Support for ACME/Let's Encrypt certificate management

bigcw · Fri Jan 02, 2015 6:13 pm

As subject, it would be great if ROS supported the new ACME-protocol for managing browser-trusted certificates from Let's Encrypt.

Let's Encrypt: https://letsencrypt.org/

Protocol spec: https://github.com/letsencrypt/acme-spec

Presentation at 31c3 on Tuesday: http://youtu.be/OZyXx8Ie4pA <-- start here if you've not heard of this before!

smala · Mon Mar 16, 2015 6:52 pm

+1 vote up

locodog · Sat Aug 08, 2015 2:20 pm

+1 vote up

Cha0s · Tue Aug 11, 2015 3:41 pm

stmx38 · Fri Dec 04, 2015 10:53 am

Mikrotik Team, please consider adding support of letsencrypt free SSL certificates.
Entering Public Beta

Thank you!

marrold · Fri Dec 04, 2015 11:08 am

kometchtech · Fri Dec 04, 2015 11:31 am

+1 too

rheo · Mon Dec 07, 2015 2:28 am

+1 - would like this too

mavink · Sun Dec 13, 2015 6:12 pm

This would be a great feature. Configure a couple of hostnames you want certificates for, and then have the firewall automatically request/renew them with letsencrypt.org. This will save a lot of time, especially when using services that require a valid certificate such as SSTP VPN's.

nka · Mon Dec 14, 2015 5:46 am

I +1 on this too

michaeln416 · Mon Dec 14, 2015 1:56 pm

+1

Sent from my Nexus 6P using Tapatalk

kiler129 · Mon Dec 21, 2015 2:17 am

I agree but isn't Let's Encrypt certificates www-only?

nka · Mon Dec 21, 2015 3:03 am

No, they are "certificats", can be use on anything (firewall, mail, ftp, etc...). The only "problem" is that they are 90 days lifetime... so without ACME, you'll have to update the cert manually each 3 month. Certs are actually working right now if you do install it manually.

peterloron · Thu Dec 24, 2015 7:42 am

+1 for sure

amaarsh · Wed Jan 13, 2016 5:26 pm

+1 my vote

Zorro · Thu Jan 14, 2016 9:24 pm

also simple and neat ability to create and manage separate certs blacklists(including automated with scripts/scheduler from remote source oudate of it) "just in case" - would help a lot, too.

janisk · Fri Jan 15, 2016 3:07 pm

We are looking into it. No promises.

Toigoweb · Thu Feb 25, 2016 12:11 pm

Thank you. let us up to date.

Boter · Sun Feb 28, 2016 11:11 am

the.max · Mon Mar 21, 2016 1:39 am

I too +1

ndbjorne · Mon Mar 21, 2016 8:55 pm

me++!

robsters · Sat Apr 09, 2016 2:47 am

Same here.. Maybe as a plugin?

Solaris · Sun Apr 10, 2016 9:41 pm

+1 to go please

ninfa · Thu Apr 14, 2016 9:20 am

SparcAsia · Fri Apr 29, 2016 1:41 pm

Yes +100 on this topic...
What kind (aka type eg. Python, Bash etc.) of scripts are used in RouterOS?
I see this page of course...
http://wiki.mikrotik.com/wiki/Manual:Scripting
but what are they?... proprietary?
Is there a plugin to run a more common type of script like python or bash shell etc.?

Any other suggestions/recommendations for the best route to solve this problem other then in wishful thinking of a RouterOS update one day?

kiler129 · Sat Apr 30, 2016 8:20 am

What kind (aka type eg. Python, Bash etc.) of scripts are used in RouterOS?
(...)
but what are they?... proprietary?

ROS scripting engine is fully custom like terminal. That route was chosen probably due to performance & security reasons.

Is there a plugin to run a more common type of script like python or bash shell etc.?

Nope.

Any other suggestions/recommendations for the best route to solve this problem other then in wishful thinking of a RouterOS update one day?

There's no way besides external automation and updating certificates via SFTP.

