I have seen that lets encrypt can be used on RouterOS devices.
The drawback is to open port 80 to the world and there are workarounds using /ip/firewall/xyz rules to block port 80 and allow to only specific sources.
There is another option and it's to use some kind of reverse proxy such as nginx or haproxy or others... with some ACLs that will only pass through the relevant path to the webfig port 80 while showing another static page for all other port 80 traffic.
Have anyone tried to do such a thing?
I believe that a simple WAF exists in a container already and if someone wants to tinker a bit with coraza you can try to modify:
https://github.com/docker-servers/coraza-caddy

for RouterOS.