mtgate
just joined
Topic Author
Posts: 10
Joined: Sat May 23, 2020 11:33 am

LetsEncrypt cert creation failed routerOS 7.1.1

Wed Jan 19, 2022 1:18 pm

I tried to create a LetsEncrypt certificate.
/certificate enable-ssl-certificate dns-name=my.domain.com
and got this ERROR:
progress: [error] http challenge validation failed, please make sure www service is enabled and your device is accessible by letsencrypt.org servers

> /ip/service www and www-ssl are enabled
> A webserver is behind the router, reachable under my.domain.com with a browser.
> Port 80 and 443 are open from all IPs and route to the webserver IP. /ip/dns/static 192.x.y.z is OK.

What else is missing to get the cert onto the router?
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Wed Jan 19, 2022 1:28 pm

What do you want to do? cert for your router or the webserver behind the router NAT?
You are right, I am wrong
You are wise, I am dumb
You are wrong, you are dumb
Don't worry, it's all right to be dumb
 
mtgate
just joined
Topic Author
Posts: 10
Joined: Sat May 23, 2020 11:33 am

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Wed Jan 19, 2022 1:34 pm

cert for the router.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Wed Jan 19, 2022 1:38 pm

So what's the
> A web server is behind the router reachable under my.domain.com with browser.
Check if your ISP accepts port 80 to your router.
https://ping.eu/port-chk/

If you use custom DNS, not the router DDNS, did you add an A or AAAA record for it at your registrar?
 
mtgate
just joined
Topic Author
Posts: 10
Joined: Sat May 23, 2020 11:33 am

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Wed Jan 19, 2022 2:02 pm

Ping on port 80 is OK and open for my IP.

my.domain.com at the webserver is reachable and already has a letsencrypt cert.
My ISP is managing the DDNS entries of the router and the webserver URLs. I have a router script for this.
In the DNS service there, no A or AAAA entry is necessary for the webserver URLs either.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Wed Jan 19, 2022 2:08 pm

Now I'm not sure what is going on; it looks more complicated than simple SSL.
So, from what I experienced with Let's Encrypt:
if you want it in RouterOS then 1 - firewall allow, 2 - www enabled, because it uses it for verifying, 3 - public IP.
And you have all of them, so I can't tell where the problem is, but the error you got I only saw when the ISP won't allow traffic over 80.
I still can't figure out what the role of your webserver is here.
> my ISP is managing the DDNS entries of the router and the web server urls
 
mtgate
just joined
Topic Author
Posts: 10
Joined: Sat May 23, 2020 11:33 am

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Wed Jan 19, 2022 2:46 pm

maybe someone else can solve the problem
thanks for that
 
Sob
Forum Guru
Posts: 8191
Joined: Mon Apr 20, 2009 9:11 pm

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Sun Jan 23, 2022 3:20 am

Do I understand it correctly that there's another webserver behind your router, and there's dstnat for port 80 going there? If so, how many IP addresses do you have? Because if it's just one, then the port can go either to webserver or to router, but not to both.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
mtgate
just joined
Topic Author
Posts: 10
Joined: Sat May 23, 2020 11:33 am

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Sun Jan 23, 2022 2:01 pm

Yes, I have dstnat port 80 to the webserver behind the router. The private IP range is 192.168.1.0/24 with 254 IPs. Let's say the webserver has static IP 192.168.1.200.
The dstnat is OK, because the webserver can be reached from the internet. I found this solution in some MikroTik support forums.

You ask if I have "another webserver". Does the router have its own webserver that can process the letsencrypt query via port 80?
So I could dstnat the port only for the cert check and renewal to the router webserver (probably with scripting).
I have already tried to dstnat port 80 to the router IP 192.168.1.1, with no success and the same letsencrypt error.
 
mkx
Forum Guru
Posts: 7679
Joined: Thu Mar 03, 2016 10:23 pm

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Sun Jan 23, 2022 2:22 pm

> Does the router have its own webserver that can process the letsencrypt query via port 80?
Router runs its own web server; mostly it's used for WebFig. It's also used to process the letsencrypt handshake.

> So I could dstnat the port only for the cert-check and renewal to the router webserver. (probably with scripting)
> I have already tried to dstnat port 80 to the router IP. 192.168.1.1 with no success and the same letsencrypt Error.
You don't dst-nat the port to the router's own address; you disable dst-nat for a while and allow connections towards port 80 in the firewall for chain=input (preferably only for a few IP addresses from which letsencrypt performs that handshake).

Another possibility is to configure your internal web server to reverse-proxy that URL to your router. If you allow WebFig access from where web server resides, then no change is needed on router. Surely you have to reconfigure internal web server only during router's certificate renewal.

Yet another possibility is to use internal web server to perform certificate renewal and then script installation of new certificate to router ... no configuration change whatsoever is needed in this case.
BR,
Metod
 
mtgate
just joined
Topic Author
Posts: 10
Joined: Sat May 23, 2020 11:33 am

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Sun Jan 23, 2022 3:03 pm

OK.
Disable dstnat 80.
Can you give me a hint what the firewall rule for port 80 looks like?
 
Sob
Forum Guru
Posts: 8191
Joined: Mon Apr 20, 2009 9:11 pm

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Sun Jan 23, 2022 9:23 pm

/ip firewall filter
add chain=input protocol=tcp dst-port=80 action=accept
But personally I'd rather go with the reverse proxy idea. Or even with the other one, to let webserver do everything and then upload resulting certificate to router.
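The procedure described in the two answers above (pause the port-80 dst-nat, accept port 80 on chain=input, run the challenge, then undo both) as one RouterOS script. This is an added example and not a script from the thread or from MikroTik; it assumes the existing dst-nat rule for the internal webserver carries comment="web80-dstnat", that the router's name is my.domain.com, and that /ip service www is enabled (all placeholders). While the input rule exists, the router's own www service is reachable from the Internet on port 80, so the rule is removed again as soon as the validation has had time to complete.

```routeros
# Added example (not from the thread): HTTP-01 validation on the router itself
# while the port-80 forward to the internal webserver is paused.
# Assumed placeholders: comment "web80-dstnat" on the existing dst-nat rule,
# dns-name my.domain.com for the router.

:local leComment "le-http01-input"

# 1. Pause the forward so port 80 reaches the router's www service, not the LAN host
/ip firewall nat disable [find comment="web80-dstnat"]

# 2. Accept port 80 on chain=input; placed first so a later drop rule does not catch it
/ip firewall filter add chain=input protocol=tcp dst-port=80 action=accept comment=$leComment place-before=0

# 3. Request (or renew) the certificate; the error from the first post means this step
#    was not reachable from outside, which the two rules above fix
:do {
    /certificate enable-ssl-certificate dns-name=my.domain.com
    :delay 30s
} on-error={
    :log warning "letsencrypt: http challenge failed, check www service and port 80 reachability"
}

# 4. Always restore the original state: drop the temporary input rule, re-enable the forward
/ip firewall filter remove [find comment=$leComment]
/ip firewall nat enable [find comment="web80-dstnat"]
```

Run it from /system script or a scheduler entry timed for renewal; the :delay only gives the validation a margin before the input rule is removed, and the cleanup in step 4 runs whether or not step 3 succeeded. Because a single public IP can answer port 80 for only one host at a time, the internal webserver is unreachable on port 80 for the duration of the script.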
 
herbrico
newbie
Posts: 25
Joined: Mon Dec 31, 2012 4:19 pm
Location: Croatia, Sisak

Re: LetsEncrypt cert creation failed routerOS 7.1.1

Wed Apr 27, 2022 5:37 pm

Hi, I'm on ROS 7.2.1. I had the same problem. This firewall rule has helped me. After the certificate was generated, I disabled the rule.

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=x.x.x.x to-ports=80 protocol=tcp dst-port=80 log=no log-prefix=""