SparcAsia · Sat Apr 30, 2016 10:03 am

I see thanks for your constructive input. This explains that even NPKs are not possible and require signing too bad.
http://forum.mikrotik.com/viewtopic.php?t=87126

So it's got to be a script only solution I guess. That explains the rash of +1s without the more constructive discussion I'm more familiar with in the open source community these days. So I gather the RouterOS is something I can NOT download, compile and customize either?

nikolas22t · Thu May 05, 2016 11:48 pm

No, they are "certificats", can be use on anything (firewall, mail, ftp, etc...). The only "problem" is that they are 90 days lifetime... so without ACME, you'll have to update the cert manually each 3 month. Certs are actually working right now if you do install it manually.

How you generated the certificate and installed ?

efaden · Fri May 06, 2016 4:59 am

+1 for this

Sent from my XT1575 using Tapatalk

peterloron · Sun May 22, 2016 9:49 pm

MikroTik team: any update on this?

kiler129 · Sun May 22, 2016 10:45 pm

There's even implementation of ACME client in bash alone: https://github.com/lukas2511/letsencrypt.sh

jwf1776 · Sat Jun 11, 2016 11:49 pm

i would envision this feature to be an extension of the current dynamic dns feature. (this also alleviates any off router requisites)

currently ROS can register your wan ip for an auto-genterated hostname like 62190177tk28.sn.mynetname.net.

lets encypt function could register/update the SSL cert for that same hostname...

Mon Jun 20, 2016 5:57 am

+1

Support would be great for SSTP and other SSL services.

netwpl · Mon Jun 20, 2016 3:12 pm

syadnom · Tue Jun 21, 2016 5:19 pm

+1

I'd doing this on another box and copying the cert over. would be fantastic to have this in routeros!

note.... ub****ti's routers can do this... if that's at all motivating lol

Hamsterman · Fri Jul 01, 2016 10:50 pm

+1 from me as well

spaxton · Fri Jul 29, 2016 8:17 pm

+1 from me, too!

thekrzos · Tue Aug 02, 2016 10:52 am

+1

Wysłane z mojego GT-I9195 przy użyciu Tapatalka

andreeii · Fri Aug 05, 2016 3:03 pm

+1 a little late, but this would be amazing!!!

randomseed · Wed Aug 17, 2016 5:07 pm

+1 Thanks.

micromaxi · Sat Aug 20, 2016 11:31 pm

+1 would be great addon !

benoga · Sun Aug 21, 2016 7:36 am

+1 for let's encrypt certificate management

wahoo · Wed Aug 24, 2016 1:08 pm

+1 for Let's Encrypt SSTP

korniza · Sat Sep 03, 2016 12:16 am

+1 also

micromaxi · Sat Sep 03, 2016 1:31 am

@mikrotik before everyone starts +1 would that at (in theory) be possible?

WiPoint · Thu Sep 15, 2016 10:29 pm

+1

MayestroPW · Fri Oct 28, 2016 7:46 pm

+1

nosovk · Mon Nov 28, 2016 1:29 am

+1, great feature

Miracle · Tue Nov 29, 2016 7:58 am

Please support let's encrypt
thanks

DarkRoot · Wed Dec 07, 2016 12:17 am

zombie2048 · Fri Dec 09, 2016 12:51 am

+1, please!

kopimi · Sun Dec 25, 2016 3:57 pm

+3 (at least!)
I think it would be super simple to implement and it would solve so many issues for us techies.

majestic · Mon Dec 26, 2016 7:20 pm

+1 for support, it would make things much easier for a lot of us.

mbeauverd · Wed Dec 28, 2016 12:06 am

Yes +1

macroc · Sat Dec 31, 2016 5:08 pm

JasonPugh · Sun Jan 01, 2017 2:17 pm

+1, please!

gfra · Fri Jan 06, 2017 11:38 pm

lomadurov · Sat Jan 14, 2017 3:57 pm

+1, please!

callme · Sat Jan 21, 2017 9:42 am

+1 Please

Sob · Sat Jan 21, 2017 5:05 pm

Plus ones all around, but did anyone give it some thought beyond that it would be nice feature? How exactly it should work to be usable for as many scenarios as possible? Because there are quite a few.

Let's Encrypt allows to verify hostnames using different challenges:

- http - code needs to be placed on http server on default port
- dns - code needs to be placed in dns
- tls-sni - code needs to be served by https server on default port for special hostname

There's no way that just one challenge type would be usable for everyone. Let's say I want to get certificate for SSTP server. If the router is dedicated SSTP server with public address using default https port, then it's easy, it can simply use tls-sni.

