abbio90
Member
Topic Author
Posts: 470
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano

renew ssl certificate let's encrypt

Mon Mar 17, 2025 11:43 pm

If I create a certificate with Let's Encrypt with the command
/certificate/enable-ssl-certificate dns-name=name.ddns.org
does the renewal happen automatically? I found myself with an expired certificate and the renewal did not happen. Do I have to force the renewal with a script?
 
xrlls
Member Candidate
Posts: 108
Joined: Sun Jan 13, 2019 4:43 pm
Location: Copenhagen, DK

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 7:49 am

It does not renew itself automatically, so you will have to script your way out of it. Also, please remember to open and close port 80 in the firewall programmatically, as leaving it open is a recipe for disaster :shock:
 
abbio90
Member
Topic Author
Posts: 470
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 10:37 am

Is it worth making a script that checks every day and, when there is one day left before expiry, removes the certificate and replaces it, rebinding it to the hotspot and in IP services?
 
normis
MikroTik Support
Posts: 27079
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 10:39 am

No need to script, the renewal is built in as described here:
https://help.mikrotik.com/docs/spaces/R ... rtificates
 
infabo
Forum Guru
Posts: 1697
Joined: Thu Nov 12, 2020 12:07 pm

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 10:48 am

The last time I created a LE certificate by
/certificate/enable-ssl-certificate type=cloud-dns
it worked. This was sometime in Dec/24. The certificate expired at the beginning of March/25 IIRC and was never renewed automatically. I found out by visiting WebFig: I saw the SSL warning, and cert-info said it was expired. But no matter what I tried, I was not able to renew the certificate. Then I removed the certificate, thinking it would work by starting from scratch. But that did not work either. I reported it to MT support but got in response: you must open port 80. Well, the selling point of the cloud DNS challenge is: no need to open port 80.
 
abbio90
Member
Topic Author
Posts: 470
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 10:59 am

No need to script, the renewal is built in as described here:
https://help.mikrotik.com/docs/spaces/R ... rtificates
To make it renew automatically, do I have to configure the SCEP server part? The help page in question is not very detailed regarding renewal.
 
xrlls
Member Candidate
Posts: 108
Joined: Sun Jan 13, 2019 4:43 pm
Location: Copenhagen, DK

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 11:58 am

I have the same experience as @infabo, but it might be because I am not willing to leave port 80 open, as MT support suggested to @infabo.
 
normis
MikroTik Support
Posts: 27079
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 1:06 pm

Disable the WWW service and then you can safely leave TCP 80 open in the input chain; it will not pose any risk. Your WebFig will work on WWW-SSL anyway, so it will not be affected.

But there will be a new method soon, that will not require you to even do that.
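The pieces suggested in this thread (a daily check that renews shortly before expiry, port 80 opened only while the challenge runs, and the plain WWW service disabled) can be combined into one scheduled RouterOS script. The script below is an added example, not code from this thread or from MikroTik. It assumes a disabled input-chain accept rule with the comment "acme-http" already exists, uses the DNS name from the opening post, and relies on the `expired` flag and the `expires-after` value that `/certificate print detail` shows on RouterOS 7; it follows the HTTP-01 path the thread describes and does not touch hotspot bindings.

```routeros
# Added example (not from the thread or from MikroTik). Run once a day: it
# requests a new Let's Encrypt certificate only when the current one is
# expired or close to expiry, and enables the TCP/80 accept rule only for
# the duration of the HTTP-01 challenge.
#
# One-time setup, assumed to have been done from the CLI:
#   /ip service disable www
#   /ip firewall filter add chain=input protocol=tcp dst-port=80 \
#       action=accept comment="acme-http" disabled=yes place-before=0
#   /system script add name=acme-renew source=<this script>
#   /system scheduler add name=acme-renew interval=1d \
#       start-time=03:00:00 on-event=acme-renew

# DNS name from the opening post; assumed to belong to this router
:local dnsName "name.ddns.org"
# renew when less than a week of validity is left
:local renewWindow 7d
:local ruleId [/ip firewall filter find where comment="acme-http"]

:if ([:len $ruleId] = 0) do={
    :log error "acme: firewall rule with comment acme-http not found"
    :error "acme-http rule missing"
}

# Match the certificate by its common-name. expired is the E flag and
# expires-after the remaining lifetime, as printed by /certificate print detail.
:local certIds [/certificate find where common-name=$dnsName]
:local needRenew false
:if ([:len $certIds] = 0) do={
    :set needRenew true
} else={
    :local certId [:pick $certIds 0]
    :if ([/certificate get $certId expired] = true) do={
        :set needRenew true
    } else={
        :if ([/certificate get $certId expires-after] < $renewWindow) do={
            :set needRenew true
        }
    }
}

:if ($needRenew) do={
    :log info "acme: requesting certificate for $dnsName"
    /ip firewall filter enable $ruleId
    :do {
        /certificate enable-ssl-certificate dns-name=$dnsName
        :log info "acme: certificate for $dnsName renewed"
    } on-error={
        :log error "acme: renewal for $dnsName failed; check that TCP/80 reaches this router"
    }
    # close the port again whether or not the challenge succeeded
    /ip firewall filter disable $ruleId
} else={
    :log info "acme: certificate for $dnsName still valid, nothing to do"
}
```

The rule is disabled again even when the request fails, so a broken renewal never leaves TCP/80 exposed; the log lines make a silent expiry (the failure mode described in this thread) visible in `/log print` rather than only as a browser warning.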
 
Larsa
Forum Guru
Posts: 1943
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 1:13 pm

I thought the whole idea of the Let's Encrypt DNS-01 challenge was that it doesn't require port 80 at all. Have I missed something?
 
infabo
Forum Guru
Posts: 1697
Joined: Thu Nov 12, 2020 12:07 pm

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 1:22 pm

It is. And it actually worked without port 80 open when I first issued the certificate with type=cloud-dns. This was introduced in 7.16. But maybe it is broken now. I don't know.
 
abbio90
Member
Topic Author
Posts: 470
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 1:27 pm

Disable the WWW service and then you can safely leave TCP 80 open in the input chain; it will not pose any risk. Your WebFig will work on WWW-SSL anyway, so it will not be affected.

But there will be a new method soon, that will not require you to even do that.
Do you have a list of domains or IPs used for renewal? It doesn't seem very professional to expose the port to everyone unless there is a service exposed on it.
 
Larsa
Forum Guru
Posts: 1943
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 2:09 pm

It is. And it actually worked without port 80 open when I first issued the certificate with type=cloud-dns. This was introduced in 7.16. But maybe it is broken now. I don't know.

Yeah, sounds like a bug to me. Maybe someone should open a ticket or mail "support@mikrotik.com" about it.
 
infabo
Forum Guru
Posts: 1697
Joined: Thu Nov 12, 2020 12:07 pm

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 3:09 pm

MikroTik support acknowledged the issue today:
The issue has been reproduced, we look forward to fixing it in upcoming RouterOS versions.

Currently, the provided type is ignored and http-01 challenge is used.
 
Larsa
Forum Guru
Posts: 1943
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 6:53 pm

Thanks for the feedback!

Does anyone know whether it's only www-ssl that works with automatic renewal of LE certificates using the DNS-01 challenge, or whether it will also work for IPsec and cloud domains (i.e., "type=cloud-dns")?
 
pe1chl
Forum Guru
Posts: 10650
Joined: Mon Jun 08, 2015 12:09 pm

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 8:56 pm

Do you have a list of domains or IPs used for renewal? It doesn't seem very professional to expose the port to everyone unless there is a service exposed on it.
There is no published list of IP addresses used for renewal. There is some document that says they don't publish it to reduce the risk of man-in-the-middle attacks.

I tried to put them in a list but they are changing all the time.
 
rextended
Forum Guru
Posts: 13091
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: renew ssl certificate let's encrypt

Tue Mar 18, 2025 9:13 pm

Do you have a list of domains or IPs used for renewal? It doesn't seem very professional to expose the port to everyone unless there is a service exposed on it.

The service is not provided by MikroTik, so ask Let's Encrypt for the list... if they give it to you.

https://letsencrypt.org/docs/faq/#what- ... web-server