patrlind
just joined
Topic Author
Posts: 12
Joined: Mon Oct 19, 2020 11:48 am

Is the fetch tool working with HTTPS?

Wed Nov 10, 2021 6:31 pm

I am trying to download an rsc script from an HTTPS server I have. The server has a certificate signed by my root CA and the CA certificate is added to the list of trusted certs.
When I run the fetch command on my firewall/gateway (RB5009) I get an SSL decode error. I am not sure what that means.
[admin@gw] > /tool fetch url="https://10.10.3.21/firehol_level1" check-certificate=yes dst-path=firehol_level1.rsc
  status: failed

failure: ssl connection error: ssl: decode error (6)
[admin@gw] > 

When I run it on another Mikrotik device everything works as expected:
[admin@wap1] > /tool fetch url="https://10.10.3.21/firehol_level1" check-certificate=yes dst-path=firehol_level1.rsc
      status: finished
  downloaded: 139KiB
       total: 0KiB
    duration: 1s

[admin@wap1]

I have checked with tcpdump and there is traffic coming from the router to the web server. I also added debug log to the nginx error log and it says:
2021/11/10 17:26:00 [debug] 3239#3239: accept on 0.0.0.0:443, ready: 0
2021/11/10 17:26:00 [debug] 3239#3239: posix_memalign: 000055D782A7D330:512 @16
2021/11/10 17:26:00 [debug] 3239#3239: *11058 accept: 10.10.3.1:40842 fd:15
2021/11/10 17:26:00 [debug] 3239#3239: *11058 event timer add: 15: 60000:174145038
2021/11/10 17:26:00 [debug] 3239#3239: *11058 reusable connection: 1
2021/11/10 17:26:00 [debug] 3239#3239: *11058 epoll add event: fd:15 op:1 ev:80002001
2021/11/10 17:26:00 [debug] 3239#3239: *11058 http check ssl handshake
2021/11/10 17:26:00 [debug] 3239#3239: *11058 http recv(): 1
2021/11/10 17:26:00 [debug] 3239#3239: *11058 https ssl handshake: 0x16
2021/11/10 17:26:00 [debug] 3239#3239: *11058 tcp_nodelay
2021/11/10 17:26:00 [debug] 3239#3239: *11058 reusable connection: 0
2021/11/10 17:26:00 [debug] 3239#3239: *11058 SSL server name: "10.10.3.21"
2021/11/10 17:26:00 [debug] 3239#3239: *11058 SSL_do_handshake: -1
2021/11/10 17:26:00 [debug] 3239#3239: *11058 SSL_get_error: 2
2021/11/10 17:26:00 [debug] 3239#3239: *11058 SSL handshake handler: 0
2021/11/10 17:26:00 [debug] 3239#3239: *11058 SSL_do_handshake: -1
2021/11/10 17:26:00 [debug] 3239#3239: *11058 SSL_get_error: 1
2021/11/10 17:26:00 [info] 3239#3239: *11058 SSL_do_handshake() failed (SSL: error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error:SSL alert number 50) while SSL handshaking, client: 10.10.3.1, server: 0.0.0.0:443
2021/11/10 17:26:00 [debug] 3239#3239: *11058 close http connection: 15
2021/11/10 17:26:00 [debug] 3239#3239: *11058 event timer del: 15: 174145038
2021/11/10 17:26:00 [debug] 3239#3239: *11058 reusable connection: 0
2021/11/10 17:26:00 [debug] 3239#3239: *11058 free: 000055D782A7D330, unused: 134


The RB5009 is running 7.1rc5, the other device is running 6.49.

Is there a problem with the fetch command for HTTPS in 7.1?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is the fetch tool working with HTTPS?

Wed Nov 10, 2021 7:02 pm

"https://10.10.3.21/firehol_level1" without ".rsc" at the end?
Do not use "redirect" to download file. (do not generate content based on page requested "firehol_level1")
Put the correct non-redirected url.
 
patrlind
just joined
Topic Author
Posts: 12
Joined: Mon Oct 19, 2020 11:48 am

Re: Is the fetch tool working with HTTPS?

Wed Nov 10, 2021 7:10 pm

It is a web service I have created, it dynamically generates a firewall script based on the firehol_level1 IP block list.
It is not doing a redirect, just outputs "text/plain; charset=utf-8" data that I am then saving as an .rsc file.

This should not be relevant for the fetch tool to work, especially since it is working fine in 6.49, right?
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Is the fetch tool working with HTTPS?

Wed Nov 10, 2021 8:43 pm

Is date and time set on the device?
 
patrlind
just joined
Topic Author
Posts: 12
Joined: Mon Oct 19, 2020 11:48 am

Re: Is the fetch tool working with HTTPS?

Thu Nov 11, 2021 9:23 am

> Is date and time set on the device?

Good suggestion! I had this issue on the 6.49 device, but that gave me an error message that said the certificate was from the future. On the 7.1 device however, I have the clock synced with NTP and it is showing the correct time, so it should not be this problem that I am seeing.
The error message from the server kind of hints at a problem where the client and the server cannot negotiate the same TLS version. I have tried enabling TLS 1.0, 1.1, 1.2 and 1.3. But no difference. I would expect the 7.1 version to at least support what 6.49 supports.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is the fetch tool working with HTTPS?

Thu Nov 11, 2021 10:48 am

Error message

tlsv1 alert decode error:SSL alert number 50

indicates problems with encoding/decoding peer's contents (and doesn't have much to do with TLS version apart from ciphering / key exchange algorithms used, some might work properly). Which likely points in the direction of an error in the client's SSL implementation (on the RB5009 in your case). I suggest you open a ticket with MikroTik support so that they properly debug this issue.
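
Added example (not part of the thread or of any poster's message): a small parser for the nginx "SSL_do_handshake() failed" line quoted above. It decodes the OpenSSL error code to show which side raised the error and which TLS alert was involved. It assumes the OpenSSL 1.x error-code packing (reason code in the low 12 bits); the third sample line and its client address are constructed.

```python
import re

# Subset of TLS alert descriptions (RFC 5246 section 7.2, RFC 8446 section 6).
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 45: "certificate_expired", 47: "illegal_parameter",
    48: "unknown_ca", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}
# OpenSSL reports an alert *received from the peer* as reason 1000 + alert number.
SSL_AD_REASON_OFFSET = 1000

FAILED_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"[^:]+:(?P<func>[^:]+):(?P<reason>[^:)]+).*?client: (?P<client>[0-9A-Fa-f.:]+)"
)

def decode_handshake_failure(line):
    """Return a dict describing one nginx handshake failure, or None."""
    m = FAILED_RE.search(line)
    if m is None:
        return None
    # Assumption: OpenSSL 1.x packing, reason code in the low 12 bits.
    reason_code = int(m.group("code"), 16) & 0xFFF
    alert = reason_code - SSL_AD_REASON_OFFSET
    from_peer = 0 <= alert <= 255
    return {
        "client": m.group("client"),
        "function": m.group("func"),
        "reason": m.group("reason"),
        "alert": alert if from_peer else None,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if from_peer else None,
        # "peer": the client sent the alert, so it rejected what it received.
        # "local": the server's own TLS stack raised the error.
        "raised_by": "peer" if from_peer else "local",
    }

SAMPLE_LOG = [
    # First two lines are from the thread's nginx log; the third is constructed.
    '2021/11/10 17:26:00 [debug] 3239#3239: *11058 SSL_get_error: 1',
    '2021/11/10 17:26:00 [info] 3239#3239: *11058 SSL_do_handshake() failed (SSL: error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error:SSL alert number 50) while SSL handshaking, client: 10.10.3.1, server: 0.0.0.0:443',
    '2021/11/10 17:30:00 [info] 3239#3239: *11060 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 192.0.2.7, server: 0.0.0.0:443',
]

if __name__ == "__main__":
    for entry in filter(None, map(decode_handshake_failure, SAMPLE_LOG)):
        print(entry)
```

For the line from the thread the result is raised_by "peer" with alert 50 (decode_error): the alert was sent by the client at 10.10.3.1 and only recorded by nginx.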
 
patrlind
just joined
Topic Author
Posts: 12
Joined: Mon Oct 19, 2020 11:48 am

Re: Is the fetch tool working with HTTPS?  [SOLVED]

Wed May 04, 2022 11:47 am

This issue seems to be fixed in one of the later versions of RouterOS 7.
I am running 7.2.2 and I'm no longer getting the error.
 
Golepix
just joined
Posts: 1
Joined: Tue Mar 28, 2023 9:57 am

Re: Is the fetch tool working with HTTPS?

Tue Mar 28, 2023 10:24 am

> This issue seems to be fixed in one of the later versions of RouterOS 7.
> I am running 7.2.2 and I'm no longer getting the error.

Hello, I wonder how long it takes to set up this manipulation? I heard that on a 7.2.2 version, it was a bit slow. Any advice for me please?
 
patrlind
just joined
Topic Author
Posts: 12
Joined: Mon Oct 19, 2020 11:48 am

Re: Is the fetch tool working with HTTPS?

Thu Mar 30, 2023 10:30 am

Hi Golepix, I'm not sure I understand your question. For me it wasn't slow, it was quite fast. And now you have lots more updates available since 7.2.2. Have you tried the latest version?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is the fetch tool working with HTTPS?

Thu Mar 30, 2023 12:43 pm

> Hi Golepix, I'm not sure I understand your question. For me it wasn't slow, it was quite fast. And now you have lots more updates available since 7.2.2. Have you tried the latest version?

Do not lose time, 1 post only, also with image, and inconclusive question....
Is like a BOT or Spammer....
