patoberli
just joined
Topic Author
Posts: 11
Joined: Sat Jul 02, 2022 12:29 pm

Probably since 7.5 is SSL not anymore working

Tue Sep 13, 2022 2:46 pm

Hi
Probably since the upgrade to 7.5, I can't access the web interface of my Mikrotik through a VPN anymore.
The browser (regardless of whether it is Edge or Firefox) shows:
Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I then checked the configuration and it looks like no certificate is assigned to the web-ssl process. But I'm also unable to assign one:
[admin@MikroTik] > /ip service print where name=www-ssl
Columns: NAME, PORT, CERTIFICATE, VRF
# NAME     PORT  CERTIFICATE  VRF
0 www-ssl   443  none         main
[admin@MikroTik] > /certificate print
Columns: NAME, COMMON-NAME, SUBJECT-ALT-NAME
# NAME         COMMON-NAME          SUBJECT-ALT-NAME
0 Self-signed  mikrotik.pato.local  DNS:mikrotik.pato.local
[admin@MikroTik] > ip service set www-ssl certificate=mikrotik.pato.local disabled=no
input does not match any value of certificate
[admin@MikroTik] > ip service set www-ssl certificate=0 disabled=no
input does not match any value of certificate
[admin@MikroTik] > /certificate print
Columns: NAME, COMMON-NAME, SUBJECT-ALT-NAME
# NAME         COMMON-NAME          SUBJECT-ALT-NAME
0 Self-signed  mikrotik.pato.local  DNS:mikrotik.pato.local
[admin@MikroTik] > /ip service print where name=www-ssl
Columns: NAME, PORT, CERTIFICATE, VRF
# NAME     PORT  CERTIFICATE  VRF
0 www-ssl   443  none         main
[admin@MikroTik] > /ip service print
Columns: NAME, PORT, CERTIFICATE, VRF
# NAME     PORT  CERTIFICATE  VRF
0 telnet     23               main
1 ftp        21
2 www        80               main
3 ssh        22               main
4 www-ssl   443  none         main
5 api      8728               main
6 winbox   8291               main
7 api-ssl  8729  none         main
[admin@MikroTik] > ip service set www-ssl certificate=Self-signed disabled=no
input does not match any value of certificate
[admin@MikroTik] > /certificate add common-name=mikrotik.pato.local subject-alt-name=DNS:mikrotik.pato.local key-size=2048 days-valid=3650 key-usage=tls-server name=self-signed2
[admin@MikroTik] > /ip service print where name=www-ssl
Columns: NAME, PORT, CERTIFICATE, VRF
# NAME     PORT  CERTIFICATE  VRF
4 www-ssl   443  none         main
[admin@MikroTik] > /certificate print
Columns: NAME, COMMON-NAME, SUBJECT-ALT-NAME
# NAME          COMMON-NAME          SUBJECT-ALT-NAME
0 Self-signed   mikrotik.pato.local  DNS:mikrotik.pato.local
1 self-signed2  mikrotik.pato.local  DNS:mikrotik.pato.local
[admin@MikroTik] > ip service set www-ssl certificate=self-signed2 disabled=no
input does not match any value of certificate
[admin@MikroTik] >
Any ideas?
I luckily still have access through SSH.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Probably since 7.5 is SSL not anymore working

Tue Sep 13, 2022 3:40 pm

You're missing a step:
/certificate add common-name=mikrotik.pato.local subject-alt-name=DNS:mikrotik.pato.local key-size=2048 days-valid=3650 key-usage=tls-server,key-cert-sign name=self-signed
/certificate/sign self-signed
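For readers landing here later, the full sequence as an added example (not part of the reply above, and not MikroTik's documentation): create the certificate, sign it so it gets a private key and becomes usable, bind it to www-ssl, and verify each step. The certificate name and common name are the ones from this thread; the address list on the last line is a placeholder you would replace with your own management network.

```routeros
# Added example: self-signed TLS certificate for www-ssl on RouterOS 7.
# Names and CN follow the thread; 192.0.2.0/24 is a placeholder.

# 1. Create the certificate template. key-cert-sign is required so the
#    certificate can sign itself; without it the sign step fails.
/certificate add name=self-signed common-name=mikrotik.pato.local subject-alt-name=DNS:mikrotik.pato.local key-size=2048 days-valid=3650 key-usage=tls-server,key-cert-sign

# 2. Sign it. This is the step that was missing in the first post: an
#    unsigned entry shows up in /certificate print but cannot be assigned
#    to a service, hence "input does not match any value of certificate".
/certificate sign self-signed

# 3. Check the flags before binding: K (private key) and T (trusted) must be
#    present on the entry, otherwise signing has not completed yet.
/certificate print detail where name=self-signed

# 4. Bind it to the HTTPS service and confirm the CERTIFICATE column is no
#    longer "none".
/ip service set www-ssl certificate=self-signed disabled=no
/ip service print where name=www-ssl

# 5. Optional hardening: limit who may reach the web interface at all.
#    (placeholder network; use your management subnet or VPN range)
/ip service set www-ssl address=192.0.2.0/24
```

Step 3 is the check worth keeping: if the flags are missing, repeat the sign command rather than re-creating the certificate, since the name is already taken. Step 5 is independent of the fix and simply narrows the exposure of the management service.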
 
patoberli
just joined
Topic Author
Posts: 11
Joined: Sat Jul 02, 2022 12:29 pm

Re: Probably since 7.5 is SSL not anymore working

Tue Sep 13, 2022 5:16 pm

Thanks, that step seems to have indeed been missing. I could now assign it to the web-ssl process, but the site is weirdly still not loading. I do get a different cert warning now, the expected untrusted certificate one, but after confirming I want to access, the website doesn't load. I guess a reboot is in order.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Probably since 7.5 is SSL not anymore working

Tue Sep 13, 2022 6:53 pm

Untrusted certificate is expected when it's self-signed. You'd need to import it in browser as trusted to avoid it. Or just add permanent exception. As for why it wouldn't load further, I can't say, reboot shouldn't be required, but it can't hurt (but probably won't help either).
 
patoberli
just joined
Topic Author
Posts: 11
Joined: Sat Jul 02, 2022 12:29 pm

Re: Probably since 7.5 is SSL not anymore working

Wed Sep 14, 2022 9:55 am

You are right, the reboot didn't fix it. I think I have some issue in the NAT or firewall rules. I'm trying to access the interface through a VPN initiated by the Mikrotik. I can access it with SSH, but the browser doesn't fully load.
I need to troubleshoot this further; I'm fairly sure it's a firewall/NAT issue. I can also ping hosts behind the Mikrotik, but not access their websites.
 
patoberli
just joined
Topic Author
Posts: 11
Joined: Sat Jul 02, 2022 12:29 pm

Re: Probably since 7.5 is SSL not anymore working

Thu Sep 15, 2022 11:48 pm

Good news, I found the actual problem and was even able to solve it (Wireshark FTW).
So the Mikrotik is at a remote site with an L2TP tunnel to my home site. The MTU of the tunnel (based on the Mikrotik tunnel interface information) is 1400. For some unknown reason, neither the Mikrotik nor my Ubiquiti ER-X (at the home site) created a "packet too big" packet to either side. So my client tried to use an MSS of 1500, which I think got reduced to 1400 (tunnel size), but was still too large by about 66 bytes.
I have now configured a mangle rule on the Mikrotik and am setting the MSS to 1344. Now the connections through this tunnel are finally working.

I still need to figure out, though, why my clients get a too-large MSS and no "fragmentation required" packets between 1344 and 1400.
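As an added illustration of the fix described in this post (my own example, not the poster's actual configuration): a DF-flagged ping to find the largest packet the tunnel carries, then a mangle rule that clamps the TCP MSS in SYN packets crossing the tunnel. Assumptions: the L2TP client interface is named l2tp-out1 (the RouterOS default for the first L2TP client) and the far end answers at 192.0.2.1 (placeholder); 1344 is the value from the post.

```routeros
# Added example: MSS clamping for an L2TP tunnel on RouterOS.
# Assumed names: interface l2tp-out1, peer 192.0.2.1 (placeholders).

# 1. Locate the break point. With do-not-fragment set, a probe that is too
#    large for the path is dropped instead of fragmented, so compare a probe
#    near the 1400-byte tunnel MTU with a smaller one. Adjust the size for
#    the header accounting your RouterOS version uses.
/ping 192.0.2.1 size=1400 do-not-fragment count=3
/ping 192.0.2.1 size=1344 do-not-fragment count=3

# 2. Fixed clamp in both directions: rewrite the MSS in SYN packets that
#    enter or leave the tunnel when the advertised value is above 1344.
#    tcp-mss=1345-65535 limits the rule to SYNs that actually need changing.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn out-interface=l2tp-out1 tcp-mss=1345-65535 action=change-mss new-mss=1344 passthrough=yes comment="clamp MSS towards L2TP tunnel"
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn in-interface=l2tp-out1 tcp-mss=1345-65535 action=change-mss new-mss=1344 passthrough=yes comment="clamp MSS from L2TP tunnel"

# 3. Alternative to a hard-coded value: derive the MSS from the outgoing
#    interface MTU, so a later MTU change on the tunnel does not silently
#    reintroduce the hang.
# /ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn out-interface=l2tp-out1 action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# 4. Verify the rules are matching: the packet counters should increase
#    when a new TCP connection crosses the tunnel.
/ip firewall mangle print stats where action=change-mss
```

An MSS of 1344 plus 20 bytes of IPv4 header and 20 bytes of TCP header gives a 1384-byte packet, which fits in the 1400-byte tunnel with 16 bytes to spare. Clamping only masks the underlying problem the poster noted in the last line: a working path should deliver ICMP "fragmentation needed" messages so that endpoints discover the MTU themselves, and a firewall that drops those ICMP messages is the usual reason they never arrive.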
