mszru
Frequent Visitor
Topic Author
Posts: 79
Joined: Wed Aug 10, 2016 10:42 am

Let's Encrypt certificate automatic renewal in ROS v7

Sat Mar 11, 2023 4:48 pm

Hi there!

I was expecting that the certificate generated by the command below would be renewed automatically, but that hasn't happened. Mine has just expired and I do not see any signs of incoming connections to port 80. The www and www-ssl IP services are running and port 80 is open for Let's Encrypt hosts:
/certificate enable-ssl-certificate dns-name=my.domain.com

In the terminal I see that the certificate has expired (E flag). WinBox displayed it as valid until I restarted the application :).
> /certificate/print 
Flags: K - PRIVATE-KEY; E - EXPIRED; T - TRUSTED
Columns: NAME, COMMON-NAME, SUBJECT-ALT-NAME
#     NAME                                      COMMON-NAME                            SUBJECT-ALT-NAME     
0   T dns-nextdns-io.pem_0                      USERTrust ECC Certification Authority                       
1 KET letsencrypt-autogen_2022-12-11T14:48:10Z  <removed>.ddns.net                      DNS:<removed>.ddns.net

Shall I run the /certificate/enable-ssl-certificate again to remove the expired certificate and generate a new one?
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt certificate automatic renewal in ROS v7

Sat Mar 11, 2023 4:53 pm

Auto-renewal doesn't work. You can use scripts for renewal later on.
 
mszru
Frequent Visitor
Topic Author
Posts: 79
Joined: Wed Aug 10, 2016 10:42 am

Re: Let's Encrypt certificate automatic renewal in ROS v7

Sat Mar 11, 2023 7:49 pm

The /certificate enable-ssl-certificate command removed the previously generated certificate and imported a new one. To automate this I've created a script and set it to run every 90 days in the scheduler. Thank you!
# Open the HTTP-01 path: the www service on port 80 plus the WAN accept rule
/ip service enable www;
/ip firewall filter enable [find comment=letsencrypt];
/log info "Let's Encrypt certificate renewal started";

# Wrapped in do/on-error so that port 80 is closed again even if the ACME exchange fails
:do {
    /certificate enable-ssl-certificate dns-name=<removed>.ddns.net;
} on-error={
    /log error "Let's Encrypt certificate renewal failed";
}

# Close the path again
/ip service disable www;
/ip firewall filter disable [find comment=letsencrypt];
/log info "Let's Encrypt certificate renewal completed";
And the firewall rule:
> /ip/firewall/filter/print where comment=letsencrypt
Flags: X - disabled, I - invalid; D - dynamic 
 0 X  ;;; letsencrypt
      chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=80 log=yes log-prefix="" 
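A variant of the scheduler script above, added here as an example rather than taken from any post in the thread: it checks the certificate's remaining lifetime and only opens port 80 and calls enable-ssl-certificate when renewal is actually due, so the scheduler can run daily instead of once every 90 days (a 90-day interval lands exactly on the certificate's lifetime, so one failed run leaves the service with an expired certificate). The domain name, the 14-day threshold and the script name letsencrypt-renew are assumptions; the comment=letsencrypt rule is the one from the thread.

```routeros
# Added example, not the thread's script. Renews only when the Let's Encrypt
# certificate is missing or within $threshold of expiry, and always closes
# port 80 again, even if the ACME exchange fails.
# Assumptions: dnsName is a placeholder, the WAN accept rule is tagged
# comment=letsencrypt (as in the thread), and this script is saved as
# "letsencrypt-renew" so a daily scheduler entry can call it.
:local dnsName "my.domain.com"
:local threshold 14d
:local renew false

# The auto-generated certificate carries common-name = dns-name; use the first match.
:local certIds [/certificate find where common-name=$dnsName]
:if ([:len $certIds] = 0) do={
    :set renew true
} else={
    :local remaining [/certificate get [:pick $certIds 0] expires-after]
    # expires-after is no longer a time value once the certificate has expired,
    # so anything that is not a time counts as "renew now".
    :if ([:typeof $remaining] != "time" || $remaining < $threshold) do={
        :set renew true
    }
}

:if ($renew = true) do={
    /ip service enable www
    /ip firewall filter enable [find comment=letsencrypt]
    /log info "Let's Encrypt renewal started for $dnsName"
    :do {
        /certificate enable-ssl-certificate dns-name=$dnsName
        /log info "Let's Encrypt renewal completed for $dnsName"
    } on-error={
        /log error "Let's Encrypt renewal failed for $dnsName"
    }
    # Close the HTTP-01 path regardless of the outcome.
    /ip service disable www
    /ip firewall filter disable [find comment=letsencrypt]
}
```

Schedule it daily, for example with `/system scheduler add name=letsencrypt-renew interval=1d start-time=03:00:00 on-event=letsencrypt-renew`; port 80 then stays closed on every run where nothing is due.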
 
hennotaht
just joined
Posts: 17
Joined: Thu Jan 18, 2018 10:40 pm

Re: Let's Encrypt certificate automatic renewal in ROS v7

Sat Jan 20, 2024 8:47 pm

Where can I find documentation about enable-ssl-certificate's options? I need to set it to use the staging server to debug my script without running into the rate limit.
 
kevinds
Long time Member
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt certificate automatic renewal in ROS v7

Mon Jan 22, 2024 1:33 am

> The www and www-ssl IP services are running and port 80 is open for Let's Encrypt hosts:

How? Let's Encrypt doesn't publish their servers.
 
mszru
Frequent Visitor
Topic Author
Posts: 79
Joined: Wed Aug 10, 2016 10:42 am

Re: Let's Encrypt certificate automatic renewal in ROS v7

Mon Jan 22, 2024 2:26 am

> I need to set it to use the staging server...

I don't think you can do that. The documentation states that "dns-name" is the only option available for this command.
 
wfburton
Frequent Visitor
Posts: 81
Joined: Mon Apr 10, 2023 1:09 am

Re: Let's Encrypt certificate automatic renewal in ROS v7

Mon Jan 22, 2024 2:39 am

Let's Encrypt and dynamic Address List firewall rules

viewtopic.php?t=192147
 
kevinds
Long time Member
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt certificate automatic renewal in ROS v7

Mon Jan 22, 2024 2:42 am

> Let's Encrypt and dynamic Address List firewall rules

Cool

With their insistence on never giving up their list of servers, I'm surprised they made it that easy... *thinking* Going to investigate this a lot more.

I am very curious why their IPs keep ending up on my automated blacklists, should be able to track them better if the list is accurate. :)
 
mszru
Frequent Visitor
Topic Author
Posts: 79
Joined: Wed Aug 10, 2016 10:42 am

Re: Let's Encrypt certificate automatic renewal in ROS v7

Mon Jan 22, 2024 2:52 am

> The www and www-ssl IP services are running and port 80 is open for Let's Encrypt hosts:
> How? Let's Encrypt doesn't publish their servers.

I followed MikroTik's video instructions where they suggested creating an address list and using it in a firewall rule for port 80.

That didn't work for me, so I removed the address list, created a script that opens the port just before the certificate renewal and closes immediately after, and set it to run every 90 days.
 
kevinds
Long time Member
Posts: 640
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt certificate automatic renewal in ROS v7

Mon Jan 22, 2024 2:55 am

> That didn't work for me, so I removed the address list, created a script that opens the port just before the certificate renewal and closes immediately after, and set it to run every 90 days.

I set up a second system, either a container or a VPS, NAT'd behind the router; it does the renewal and, with a hook, pushes the certificate to RouterOS.

My issue with the address list is: is it complete, and have they added new server FQDNs?
 
hennotaht
just joined
Posts: 17
Joined: Thu Jan 18, 2018 10:40 pm

Re: Let's Encrypt certificate automatic renewal in ROS v7

Mon Jan 22, 2024 4:02 pm

> I need to set it to use the staging server...
> I don't think you can do that. The documentation states that "dns-name" is the only option available for this command.

[tvv@MikroTik] /certificate> enable-ssl-certificate 
append     as-value     dns-name     do     duration     interval     once     without-paging
What do these options do?
 
mszru
Frequent Visitor
Topic Author
Posts: 79
Joined: Wed Aug 10, 2016 10:42 am

Re: Let's Encrypt certificate automatic renewal in ROS v7

Tue Jan 23, 2024 12:13 am

> [tvv@MikroTik] /certificate> enable-ssl-certificate 
> append     as-value     dns-name     do     duration     interval     once     without-paging
> What do these options do?

Those are generic options that you may find in almost every print command. See the "print parameters" at the scripting help page. They have nothing to do with certificates or Let's Encrypt.
