13, 2014 7:35 am
by tazdevil
How do I configure Webfig to use https? I turned on ssl-http in IP/Services and installed a certificate, but I still get an SSL error when I try to access Webfig through https://192.168.88.1.

Thanks.

Re: Webfig with HTTPS support?

Posted: Thu Mar 13, 2014 1:04 pm
by rextended
RouterOS version?
RouterBoard used?
[Remember to specify that every time]

Probably the certificates are not installed correctly
http://wiki.mikrotik.com/wiki/SSL_Certificate_setup

Also check whether the firewall is blocking/redirecting anything.

If you use ROS 6.10 there is a problem fixed on 6.11 (wait official version):
*) ssl - not finding CRL in local store for any certificate in trust chain will cause connection to fail;

Re: Webfig with HTTPS support?

Posted: Fri Mar 14, 2014 3:50 am
by tazdevil
Hi rextended,

RouterOS version = 6.10
RouterBoard used = RB951Ui
RouterBoard Firmware = 3.12

I generated the certificate from my Ubuntu machine with openssl x509. I used System/Certificates to import the file. Do I need to set up the firewall for local access, i.e., 192.168.88.1?

Thanks.
Vincent

Re: Webfig with HTTPS support?

Posted: Wed Dec 10, 2014 5:13 pm
by tomazstrukelj
I have the same issue; I have created a self-signed certificate, copied together key, csr, cert, added the resulting file with "/certificate import file-name=mikrotik_rb450g_all.crt" (have also tried with key and cert only, without csr), and set the resulting cert1 to service www-ssl.
But it doesn't work, Chrome returns Error code: ERR_CONNECTION_REFUSED. I can telnet to 443, so the service is working, just not correctly.
The certificate is shown correctly in System > Certificates.

RouterOS version = 5.14
RouterBoard used = 450G
RouterBoard Firmware = 2.23

Re: Webfig with HTTPS support?

Posted: Tue Nov 03, 2015 5:54 pm
by Uqbar
I fear the problem is in the choice of available SSL ciphers.

aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks
eNULL contains null-encryption ciphers (cleartext)
EXPORT are legacy weak ciphers that were marked as exportable by US law
RC4 contains ciphers that use the deprecated ARCFOUR algorithm
DES contains ciphers that use the deprecated Data Encryption Standard
SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated
MD5 contains all the ciphers that use the deprecated message digest 5 as the hashing algorithm

If any of these are used by RouterOS, then the "modern" browsers will refuse to connect.

Re: Webfig with HTTPS support?

Posted: Tue Nov 03, 2015 6:41 pm
by chechito
I use the certificates autogenerated by capsman :lol:

Re: Webfig with HTTPS support?

Posted: Tue Nov 03, 2015 7:48 pm
by Uqbar
It looks like this is a top secret.
:?

Re: Webfig with HTTPS support?

Posted: Sat Jan 09, 2016 2:02 am
by HiltonT
This issue still persists with 6.33.3 and 6.34rc34:

This webpage is not available

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

A secure connection cannot be established because this site uses an unsupported protocol.

Re: Webfig with HTTPS support?

Posted: Sat Jan 09, 2016 1:02 pm
by Uqbar
Is there anyone out there that knows anything about this?
The RouterOS HTTPS stuff needs an update!!!

Re: Webfig with HTTPS support?

Posted: Sun Mar 27, 2016 5:08 am
by zespri
This is what worked for me:

https://blog.a2o.si/2015/08/11/mikrotik ... ble-https/


#1. Create CA certificate first:
/certificate add name=my-rtr-ca common-name=my-rtr-ca key-usage=key-cert-sign,crl-sign

#2. Sign the CA certificate:
/certificate sign my-rtr-ca

#3. Now create a regular certificate for HTTPS access:
/certificate add name=my-rtr common-name=my-rtr

#4. Sign it with CA from steps 1&2:
/certificate sign ca=my-rtr-ca my-rtr

#5. And finally, assign the new certificate to HTTPS service:
/ip service set www-ssl certificate=my-rtr

Re: Webfig with HTTPS support?

Posted: Sun Mar 27, 2016 1:00 pm
by Uqbar
Which RouterOS version?

Re: Webfig with HTTPS support?

Posted: Sun Mar 27, 2016 2:12 pm
by zespri
> Which RouterOS version?

6.34.3

Re: Webfig with HTTPS support?

Posted: Mon Aug 08, 2016 10:42 pm
by mitchellmnr
6.36 is still showing this issue and 6.37 doesn't seem to have any fixes for this yet.

Re: Webfig with HTTPS support?

Posted: Sat Aug 20, 2016 11:25 pm
by micromaxi
Yeah, same issue here. Time to solve this, MikroTik!

Re: Webfig with HTTPS support?

Posted: Sun Aug 21, 2016 3:56 am
by Rivera
I stumbled upon the same problem, and it turns out you need to import the certificate twice (I had both key and cert in the same file).
The first pass imports the cert only, the second imports the private keys. Again, only if you have cert & key in the same file.
You should see "KT" status near the certificate after that, where "K" means that the certificate is matched with a private key and "T" means that the certificate is trusted. Just "K" should be fine too.
After that, SSL connections to Webfig started working for me.

Re: Webfig with HTTPS support?

Posted: Mon Aug 22, 2016 4:40 pm
by maximan
I use:

http://www.selfsignedcertificate.com/

Just create the certs .key and .csr, then import them on ROS. After that, enable https with these certs.

M.

Re: Webfig with HTTPS support?

Posted: Wed Aug 31, 2016 1:13 pm
by gipfelgoas
> I use:
>
> http://www.selfsignedcertificate.com/
>
> Just create the certs .key and .csr, then import them on ROS. After that, enable https with these certs.
>
> M.

How have you done it?

Mine is still not working...

Re: Webfig with HTTPS support?

Posted: Sat Sep 03, 2016 10:12 am
by dnadih
I can confirm that this issue is still unresolved.
.. still getting this error: "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"

Re: Webfig with HTTPS support?

Posted: Mon Sep 05, 2016 9:47 pm
by boldsuck
Mmmmh, no problems here for years with CAcert.org & current ROS.
Just switched to: 6.37rc27 -> https Webfig login is fine as ever :D

I've generated a .p12 file for import to my Tikl.
~$ openssl pkcs12 -export -inkey mikrotik_example_com.key -in mikrotik_example_com.crt -certfile CAcert.org.crt -out mikrotik_example_com.p12 -name mikrotik.example.com
After import the Cert has (Status: KLT Key Size: 4096)

Don't forget the CAcert Root & Class3 Cert in your browser or system & Android devices.

Re: Webfig with HTTPS support?

Posted: Tue Sep 06, 2016 9:16 am
by gipfelgoas
> Mmmmh, no problems here for years with CAcert.org & current ROS.
> Just switched to: 6.37rc27 -> https Webfig login is fine as ever :D
>
> I've generated a .p12 file for import to my Tikl.
> ~$ openssl pkcs12 -export -inkey mikrotik_example_com.key -in mikrotik_example_com.crt -certfile CAcert.org.crt -out mikrotik_example_com.p12 -name mikrotik.example.com
> After import the Cert has (Status: KLT Key Size: 4096)
>
> Don't forget the CAcert Root & Class3 Cert in your browser or system & Android devices.

I'm using https://www.startssl.com/ to make the cert. The CA is fine, as the same thing works without error for my Synology NAS. So it must be a config problem of MikroTik...

Re: Webfig with HTTPS support?

Posted: Thu Dec 08, 2016 7:06 am
by colanderman
Yes, for me too (on 6.37.3) although I had to set key-usage=tls-server when creating the TLS certificate.

Re: Webfig with HTTPS support?

Posted: Tue Jun 20, 2017 10:24 pm
by jakube
I was facing the same issue when I was trying to install a certificate issued by my domain CA to use with RouterOS. Then I realized that the Winbox function didn't import the private key for my new certificate. The workaround was to use the /certificate import command in the terminal. Since then I don't get the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error anymore. Seems like a bug in Winbox. Another solution is to use a self-signed certificate as mentioned here before.
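For the missing-private-key cases described in the posts above (key and certificate in one file, or an import that leaves the key behind), here is an added example that is not from any poster: a Python check that lists what a PEM bundle contains before it is uploaded for `/certificate import`. The sample bundle uses constructed placeholder bytes and the function names are illustrative.

```python
import base64
import re

# One PEM block: captures the label and everything between the markers.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inventory(bundle_text):
    """Count certificates, private keys and CSRs in a PEM bundle."""
    report = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0,
              "csrs": 0, "damaged": []}
    for label, body in PEM_BLOCK.findall(bundle_text):
        # Legacy encrypted keys put RFC 1421 headers before the base64 body.
        legacy_enc = "Proc-Type: 4,ENCRYPTED" in body
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""
        # Unencrypted DER objects start with an ASN.1 SEQUENCE tag (0x30).
        if not der or (der[0] != 0x30 and not legacy_enc):
            report["damaged"].append(label)
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            if legacy_enc or label == "ENCRYPTED PRIVATE KEY":
                report["encrypted_keys"] += 1
        elif label.endswith("CERTIFICATE REQUEST"):
            report["csrs"] += 1
        elif label == "CERTIFICATE":
            report["certificates"] += 1
    return report

def pem_block(label, der, headers=""):
    """Build a PEM block around the given bytes (used for the sample only)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed sample: placeholder bytes, not real key material.
SAMPLE = (
    pem_block("RSA PRIVATE KEY", b"\x9c" * 48,
              "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,0011223344556677\n\n")
    + pem_block("CERTIFICATE REQUEST", b"\x30\x82\x01\x00" + b"\x00" * 44)
    + pem_block("CERTIFICATE", b"\x30\x82\x02\x00" + b"\x00" * 44)
    + "-----BEGIN CERTIFICATE-----\nMIIB@@cut-off\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(inventory(SAMPLE))
```

A bundle that reports `private_keys: 0` cannot produce the "K" flag mentioned earlier in the thread, and an entry under `damaged` points to a block that was cut off or corrupted while the files were being concatenated.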

Re: Webfig with HTTPS support?

Posted: Wed Nov 14, 2018 2:17 pm
by mrslk
Dear all,

I suggest you follow the instructions here: https://www.medo64.com/2016/11/enabling ... -mikrotik/
The thing that solved it for me was to set: IP -> Services -> www-ssl -> select the certificate that you want to use.

After that it will work; for me, I set up DNS to point to the MikroTik gateway IP.