Community discussions

MikroTik App
 
User avatar
bigcw
Member Candidate
Member Candidate
Topic Author
Posts: 112
Joined: Mon Sep 08, 2014 2:38 pm

Support for ACME/Let's Encrypt certificate management

Fri Jan 02, 2015 6:13 pm

As subject, it would be great if ROS supported the new ACME-protocol for managing browser-trusted certificates from Let's Encrypt.

Let's Encrypt: https://letsencrypt.org/

Protocol spec: https://github.com/letsencrypt/acme-spec

Presentation at 31c3 on Tuesday: http://youtu.be/OZyXx8Ie4pA <-- start here if you've not heard of this before!
 
smala
just joined
Posts: 9
Joined: Fri Sep 12, 2014 6:11 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Mar 16, 2015 6:52 pm

+1 vote up
 
locodog
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Sun Apr 12, 2015 4:00 am

Re: Support for ACME/Let's Encrypt certificate management

Sat Aug 08, 2015 2:20 pm

+1 vote up
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1160
Joined: Tue Oct 11, 2005 4:53 pm

Re: Support for ACME/Let's Encrypt certificate management

Tue Aug 11, 2015 3:41 pm

+1 :)
 
User avatar
stmx38
Long time Member
Long time Member
Posts: 650
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: Support for ACME/Let's Encrypt certificate management

Fri Dec 04, 2015 10:53 am

Mikrotik Team, please consider adding support of letsencrypt free SSL certificates.
Entering Public Beta

Thank you!
 
marrold
Member
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Support for ACME/Let's Encrypt certificate management

Fri Dec 04, 2015 11:08 am

+1 :D
 
User avatar
kometchtech
Member Candidate
Member Candidate
Posts: 194
Joined: Sat Jun 15, 2013 4:25 am
Location: Japan
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Fri Dec 04, 2015 11:31 am

+1 too
 
rheo
just joined
Posts: 21
Joined: Tue Aug 14, 2012 8:19 am

Re: Support for ACME/Let's Encrypt certificate management

Mon Dec 07, 2015 2:28 am

+1 - would like this too
 
mavink
newbie
Posts: 32
Joined: Sun Sep 06, 2015 5:55 pm

Re: Support for ACME/Let's Encrypt certificate management

Sun Dec 13, 2015 6:12 pm

This would be a great feature. Configure a couple of hostnames you want certificates for, and then have the firewall automatically request/renew them with letsencrypt.org. This will save a lot of time, especially when using services that require a valid certificate such as SSTP VPN's.
 
nka
newbie
Posts: 44
Joined: Tue Mar 22, 2011 7:48 pm
Location: Quebec, Canada

Re: Support for ACME/Let's Encrypt certificate management

Mon Dec 14, 2015 5:46 am

I +1 on this too :D
 
User avatar
michaeln416
just joined
Posts: 15
Joined: Mon Dec 01, 2014 5:03 am
Location: Ontario, Canada

Mon Dec 14, 2015 1:56 pm

+1

Sent from my Nexus 6P using Tapatalk
 
User avatar
kiler129
Member
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Mon Dec 21, 2015 2:17 am

I agree but isn't Let's Encrypt certificates www-only?
 
nka
newbie
Posts: 44
Joined: Tue Mar 22, 2011 7:48 pm
Location: Quebec, Canada

Re: Support for ACME/Let's Encrypt certificate management

Mon Dec 21, 2015 3:03 am

No, they are "certificats", can be use on anything (firewall, mail, ftp, etc...). The only "problem" is that they are 90 days lifetime... so without ACME, you'll have to update the cert manually each 3 month. Certs are actually working right now if you do install it manually.
 
peterloron
just joined
Posts: 14
Joined: Wed May 13, 2015 9:58 pm
Location: Earth

Re: Support for ACME/Let's Encrypt certificate management

Thu Dec 24, 2015 7:42 am

+1 for sure
 
amaarsh
just joined
Posts: 1
Joined: Sun Jan 03, 2016 6:45 pm

Re: Support for ACME/Let's Encrypt certificate management

Wed Jan 13, 2016 5:26 pm

+1 my vote
 
Zorro
Long time Member
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: Support for ACME/Let's Encrypt certificate management

Thu Jan 14, 2016 9:24 pm

also simple and neat ability to create and manage separate certs blacklists(including automated with scripts/scheduler from remote source oudate of it) "just in case" - would help a lot, too.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Support for ACME/Let's Encrypt certificate management

Fri Jan 15, 2016 3:07 pm

We are looking into it. No promises.
 
Toigoweb
just joined
Posts: 17
Joined: Mon Feb 16, 2015 3:21 pm

Re: Support for ACME/Let's Encrypt certificate management

Thu Feb 25, 2016 12:11 pm

Thank you. let us up to date.
 
Boter
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Sat Sep 08, 2012 9:55 pm
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Sun Feb 28, 2016 11:11 am

+1 :)
 
the.max
just joined
Posts: 9
Joined: Sun Apr 01, 2007 3:47 pm
Location: Czech Republic, Bilina
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Mon Mar 21, 2016 1:39 am

I too +1
 
ndbjorne
just joined
Posts: 23
Joined: Sat Dec 15, 2012 5:06 pm
Location: Italy

Re: Support for ACME/Let's Encrypt certificate management

Mon Mar 21, 2016 8:55 pm

me++!
 
robsters
just joined
Posts: 1
Joined: Sat Apr 09, 2016 2:44 am

Re: Support for ACME/Let's Encrypt certificate management

Sat Apr 09, 2016 2:47 am

Same here.. Maybe as a plugin?
 
