 
own3r1138
Long time Member
Topic Author
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Let's Encrypt automatic certificate renewal

Thu Sep 15, 2022 12:00 pm

Hi,
Is there any known reason why my certificate is not being renewed automatically?
WWW is enabled, and the firewall rule looks okay to me.
2022-09-15_13-28-01.jpg
2022-09-15_13-16-40.jpg
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Let's Encrypt automatic certificate renewal

Thu Sep 15, 2022 4:09 pm

WWW is enabled, and the firewall rule looks okay to me.

I hate looking at screenshots; please post a full text export of the configuration. Only then will we be able to comment on the "firewall rule looks okay" part of the quoted post.
 
own3r1138
Long time Member
Topic Author
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt automatic certificate renewal

Thu Sep 15, 2022 4:46 pm

I hate to look at screenshots, please post full text export of configuration. Only then we'll be able to comment on the "firewall rule looks okay" part of quoted post.
Hi,
Thank you for your reply. Please note that when I exported my config, the "www" service was not in the export. However, in Winbox it shows as an enabled service.
Maybe due to my mistake in disabling something at "/IP/firewall/service-port", IDK.
/ip service print
Flags: X - DISABLED, I - INVALID
Columns: NAME, PORT, CERTIFICATE, VRF
#   NAME     PORT      CERTIFICATE                               VRF
0 X telnet   23                                                  main
1 X FTP      21
2   www      80                                                  main
3 X ssh      22                                                  main
4   www-ssl  443       letsencrypt-autogen_2022-09-14T15:11:35Z  main
5 X API      8728                                                main
6   winbox   redacted                                            main
7 X api-ssl  8729      none                                      main
Here is my config, Please, be gentle. :D
hap3.txt
 
kriszos
just joined
Posts: 23
Joined: Thu Dec 21, 2017 3:08 pm

Re: Let's Encrypt automatic certificate renewal

Fri Sep 16, 2022 1:40 pm

I am experiencing the same issue as OP. In the firewall filter, dst TCP 80 is accepted on input, and the www service on port 80 is enabled. After issuing
/certificate enable-ssl-certificate dns-name=domain.example.com
I get the following result:
progress: [success] ssl certificate updated
The cert is renamed but not renewed. Now it is expiring in 3 days. :-(
My config below:
/ip service
set telnet address="" disabled=yes port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=le-cert.cer disabled=yes port=443 tls-version=any vrf=main
set api address="" disabled=yes port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=yes port=8729 tls-version=any vrf=main
/ip firewall filter 
add action=accept chain=input comment=ALLOW_HTTP_FOR_LETSENCRYPT_VALIDATION disabled=no place-before=0 protocol=tcp port=80
edit:
What is even weirder, the "expires-after" field does not match between the CLI and Winbox: the CLI shows 1w4d while Winbox shows 3d.
 
own3r1138
Long time Member
Topic Author
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt automatic certificate renewal

Fri Sep 16, 2022 6:16 pm

This is what I came up with.
# scheduler interval: 80d 00:00:00
:log info "Script - Certificate renewal"
:local ipWWW [/ip/service find name=www];
/ip/service set $ipWWW disabled=no
/ip firewall filter set disabled=no [find comment="IP Services HTTP"]
certificate remove [find common-name="CERT-CN"];
certificate enable-ssl-certificate dns="CERT-DNS-RECORD";
:delay 30s
:log info "Script - Certificate renewal | UM certificate update"
:local certCN [/certificate find common-name=CERT-CN];
:local certN [/certificate get $certCN value=name];
/user-manager set certificate=$certN
:delay 5s
:log info "Script - Certificate renewal | UM CERT- done!"
:log info "Script - Certificate renewal | WIFI EAP certificate update"
:local wifiEAP [/interface/wireless/security-profiles find name=EAP];
/interface/wireless/security-profiles/ set $wifiEAP tls-certificate=$certN
:delay 5s
:log info "Script - Certificate renewal | WIFI EAP CERT- done!"
:log info "Script - Certificate renewal | IP Services certificate update"
:local certWWW [/ip/service find name=www-ssl];
/ip/service set $certWWW certificate=$certN
:delay 5s
:log info "Script - Certificate renewal | IP Services CERT- done!"
:delay 5s
:local ipWWW [/ip/service find name=www];
/ip/service set $ipWWW disabled=yes
/ip firewall filter set disabled=yes [find comment="IP Services HTTP"]
:delay 5s
:log info "Script - Certificate renewal | www service & firewall rule are disabled."

 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let's Encrypt automatic certificate renewal

Thu Sep 22, 2022 10:40 pm

I do NOT fix your script or test it; I'm rewriting it correctly as an example for you of the correct way to write a script:
:log info "Script - Certificate renewal start"

:local commName "CERT-CN"
:local dnsName  "CERT-DNS-RECORD"

/ip service
set www disabled=no

/ip firewall filter
enable [find where comment="IP Services HTTP"]

/certificate
remove [find where common-name=$commName]
enable-ssl-certificate dns=$dnsName

# better insert here a loop that checks whether the cert is ready, or times out after x seconds
:delay 30s

/certificate
:local certName [get [find where common-name=$commName] name]

:log info "Script - Certificate renewal | UM certificate update"
/user-manager
set certificate=$certName
:log info "Script - Certificate renewal | UM certificate update done!"

:log info "Script - Certificate renewal | WIFI EAP certificate update"
/interface wireless security-profiles
set [find where name="EAP"] tls-certificate=$certName
:log info "Script - Certificate renewal | WIFI EAP certificate update done!"

:log info "Script - Certificate renewal | IP Services certificate update"
/ip service
set www-ssl certificate=$certName
:log info "Script - Certificate renewal | IP Services certificate update done!"

/ip service
set www disabled=yes

/ip firewall filter
disable [find where comment="IP Services HTTP"]

:log info "Script - Certificate renewal end"

Version without all the logging frills:
:log info "Script - Certificate renewal start"

:local commName "CERT-CN"
:local dnsName  "CERT-DNS-RECORD"

/ip service set www disabled=no
/ip firewall filter enable [find where comment="IP Services HTTP"]

/certificate
remove [find where common-name=$commName]
enable-ssl-certificate dns=$dnsName
:delay 30s
:local certName [get [find where common-name=$commName] name]

/user-manager set certificate=$certName

/interface wireless security-profiles set [find where name="EAP"] tls-certificate=$certName

/ip service set www-ssl certificate=$certName

/ip service set www disabled=yes
/ip firewall filter disable [find where comment="IP Services HTTP"]

:log info "Script - Certificate renewal end"

Both versions assume that the firewall filter rule commented "IP Services HTTP" exists.
When you share a script, also share instructions, and check whether it only works on your device because of other items not written in the post.
 
own3r1138
Long time Member
Topic Author
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt automatic certificate renewal

Thu Sep 22, 2022 11:21 pm

As I said in the other post, it certainly could use your touch/magic. I appreciate your time and effort. I will do better next time now that I have an example to follow. Although, at this point, what you have suggested "better insert a loop that checks when cert is ready or timeout after x " is beyond my knowledge.
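To give the loop rextended suggests a concrete shape, here is an added example written for this thread (it is not rextended's or own3r1138's code): the fixed ":delay 30s" is replaced by a poll that waits for a certificate with the expected common name to appear or gives up after a timeout, and the www service and the firewall rule are closed again on both success and failure, so a failed ACME run does not leave TCP/80 open. CERT-CN, CERT-DNS-RECORD, the 120-second timeout and the rule comment "IP Services HTTP" are placeholders carried over from the scripts above.

```routeros
# Added example for this thread, not rextended's or own3r1138's script.
# Assumptions: a firewall input rule commented "IP Services HTTP" accepts TCP/80,
# and CERT-CN / CERT-DNS-RECORD are replaced with the real values.
:local commName "CERT-CN"
:local dnsName  "CERT-DNS-RECORD"
:local timeout  120
:local waited   0
:local certName ""

# TCP/80 is only needed while the ACME HTTP-01 check runs; open it for this run only.
/ip service set www disabled=no
/ip firewall filter enable [find where comment="IP Services HTTP"]

:do {
    /certificate remove [find where common-name=$commName]
    /certificate enable-ssl-certificate dns-name=$dnsName

    # Poll instead of a fixed delay: stop as soon as the new certificate exists,
    # or after $timeout seconds.
    :while (([:len [/certificate find where common-name=$commName]] = 0) && ($waited < $timeout)) do={
        :delay 5s
        :set waited ($waited + 5)
    }
    :if ([:len [/certificate find where common-name=$commName]] = 0) do={
        :error "no certificate with common-name $commName after $timeout seconds"
    }

    # The old certificate was removed above, so exactly one match is expected;
    # :pick takes the first id in case a leftover copy is still present.
    :set certName [/certificate get [:pick [/certificate find where common-name=$commName] 0] name]
    :log info "Script - Certificate renewal | using $certName after $waited seconds"

    # Re-point the consumer at the new certificate. The other consumers in this
    # thread (user-manager, the EAP security profile, sstp-server) follow the same pattern.
    /ip service set www-ssl certificate=$certName
} on-error={
    :log error "Script - Certificate renewal | failed, www-ssl certificate left unchanged"
}

# Reached on success and on failure: TCP/80 is never left open after the run.
/ip service set www disabled=yes
/ip firewall filter disable [find where comment="IP Services HTTP"]
:log info "Script - Certificate renewal | www service & firewall rule disabled"
```

The ":do { } on-error={ }" block is what makes the cleanup reliable: if enable-ssl-certificate fails, or the poll times out and ":error" is raised, control still reaches the two lines that disable www and the rule. Keep the scheduler interval well below the certificate lifetime so a single failed run is caught by the next one.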
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let's Encrypt automatic certificate renewal

Thu Sep 22, 2022 11:27 pm

My goal in these cases is to teach, not to solve... (usually I don't solve if at that moment I cannot test what I write)

Sorry if I don't explain well or seem rude, but not being English I have difficulty expressing myself;
often, using automatic translators, the sentences come out worse than if I write them directly, so I often explain little and let the scripts speak.

(●'◡'●)
 
own3r1138
Long time Member
Topic Author
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt automatic certificate renewal

Thu Sep 22, 2022 11:35 pm

It's okay, I understand as I suffer the same way.
Personally, I check everything I write in English with Grammarly and after that run it through Google Translate into my first language, and still it confuses people.
 
securenss
just joined
Posts: 1
Joined: Tue Nov 08, 2022 8:31 am

Re: Let's Encrypt automatic certificate renewal

Tue Nov 08, 2022 11:32 am

Thanks "rextended", very clear script. I tested this script and added the SSTP function. It worked fine for me. :D
:log info "Script - Certificate renewal start"

:local commName "your Domain Common Name"
:local dnsName  "your Domain Name"

/ip service
set www disabled=no

/ip firewall filter
enable [find where comment="IP Services HTTP"]

/certificate
remove [find where common-name=$commName]
enable-ssl-certificate dns=$dnsName

# better insert here a loop that checks whether the cert is ready, or times out after x seconds
:delay 30s

/certificate
:local certName [get [find where common-name=$commName] name]

:log info "Script - Certificate renewal | UM certificate update"
/user-manager
set certificate=$certName
:log info "Script - Certificate renewal | UM certificate update done!"

:log info "Script - Certificate renewal | WIFI EAP certificate update"
/interface wireless security-profiles
set [find where name="EAP"] tls-certificate=$certName
:log info "Script - Certificate renewal | WIFI EAP certificate update done!"

:log info "Script - Certificate renewal | IP Services certificate update"
/ip service
set www-ssl certificate=$certName
:log info "Script - Certificate renewal | IP Services certificate update done!"

:log info "Script - Certificate renewal | SSTP Server  certificate update"
/interface sstp-server server
set certificate=$certName
:log info "Script - Certificate renewal | SSTP Server  certificate update done!"

/ip service
set www disabled=yes

/ip firewall filter
disable [find where comment="IP Services HTTP"]

:log info "Script - Certificate renewal end"
 
pincio
just joined
Posts: 7
Joined: Thu Aug 04, 2016 9:17 pm

Re: Let's Encrypt automatic certificate renewal

Thu Dec 01, 2022 4:15 pm

If it would be helpful to you, I wrote an auto-renewal script; you can find it at https://github.com/pincioc/LetsEncrypt_OSScript

Ratings and comments are highly appreciated.

Mauro
 
ivanforreg2015
just joined
Posts: 3
Joined: Mon Apr 10, 2023 7:42 pm

Re: Let's Encrypt automatic certificate renewal

Fri Apr 14, 2023 12:20 pm

If it would be helpful to you, I wrote an auto-renewal script; you can find it at https://github.com/pincioc/LetsEncrypt_OSScript

Ratings and comments are highly appreciated.

Mauro
Good afternoon Mauro!
Please help me.

I am running your script:
https://github.com/pincioc/LetsEncrypt_ ... issues/new

Line of code
  :if ( [/certificate enable-ssl-certificate dns-name=$dnsName] = 0 ) do={ ...
} else={
         :log info "[Letsencrypt_OSScript] - Nothing to do!"
}
always returns non-zero.
Every time I run the script, I get a log message "[Letsencrypt_OSScript] - Nothing to do!"
But this updates the certificate anyway!

I can't find documentation of what type of data the command
[/certificate enable-ssl-certificate dns-name=$dnsName]
should return. Please share information about the return data type of the command
[/certificate enable-ssl-certificate dns-name=$dnsName].

Many thanks!
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let's Encrypt automatic certificate renewal

Fri Apr 14, 2023 6:09 pm

The script is full of errors.

Read the manuals instead and watch the videos.
https://help.mikrotik.com/docs/display/ ... rtificates
 
ivanforreg2015
just joined
Posts: 3
Joined: Mon Apr 10, 2023 7:42 pm

Re: Let's Encrypt automatic certificate renewal

Thu Apr 20, 2023 1:00 pm

Good day.
Line of code
  :if ( [/certificate enable-ssl-certificate dns-name=$dnsName] = 0 ) do={ ...
} else={
         :log info "[Letsencrypt_OSScript] - Nothing to do!"
}
always returns non-zero.

I rewrote this part of the script.
Perhaps someone will find it useful.
#script name
:local scrname "scr-LetsEncrypt-vpn-sampledomain"

:local Daysbefore 30
:local dnsName "vpn.sampledomain.com"

#cert name
:local certName "crt-vpn-le"

:local array [ :toarray "" ]
:local newvalue ""


:if ( ([/certificate/print count-only where common-name =$dnsName] = 0 ) || ( ([/certificate/print count-only where common-name=$dnsName] > 0) && ([/certificate/get value-name=days-valid [find common-name=$dnsName]] <  $Daysbefore) ) ) do={

	:log info "$scrname - Try to open port in firewall and enable service"
	/ip firewall/filter/add chain=input dst-port=80 protocol=tcp action=accept place-before=0 comment=$scrname
	/ip service enable [find port=80]

	:log info "$scrname - Start certificate update process"
	:set $newvalue [/certificate enable-ssl-certificate dns-name=$dnsName as-value]
	:log info "$scrname - Stop certificate update process"
	:delay 20000ms
	:log info "$scrname - Certificate update message: $[:tostr $newvalue]"

	:if ([:typeof [:find [:tostr $newvalue] "[error]"]]="nil") do={
		:log info "$scrname - Certificate Updated - Close doors"
		
		#Optional code. Can be deleted. START
		#Here I am renaming the resulting certificate, since I am using dual WANs and two different certificates for my ipsec RoadWarriors.

		:set $newvalue [/certificate/get value-name=name [find name~$certName]]
		/certificate remove [find name~$certName]
		:log info "$scrname - Certificate $newvalue removed"
		
		:local dttm [:tostr [/system clock get date]]
		:set newvalue ( $newvalue . [:pick $dttm 0 3] . [:pick $dttm 4 6] . [:pick $dttm 7 11] . "-")
		:set $dttm [:tostr [/system clock get time]]
		:set newvalue ( $newvalue . [:pick $dttm 0 2] . [:pick $dttm 3 5] . [:pick $dttm 6 8])
		:set newvalue ( $certName . "-" . $newvalue )

		/certificate set name=$newvalue [find name~"letsencrypt-autogen"]
		:log info "$scrname - Certificate renamed to $newvalue"

	
		#####
		:set newvalue [/certificate get [/certificate find where common-name=$dnsName] name ]
		:set $array ( $array, $newvalue );
		# :put [:tostr $array] 

		#R3 - its LetsEncrypt R3 for my RoadWarriors
		:set $newvalue [/certificate get [/certificate find where common-name="R3"] name ]
		# :put $newvalue
		:set $array ( $array, $newvalue );
		# :put [:tostr $array]
		/ip/ipsec/identity set [/ip/ipsec/identity find where  comment="RoadWarriors"] certificate=$array
		:log info "$scrname - array: $[:tostr $array]"
		#####

		#Optional code. Can be deleted. END
		
	} else={
		:log error "$scrname - Unable to generate certification - Close doors"
	}
     
	
	:log info "$scrname - Remove custom firewall rule and disable services"
	/ip firewall/filter/remove [find comment=$scrname]
	/ip service disable [find port=80]

} else={
	:log info "$scrname - Nothing to do!"
}
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Let's Encrypt automatic certificate renewal

Thu Apr 20, 2023 2:26 pm

Sorry, but it is STILL full of errors...
 
ivanforreg2015
just joined
Posts: 3
Joined: Mon Apr 10, 2023 7:42 pm

Re: Let's Encrypt automatic certificate renewal

Fri Apr 21, 2023 3:17 pm

Sorry, but it is STILL full of errors...
Good day!
I am not a programmer.
This script works for me on CCR2004 ROS 7.8
If it's not difficult for you, please point out the mistakes.
Many thanks!
 
edmond25
just joined
Posts: 1
Joined: Wed Nov 22, 2023 6:01 pm

Re: Let's Encrypt automatic certificate renewal

Wed Nov 22, 2023 6:14 pm

Sorry, but it is STILL full of errors...
Good day!
I am not a programmer.
This script works for me on CCR2004 ROS 7.8
If it's not difficult for you, please point out the mistakes.
Many thanks!
I used your code on the X86 platform. It works to create the certificate but fails to renew the certificate even when it is < 30 days valid. I found that the following code:

:if ( ([/certificate/print count-only where common-name =$dnsName] = 0 ) || ( ([/certificate/print count-only where common-name=$dnsName] > 0) && ([/certificate/get value-name=days-valid [find common-name=$dnsName]] < $Daysbefore) ) ) do={

may be wrong. I checked that "[/certificate/get value-name=days-valid [find common-name=$dnsName]]" is the root of the problem. It cannot read the value of days-valid. Therefore, the script will never enter the renewal process.

I rewrote it into this version:

:if ( ([/certificate/print count-only where common-name =$dnsName] = 0 ) || ( ([/certificate/print count-only where common-name=$dnsName] > 0) && ([/certificate get [find common-name=$dnsName] days-valid] < $Daysbefore) ) ) do={

It reads days-valid correctly; I verified this by displaying the value in the log:

:log info [/certificate get [find common-name=$dnsName] days-valid]

Please correct me if I am misunderstanding.
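As an added example (not edmond25's or ivanforreg2015's code) of the corrected "get" form inside a complete renewal check: the script below reads days-valid the way edmond25's fix does, but only after confirming that "find" returned something (calling "get" on an empty result is an error), and it tolerates several certificates carrying the same common name, the "renamed but not renewed" leftovers seen earlier in the thread, by taking the longest-lived one. vpn.sampledomain.com and the 30-day threshold are placeholders taken from the script above; the script only decides and logs, so it can be run as-is to check the value before wiring it into a renewal job.

```routeros
# Added example for this thread, not edmond25's or ivanforreg2015's script.
# Assumptions: vpn.sampledomain.com is the certificate's common name and 30 days
# is the renewal threshold; both are placeholders.
:local dnsName    "vpn.sampledomain.com"
:local daysBefore 30
:local needRenew  false

# find first, then get: "get" on an empty result aborts the script
:local ids   [/certificate find where common-name=$dnsName]
:local count [:len $ids]

:if ($count = 0) do={
    :log info "renewal check: no certificate for $dnsName, issuance needed"
    :set needRenew true
} else={
    # "get <id> days-valid" takes one id; with several matches use the
    # longest-lived one so a stale leftover does not trigger a pointless renewal.
    :local best 0
    :foreach id in=$ids do={
        :local d [/certificate get $id days-valid]
        :if ($d > $best) do={ :set best $d }
    }
    :log info "renewal check: $count certificate(s) for $dnsName, longest valid $best day(s)"
    :if ($best < $daysBefore) do={ :set needRenew true }
}

# $needRenew is the value a renewal job would branch on
:if ($needRenew) do={
    :log warning "renewal check: renewal due for $dnsName"
} else={
    :log info "renewal check: nothing to do for $dnsName"
}
```

Run it from the terminal (or as a script with the "read" policy) and compare the logged day count with "/certificate print detail" for the same common name before trusting it in a scheduler; a value of 0 with $count > 0 means the property read failed, which is exactly the symptom edmond25 describes.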