But what if IP address is shared with web server (with port 80 and 443 forwarded to LAN) and SSTP uses non-standard port (I think it will be very common setup)? Then the only right option is dns. The problem is, dns is very often hosted by registrar without any automated way to change records, so this option may not be available. The other way would be to have events for LE client, that would allow to write a script to temporarily disable port forwarding to internal web server, set it to local SSTP server and then back after successful verification. It would mean short service interruption for internal webserver, but better than nothing I guess.

It can be even worse, SSTP server might be an internal machine, which has only one non-standard port forwarded to it. That would leave dns as the only option.

Where automated updates of dns records is possible, it would be the best solution. But even that is not completely straightforward, because there may be different ways how to update records, either using standard dns updates, or some custom way, e.g. using http(s) calls to some api. Plus there might be a need to update completely different records (there are some interesting tricks you can do with LE and CNAMEs). So events and scripts is probably the only universal solution here too.

Comments, thoughts, suggestions?

ndbjorne · Wed Jan 25, 2017 2:41 pm

undecided · Mon Feb 06, 2017 9:07 am

We need this! +1

juliokato · Mon Feb 06, 2017 4:31 pm

My contribution

https://www.ollegustafsson.com/en/letsencrypt-routeros/

undecided · Tue Feb 07, 2017 9:19 am

Awesome!

juliokato · Sat Feb 25, 2017 5:24 pm

If mikrotik sites use ssl certificates of let's encrypt (https://routerboard.com and https://forum.mikrotik.com) why they have not yet integrated the solution to the routeros?

Chupaka · Sun Feb 26, 2017 10:14 pm

because sites are hosted not by routeros?..

Mon Feb 27, 2017 4:36 pm

Have you tried this tutorial? Simple enough:

My contribution

https://www.ollegustafsson.com/en/letsencrypt-routeros/

maximan · Fri Mar 03, 2017 8:49 pm

My contribution

https://www.ollegustafsson.com/en/letsencrypt-routeros/

Awesome!!!...Thank you!!

M.

palhaland · Mon Mar 06, 2017 8:47 pm

I created a deploy script for acme.sh to deploy to a routeros server

If anyone would like to have a look at it.
https://github.com/Neilpang/acme.sh/pull/706

dattl · Fri Mar 10, 2017 8:20 pm

+1 acme for renewing cert on mynetname.net would be just YIIIHHHAA!

MetUys · Fri Sep 01, 2017 1:43 pm

+1

Just a thought and pardon if I fall out the window on this...

What if the created ROS package for this did an inspection of the TLS SNI Domain Hint but only during the setup of a cert if using TLS-SNI mode?
This way it could capture the validation requests and respond appropriately completing the setup for it .
I say during setup only as this would have obvious impacts to resources and services while it inspects.
If users are looking for this feature they might be willing to take that knock during the small setup window every 3months per cert.
(if you don't want to, then don't install the package or setup any certs on it)

How I envisage the package options:
- Global settings for ACME protocol requirements (notification email address, etc...) or maybe allow this to also be set per cert (if anyone has the need for this?)
- allow for more than one cert (you might want different certs for different things)
- allow for multiple SANs per cert, where the first SAN in the list will be the name of the cert (the SNI domain hint inspection would look for all of these during that cert's setup/re-validation)
- allow for auto adding of Cloud DNS to a SAN (makes it easier to not fat finger it)
- allow for service(s) to be specified for use with that cert (hotspot, SSTP, OpenVPN, API-SSL, WWW-SSL, etc) further improving its automation ability
- Allow for different strength keys (more robustness and control)

Notes: why only SAN names... Common Name field removal is well underway (see more on this here: https://groups.google.com/a/chromium.or ... GT2fLJrAeo)
however if users want the CN, so be it, I have no objections to it.