Solaris
Member Candidate
Member Candidate
Posts: 111
Joined: Thu Apr 29, 2010 5:05 pm

Re: Support for ACME/Let's Encrypt certificate management

Sun Apr 10, 2016 9:41 pm

+1 to go please :)
 
ninfa
just joined
Posts: 5
Joined: Thu Nov 26, 2015 3:09 pm

Re: Support for ACME/Let's Encrypt certificate management

Thu Apr 14, 2016 9:20 am

++1
 
SparcAsia
just joined
Posts: 5
Joined: Mon Apr 25, 2016 2:34 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Apr 29, 2016 1:41 pm

Yes +100 on this topic...
What kind (aka type eg. Python, Bash etc.) of scripts are used in RouterOS?
I see this page of course...
http://wiki.mikrotik.com/wiki/Manual:Scripting
but what are they?... proprietary?
Is there a plugin to run a more common type of script like python or bash shell etc.?

Any other suggestions/recommendations for the best route to solve this problem other then in wishful thinking of a RouterOS update one day?
 
User avatar
kiler129
Member
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Sat Apr 30, 2016 8:20 am

What kind (aka type eg. Python, Bash etc.) of scripts are used in RouterOS?
(...)
but what are they?... proprietary?
ROS scripting engine is fully custom like terminal. That route was chosen probably due to performance & security reasons.
Is there a plugin to run a more common type of script like python or bash shell etc.?
Nope.
Any other suggestions/recommendations for the best route to solve this problem other then in wishful thinking of a RouterOS update one day?
There's no way besides external automation and updating certificates via SFTP.
 
SparcAsia
just joined
Posts: 5
Joined: Mon Apr 25, 2016 2:34 pm

Re: Support for ACME/Let's Encrypt certificate management

Sat Apr 30, 2016 10:03 am

I see thanks for your constructive input. This explains that even NPKs are not possible and require signing too bad.
http://forum.mikrotik.com/viewtopic.php?t=87126

So it's got to be a script only solution I guess. That explains the rash of +1s without the more constructive discussion I'm more familiar with in the open source community these days. So I gather the RouterOS is something I can NOT download, compile and customize either? :shock:
 
nikolas22t
just joined
Posts: 18
Joined: Thu Jan 12, 2012 1:03 pm

Re: Support for ACME/Let's Encrypt certificate management

Thu May 05, 2016 11:48 pm

No, they are "certificats", can be use on anything (firewall, mail, ftp, etc...). The only "problem" is that they are 90 days lifetime... so without ACME, you'll have to update the cert manually each 3 month. Certs are actually working right now if you do install it manually.
How you generated the certificate and installed ?
 
efaden
Forum Guru
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Fri May 06, 2016 4:59 am

+1 for this

Sent from my XT1575 using Tapatalk
 
peterloron
just joined
Posts: 14
Joined: Wed May 13, 2015 9:58 pm
Location: Earth

Re: Support for ACME/Let's Encrypt certificate management

Sun May 22, 2016 9:49 pm

MikroTik team: any update on this?
 
User avatar
kiler129
Member
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Sun May 22, 2016 10:45 pm

There's even implementation of ACME client in bash alone: https://github.com/lukas2511/letsencrypt.sh
 
jwf1776
just joined
Posts: 9
Joined: Sat Jul 18, 2015 6:10 pm

Re: Support for ACME/Let's Encrypt certificate management

Sat Jun 11, 2016 11:49 pm

i would envision this feature to be an extension of the current dynamic dns feature.  (this also alleviates any off router requisites)

currently ROS can register your wan ip for an auto-genterated hostname like 62190177tk28.sn.mynetname.net.

lets encypt function could register/update the SSL cert for that same hostname...
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 2182
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Mon Jun 20, 2016 5:57 am

+1

Support would be great for SSTP and other SSL services.
 
netwpl
newbie
Posts: 28
Joined: Fri Jun 22, 2012 8:09 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Jun 20, 2016 3:12 pm

+1
 
syadnom
Forum Veteran
Forum Veteran
Posts: 820
Joined: Thu Jan 27, 2011 7:29 am

Re: Support for ACME/Let's Encrypt certificate management

Tue Jun 21, 2016 5:19 pm

+1

I'd doing this on another box and copying the cert over.  would be fantastic to have this in routeros!

note....  ub****ti's routers can do this... if that's  at all motivating lol
 
Hamsterman
just joined
Posts: 22
Joined: Thu Jun 30, 2016 9:10 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Jul 01, 2016 10:50 pm

+1 from me as well
 
spaxton
Member Candidate
Member Candidate
Posts: 192
Joined: Fri Jan 01, 2010 12:18 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Jul 29, 2016 8:17 pm

+1 from me, too!
 
thekrzos
newbie
Posts: 29
Joined: Tue Aug 02, 2016 10:39 am

Re: Support for ACME/Let's Encrypt certificate management

Tue Aug 02, 2016 10:52 am

+1 :)

Wysłane z mojego GT-I9195 przy użyciu Tapatalka
 
andreeii
just joined
Posts: 3
Joined: Mon Nov 04, 2013 11:49 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Aug 05, 2016 3:03 pm

+1 a little late, but this would be amazing!!!
 
randomseed
newbie
Posts: 31
Joined: Mon Dec 15, 2008 12:52 am

Re: Support for ACME/Let's Encrypt certificate management

Wed Aug 17, 2016 5:07 pm

+1 Thanks.
 
micromaxi
newbie
Posts: 43
Joined: Fri Feb 06, 2015 10:32 am

Re: Support for ACME/Let's Encrypt certificate management

Sat Aug 20, 2016 11:31 pm

+1 would be great addon !
 
benoga
just joined
Posts: 13
Joined: Wed Mar 09, 2016 7:50 am

Re: Support for ACME/Let's Encrypt certificate management

Sun Aug 21, 2016 7:36 am

+1 for let's encrypt certificate management
 
wahoo
just joined
Posts: 4
Joined: Tue Feb 04, 2014 1:28 am

Re: Support for ACME/Let's Encrypt certificate management

Wed Aug 24, 2016 1:08 pm

+1 for Let's Encrypt SSTP
 
korniza
newbie
Posts: 26
Joined: Fri Jan 06, 2012 4:05 pm

Re: Support for ACME/Let's Encrypt certificate management

Sat Sep 03, 2016 12:16 am

+1 also
 
micromaxi
newbie
Posts: 43
Joined: Fri Feb 06, 2015 10:32 am

Re: Support for ACME/Let's Encrypt certificate management

Sat Sep 03, 2016 1:31 am

@mikrotik before everyone starts +1 would that at (in theory) be possible?
 
