Community discussions

 
Michele
just joined
Topic Author
Posts: 18
Joined: Thu Aug 04, 2016 12:35 pm

cant' activate purchased SSL certificate for hotspot

Mon Jun 11, 2018 2:22 pm

Hi, I'm trying to setup an HTTPs Hotspot.
I purchased an SSL certificate on namecheap.com and I created the certificate request with:
/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
create-certificate-request
template	ca-template
key-passphrase	mypassphrase
but when I try to activate it pasting the content of certificate-request.pem as csr, I get this error: "Domain name is invalid or contains a typo. Please use only a-z, 0-9, dot or hyphen in CSR domains"

what am I doing wrong? Thanks
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: cant' activate purchased SSL certificate for hotspot

Mon Jun 11, 2018 7:02 pm

You need a FQDN to be able to get a valid CA signed cert. Namecheap isn't going to allow you to sign "myCa" since you have no proof of ownership over that name.

Use something like hotspot.your-isp.com.
 
Michele
just joined
Topic Author
Posts: 18
Joined: Thu Aug 04, 2016 12:35 pm

Re: cant' activate purchased SSL certificate for hotspot

Tue Jun 12, 2018 9:11 am

So I just have to use my own domain?
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: cant' activate purchased SSL certificate for hotspot

Tue Jun 12, 2018 2:38 pm

Yes, you need to be able to prove ownership of it in some way, eg email to postmaster@example.com should be receivable or if you use free Let's Encrypt cert, challenge files at example.com/.well-known/acme-challenge.
 
Michele
just joined
Topic Author
Posts: 18
Joined: Thu Aug 04, 2016 12:35 pm

Re: cant' activate purchased SSL certificate for hotspot

Wed Jun 13, 2018 12:11 pm

I uploaded to the router the .crt file from namecheap.com and I imported it with:
/certificate
import file-name=mydomain_com.crt
passphrase	*****
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
import file-name=certificate-request_key.pem
passphrase	*****
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
(certificate-request_key.pem is the file created from the router)
then I setup the https:
/ip service set www-ssl certificate=mydomain_com.crt_0
/ip hotspot profile set hsprof1 login-by=https ssl-certificate=mydomain_com.crt_0
but when I try to connect to the hotspot, I get this error:
net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: cant' activate purchased SSL certificate for hotspot

Wed Jun 13, 2018 4:51 pm

Make sure your RouterOS is up to date. You can use something like https://testssl.sh for verifying that TLS support is working correctly.
 
Michele
just joined
Topic Author
Posts: 18
Joined: Thu Aug 04, 2016 12:35 pm

Re: cant' activate purchased SSL certificate for hotspot

Wed Jun 13, 2018 5:20 pm

Make sure your RouterOS is up to date.
I have RouterOS v6.40.1, do I have to update to the last one?
You can use something like https://testssl.sh for verifying that TLS support is working correctly.
I didn't understand how to use it on the router, can you help me?
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: cant' activate purchased SSL certificate for hotspot

Wed Jun 13, 2018 6:29 pm

If you're running 6.40.1 your router may already be compromised as you have not installed critical security patches, you should update ASAP and check for signs of compromise (modified DNS, additional users, VPN tunnels, etc).

You use testssl.sh from any Linux system and test it against your hotspot. If your hotspot is publicly reachable you can also post the link here for testing.
 
Michele
just joined
Topic Author
Posts: 18
Joined: Thu Aug 04, 2016 12:35 pm

Re: cant' activate purchased SSL certificate for hotspot

Thu Jun 14, 2018 3:51 pm

If you're running 6.40.1 your router may already be compromised as you have not installed critical security patches, you should update ASAP and check for signs of compromise (modified DNS, additional users, VPN tunnels, etc).

You use testssl.sh from any Linux system and test it against your hotspot. If your hotspot is publicly reachable you can also post the link here for testing.
I upgraded to v6.42.3 and now when I connect to the hotspot and the popup opens, I get this warning:
Untrusted SSL certificate
The security certificate for this network does not come from a trusted authority. The connection to this is not recommended.
Unfortunately I don't have a linux installation, I tried with a live version but unsuccesfully. Is there a windows equivalent?
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: cant' activate purchased SSL certificate for hotspot

Thu Jun 14, 2018 4:46 pm

That message means the .crt you supplied to the hotspot wasn't signed properly. Make sure it's the certificate you got from namecheap and not one generated by RouterOS.