Thoughts?

nirv · Wed Sep 06, 2017 12:43 am

jonthorpe · Sat Oct 14, 2017 2:13 am

After trying the script at https://www.ollegustafsson.com/en/letsencrypt-routeros/ for updating an SSTP certificate, I decided to write one that only relies on a BASH script:
https://gist.github.com/JonathanThorpe/ ... 5162dafe43

You'll need the following:
1. Create a DSA SSH Key so that the host running the BASH script can login to MikroTik.
2. Install acme.sh as per the instructions in https://www.ollegustafsson.com/en/letsencrypt-routeros/
3. Update the following:
----
ACME=/root/.acme.sh/acme.sh
DOMAIN=remote.mydomain.tld
CERTPATH=/var/router-certs
CERT=$DOMAIN.cer
KEY=$DOMAIN.key
ROUTER=router_os_IP
ROUTER_USER=username_to_login_to_routeros
----

If the script is run on a cron, it should renew certificates and when they renew, the commands should be run on the Mikrotik to update the cert.

brad0x52 · Tue Nov 14, 2017 12:08 am

I've got a couple routers that I use LetsEncrypt certificates for SSTP. Since it took me a bit to figure out why things weren't working at first, I've included my tweaked scripts below. Additionally, I created a dedicated user on my Linux server for managing certificates and set it up to log into my routers with certificate login. If the username is identical on both systems, it can be omitted in the command as well.

This script runs shortly after acme.sh in cron to upload the certificates to the routers. Yes, I know this would have been more graceful as a foreach loop, but I've only got 2 routers and I was in a hurry.

#!/usr/bin/env bash
set -e
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
DOMAIN=vpn1.example.net
CERT=vpn1.example.net.cer
KEY=vpn1.example.ne.key
ROUTER=<Router 1 IP Address>

cd $DIR/$DOMAIN

if [ -f $CERT ]; then
        echo -n "Uploading $DOMAIN certificate $ROUTER router..."
        scp -q $CERT $ROUTER:$CERT
        scp -q $KEY $ROUTER:$KEY
        echo "done!"
        exit 0
fi

DOMAIN=vpn2.example.net
CERT=vpn2.example.net.cer
KEY=vpn2.example.ne.key
ROUTER=<Router 2 IP Address>

cd $DIR/$DOMAIN

if [ -f $CERT ]; then
        echo -n "Uploading $DOMAIN certificate $ROUTER router..."
        scp -q $CERT $ROUTER:$CERT
        scp -q $KEY $ROUTER:$KEY
        rm $CERT $KEY
        echo "done!"
        exit 0
fi

On my routers, I have this script scheduled to run 30 minutes after the files are scheduled to be uploaded:

:if ([:len [/file find name=vpn1.example.net]] > 0) do={ 
    
    :put "Deleting Old Certificate"
        /certificate remove vpn1.example.net.cer_0
        :delay 1
    :put "Importing new Certificate"
        /certificate import file-name=vpn1.example.net.cer passphrase=""
        /certificate import file-name=vpn1.example.net.key passphrase=""
        :delay 1
    :put "Assigning certificate to SSTP Server"
        /interface sstp-server server set certificate=vpn1.example.net.cer_0
        :delay 1
    :put "Cleaning up files"
        /file remove vpn1.example.net.cer
        /file remove vpn1.example.net.key
    :put "Certificate installation complete"
}

colinardo · Fri Nov 24, 2017 1:11 pm

Hi there,
developed my own solution with a MetaROUTER Instance to renew Let's Encrypt certificates on the router itself.
Have a look at https://www.administrator.de/contentid/355746 for a tutorial (german).

Best regards
@colinardo

Cha0s · Fri Nov 24, 2017 3:24 pm

Unfortunately metarouter is pretty much a forgotten feature by MikroTIk.

Currently MetaRouter can be used on

RB400, RB700 series except models with SPI flash, RB900 series except models with SPI flash, RB2011 boards
Listed PPC boards: RB1000, RB1100, RB1100AH and RB800.