WiPoint
just joined
Posts: 5
Joined: Fri Nov 16, 2012 6:47 pm

Re: Support for ACME/Let's Encrypt certificate management

Thu Sep 15, 2016 10:29 pm

+1 :D
 
MayestroPW
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Wed Oct 26, 2016 3:28 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Oct 28, 2016 7:46 pm

+1 :)
 
nosovk
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Wed Jan 25, 2012 11:25 am
Location: Ukraine
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Mon Nov 28, 2016 1:29 am

+1, great feature
 
Miracle
Member Candidate
Member Candidate
Posts: 106
Joined: Fri Sep 11, 2015 9:04 am

Re: Support for ACME/Let's Encrypt certificate management

Tue Nov 29, 2016 7:58 am

Please support let's encrypt
thanks
 
DarkRoot
just joined
Posts: 1
Joined: Fri Nov 18, 2016 5:10 pm

Re: Support for ACME/Let's Encrypt certificate management

Wed Dec 07, 2016 12:17 am

+1 :)
 
zombie2048
just joined
Posts: 1
Joined: Fri Dec 09, 2016 12:49 am

Re: Support for ACME/Let's Encrypt certificate management

Fri Dec 09, 2016 12:51 am

+1, please!
 
kopimi
just joined
Posts: 2
Joined: Tue Dec 06, 2016 2:10 am

Re: Support for ACME/Let's Encrypt certificate management

Sun Dec 25, 2016 3:57 pm

+3 (at least!)
I think it would be super simple to implement and it would solve so many issues for us techies.
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Support for ACME/Let's Encrypt certificate management

Mon Dec 26, 2016 7:20 pm

+1 for support, it would make things much easier for a lot of us.
 
mbeauverd
just joined
Posts: 22
Joined: Mon Oct 03, 2016 10:46 am

Re: Support for ACME/Let's Encrypt certificate management

Wed Dec 28, 2016 12:06 am

Yes +1
 
macroc
just joined
Posts: 2
Joined: Mon Apr 25, 2016 12:41 am
Location: Ireland
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Sat Dec 31, 2016 5:08 pm

+ 1!
 
JasonPugh
just joined
Posts: 1
Joined: Sun Jan 01, 2017 2:15 pm

Re: Support for ACME/Let's Encrypt certificate management

Sun Jan 01, 2017 2:17 pm

+1, please!
 
gfra
just joined
Posts: 3
Joined: Sat Dec 24, 2016 4:02 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Jan 06, 2017 11:38 pm

+1 :)
 
lomadurov
just joined
Posts: 1
Joined: Sat Jan 14, 2017 3:56 pm

Re: Support for ACME/Let's Encrypt certificate management

Sat Jan 14, 2017 3:57 pm

+1, please!
 
callme
just joined
Posts: 14
Joined: Sat Aug 30, 2014 9:12 am

Re: Support for ACME/Let's Encrypt certificate management

Sat Jan 21, 2017 9:42 am

+1 Please
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Support for ACME/Let's Encrypt certificate management

Sat Jan 21, 2017 5:05 pm

Plus ones all around, but did anyone give it some thought beyond that it would be nice feature? How exactly it should work to be usable for as many scenarios as possible? Because there are quite a few.

Let's Encrypt allows to verify hostnames using different challenges:

- http - code needs to be placed on http server on default port
- dns - code needs to be placed in dns
- tls-sni - code needs to be served by https server on default port for special hostname

There's no way that just one challenge type would be usable for everyone. Let's say I want to get certificate for SSTP server. If the router is dedicated SSTP server with public address using default https port, then it's easy, it can simply use tls-sni.

But what if IP address is shared with web server (with port 80 and 443 forwarded to LAN) and SSTP uses non-standard port (I think it will be very common setup)? Then the only right option is dns. The problem is, dns is very often hosted by registrar without any automated way to change records, so this option may not be available. The other way would be to have events for LE client, that would allow to write a script to temporarily disable port forwarding to internal web server, set it to local SSTP server and then back after successful verification. It would mean short service interruption for internal webserver, but better than nothing I guess.

It can be even worse, SSTP server might be an internal machine, which has only one non-standard port forwarded to it. That would leave dns as the only option.

Where automated updates of dns records is possible, it would be the best solution. But even that is not completely straightforward, because there may be different ways how to update records, either using standard dns updates, or some custom way, e.g. using http(s) calls to some api. Plus there might be a need to update completely different records (there are some interesting tricks you can do with LE and CNAMEs). So events and scripts is probably the only universal solution here too.

Comments, thoughts, suggestions?
 
ndbjorne
just joined
Posts: 23
Joined: Sat Dec 15, 2012 5:06 pm
Location: Italy

Re: Support for ACME/Let's Encrypt certificate management

Wed Jan 25, 2017 2:41 pm

+1+
 
undecided
Member Candidate
Member Candidate
Posts: 107
Joined: Mon May 16, 2011 11:07 am

Re: Support for ACME/Let's Encrypt certificate management

Mon Feb 06, 2017 9:07 am

We need this! +1
 
User avatar
juliokato
Member Candidate
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Support for ACME/Let's Encrypt certificate management

Mon Feb 06, 2017 4:31 pm

 
undecided
Member Candidate
Member Candidate
Posts: 107
Joined: Mon May 16, 2011 11:07 am

Re: Support for ACME/Let's Encrypt certificate management

Tue Feb 07, 2017 9:19 am

Awesome!
 
