Hello dear sirs, I'm using RouterOS 7.1rc5 and very glad it supports Let's Encrypt certs.
Here's the question - what's the proper way to renew cert?


So as you can see cert name changed, but cert dates are not! Of course it works fine when I delete old first and then do enable-ssl-certificate, but it's strange as for me. Is it intended behavior or kind of minor bug? It would be great to have one command for renewal IMO.

Thanks in advance, regards, Konstantin

It is ROS 7. ¯\_(ツ)_/¯

I guess nobody at MT expec that someone needs to renew a LE cert. So they did not implement it.

But I also need a certificate renewal command. I would also like to understand in what kind of support

According to the MikroTik docs site, it somehow does automated renewals.. but the issue that I see with this is you would need to leave the webfig port open 24/7 because you don't know when these renewals are going to happen. It is much better to be able to use a script because then port 80 can be opened only for the renewal and closed afterwards.

According to the MikroTik docs site, it somehow does automated renewals.. but the issue that I see with this is you would need to leave the webfig port open 24/7 because you don't know when these renewals are going to happen. It is much better to be able to use a script because then port 80 can be opened only for the renewal and closed afterwards.

100% Agree

LE clients usually renew certificates when they have less than 30 days before expiration, so it's likely that RouterOS will use the same (or different time, but also static). You could make a script that would look at certificate's expiration, enable access to web a bit in advance, and then disable it again when certificate gets renewed. It's a desperate solution, but if you don't want web open all the time, it may be usable, before they come up with something better, i.e. ability to run custom scripts by LE client exactly when needed.

I'm not sure if Web-Fig is a web server or as a separate service, It could be a simple Web-Fig enable/disable functionality. I don't mine the port 80 if they cant use it to log in.

I'm not sure if Web-Fig is a web server or as a separate service, It could be a simple Web-Fig enable/disable functionality. I don't mine the port 80 if they cant use it to log in.

+1
IMHO, the simplest solution would be to dedicate a port to cert renewal and WebFig out of it.
I think LetsEncrypt mandates ports 80 or 443 (not sure).

I'm not sure if Web-Fig is a web server or as a separate service, It could be a simple Web-Fig enable/disable functionality. I don't mine the port 80 if they cant use it to log in.

+1
IMHO, the simplest solution would be to dedicate a port to cert renewal and WebFig out of it.
I think LetsEncrypt mandates ports 80 or 443 (not sure).

Port 80 is required for the cert verification.

Until MikroTik decides to properly document the feature (and give it a UI probably), the easiest way is to regularly call the command yourself via the scheduler. 30 days would be a good number, that's well before it is actually expiring, but you're still not spamming the LE servers by updating too often.

What ROS does is renaming the existing certificate, so all services that you bound the certificate to (api-ssl, www-ssl, sstp, ...) will also have been updated to the new service. The important thing is that there doesn't seem to be any additional steps necessary after the renewal.

I'm not sure if Web-Fig is a web server or as a separate service, It could be a simple Web-Fig enable/disable functionality. I don't mine the port 80 if they cant use it to log in.

This is my single biggest complaint about it.

I have a list of 'allowed' in IP/Services to stop login attempts but this also blocks LE from verifying.. The feature would be a LOT better if it would allow the challenge verification from *any* to work and still only allow the administration pages to load from the whitelisted ranges.

Unless I am missing something, hopefully I am..

It is possible to allow and deny access to port 80 only for a few sec @ the certificate renewal, Via script & scheduler.
I never used Webfig for management and before the Let's encrypt implantation it was always disabled even at LAN.
I think the best approach would be challenge-type implantation. although I'm not sure how it would be possible to use the DNS challenge for the DDNS, It certainly is an option for custom DNS with the domain name.

https://letsencrypt.org/docs/challenge-types/
https://community.letsencrypt.org/t/dns ... tion/86438

It is possible to allow and deny access to port 80 only for a few sec @ the certificate renewal, Via script & scheduler.

I think the best approach would be challenge-type implantation. although I'm not sure how it would be possible to use the DNS challenge for the DDNS, It certainly is an option for custom DNS with the domain name.

https://letsencrypt.org/docs/challenge-types/

I went back to forwarding port 80 and using the acme.sh script with the routeros deploy hook.

I don't use the web-conf either, except maybe emergency access, but even that is limited... Even if there is never another 0-day, having the service open to the world the has login failures that are annoying in the logs.

Most of the login fails are related to bots, I added a few firewall rules port knocking TCP syn and ICMP rules. After that, I never got any Webfig fail login log. Bear in mind my VPS's are mostly located at Hetzner, They are all hammered with bots all day long.

Most of the login fails are related to bots

I am aware..

Just annoying.. I do keys only for SSH, so nobody is going to brute-force that, but have incoming TCP 22 open to the world.