In other words, CCR, RB3011, RB850Gx2, RB1100AHx4, etc which have enough cpu/storage/memory resources are not supported.

gimpeltik · Tue Nov 28, 2017 4:20 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:

Dedicated Linux renew and push certificates to RouterOS / Mikrotik
After CertBot renew your certificates
The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
Delete previous certificate files
Delete the previous certificate
Upload two new files: Certificate and Key
Import Certificate and Key
Change SSTP Server Settings to use new certificate
Delete certificate and key files form RouterOS / Mikrotik storage

https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:

certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh

nka · Thu Nov 30, 2017 5:44 pm

Dedicated Linux renew and push certificates to RouterOS / Mikrotik

this is the only sad part. My CCR should be able to do it by itself!

dattl · Fri Feb 02, 2018 5:14 pm

+1
Maybe the acme.sh code helps you to find an easy solution: https://github.com/Neilpang/acme.sh
Thats the easiest way for letsencrypt that i know.

hanfelt · Mon Feb 12, 2018 4:21 pm

+1 would be really handy

omidkosari · Fri Mar 16, 2018 7:01 pm

+1 for RouterOS self Lets Encrypt management .

Largelos · Mon Apr 23, 2018 8:58 pm

+1 for support by routeros directly

WarMaster · Sun May 27, 2018 10:26 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:

Dedicated Linux renew and push certificates to RouterOS / Mikrotik

After CertBot renew your certificates

The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)

Delete previous certificate files

Delete the previous certificate

Upload two new files: Certificate and Key

Import Certificate and Key

Change SSTP Server Settings to use new certificate

Delete certificate and key files form RouterOS / Mikrotik storage
https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
Code: Select all
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh

I am wondering; because the "first" validation method is manual (by creating a TXT record at your DNS provider) it seems the renewal process also needs a TXT DNS record validation.
After I successfully installed the certificates on my Mikrotik with the provided script I did a "certbot renew --dry-run" as to simulate a certifcate renewal. Certbot quickly prompts an error stating:
"The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping."

I do believe there has to be one of the 3 ways to authenticate the domain(s) for which the certificates are to be renewed (http-01, tls-sni-01 or dns-01). There are currently to my knowledge no plugins/addons/scripts in routerOS which provide these methods of authentication. Which basically means you have to re-do the TXT thing with your DNS provider and thus manually updating your certificates every 3 months.

Sob · Sun May 27, 2018 10:55 pm

It depends. Some DNS providers have API access for editing records, so if you use one of them, everything can be scripted and made fully automatic.

WarMaster · Mon May 28, 2018 2:49 pm

It depends. Some DNS providers have API access for editing records, so if you use one of them, everything can be scripted and made fully automatic.

A few do, most don't have a plugin available. However, the registration via the script is based on the manual TXT verification which in turn determines the way certbot stores the information regarding the particular certificate. So you'd have to fidget around with the certbot config to get this working properly. Furthermore; in the readme it is suggested the TXT verification is only once. I think this is false.

The topic is a request for ACME support which either suggests a request for http and/or tls-sni support. This script just isn't a solution for the proposed request.

Sob · Mon May 28, 2018 5:27 pm

As far as I know, domain verification lasts for a while, I think it was longer than 90 days for certificate, but eventually it has to be repeated, it's not valid forever.

DNS hosters without API access may be a problem for now, but it will get better, when people start to request this functionality (and Let's Encrypt is a good reason why they would do that). If yours doesn't want to do it, there are others to choose from. I wouldn't view this as THE problem. For now it's zero support for this in RouterOS. It's of course nice that I can do it with external Linux server, but if I don't have one already, it's highly impractical to get it just for this.

And when you think about it, it shouldn't be hard at all. Take the DNS method. RouterOS can already work with certificates, so it needs to extend it, so that you can request a certificate to be signed by LE. If you check some of the simpler clients (e.g. https://dehydrated.io/), there isn't too much to do. When it would be about to happen, there would be an event (hook), where you could put your own script to update DNS records. If the hoster's API would be based on http(s), then fetch tool in RouterOS should be all what's needed. It it would use standard DNS updates, RouterOS already has a tool for it, only so far it's limited to A records only. But that's the most of it already implemented, extending it to also support TXT records can't be hard. And that's it, happy end.

And actually, RouterOS could not only update records on remote server, it could BE the server. Not the full authoritative one with all bells and whistles, but only with basic functionality to serve TXT records, when you'd point _acme-challenge subdomain to it from main server using CNAME. Again, most of what's required for this is already in RouterOS.