User avatar
juliokato
Member Candidate
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Support for ACME/Let's Encrypt certificate management

Sat Feb 25, 2017 5:24 pm

If mikrotik sites use ssl certificates of let's encrypt (https://routerboard.com and https://forum.mikrotik.com) why they have not yet integrated the solution to the routeros?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Sun Feb 26, 2017 10:14 pm

because sites are hosted not by routeros?..
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Mon Feb 27, 2017 4:36 pm

Have you tried this tutorial? Simple enough:
 
User avatar
maximan
Trainer
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Fri Mar 03, 2017 8:49 pm

Awesome!!!...Thank you!!


M.
 
palhaland
just joined
Posts: 12
Joined: Mon Aug 15, 2016 9:05 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Mar 06, 2017 8:47 pm

I created a deploy script for acme.sh to deploy to a routeros server

If anyone would like to have a look at it.
https://github.com/Neilpang/acme.sh/pull/706
 
dattl
just joined
Posts: 10
Joined: Sun Sep 27, 2015 1:57 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Mar 10, 2017 8:20 pm

+1 acme for renewing cert on mynetname.net would be just YIIIHHHAA!
 
MetUys
newbie
Posts: 32
Joined: Mon Mar 17, 2014 1:19 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Sep 01, 2017 1:43 pm

+1

Just a thought and pardon if I fall out the window on this...

What if the created ROS package for this did an inspection of the TLS SNI Domain Hint but only during the setup of a cert if using TLS-SNI mode?
This way it could capture the validation requests and respond appropriately completing the setup for it .
I say during setup only as this would have obvious impacts to resources and services while it inspects.
If users are looking for this feature they might be willing to take that knock during the small setup window every 3months per cert.
(if you don't want to, then don't install the package or setup any certs on it)

How I envisage the package options:
- Global settings for ACME protocol requirements (notification email address, etc...) or maybe allow this to also be set per cert (if anyone has the need for this?)
- allow for more than one cert (you might want different certs for different things)
- allow for multiple SANs per cert, where the first SAN in the list will be the name of the cert (the SNI domain hint inspection would look for all of these during that cert's setup/re-validation)
- allow for auto adding of Cloud DNS to a SAN (makes it easier to not fat finger it)
- allow for service(s) to be specified for use with that cert (hotspot, SSTP, OpenVPN, API-SSL, WWW-SSL, etc) further improving its automation ability
- Allow for different strength keys (more robustness and control)

Notes: why only SAN names... Common Name field removal is well underway (see more on this here: https://groups.google.com/a/chromium.or ... GT2fLJrAeo)
however if users want the CN, so be it, I have no objections to it.

Thoughts?
 
nirv
just joined
Posts: 2
Joined: Sun Mar 22, 2015 1:40 pm

Re: Support for ACME/Let's Encrypt certificate management

Wed Sep 06, 2017 12:43 am

+1+
 
jonthorpe
just joined
Posts: 16
Joined: Mon Oct 27, 2014 3:25 am

Re: Support for ACME/Let's Encrypt certificate management

Sat Oct 14, 2017 2:13 am

After trying the script at https://www.ollegustafsson.com/en/letsencrypt-routeros/ for updating an SSTP certificate, I decided to write one that only relies on a BASH script:
https://gist.github.com/JonathanThorpe/ ... 5162dafe43

You'll need the following:
1. Create a DSA SSH Key so that the host running the BASH script can login to MikroTik.
2. Install acme.sh as per the instructions in https://www.ollegustafsson.com/en/letsencrypt-routeros/
3. Update the following:
----
ACME=/root/.acme.sh/acme.sh
DOMAIN=remote.mydomain.tld
CERTPATH=/var/router-certs
CERT=$DOMAIN.cer
KEY=$DOMAIN.key
ROUTER=router_os_IP
ROUTER_USER=username_to_login_to_routeros
----

If the script is run on a cron, it should renew certificates and when they renew, the commands should be run on the Mikrotik to update the cert.
 
brad0x52
just joined
Posts: 13
Joined: Thu Oct 15, 2015 8:48 pm

Re: Support for ACME/Let's Encrypt certificate management

Tue Nov 14, 2017 12:08 am

I've got a couple routers that I use LetsEncrypt certificates for SSTP. Since it took me a bit to figure out why things weren't working at first, I've included my tweaked scripts below. Additionally, I created a dedicated user on my Linux server for managing certificates and set it up to log into my routers with certificate login. If the username is identical on both systems, it can be omitted in the command as well.

This script runs shortly after acme.sh in cron to upload the certificates to the routers. Yes, I know this would have been more graceful as a foreach loop, but I've only got 2 routers and I was in a hurry.
#!/usr/bin/env bash
set -e
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
DOMAIN=vpn1.example.net
CERT=vpn1.example.net.cer
KEY=vpn1.example.ne.key
ROUTER=<Router 1 IP Address>

cd $DIR/$DOMAIN

if [ -f $CERT ]; then
        echo -n "Uploading $DOMAIN certificate $ROUTER router..."
        scp -q $CERT $ROUTER:$CERT
        scp -q $KEY $ROUTER:$KEY
        echo "done!"
        exit 0
fi

DOMAIN=vpn2.example.net
CERT=vpn2.example.net.cer
KEY=vpn2.example.ne.key
ROUTER=<Router 2 IP Address>

cd $DIR/$DOMAIN

if [ -f $CERT ]; then
        echo -n "Uploading $DOMAIN certificate $ROUTER router..."
        scp -q $CERT $ROUTER:$CERT
        scp -q $KEY $ROUTER:$KEY
        rm $CERT $KEY
        echo "done!"
        exit 0
fi
On my routers, I have this script scheduled to run 30 minutes after the files are scheduled to be uploaded:

