
 
Michele
just joined
Topic Author
Posts: 15
Joined: Thu Aug 04, 2016 12:35 pm

can't activate purchased SSL certificate for hotspot

Mon Jun 11, 2018 2:22 pm

Hi, I'm trying to set up an HTTPS hotspot.
I purchased an SSL certificate on namecheap.com and I created the certificate request with:
/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
create-certificate-request
template	ca-template
key-passphrase	mypassphrase
but when I try to activate it by pasting the content of certificate-request.pem as the CSR, I get this error: "Domain name is invalid or contains a typo. Please use only a-z, 0-9, dot or hyphen in CSR domains"

What am I doing wrong? Thanks
 
R1CH
Long time Member
Posts: 519
Joined: Sun Oct 01, 2006 11:44 pm

Re: can't activate purchased SSL certificate for hotspot

Mon Jun 11, 2018 7:02 pm

You need a FQDN to be able to get a valid CA signed cert. Namecheap isn't going to allow you to sign "myCa" since you have no proof of ownership over that name.

Use something like hotspot.your-isp.com.
 
Michele
just joined
Topic Author
Posts: 15
Joined: Thu Aug 04, 2016 12:35 pm

Re: can't activate purchased SSL certificate for hotspot

Tue Jun 12, 2018 9:11 am

So I just have to use my own domain?
 
R1CH
Long time Member
Posts: 519
Joined: Sun Oct 01, 2006 11:44 pm

Re: can't activate purchased SSL certificate for hotspot

Tue Jun 12, 2018 2:38 pm

Yes, you need to be able to prove ownership of it in some way, e.g. an email to postmaster@example.com should be receivable, or if you use a free Let's Encrypt cert, challenge files at example.com/.well-known/acme-challenge.
 
Michele
just joined
Topic Author
Posts: 15
Joined: Thu Aug 04, 2016 12:35 pm

Re: can't activate purchased SSL certificate for hotspot

Wed Jun 13, 2018 12:11 pm

I uploaded to the router the .crt file from namecheap.com and I imported it with:
/certificate
import file-name=mydomain_com.crt
passphrase	*****
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
import file-name=certificate-request_key.pem
passphrase	*****
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
(certificate-request_key.pem is the file created by the router)
Then I set up HTTPS:
/ip service set www-ssl certificate=mydomain_com.crt_0
/ip hotspot profile set hsprof1 login-by=https ssl-certificate=mydomain_com.crt_0
but when I try to connect to the hotspot, I get this error:
net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
 
R1CH
Long time Member
Posts: 519
Joined: Sun Oct 01, 2006 11:44 pm

Re: can't activate purchased SSL certificate for hotspot

Wed Jun 13, 2018 4:51 pm

Make sure your RouterOS is up to date. You can use something like https://testssl.sh for verifying that TLS support is working correctly.
 
Michele
just joined
Topic Author
Posts: 15
Joined: Thu Aug 04, 2016 12:35 pm

Re: can't activate purchased SSL certificate for hotspot

Wed Jun 13, 2018 5:20 pm

> Make sure your RouterOS is up to date.

I have RouterOS v6.40.1, do I have to update to the last one?

> You can use something like https://testssl.sh for verifying that TLS support is working correctly.

I didn't understand how to use it on the router, can you help me?
 
R1CH
Long time Member
Posts: 519
Joined: Sun Oct 01, 2006 11:44 pm

Re: can't activate purchased SSL certificate for hotspot

Wed Jun 13, 2018 6:29 pm

If you're running 6.40.1 your router may already be compromised as you have not installed critical security patches, you should update ASAP and check for signs of compromise (modified DNS, additional users, VPN tunnels, etc).

You use testssl.sh from any Linux system and test it against your hotspot. If your hotspot is publicly reachable you can also post the link here for testing.
 
Michele
just joined
Topic Author
Posts: 15
Joined: Thu Aug 04, 2016 12:35 pm

Re: can't activate purchased SSL certificate for hotspot

Thu Jun 14, 2018 3:51 pm

> If you're running 6.40.1 your router may already be compromised as you have not installed critical security patches, you should update ASAP and check for signs of compromise (modified DNS, additional users, VPN tunnels, etc).
>
> You use testssl.sh from any Linux system and test it against your hotspot. If your hotspot is publicly reachable you can also post the link here for testing.

I upgraded to v6.42.3 and now when I connect to the hotspot and the popup opens, I get this warning:
Untrusted SSL certificate
The security certificate for this network does not come from a trusted authority. The connection to this is not recommended.
Unfortunately I don't have a Linux installation; I tried with a live version but unsuccessfully. Is there a Windows equivalent?
 
R1CH
Long time Member
Posts: 519
Joined: Sun Oct 01, 2006 11:44 pm

Re: can't activate purchased SSL certificate for hotspot

Thu Jun 14, 2018 4:46 pm

That message means the .crt you supplied to the hotspot wasn't signed properly. Make sure it's the certificate you got from namecheap and not one generated by RouterOS.

You can also link the .crt file here and I can take a look. Make sure you never post the private key though!
 
Michele
just joined
Topic Author
Posts: 15
Joined: Thu Aug 04, 2016 12:35 pm

Re: can't activate purchased SSL certificate for hotspot

Thu Jun 14, 2018 4:55 pm

> That message means the .crt you supplied to the hotspot wasn't signed properly. Make sure it's the certificate you got from namecheap and not one generated by RouterOS.
>
> You can also link the .crt file here and I can take a look. Make sure you never post the private key though!

Here is the .crt file from namecheap, I renamed it because of invalid file extension. My domain is uala.datalit.it
 
R1CH
Long time Member
Posts: 519
Joined: Sun Oct 01, 2006 11:44 pm

Re: can't activate purchased SSL certificate for hotspot

Thu Jun 14, 2018 7:17 pm

There seems to be a missing intermediary cert, I'm not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).
 
Michele
just joined
Topic Author
Posts: 15
Joined: Thu Aug 04, 2016 12:35 pm

Re: can't activate purchased SSL certificate for hotspot

Fri Jun 15, 2018 11:56 am

> There seems to be a missing intermediary cert, I'm not entirely sure how RouterOS handles this but try importing the following instead (I added the intermediate cert to the chain).

I renamed your file into uala_datalit_intermediate.crt and I tried to import it with:
import file-name=uala_datalit_intermediate.crt
passphrase	*****
but when I try:
import file-name=certificate-request_key.pem
passphrase	*****
I get:
     certificates-imported: 0
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0
Maybe I have to delete the old one?
The wiki talks about a .key file that I didn't have; before, I used certificate-request_key.pem but I'm not sure this is right.
https://wiki.mikrotik.com/wiki/SSL_Certificate_setup
https://wiki.mikrotik.com/wiki/Manual:H ... PS_example
 
Michele
just joined
Topic Author
Posts: 15
Joined: Thu Aug 04, 2016 12:35 pm

Re: can't activate purchased SSL certificate for hotspot

Mon Jun 18, 2018 10:29 am

I deleted the certificate and I tried to recreate the request and reimport the certificate adding your intermediate cert as you did.
/certificate> import file-name=uala_datalit_intermediate.crt 
passphrase: *******
     certificates-imported: 2
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

/certificate> import file-name=certificate-request_key.pem     
passphrase: *******
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
Then I selected the certificate in services and in hotspot, but now I get
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Maybe I should buy a certificate from a provider indicated in the wiki such as rapidssl, godaddy, register, opensrs, thawte, but they are more expensive and there are a lot of possibilities. Which one should I buy?
 
R1CH
Long time Member
Posts: 519
Joined: Sun Oct 01, 2006 11:44 pm

Re: can't activate purchased SSL certificate for hotspot

Mon Jun 18, 2018 7:08 pm

Any signed cert should be fine, price is not important, even a free one from Let's Encrypt should work.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH seems to indicate either the hotspot or your browser isn't using modern protocols / ciphers. I don't know if there are any options in RouterOS, but make sure to disable SSL 2.0 / SSL 3.0 and only use TLS 1.0 / 1.1 / 1.2.
 
Michele
just joined
Topic Author
Posts: 15
Joined: Thu Aug 04, 2016 12:35 pm

Re: can't activate purchased SSL certificate for hotspot

Tue Jun 19, 2018 12:08 am

> Any signed cert should be fine, price is not important, even a free one from Let's Encrypt should work.
>
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH seems to indicate either the hotspot or your browser isn't using modern protocols / ciphers. I don't know if there are any options in RouterOS, but make sure to disable SSL 2.0 / SSL 3.0 and only use TLS 1.0 / 1.1 / 1.2.

This old doc says SSLv2, SSLv3, TLS but you can't select which protocols to use
https://mikrotik.com/testdocs/ros/3.0/s ... ficate.php

I'm missing the origin of the .key file described in the OpenSSL example but not in the trusted certificate authority example
https://wiki.mikrotik.com/wiki/Manual:H ... PS_example
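
Two checks that bear on the problems in this thread, as an added example that was not posted by anyone in the thread: whether a certificate verifies with and without the intermediate (the "missing intermediary cert" case), and whether a private key belongs to a certificate (the question about which key file goes with the issued .crt). It assumes the `openssl` command-line tool on a Linux system; the chain, hostnames and file names are constructed for the demo and are not the poster's files.

```shell
#!/bin/sh
# Added example; every name, subject and file here is constructed.

# Build a throwaway root -> intermediate -> leaf chain in directory $1.
make_demo_chain() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -out "$n.csr" -subj "/CN=$n.example.com" || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.crt || exit 1
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 2 -out inter.crt || exit 1
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key \
        -CAcreateserial -days 2 -out leaf.crt || exit 1
    openssl genrsa -out other.key 2048 || exit 1  # key with no certificate
    cat leaf.crt inter.crt > bundle.crt           # leaf first, then its issuer
) >/dev/null 2>&1

# 0 if leaf $1 verifies against root $2; $3 = optional intermediates file.
chain_ok() {
    openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" 2>/dev/null |
        grep -q ': OK$'
}

# 0 if private key $1 and certificate $2 carry the same public key.
# For a passphrase-protected key, add -passin to the pkey call.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Number of certificates in PEM file $1.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

d=$(mktemp -d) && make_demo_chain "$d" || exit 1
chain_ok "$d/leaf.crt" "$d/root.crt" || echo "leaf alone: chain incomplete"
chain_ok "$d/leaf.crt" "$d/root.crt" "$d/inter.crt" &&
    echo "leaf + intermediate: chain verifies"
key_matches_cert "$d/leaf.key" "$d/leaf.crt" && echo "leaf.key matches leaf.crt"
key_matches_cert "$d/other.key" "$d/leaf.crt" || echo "other.key does not match"
echo "certificates in bundle.crt: $(cert_count "$d/bundle.crt")"
```

A leaf-plus-intermediate bundle holds two certificates, which lines up with the `certificates-imported: 2` the router reported for the combined file. A certificate only works with the private key of the request it was issued for, so the key check is worth running before importing the pair.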