You can also link the .crt file here and I can take a look. Make sure you never post the private key though!
 
Michele
just joined
Topic Author
Posts: 18
Joined: Thu Aug 04, 2016 12:35 pm

Re: cant' activate purchased SSL certificate for hotspot

Thu Jun 14, 2018 4:55 pm

That message means the .crt you supplied to the hotspot wasn't signed properly. Make sure it's the certificate you got from namecheap and not one generated by RouterOS.

You can also link the .crt file here and I can take a look. Make sure you never post the private key though!
Here is the .crt file from namecheap, i renamed it because of invalid file extension. my domain is uala.datalit.it
You do not have the required permissions to view the files attached to this post.
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: cant' activate purchased SSL certificate for hotspot

Thu Jun 14, 2018 7:17 pm

There seems to be a missing intermediary cert, I'm not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).
You do not have the required permissions to view the files attached to this post.
 
Michele
just joined
Topic Author
Posts: 18
Joined: Thu Aug 04, 2016 12:35 pm

Re: cant' activate purchased SSL certificate for hotspot

Fri Jun 15, 2018 11:56 am

There seems to be a missing intermediary cert, I'm not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).
I renamed your file into uala_datalit_intermediate.crt and I tried to import it with:
import file-name=uala_datalit_intermediate.crt
passphrase	*****
but when I try:
import file-name=certificate-request_key.pem
passphrase	*****
I get:
     certificates-imported: 0
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0
maybe I have to delete the old one?
the wiki talks about a .key file that I didn't have, before I used certificate-request_key.pem but I'm not sure this is right.
https://wiki.mikrotik.com/wiki/SSL_Certificate_setup
https://wiki.mikrotik.com/wiki/Manual:H ... PS_example
 
Michele
just joined
Topic Author
Posts: 18
Joined: Thu Aug 04, 2016 12:35 pm

Re: cant' activate purchased SSL certificate for hotspot

Mon Jun 18, 2018 10:29 am

I deleted the certificate and I tried to recreate the request and reimport the certificate adding your intermediate cert as you did.
/certificate> import file-name=uala_datalit_intermediate.crt 
passphrase: *******
     certificates-imported: 2
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

/certificate> import file-name=certificate-request_key.pem     
passphrase: *******
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
Then I selected the certificata in services and in hotspot, but now I get
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

maybe I should buy a certificate from a provider indicated in the wiki such as rapidssl, godaddy, register, opensrs, thawte, but they are more expensive and there are lot of possibilities, which one should I buy?
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: cant' activate purchased SSL certificate for hotspot

Mon Jun 18, 2018 7:08 pm

Any signed cert should be fine, price is not important, even a free one from Let's Encrypt should work.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH seems to indicate either the hotspot or your browser isn't using modern protocols / ciphers. I don't know if there are any options in RouterOS, but make sure to disable SSL 2.0 / SSL 3.0 and only use TLS 1.0 / 1.1 / 1.2.
 
Michele
just joined
Topic Author
Posts: 18
Joined: Thu Aug 04, 2016 12:35 pm

Re: cant' activate purchased SSL certificate for hotspot

Tue Jun 19, 2018 12:08 am

Any signed cert should be fine, price is not important, even a free one from Let's Encrypt should work.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH seems to indicate either the hotspot or your browser isn't using modern protocols / ciphers. I don't know if there are any options in RouterOS, but make sure to disable SSL 2.0 / SSL 3.0 and only use TLS 1.0 / 1.1 / 1.2.
This old doc says SSLv2, SSLv3, TLS but you can't select which protocols use
https://mikrotik.com/testdocs/ros/3.0/s ... ficate.php
 
User avatar
routik
Member Candidate
Member Candidate
Posts: 111
Joined: Wed Oct 14, 2009 5:40 pm
Location: Abuja-Nigeria
Contact:

Re: cant' activate purchased SSL certificate for hotspot

Mon Jul 23, 2018 10:16 pm

Hi all,
@Michele did you later resolve this issue?