:if ([:len [/file find name=vpn1.example.net]] > 0) do={ 
    
    :put "Deleting Old Certificate"
        /certificate remove vpn1.example.net.cer_0
        :delay 1
    :put "Importing new Certificate"
        /certificate import file-name=vpn1.example.net.cer passphrase=""
        /certificate import file-name=vpn1.example.net.key passphrase=""
        :delay 1
    :put "Assigning certificate to SSTP Server"
        /interface sstp-server server set certificate=vpn1.example.net.cer_0
        :delay 1
    :put "Cleaning up files"
        /file remove vpn1.example.net.cer
        /file remove vpn1.example.net.key
    :put "Certificate installation complete"
}
 
User avatar
colinardo
just joined
Posts: 19
Joined: Sun Jan 08, 2017 9:02 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Nov 24, 2017 1:11 pm

Hi there,
developed my own solution with a MetaROUTER Instance to renew Let's Encrypt certificates on the router itself.
Have a look at https://www.administrator.de/contentid/355746 for a tutorial (german).

Best regards
@colinardo
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1160
Joined: Tue Oct 11, 2005 4:53 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Nov 24, 2017 3:24 pm

Unfortunately metarouter is pretty much a forgotten feature by MikroTIk.
Currently MetaRouter can be used on

RB400, RB700 series except models with SPI flash, RB900 series except models with SPI flash, RB2011 boards
Listed PPC boards: RB1000, RB1100, RB1100AH and RB800.
In other words, CCR, RB3011, RB850Gx2, RB1100AHx4, etc which have enough cpu/storage/memory resources are not supported.
 
gimpeltik
just joined
Posts: 5
Joined: Tue Nov 28, 2017 4:13 pm

Re: Support for ACME/Let's Encrypt certificate management  [SOLVED]

Tue Nov 28, 2017 4:20 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:
  • Dedicated Linux renew and push certificates to RouterOS / Mikrotik
  • After CertBot renew your certificates
  • The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
  • Delete previous certificate files
  • Delete the previous certificate
  • Upload two new files: Certificate and Key
  • Import Certificate and Key
  • Change SSTP Server Settings to use new certificate
  • Delete certificate and key files form RouterOS / Mikrotik storage

https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh
 
nka
newbie
Posts: 44
Joined: Tue Mar 22, 2011 7:48 pm
Location: Quebec, Canada

Re: Support for ACME/Let's Encrypt certificate management

Thu Nov 30, 2017 5:44 pm

Dedicated Linux renew and push certificates to RouterOS / Mikrotik
this is the only sad part. My CCR should be able to do it by itself! :(
 
dattl
just joined
Posts: 10
Joined: Sun Sep 27, 2015 1:57 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Feb 02, 2018 5:14 pm

+1
Maybe the acme.sh code helps you to find an easy solution: https://github.com/Neilpang/acme.sh
Thats the easiest way for letsencrypt that i know.
 
hanfelt
just joined
Posts: 1
Joined: Fri Jun 01, 2012 3:38 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Feb 12, 2018 4:21 pm

+1 would be really handy
 
User avatar
omidkosari
Trainer
Trainer
Posts: 640
Joined: Fri Sep 01, 2006 4:18 pm
Location: Canada, Toronto

Re: Support for ACME/Let's Encrypt certificate management

Fri Mar 16, 2018 7:01 pm

+1 for RouterOS self Lets Encrypt management .
 
Largelos
just joined
Posts: 14
Joined: Thu Jan 31, 2013 1:24 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Apr 23, 2018 8:58 pm

+1 for support by routeros directly
 
WarMaster
just joined
Posts: 9
Joined: Wed Oct 25, 2017 10:36 am
Location: The Netherlands

Re: Support for ACME/Let's Encrypt certificate management

Sun May 27, 2018 10:26 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:
  • Dedicated Linux renew and push certificates to RouterOS / Mikrotik
  • After CertBot renew your certificates
  • The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
  • Delete previous certificate files
  • Delete the previous certificate
  • Upload two new files: Certificate and Key
  • Import Certificate and Key
  • Change SSTP Server Settings to use new certificate
  • Delete certificate and key files form RouterOS / Mikrotik storage
https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh
I am wondering; because the "first" validation method is manual (by creating a TXT record at your DNS provider) it seems the renewal process also needs a TXT DNS record validation.
After I successfully installed the certificates on my Mikrotik with the provided script I did a "certbot renew --dry-run" as to simulate a certifcate renewal. Certbot quickly prompts an error stating:
"The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping."

I do believe there has to be one of the 3 ways to authenticate the domain(s) for which the certificates are to be renewed (http-01, tls-sni-01 or dns-01). There are currently to my knowledge no plugins/addons/scripts in routerOS which provide these methods of authentication. Which basically means you have to re-do the TXT thing with your DNS provider and thus manually updating your certificates every 3 months.
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Support for ACME/Let's Encrypt certificate management

Sun May 27, 2018 10:55 pm

It depends. Some DNS providers have API access for editing records, so if you use one of them, everything can be scripted and made fully automatic.
 
WarMaster
just joined
Posts: 9
Joined: Wed Oct 25, 2017 10:36 am
Location: The Netherlands

Re: Support for ACME/Let's Encrypt certificate management

Mon May 28, 2018 2:49 pm

It depends. Some DNS providers have API access for editing records, so if you use one of them, everything can be scripted and made fully automatic.
A few do, most don't have a plugin available. However, the registration via the script is based on the manual TXT verification which in turn determines the way certbot stores the information regarding the particular certificate. So you'd have to fidget around with the certbot config to get this working properly. Furthermore; in the readme it is suggested the TXT verification is only once. I think this is false.

The topic is a request for ACME support which either suggests a request for http and/or tls-sni support. This script just isn't a solution for the proposed request.
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon May 28, 2018 5:27 pm

As far as I know, domain verification lasts for a while, I think it was longer than 90 days for certificate, but eventually it has to be repeated, it's not valid forever.