Ok, I got a litle carried away with the last one, so forget it. But the rest is not hard. It's not 100% perfect solution for everyone, but it's important to get started.

muetzekoeln · Fri Jun 29, 2018 2:37 pm

+1 for native RouterOS package

with no virtual OpenWRT instance or Linux-System requirement, please!

benoga · Fri Jul 06, 2018 10:38 am

+1 for native RouterOS letsencrypt-package

Jaggl · Thu Aug 23, 2018 2:46 pm

+1 would be nice to have it

BostjanC · Mon Nov 19, 2018 11:41 am

Request from 2015. Still not resolved?
Well, I also give it +1.
It would be nice to have. And also the latest version.

armandfumal · Mon Nov 19, 2018 4:57 pm

I vote +1

netwpl · Mon Dec 10, 2018 1:33 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:

Dedicated Linux renew and push certificates to RouterOS / Mikrotik

After CertBot renew your certificates

The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)

Delete previous certificate files

Delete the previous certificate

Upload two new files: Certificate and Key

Import Certificate and Key

Change SSTP Server Settings to use new certificate

Delete certificate and key files form RouterOS / Mikrotik storage
https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
Code: Select all
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh

ok, so your script works for me, but how to script it to renew my certificate after 2-3 months, even when my DNS has no APIs to (automatically) change the DNS TXT file...

should i schedule a cronjob once a month to execute: certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh ???

stmx38 · Tue Mar 12, 2019 9:21 pm

The ACME Protocol is an IETF Standard

mtk89 · Sat May 04, 2019 5:06 pm

What about this?

https://github.com/ndilieto/uacme

ACMEv2 client written in plain C code with minimal dependencies

codesur · Thu May 07, 2020 5:24 pm

+1
please, this feature would be very helpful

slaughterlt · Thu Jan 07, 2021 10:31 pm

+1 karma points
As I am managing 30+ mikrotiks +30 from me :)

danb35 · Fri Jan 08, 2021 2:46 pm

I agree, it'd be great to have this integrated into RouterOS (so long as it had robust support for DNS validation, and not only HTTP). Until that happens, the script noted up-thread is a good starting point. I've forked it (like 75+ others) and made what I think are a few improvements:

Most importantly, updated both the script and the README to use RSA SSH keys rather than DSA keys--the latter are deprecated and won't work any more.
Allow the user to specify an alternate config file. I now have two switches to manage, this lets me deploy certs to both of them without keeping two copies of the script around.
Along with this change, removed the ability to specify all the connection parameters at the command line--you can't do "letsencrypt-routeros.sh USER HOST PORT KEY DOMAIN" any more. But you can create any number of config files to address this need.
Deploy the fullchain.pem file rather than cert.pem, to present a complete chain of trust
Implement a couple of sensible defaults (for SSH port and private key) if not set in the config file

What isn't changed is that this should work with any ACME client that has the capability to call a script after cert issuance, though it expects files to be in the places certbot places them by default (you can specify alternate locations in the config file if needed). And it should run on any Unix-y OS you want to run it on--I'm using a Ubuntu LXC on a Proxmox host, but it should be fine under any Linux distro, *BSD, on a Raspberry Pi, etc.

https://github.com/danb35/letsencrypt-routeros for my version.

leosnake2208 · Sun Apr 11, 2021 1:45 pm

You can use Let's Encrypt RouterOS / Mikrotik script
How it works:

Dedicated Linux renew and push certificates to RouterOS / Mikrotik

After CertBot renew your certificates

The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)

Delete previous certificate files

Delete the previous certificate

Upload two new files: Certificate and Key

Import Certificate and Key

Change SSTP Server Settings to use new certificate

Delete certificate and key files form RouterOS / Mikrotik storage
https://github.com/gitpel/letsencrypt-routeros

To use script with CertBot hooks:
Code: Select all
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh

this is not a solution as long as we needed additional non-RouterOS host.

shalak · Sat Sep 18, 2021 3:50 pm

+1 for integrated ACME client, even with dns-challenge-only mode!

The biggest issue with solutions presented here is that to automate those scripts, we need to store credentials/keys to routerOS on ACME client hosts. Those credentials can also be used to do pretty much anything else, so in case the ACME client is compromised, the whole network managed by rotuerOS is compromised as well.

