zarianu
just joined
Topic Author
Posts: 16
Joined: Wed Nov 18, 2020 11:42 am

Let's Encrypt cert renewal

Sun Oct 31, 2021 7:14 am

Hello dear sirs, I'm using RouterOS 7.1rc5 and am very glad it supports Let's Encrypt certs.
Here's the question: what's the proper way to renew a cert?

2 K    ET name="letsencrypt-autogen_2021-06-24T00:05:32Z" issuer=C=US,O=Let's Encrypt,CN=R3 digest-algorithm=sha256 key-type=rsa common-name="hq.zalyan.net"
           key-size=2048 subject-alt-name=DNS:hq.zalyan.net days-valid=89 trusted=yes key-usage=digital-signature,key-encipherment,tls-server,tls-client
           serial-number="04210D8651E5580AE0977354CB3E16569FE5" fingerprint="86bf48e4bb6489bd475c6dab933276951643d3ac20027ea00d1dd8ab95559ff6"
           akid=142eb317b75856cbae500940e61faf9d8b14c2c6 skid=d2a428a2cb7c4aafaf3c0ad6f70820cccada0333 invalid-before=jun/24/2021 06:05:30
           invalid-after=sep/22/2021 06:05:29

[kost@hq.zalyan.net-NEW] > /certificate/enable-ssl-certificate dns-name=hq.zalyan.net
  progress: [success] ssl certificate updated

2 K    ET name="letsencrypt-autogen_2021-10-31T05:00:43Z" issuer=C=US,O=Let's Encrypt,CN=R3 digest-algorithm=sha256 key-type=rsa common-name="hq.zalyan.net"
           key-size=2048 subject-alt-name=DNS:hq.zalyan.net days-valid=89 trusted=yes key-usage=digital-signature,key-encipherment,tls-server,tls-client
           serial-number="04210D8651E5580AE0977354CB3E16569FE5" fingerprint="86bf48e4bb6489bd475c6dab933276951643d3ac20027ea00d1dd8ab95559ff6"
           akid=142eb317b75856cbae500940e61faf9d8b14c2c6 skid=d2a428a2cb7c4aafaf3c0ad6f70820cccada0333 invalid-before=jun/24/2021 06:05:30
           invalid-after=sep/22/2021 06:05:29

So as you can see, the cert name changed, but the cert dates did not! Of course it works fine when I delete the old one first and then do enable-ssl-certificate, but it's strange to me. Is it intended behavior or some kind of minor bug? It would be great to have one command for renewal IMO.

Thanks in advance, regards, Konstantin
 
infabo
Long time Member
Posts: 586
Joined: Thu Nov 12, 2020 12:07 pm

Re: Let's Encrypt cert renewal

Wed Nov 03, 2021 10:32 am

It is ROS 7. ¯\_(ツ)_/¯

I guess nobody at MT expected that someone needs to renew a LE cert. So they did not implement it.
 
duronus
just joined
Posts: 5
Joined: Tue Sep 22, 2015 1:47 pm

Re: Let's Encrypt cert renewal

Sun Dec 26, 2021 8:08 pm

But I also need a certificate renewal command. I would also like to understand in what kind of support
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Let's Encrypt cert renewal

Sun Dec 26, 2021 11:41 pm

According to the MikroTik docs site, it somehow does automated renewals.. but the issue that I see with this is you would need to leave the webfig port open 24/7 because you don't know when these renewals are going to happen. It is much better to be able to use a script because then port 80 can be opened only for the renewal and closed afterwards.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Tue Dec 28, 2021 2:39 am

According to the MikroTik docs site, it somehow does automated renewals.. but the issue that I see with this is you would need to leave the webfig port open 24/7 because you don't know when these renewals are going to happen. It is much better to be able to use a script because then port 80 can be opened only for the renewal and closed afterwards.
100% Agree
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Let's Encrypt cert renewal

Tue Dec 28, 2021 3:58 am

LE clients usually renew certificates when they have less than 30 days before expiration, so it's likely that RouterOS will use the same (or different time, but also static). You could make a script that would look at certificate's expiration, enable access to web a bit in advance, and then disable it again when certificate gets renewed. It's a desperate solution, but if you don't want web open all the time, it may be usable, before they come up with something better, i.e. ability to run custom scripts by LE client exactly when needed.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Tue Dec 28, 2021 7:11 pm

I'm not sure if Web-Fig is a web server or a separate service. It could be a simple Web-Fig enable/disable functionality. I don't mind port 80 if they can't use it to log in.
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: Let's Encrypt cert renewal

Fri Dec 31, 2021 7:02 pm

I'm not sure if Web-Fig is a web server or a separate service. It could be a simple Web-Fig enable/disable functionality. I don't mind port 80 if they can't use it to log in.
+1
IMHO, the simplest solution would be to dedicate a port to cert renewal and WebFig out of it.
I think LetsEncrypt mandates ports 80 or 443 (not sure).
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Fri Dec 31, 2021 7:15 pm

I'm not sure if Web-Fig is a web server or a separate service. It could be a simple Web-Fig enable/disable functionality. I don't mind port 80 if they can't use it to log in.
+1
IMHO, the simplest solution would be to dedicate a port to cert renewal and WebFig out of it.
I think LetsEncrypt mandates ports 80 or 443 (not sure).
Port 80 is required for the cert verification.
 
graealex
just joined
Posts: 14
Joined: Fri Feb 03, 2017 7:39 pm

Re: Let's Encrypt cert renewal

Sun Jan 02, 2022 3:07 pm

Until MikroTik decides to properly document the feature (and give it a UI probably), the easiest way is to regularly call the
/certificate enable-ssl-certificate dns-name=xy
command yourself via the scheduler. 30 days would be a good number, that's well before it is actually expiring, but you're still not spamming the LE servers by updating too often.

What ROS does is rename the existing certificate, so all services that you bound the certificate to (api-ssl, www-ssl, sstp, ...) will also have been updated to the new service. The important thing is that there don't seem to be any additional steps necessary after the renewal.
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt cert renewal

Tue Feb 08, 2022 7:48 pm

I'm not sure if Web-Fig is a web server or a separate service. It could be a simple Web-Fig enable/disable functionality. I don't mind port 80 if they can't use it to log in.
This is my single biggest complaint about it.

I have a list of 'allowed' in IP/Services to stop login attempts but this also blocks LE from verifying.. The feature would be a LOT better if it would allow the challenge verification from *any* to work and still only allow the administration pages to load from the whitelisted ranges.

Unless I am missing something, hopefully I am..
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 5:24 am

It is possible to allow and deny access to port 80 only for a few seconds at the certificate renewal, via script & scheduler.
I never used Webfig for management and before the Let's Encrypt implementation it was always disabled even on the LAN.
I think the best approach would be a challenge-type implementation, although I'm not sure how it would be possible to use the DNS challenge for the DDNS. It certainly is an option for custom DNS with the domain name.

https://letsencrypt.org/docs/challenge-types/
https://community.letsencrypt.org/t/dns ... tion/86438
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 5:39 am

It is possible to allow and deny access to port 80 only for a few seconds at the certificate renewal, via script & scheduler.

I think the best approach would be a challenge-type implementation, although I'm not sure how it would be possible to use the DNS challenge for the DDNS. It certainly is an option for custom DNS with the domain name.

https://letsencrypt.org/docs/challenge-types/
I went back to forwarding port 80 and using the acme.sh script with the routeros deploy hook.

I don't use the web-conf either, except maybe for emergency access, but even that is limited... Even if there is never another 0-day, having the service open to the world means login failures that are annoying in the logs.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 5:48 am

Most of the login fails are related to bots. I added a few firewall rules, port knocking TCP SYN and ICMP rules. After that, I never got any Webfig failed login log. Bear in mind my VPSes are mostly located at Hetzner; they are all hammered with bots all day long.
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 6:05 am

Most of the login fails are related to bots
I am aware..

Just annoying.. I do keys only for SSH, so nobody is going to brute-force that, but have incoming TCP 22 open to the world.

I 'drop' after x attempts just to keep the logs clear, so that I don't miss something actually important.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 6:38 am

SSH and Webfig are not the same. You can't change the WebFig port to any other port than 80 for SSL purposes, but SSH can simply be changed to some random port with a public key on the MT and a private key at the client's SSH terminal. Limit access to the SSH port with the src address of the local VPN and it is as protected as it can be.
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 6:53 am

SSH and Webfig are not the same. You can't change the WebFig port to any other port than 80 for SSL purposes, but SSH can simply be changed to some random port with a public key on the MT and a private key at the client's SSH terminal. Limit access to the SSH port with the src address of the local VPN and it is as protected as it can be.
Oh I am aware, changing the port does very little though. It is still found, published, and hit.

If you are going to require VPN to access SSH, what is the point of changing the port, behind the VPN?

Personally, if I need to SSH in, chances are, it is to figure out why the VPN is broken.

Our private keys are as secure as we can make them, all admins have keys. I leave 22 open to the world on our systems because unless you have our user names, physically get our key, and the PIN to unlock the key, it is safe.

I trust the SSH daemon more than any of the other running services.

As I said, block after x SSH attempts just to keep the logs clean..

Web-conf required to be enabled and open to the world to have LE work is just wrong, I had hoped I had missed something..
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 7:07 am

I would change any port that I can (I have trust issues :d). VPN was a final touch.
Most of the residential ISPs have a drop rule for port 22, so...
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 7:20 am

I would change any port that I can (I have trust issues :d)
Security through obscurity isn't security. Changing the port seems like a 90s thing to do. Port-scanners will find them anyways.

Having to remember the new port numbers, when trying to figure out why something isn't working, just adds another useless level to troubleshooting.

I use a VPN to get a /26 at home, all ports are open for my homelab, but I'm also in charge of some colo gear.. Keep it simple, but keep it secure..

I was hoping that LE being built into RouterOS now would make things simpler, but no.. Back to the old way.. I still have hope for LE being built in, but it just isn't ready yet. Best to just port-forward TCP 80 to another machine for the time being.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 7:35 am

Port knocking + TCP SYN would stop the scanners.
For troubleshooting, yes, you are correct.
Honestly, if the setup is in a production environment, why not use ZeroTier or Tailscale? If not, what MikroTik currently provides is more than enough for home/lab.
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 8:31 am

Port knocking + TCP SYN would stop the scanners.

Honestly, if the setup is in a production environment why not use ZeroTier or Tailscale.
Honeypots stop the scanners... ;) Try connecting to specific IPs that you shouldn't, and the IP gets added to the network drop list, along with its neighbors.

Port-knocking again is security by obscurity.. And when troubleshooting something not working, is the port-knocking not working, or is the router offline.. Just build it secure in the first place.

I don't care about the attempts, the honeypots catch/block most of them anyways. I get annoyed by the log of the login attempts, don't want to miss something important. That is just for SSH, the other IP/Services have access lists to block off the world.

Looking at ZeroTier and similar, but have security concerns..
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 9:34 am

Most of the residential ISPs have a drop rule for port 22, so...
What do you mean by that?
The CPE the ISPs provide forbids incoming connections from the Internet to port 22?
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 9:53 am

Most of the residential ISPs have a drop rule for port 22, so...
What do you mean by that?
The CPE the ISPs provide forbids incoming connections from the Internet to port 22?
I haven't seen this done on 22, but incoming TCP 25, 80, 443 and so on have a drop rule on the gateway that the CPEs connect to, unless on a business plan, because it is against nearly every residential ToS to host servers.

https://www.telus.com/en/ab/support/art ... res-policy
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 10:01 am

I'm sorry if my questions seem obvious to many (most?) but:
Until MikroTik decides to properly document the feature (and give it a UI probably),
Has anyone a pointer on this command within or outside (blogs, ...) the MikroTik documentation?
What are the requirements to test this function in a lab? Having an Internet-facing MikroTik box? Managing a public DNS entry?
 
kevinds
Long time Member
Posts: 575
Joined: Wed Jan 14, 2015 8:41 am

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 10:06 am

Has anyone a pointer on this command within or outside (blogs, ...) the MikroTik documentation?
What are the requirements to test this function in a lab? Having an Internet-facing MikroTik box? Managing a public DNS entry?
In IP/Services you need 'www' on port 80, open to the world and a forward DNS entry..

Then in the terminal,

certificate/enable-ssl-certificate dns-name=forward.example.com

https://help.mikrotik.com/docs/display/ROS/Certificates
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 10:53 am

@olivier2831
Correct. It is not at the CPE level, it's at the ISP firewall.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Let's Encrypt cert renewal

Wed Feb 09, 2022 11:11 am

@kevinds
Honeypots stop the scanners
I'd rather have a stateless firewall or TUM.
Just build it secure in the first place.
It is secure enough, But true it's not v 2022.

don't want to miss something important. That is just for SSH, the other IP/Services have access lists to block off the world.
Remote log and local log with a custom action for important services like SSH is good practice.
Looking at ZeroTier and similar, but have security concerns.
Bare WireGuard, separated VLAN for MGMT interfaces.
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: Let's Encrypt cert renewal

Wed Feb 23, 2022 2:38 pm

letsencrypt-autogen_2022-02-23T12:29:26Z
Why are certificates requested from LE named so weirdly? Is it too much to just use the SAN as the name?
 
pincio
just joined
Posts: 7
Joined: Thu Aug 04, 2016 9:17 pm

Re: Let's Encrypt cert renewal

Thu Dec 01, 2022 4:10 pm

If it would be helpful to you I wrote an auto-renewal script, you can find it @ https://github.com/pincioc/LetsEncrypt_OSScript

Ratings and comments are highly appreciated.

Mauro
 
lox
just joined
Posts: 20
Joined: Wed Oct 05, 2022 1:05 pm

Re: Let's Encrypt cert renewal

Tue Jan 03, 2023 5:48 pm

I have made a basic script to renew:
:local dnsName "mydomain.com";
/ip service enable [find name="www"];
/certificate enable-ssl-certificate dns-name=$dnsName;
/ip service disable [find name="www"];

I just had a look and my cert expires in 14 days. If I run manually from the terminal:

/ip service enable [find name="www"]
/certificate enable-ssl-certificate dns-name=mydomain.com
  progress: [success] ssl certificate updated
/ip service disable [find name="www"]

It says it succeeded, the name changed (letsencrypt-autogen_2023-01-03T15:47:57Z) but in WinBox it still says that it will expire in 14 days. Also the www-ssl service has an issue since the renewal: when I try to connect I get a PR_END_OF_FILE_ERROR error. I deleted it and generated a new one, and it worked.

Did I miss something for it to renew properly?
 
zarianu
just joined
Topic Author
Posts: 16
Joined: Wed Nov 18, 2020 11:42 am

Re: Let's Encrypt cert renewal

Thu Jan 12, 2023 5:44 am

....
It says it succeeded, the name changed (letsencrypt-autogen_2023-01-03T15:47:57Z) but in WinBox it still says that it will expire in 14 days. Also the www-ssl service has an issue since the renewal: when I try to connect I get a PR_END_OF_FILE_ERROR error. I deleted it and generated a new one, and it worked.

Did I miss something for it to renew properly?

You could try disable / enable HTTPS service, HTH
 
hkusulja
Frequent Visitor
Posts: 75
Joined: Fri Apr 13, 2012 1:14 am

Re: Let's Encrypt cert renewal

Thu Nov 09, 2023 12:52 pm

I am using a script.
/ip service set www disabled=no
/certificate enable-ssl-certificate dns-name=remote.company.com
and
/system scheduler
add interval=2w3h name=letsencrypt-renew on-event="/ip/firewall/filter/set disabled=no [find comment=\"HTTP\"]\r\
    \n/certificate enable-ssl-certificate dns-name=remote.company.com\r\
    \n/ip/firewall/filter/set disabled=yes [find comment=\"HTTP\"]" policy=read,write start-date=2023-01-01 start-time=03:00:00
However, since the certificate is used for the IKE2 VPN, it also needs to be modified like:
/ip ipsec identity
set [find peer=ike2] certificate=letsencrypt-autogen_2023-11-07T20:00:30Z,intermediate,root
However, I do not know how to fix the script to detect the current / new certificate name to be assigned to the ipsec identity. Any help?
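Pulling together graealex's scheduler approach, Sob's idea of opening the web port only around renewal, and hkusulja's question about the renewed certificate's name, here is an added example script (not from any post in this thread). The domain is a placeholder; the filter-rule comment "HTTP", the IPsec peer "ike2" and the CA certificate names "intermediate" and "root" are taken from hkusulja's post and assumed to exist on the router.

```routeros
# Added example (not from any post in this thread). Run it from /system scheduler
# (e.g. daily): it renews only when the certificate is close to expiry, opens
# TCP/80 just for the renewal, then points the IPsec identity at the new name.
# Assumptions (hypothetical): a filter rule commented "HTTP" that accepts TCP/80,
# an IPsec peer "ike2" and CA certificates "intermediate" and "root" as in
# hkusulja's post; the domain is a placeholder.
:local dnsName "remote.example.com"
:local fwComment "HTTP"
:local renewBefore 30d00:00:00

# RouterOS names the certificate letsencrypt-autogen_<UTC timestamp>, so look it
# up by common-name instead of by a name that changes at every renewal.
:local cur [/certificate find where common-name=$dnsName and name~"^letsencrypt-autogen_"]
:local oldName ""
:local needRenew true
:if ([:len $cur] > 0) do={
    :set oldName [/certificate get ($cur->0) name]
    :local left [/certificate get ($cur->0) expires-after]
    # expires-after is missing on an already expired certificate; that case renews too
    :if ([:typeof $left] = "time") do={
        :if ($left > $renewBefore) do={ :set needRenew false }
    }
}

:if ($needRenew) do={
    # Expose the HTTP-01 challenge port only while the renewal runs
    /ip firewall filter set disabled=no [find comment=$fwComment]
    :do {
        /certificate enable-ssl-certificate dns-name=$dnsName
    } on-error={
        :log error "Let's Encrypt renewal failed for $dnsName"
    }
    /ip firewall filter set disabled=yes [find comment=$fwComment]

    # The renewed certificate carries a new timestamped name. Take the one that is
    # not the pre-renewal name; if ROS renamed it in place there is only that one.
    :local newName ""
    :foreach c in=[/certificate find where common-name=$dnsName and name~"^letsencrypt-autogen_"] do={
        :local n [/certificate get $c name]
        :if ($n != $oldName) do={ :set newName $n }
    }
    :if ($newName = "") do={ :set newName $oldName }

    :if ($newName != "") do={
        # Re-bind everything that references the certificate by name
        /ip ipsec identity set [find peer=ike2] certificate=($newName . ",intermediate,root")
        /ip service set www-ssl certificate=$newName
        :log info "Let's Encrypt: $dnsName now uses $newName, expires-after $[/certificate get [find name=$newName] expires-after]"
    }
}
```

The log line at the end shows the new expires-after value, which is the quick check for the "name changed but dates did not" symptom reported earlier in the thread.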