DNS hosters without API access may be a problem for now, but it will get better, when people start to request this functionality (and Let's Encrypt is a good reason why they would do that). If yours doesn't want to do it, there are others to choose from. I wouldn't view this as THE problem. For now it's zero support for this in RouterOS. It's of course nice that I can do it with external Linux server, but if I don't have one already, it's highly impractical to get it just for this.

And when you think about it, it shouldn't be hard at all. Take the DNS method. RouterOS can already work with certificates, so it needs to extend it, so that you can request a certificate to be signed by LE. If you check some of the simpler clients (e.g. https://dehydrated.io/), there isn't too much to do. When it would be about to happen, there would be an event (hook), where you could put your own script to update DNS records. If the hoster's API would be based on http(s), then fetch tool in RouterOS should be all what's needed. It it would use standard DNS updates, RouterOS already has a tool for it, only so far it's limited to A records only. But that's the most of it already implemented, extending it to also support TXT records can't be hard. And that's it, happy end.

And actually, RouterOS could not only update records on remote server, it could BE the server. Not the full authoritative one with all bells and whistles, but only with basic functionality to serve TXT records, when you'd point _acme-challenge subdomain to it from main server using CNAME. Again, most of what's required for this is already in RouterOS.

Ok, I got a litle carried away with the last one, so forget it. But the rest is not hard. It's not 100% perfect solution for everyone, but it's important to get started.
 
muetzekoeln
Member Candidate
Member Candidate
Posts: 167
Joined: Fri Jun 29, 2018 2:34 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Jun 29, 2018 2:37 pm

+1 for native RouterOS package

with no virtual OpenWRT instance or Linux-System requirement, please!
 
benoga
just joined
Posts: 13
Joined: Wed Mar 09, 2016 7:50 am

Re: Support for ACME/Let's Encrypt certificate management

Fri Jul 06, 2018 10:38 am

+1 for native RouterOS letsencrypt-package
 
Jaggl
just joined
Posts: 24
Joined: Mon Aug 27, 2012 3:00 pm

Re: Support for ACME/Let's Encrypt certificate management

Thu Aug 23, 2018 2:46 pm

+1 would be nice to have it
 
BostjanC
just joined
Posts: 21
Joined: Tue Nov 13, 2018 9:28 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Nov 19, 2018 11:41 am

Request from 2015. Still not resolved?
Well, I also give it +1.
It would be nice to have. And also the latest version.
 
User avatar
armandfumal
Member Candidate
Member Candidate
Posts: 163
Joined: Wed Apr 25, 2012 5:50 pm
Location: Weiswampach,LUX
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Mon Nov 19, 2018 4:57 pm

I vote +1
 
netwpl
newbie
Posts: 28
Joined: Fri Jun 22, 2012 8:09 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Dec 10, 2018 1:33 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:
  • Dedicated Linux renew and push certificates to RouterOS / Mikrotik
  • After CertBot renew your certificates
  • The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
  • Delete previous certificate files
  • Delete the previous certificate
  • Upload two new files: Certificate and Key
  • Import Certificate and Key
  • Change SSTP Server Settings to use new certificate
  • Delete certificate and key files form RouterOS / Mikrotik storage
https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh
ok, so your script works for me, but how to script it to renew my certificate after 2-3 months, even when my DNS has no APIs to (automatically) change the DNS TXT file...

should i schedule a cronjob once a month to execute: certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh ???
 
User avatar
stmx38
Long time Member
Long time Member
Posts: 650
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: Support for ACME/Let's Encrypt certificate management

Tue Mar 12, 2019 9:21 pm

 
mtk89
just joined
Posts: 2
Joined: Sat May 04, 2019 4:49 pm

Re: Support for ACME/Let's Encrypt certificate management

Sat May 04, 2019 5:06 pm

What about this?

https://github.com/ndilieto/uacme

ACMEv2 client written in plain C code with minimal dependencies
 
codesur
just joined
Posts: 1
Joined: Thu May 07, 2020 5:23 pm

Re: Support for ACME/Let's Encrypt certificate management

Thu May 07, 2020 5:24 pm

+1
please, this feature would be very helpful
 
slaughterlt
just joined
Posts: 8
Joined: Sun Jun 10, 2012 9:14 pm

Re: Support for ACME/Let's Encrypt certificate management

Thu Jan 07, 2021 10:31 pm

+1 karma points
As I am managing 30+ mikrotiks +30 from me :)
 
danb35
just joined
Posts: 1
Joined: Fri Jan 08, 2021 1:28 am

Re: Support for ACME/Let's Encrypt certificate management

Fri Jan 08, 2021 2:46 pm

I agree, it'd be great to have this integrated into RouterOS (so long as it had robust support for DNS validation, and not only HTTP). Until that happens, the script noted up-thread is a good starting point. I've forked it (like 75+ others) and made what I think are a few improvements:
  • Most importantly, updated both the script and the README to use RSA SSH keys rather than DSA keys--the latter are deprecated and won't work any more.
  • Allow the user to specify an alternate config file. I now have two switches to manage, this lets me deploy certs to both of them without keeping two copies of the script around.
  • Along with this change, removed the ability to specify all the connection parameters at the command line--you can't do "letsencrypt-routeros.sh USER HOST PORT KEY DOMAIN" any more. But you can create any number of config files to address this need.
  • Deploy the fullchain.pem file rather than cert.pem, to present a complete chain of trust
  • Implement a couple of sensible defaults (for SSH port and private key) if not set in the config file
What isn't changed is that this should work with any ACME client that has the capability to call a script after cert issuance, though it expects files to be in the places certbot places them by default (you can specify alternate locations in the config file if needed). And it should run on any Unix-y OS you want to run it on--I'm using a Ubuntu LXC on a Proxmox host, but it should be fine under any Linux distro, *BSD, on a Raspberry Pi, etc.

https://github.com/danb35/letsencrypt-routeros for my version.
Last edited by danb35 on Sat Jan 09, 2021 1:25 pm, edited 1 time in total.
 
leosnake2208
just joined
Posts: 1
Joined: Sun Apr 11, 2021 1:43 pm

Re: Support for ACME/Let's Encrypt certificate management

Sun Apr 11, 2021 1:45 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:
  • Dedicated Linux renew and push certificates to RouterOS / Mikrotik
  • After CertBot renew your certificates
  • The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
  • Delete previous certificate files
  • Delete the previous certificate
  • Upload two new files: Certificate and Key
  • Import Certificate and Key
  • Change SSTP Server Settings to use new certificate
  • Delete certificate and key files form RouterOS / Mikrotik storage
https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh
this is not a solution as long as we needed additional non-RouterOS host.
 