I also want to purchase SSL certificate from namecheap and will really appreciate if there can be a comprehensive guide on how to really go about getting a trusted signed SSL certificate on a LAN Hotspot. I already have a domain with namecheap abcdomain.com and my LAN hotspot DNS name is hotspot.abcdomain.com.

Any guidance will be highly appreciated.

Below are instructions from namecheap.
in order to secure your website, it is necessary to obtain an SSL certificate and complete all the required steps:
1) CSR code generation
2) SSL certificate activation
3) SSL certificate validation
4) SSL certificate installation

Due to the security reasons, it is recommended to generate the CSR code on your hosting server.

However, you can use any online tool instead. You are welcome to generate the CSR code using this online tool: https://decoder.link/csr_generator

Once the CSR code is generated, you will see the pop-up window with 3 tabs: "CSR", "Private key" and "Certificate".

The first "CSR" tab contains your CSR code that includes the following tags: “-----BEGIN CERTIFICATE REQUEST-----" and “-----END CERTIFICATE REQUEST-----”.

On the second "Private key" tab, there will be your private key. Your private key should begin with: -----BEGIN RSA PRIVATE KEY----- and end with: -----END RSA PRIVATE KEY-----

Please keep in mind that it is necessary to save the private key in order order to use it for the SSL certificate installation.

The third "Certificate" tab you will see a self-signed SSL certifcate that should *not* be used instead of your Comodo SSL certificate.

Please copy your CSR code and paste it into the “CSR” field on the fist step of activation in order to activate the certificate.

For more information how to activate an SSL certificate, feel free to check this guide: https://www.namecheap.com/support/knowl ... ertificate.

There are 3 DCV (Domain Control Validation) methods that you can choose from: the email-based, the HTTP-based and the DNS-based one.

For more information, feel free to check this guide about SSL Validation: https://www.namecheap.com/support/knowl ... ertificate

Please keep in mind that once the activation and validation are completed and the certificate is issued by Comodo, it is necessary to install the SSL certificate on your hosting server.

More information on how to install an SSL certificate can be found via this link: https://www.namecheap.com/support/knowl ... rtificates

You can check the installation of your certificate using this tool: https://decoder.link/sslchecker
I enjoy building wireless network with @Mikrotik
 
User avatar
routik
Member Candidate
Member Candidate
Posts: 111
Joined: Wed Oct 14, 2009 5:40 pm
Location: Abuja-Nigeria
Contact:

Re: cant' activate purchased SSL certificate for hotspot

Tue Jul 24, 2018 12:48 am

I read here https://wiki.mikrotik.com/wiki/Manual:H ... PS_example that
Note: Browser will still warn end-user about redirection even with CA signed certificate! This warning message cannot be avoided.
Can someone kindly explain if this is the true case. Even with CA signed Certificates?
I enjoy building wireless network with @Mikrotik
 
kevinds
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Jan 14, 2015 8:41 am

Re: cant' activate purchased SSL certificate for hotspot

Tue Jul 24, 2018 11:19 am

I read here https://wiki.mikrotik.com/wiki/Manual:H ... PS_example that
Note: Browser will still warn end-user about redirection even with CA signed certificate! This warning message cannot be avoided.
Can someone kindly explain if this is the true case. Even with CA signed Certificates?
Maybe and sometimes..

If your redirection is doing a re-direct when someone opens https://www.google.com then yes, it will warn the user because you are not google.com..

The error will be be domain mis-match though.

The newer OSs, mobile and Windows 10 (not sure about MacOS), pop up an alert now when connecting to Hotspots that require authentication, 'tap here to authenticate', then it opens the webpage for the AP to 'accept' or 'enter code/password'. I have no idea how to use this feature though. I don't know the back-end process though. Likely documented somewhere. haha

Get your certificate imported correctly, you should be able to access the hotspot page with no errors using the domain your certificate it for. After that, look into that process. Just opening your browser's homepage, yes, that will still cause a name mismatch.

Who is online

Users browsing this forum: nomatter, vecernik87 and 46 guests