I'm wondering if there's a way to flip the flow - add a script in routerOS, feed with with ACME client credentials and setup a scheduled script on routerOS that will periodically SFTP the certs from ACME client and apply them?

erkexzcx · Sun Sep 19, 2021 9:58 am

I am probably out of the loop and/or just struggling to understand why would someone need ACME on Mikrotik router?

Using webUI to manage Mikrotik? Instead one could use WinBox. Do not trust included encryption of WinBox protocol? Just configure all remote Mikrotik routers to be reachable via VPN only (or connect all routers to the same VPN network) and access via VPN only.

I have a small home server behind Mikrotik router. Yes, there I also have ACME client and I generated SSL for "/ip cloud" because I need SSL for services that are hosted on server and port-forwarded in router (and not hosted on Mikrotik router).

I am 100% sure that once people got ACME support in Mikrotik routers, the next thing they will be requesting is something like Nginx for reverse proxy that adds SSL support.

fems · Tue Apr 05, 2022 12:48 pm

+1 need dns-challenge
For example, IKE2 VPN use a certificate from CA would be much more convenient than self signed certificate.
My ISp only has dynamic public ip and blocked port 80.

rextended · Tue Apr 05, 2022 9:52 pm

+1 need dns-challenge
For example, IKE2 VPN use a certificate from CA would be much more convenient than self signed certificate.
My ISp only has dynamic public ip and blocked port 80.

Ah, not?
Before write something, RTFM or search on Google...

/certificate enable-ssl-certificate dns-name=mydomain.ext

https://help.mikrotik.com/docs/display/ ... rtificates
The command has additional 'dns-name' parameter for custom certificate generation (default DNS name is the same as IP/Cloud).
Note that the DNS name must point to the router and port TCP/80 must be available

Sob · Wed Apr 06, 2022 12:33 am

Ah, yes. DNS challenge, meaning that instead of publishing verification for LE using HTTP, it's published in DNS. So you need external DNS server and some API for LE client to add required record. It allows to acquire certificates even for devices without exposed port 80.

mkx · Wed Apr 06, 2022 8:08 am

But isn't requesting support for DNS challenge a bit counter the idea that everything should use HTTP(S) (like DoH)? Different DNS providers have different APIs to handle DNS records, which makes implementation on a closed system like ROS even more challenging. At the same time HTTP challenge is pretty simple and works everywhere, just not on networks of some over-protective (not to call them censorial) ISPs blocking port 80. If router is behind some NAT device and/or sharing same IP:port with multiple domains, then there's surely some reverse proxy in place already, so why not let that box handle certificate renewal for ROS device as well?

Sigh. I guess I'll never understand some people.

Sob · Wed Apr 06, 2022 3:52 pm

DNS challenge adds more flexibility. For example, I want trusted certificate for SSTP, but because there's only one public address and ports 80 and 443 are already forwarded to internal webserver, SSTP needs to use another port. And as a result, router itself can't get LE certificate anymore, because HTTP validation requires port 80. If there was support for DNS validation, it would be possible.

If there's internal webserver, it would be possible to have LE client there and upload certificates to router, but there may be different reason why port 80 may not be available, e.g. some ISPs supposedly block incoming "server" ports on home connections (not here, fortunately).

Yes, it requires external DNS server. But it's no problem, because if I have own domain, I must already have DNS server for it. As for supporting all kinds of methods for updating DNS records, it's no big problem either. Because even though there are many DNS providers, there doesn't have to be built-in support for all of them, just a hook/event to do the update, which is either some HTTPS request (there's already /tool/fetch) or standard DNS update (/tool/dns-update exists, only it would need to be extended to support TXT records, not just A as it is now; that can't be difficult).