User avatar
shalak
newbie
Posts: 48
Joined: Sat Aug 24, 2019 11:47 am

Re: Support for ACME/Let's Encrypt certificate management

Sat Sep 18, 2021 3:50 pm

+1 for integrated ACME client, even with dns-challenge-only mode!

The biggest issue with solutions presented here is that to automate those scripts, we need to store credentials/keys to routerOS on ACME client hosts. Those credentials can also be used to do pretty much anything else, so in case the ACME client is compromised, the whole network managed by rotuerOS is compromised as well.

I'm wondering if there's a way to flip the flow - add a script in routerOS, feed with with ACME client credentials and setup a scheduled script on routerOS that will periodically SFTP the certs from ACME client and apply them?
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Posts: 265
Joined: Mon Oct 07, 2019 11:42 pm

Re: Support for ACME/Let's Encrypt certificate management

Sun Sep 19, 2021 9:58 am

I am probably out of the loop and/or just struggling to understand why would someone need ACME on Mikrotik router?

Using webUI to manage Mikrotik? Instead one could use WinBox. Do not trust included encryption of WinBox protocol? Just configure all remote Mikrotik routers to be reachable via VPN only (or connect all routers to the same VPN network) and access via VPN only.

I have a small home server behind Mikrotik router. Yes, there I also have ACME client and I generated SSL for "/ip cloud" because I need SSL for services that are hosted on server and port-forwarded in router (and not hosted on Mikrotik router).

I am 100% sure that once people got ACME support in Mikrotik routers, the next thing they will be requesting is something like Nginx for reverse proxy that adds SSL support.
 
fems
just joined
Posts: 3
Joined: Tue Mar 31, 2009 11:56 pm

Re: Support for ACME/Let's Encrypt certificate management

Tue Apr 05, 2022 12:48 pm

+1 need dns-challenge
For example, IKE2 VPN use a certificate from CA would be much more convenient than self signed certificate.
My ISp only has dynamic public ip and blocked port 80.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12558
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Tue Apr 05, 2022 9:52 pm

+1 need dns-challenge
For example, IKE2 VPN use a certificate from CA would be much more convenient than self signed certificate.
My ISp only has dynamic public ip and blocked port 80.
Ah, not?
Before write something, RTFM or search on Google...
/certificate enable-ssl-certificate dns-name=mydomain.ext
https://help.mikrotik.com/docs/display/ ... rtificates
The command has additional 'dns-name' parameter for custom certificate generation (default DNS name is the same as IP/Cloud).
Note that the DNS name must point to the router and port TCP/80 must be available
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Support for ACME/Let's Encrypt certificate management

Wed Apr 06, 2022 12:33 am

Ah, yes. DNS challenge, meaning that instead of publishing verification for LE using HTTP, it's published in DNS. So you need external DNS server and some API for LE client to add required record. It allows to acquire certificates even for devices without exposed port 80.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12990
Joined: Thu Mar 03, 2016 10:23 pm

Re: Support for ACME/Let's Encrypt certificate management

Wed Apr 06, 2022 8:08 am

But isn't requesting support for DNS challenge a bit counter the idea that everything should use HTTP(S) (like DoH)? Different DNS providers have different APIs to handle DNS records, which makes implementation on a closed system like ROS even more challenging. At the same time HTTP challenge is pretty simple and works everywhere, just not on networks of some over-protective (not to call them censorial) ISPs blocking port 80. If router is behind some NAT device and/or sharing same IP:port with multiple domains, then there's surely some reverse proxy in place already, so why not let that box handle certificate renewal for ROS device as well?

Sigh. I guess I'll never understand some people. :roll:
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Support for ACME/Let's Encrypt certificate management

Wed Apr 06, 2022 3:52 pm

DNS challenge adds more flexibility. For example, I want trusted certificate for SSTP, but because there's only one public address and ports 80 and 443 are already forwarded to internal webserver, SSTP needs to use another port. And as a result, router itself can't get LE certificate anymore, because HTTP validation requires port 80. If there was support for DNS validation, it would be possible.

If there's internal webserver, it would be possible to have LE client there and upload certificates to router, but there may be different reason why port 80 may not be available, e.g. some ISPs supposedly block incoming "server" ports on home connections (not here, fortunately).

Yes, it requires external DNS server. But it's no problem, because if I have own domain, I must already have DNS server for it. As for supporting all kinds of methods for updating DNS records, it's no big problem either. Because even though there are many DNS providers, there doesn't have to be built-in support for all of them, just a hook/event to do the update, which is either some HTTPS request (there's already /tool/fetch) or standard DNS update (/tool/dns-update exists, only it would need to be extended to support TXT records, not just A as it is now; that can't be difficult).