Current LE client in RouterOS is good as technology preview, but final version needs different approach, not just single-purpose LE client, but universal ACME client. For start, support for multiple certificates:

/certificate/acme-client
add name=main common-name=myrouter.example.net use-for=www=ssl,sstp-server
add name=api common-name=api.myrouter.example.net use-for=api-ssl

And more options, because there's not only LE, the protocol is supported by more CAs:

/certificate/acme-client
add name=mycertificate common-name=myrouter.example.net acme-server="https://acme-v02.api.letsencrypt.org/directory" challenge=http-01

Then hooks/events to allow to do pretty much anything you may need (take them from e.g. https://github.com/dehydrated-io/dehydrated):

/certificate/acme-client
add name=mycertificate challenge=dns-01 on-deploy-challenge="<some script>" on-clean-challenge="<some script>" on-deploy-cert="<some script>" on-invalid-challenge="<some script>"

For example, on-deploy-challenge could be:

/tool/dns-update dns-server=a.ns.example.net key-name=<something> key=<something> zone=example.net name=_acme-challenge type=TXT value=$"challenge-value"

Or even for use with HTTP validation:

/ip firewall filter enable [find comment="access to http for LE"]

And it should provide some feedback:

> /certificate/acme-client/print detail
0   name="myrouter.example.net" issued-at="2022-01-20 04:50:34" next-renewal="2022-03-20 05:00:00" ...

Some commands to control it could be useful too:

/certificate/acme-client/revoke 0
/certificate/acme-client/force-renew 0

And the beauty of it is that it's not difficult, almost everything is there already, it just needs some interface to it and make some things configurable instead of using hardcoded values.

Radek01 · Fri Apr 14, 2023 5:10 pm

My Mikrotik Router hasn't the certificate/acme-client submenu. What is needed to do for it? I didn't understand something.

rextended · Fri Apr 14, 2023 6:02 pm

My Mikrotik Router hasn't the certificate/acme-client submenu. What is needed to do for it? I didn't understand something.

They are all examples of proposed commands, nothing exists.....
Read more carefully instead of copy&paste...

Radek01 · Fri Apr 14, 2023 8:25 pm

OK, thanks. But it would be nice to have such possibilities about certificates.

phin · Wed Jun 28, 2023 8:55 pm

Current LE client in RouterOS is good as technology preview, but final version needs different approach, not just single-purpose LE client, but universal ACME client. For start, support for multiple certificates:

And the beauty of it is that it's not difficult, almost everything is there already, it just needs some interface to it and make some things configurable instead of using hardcoded values.

YES YES YES! I am currently working on a SCEP server or automated way to push certs to my couple of home routers as I have always had it on my checklist to fix my ssl hell at home. This would be AWESOME!

squeegeesplatter · Mon Sep 11, 2023 9:15 am

Current LE client in RouterOS is good as technology preview, but final version needs different approach, not just single-purpose LE client, but universal ACME client.

+1
i don't use letsencrypt; i run my own ca that supports acme.

hennotaht · Sat Jan 20, 2024 6:43 pm

+1 for a better solution which accounts for different services like SSTP VPN etc, not just www-ssl.

optio · Sun Jan 21, 2024 6:01 pm

While this topic is marked as solved using letsencrypt-routeros.sh shell script on external system, it is possible to do that all inside ROS if device support containers, see Run-acme.sh-in-docker, image on docker hub: neilpang/acme.sh.
Acme.sh config dir must be mounted for this container (--config-home param for acme.sh container CMD must be added with path of mounted dir) and its content accessible from /file (not as container store and dir name prefix must not be dot), then it is possible to access certificate and key files generated for host(s) and import into ROS certificates or copy into other dir for other containers usage with ROS script. Also https port most be forwarded to this container for acme.sh to work.

hennotaht · Fri Feb 02, 2024 4:06 pm

Also https port most be forwarded to this container for acme.sh to work.

How would SSTP server work then?

optio · Fri Feb 02, 2024 5:57 pm

Temporary while acme.sh script in container is performing, after is done port forward can be disabled and enabled for other service, this can be handled by ROS script or manually since you cannot have same port open for other services. If you have port 443 used by other service and must be always active you can't use acme.sh. For HTTPS web services this can be workarounded by some reverse proxy, but for others, like SSTP you can't use it over same WAN IP, unless SSTP can be also handled by some reverse proxy (idk. did not work with SSTP).

optio · Tue Feb 06, 2024 1:08 am

@hennotaht some update, it seems you can use acme.sh with non standard HTTP port with --httpport param and --tlsport param for HTTPS as documented here, these params can added to container CMD and existing service on ROS can work on standard port.

Edit: it seems this is feature just for reverse proxy, still issuer needs to access web service over standard ports, so it will not help for your case.

Who is online