Current LE client in RouterOS is good as technology preview, but final version needs different approach, not just single-purpose LE client, but universal ACME client. For start, support for multiple certificates:
/certificate/acme-client
add name=main common-name=myrouter.example.net use-for=www=ssl,sstp-server
add name=api common-name=api.myrouter.example.net use-for=api-ssl
And more options, because there's not only LE, the protocol is supported by more CAs:
/certificate/acme-client
add name=mycertificate common-name=myrouter.example.net acme-server="https://acme-v02.api.letsencrypt.org/directory" challenge=http-01
Then hooks/events to allow to do pretty much anything you may need (take them from e.g. https://github.com/dehydrated-io/dehydrated):
/certificate/acme-client
add name=mycertificate challenge=dns-01 on-deploy-challenge="<some script>" on-clean-challenge="<some script>" on-deploy-cert="<some script>" on-invalid-challenge="<some script>"
For example, on-deploy-challenge could be:
/tool/dns-update dns-server=a.ns.example.net key-name=<something> key=<something> zone=example.net name=_acme-challenge type=TXT value=$"challenge-value"
Or even for use with HTTP validation:
/ip firewall filter enable [find comment="access to http for LE"]
And it should provide some feedback:
> /certificate/acme-client/print detail
0   name="myrouter.example.net" issued-at="2022-01-20 04:50:34" next-renewal="2022-03-20 05:00:00" ...
Some commands to control it could be useful too:
/certificate/acme-client/revoke 0
/certificate/acme-client/force-renew 0
And the beauty of it is that it's not difficult, almost everything is there already, it just needs some interface to it and make some things configurable instead of using hardcoded values.
 
Radek01
just joined
Posts: 19
Joined: Wed Mar 01, 2023 11:20 am

Re: Support for ACME/Let's Encrypt certificate management

Fri Apr 14, 2023 5:10 pm

My Mikrotik Router hasn't the certificate/acme-client submenu. What is needed to do for it? I didn't understand something.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12558
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Support for ACME/Let's Encrypt certificate management

Fri Apr 14, 2023 6:02 pm

My Mikrotik Router hasn't the certificate/acme-client submenu. What is needed to do for it? I didn't understand something.
They are all examples of proposed commands, nothing exists.....
Read more carefully instead of copy&paste...
 
Radek01
just joined
Posts: 19
Joined: Wed Mar 01, 2023 11:20 am

Re: Support for ACME/Let's Encrypt certificate management

Fri Apr 14, 2023 8:25 pm

OK, thanks. But it would be nice to have such possibilities about certificates.
 
phin
just joined
Posts: 21
Joined: Mon Dec 04, 2017 11:25 pm

Re: Support for ACME/Let's Encrypt certificate management

Wed Jun 28, 2023 8:55 pm


Current LE client in RouterOS is good as technology preview, but final version needs different approach, not just single-purpose LE client, but universal ACME client. For start, support for multiple certificates:

And the beauty of it is that it's not difficult, almost everything is there already, it just needs some interface to it and make some things configurable instead of using hardcoded values.
YES YES YES! I am currently working on a SCEP server or automated way to push certs to my couple of home routers as I have always had it on my checklist to fix my ssl hell at home. This would be AWESOME!
 
squeegeesplatter
just joined
Posts: 2
Joined: Sat Aug 26, 2023 8:19 pm

Re: Support for ACME/Let's Encrypt certificate management

Mon Sep 11, 2023 9:15 am

Current LE client in RouterOS is good as technology preview, but final version needs different approach, not just single-purpose LE client, but universal ACME client.
+1
i don't use letsencrypt; i run my own ca that supports acme.
 
hennotaht
just joined
Posts: 17
Joined: Thu Jan 18, 2018 10:40 pm

Re: Support for ACME/Let's Encrypt certificate management

Sat Jan 20, 2024 6:43 pm

+1 for a better solution which accounts for different services like SSTP VPN etc, not just www-ssl.
 
optio
Forum Veteran
Forum Veteran
Posts: 945
Joined: Mon Dec 26, 2022 2:57 pm

Re: Support for ACME/Let's Encrypt certificate management

Sun Jan 21, 2024 6:01 pm

While this topic is marked as solved using letsencrypt-routeros.sh shell script on external system, it is possible to do that all inside ROS if device support containers, see Run-acme.sh-in-docker, image on docker hub: neilpang/acme.sh.
Acme.sh config dir must be mounted for this container (--config-home param for acme.sh container CMD must be added with path of mounted dir) and its content accessible from /file (not as container store and dir name prefix must not be dot), then it is possible to access certificate and key files generated for host(s) and import into ROS certificates or copy into other dir for other containers usage with ROS script. Also https port most be forwarded to this container for acme.sh to work.
 
hennotaht
just joined
Posts: 17
Joined: Thu Jan 18, 2018 10:40 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Feb 02, 2024 4:06 pm

Also https port most be forwarded to this container for acme.sh to work.
How would SSTP server work then?
 
optio
Forum Veteran
Forum Veteran
Posts: 945
Joined: Mon Dec 26, 2022 2:57 pm

Re: Support for ACME/Let's Encrypt certificate management

Fri Feb 02, 2024 5:57 pm

Temporary while acme.sh script in container is performing, after is done port forward can be disabled and enabled for other service, this can be handled by ROS script or manually since you cannot have same port open for other services. If you have port 443 used by other service and must be always active you can't use acme.sh. For HTTPS web services this can be workarounded by some reverse proxy, but for others, like SSTP you can't use it over same WAN IP, unless SSTP can be also handled by some reverse proxy (idk. did not work with SSTP).
 
optio
Forum Veteran
Forum Veteran
Posts: 945
Joined: Mon Dec 26, 2022 2:57 pm

Re: Support for ACME/Let's Encrypt certificate management

Tue Feb 06, 2024 1:08 am

@hennotaht some update, it seems you can use acme.sh with non standard HTTP port with --httpport param and --tlsport param for HTTPS as documented here, these params can added to container CMD and existing service on ROS can work on standard port.

Edit: it seems this is feature just for reverse proxy, still issuer needs to access web service over standard ports, so it will not help for your case.

Who is online

Users browsing this forum: mada3k, seriosha and 44 guests