I 'drop' after x attempts just to keep the logs clear, so that I don't miss something actually important.

SSH and Webfig are not the same. Cant change the WebFig port to any other port than 80 for SSL purposes, But SSH simply can change the port to some random port with a public key at the MT and a private key at the Client's SSH terminal. limit the access to The SSH Port with the src address of the local VPN and it is protected as it can be.

SSH and Webfig are not the same. Cant change the WebFig port to any other port than 80 for SSL purposes, But SSH simply can change the port to some random port with a public key at the MT and a private key at the Client's SSH terminal. limit the access to The SSH Port with the src address of the local VPN and it is protected as it can be.

Oh I am aware, changing the port does very little though. It is still found, published, and hit.

If you are going to require VPN to access SSH, what is the point of changing the port, behind the VPN?

Personally, if I need to SSH in, chances are, it is to figure out why the VPN is broken.

Our private keys are as secure as we can make them, all admins have keys. I leave 22 open to the world on our systems because unless you have our user names, physically get our key, and thePIN to unlock the key, it is safe.

I trust the SSH daemon more than any of the other running services.

As I said, block after x SSH attempts just to keep the logs clean..

Web-conf required to enabled and open to the world to have LE work, is just wrong, I had hoped I had missed something..

I would change any port that I can ( I have trust issues :d ) VPN was a final touch.
Most of the residential ISP's have a drop rule for port 22 so... .

I would change any port that I can ( I have trust issues :d )

Security through obscurity isn't security. Changing the port seems like a 90s thing to do. Port-scanners will find them anyways.

Having to remember the new port numbers, when trying to figure out why something isn't working, just adds another useless level to trouble shooting.

I use a VPN to get a /26 at home, all ports are open for my homelab, but I also in charge of some colo gear.. Keep it simple, but keep it secure..

I was hoping that LE being built into RouterOS now would make things simplier, but no.. Back to the old-way.. I still have hope for LE being built in, but it just isn't ready yet. Best to just port-forward TCP 80 to another machine for the time being.

Port knocking + TCP SYN would stop the scanners.
for troubleshooting yes you are correct.
Honestly, if the setup is in a production environment why not use ZeroTier or Tailscale. If not what Mikrotik currently provides is more than enough for home/lab.

Port knocking + TCP SYN would stop the scanners.

Honestly, if the setup is in a production environment why not use ZeroTier or Tailscale.

Honeypots stop the scanners... Try connecting to specific IPs that you shouldn't, and the IP gets added to the network drop list, along with it's neighbors.

Port-knocking again is security by obscurity.. And when troubleshooting something not working, is the port-knocking not working, or is the router offline.. Just build it secure in the first place.

I don't care about the attempts, the honeypots catch/block most of them anyways. I get annoyed by the log of the login attempts, don't want to miss something important. That is just for SSH, the other IP/Services have access lists to block off the world.

Looking at ZeroTier and similar, but have security concerns..

Most of the residential ISP's have a drop rule for port 22 so... .

What do you mean by that ?
The CPE the IPSs provide, forbids incoming connections from the Internet to port 22 ?

Most of the residential ISP's have a drop rule for port 22 so... .

What do you mean by that ?
The CPE the IPSs provide, forbids incoming connections from the Internet to port 22 ?

I haven't seen this done on 22, but incoming TCP 25, 80, 443 and so on, have a drop rule on the gateway that the CPE's connect to, unless on a business plan, because it is against nearly every residental ToS to host servers.

https://www.telus.com/en/ab/support/art ... res-policy

I'm sorry if my questions seem obvious for many (most ?) but:

Until MikroTik decides to properly document the feature (and give it a UI probably),

Have anyone a pointer on this command within or outside (blogs, ...) Mikrotik documentation ?
What are requirements to test this function in a lab ? Having an Internet facing Mikrotik box ? Managing a public DNS entry ?

Have anyone a pointer on this command within or outside (blogs, ...) Mikrotik documentation ?
What are requirements to test this function in a lab ? Having an Internet facing Mikrotik box ? Managing a public DNS entry ?

In IP/Services you need 'www' on port 80, open to the world and a forward DNS entry..

Then in the terminal,

certificate/enable-ssl-certificate dns-name=forward.example.com

https://help.mikrotik.com/docs/display/ROS/Certificates

@olivier2831

Correct. it is not at the CPE level, It's at the ISP firewall.

@kevinds

Honeypots stop the scanners

I rather have a stateless firewall or TUM.

Just build it secure in the first place.

It is secure enough, But true it's not v 2022.

don't want to miss something important. That is just for SSH, the other IP/Services have access lists to block off the world.

remote log and local log with a custom action for important services like SSH is a good practice

Looking at ZeroTier and similar, but have security concerns.

Bare Wireguard, separated VLAN for MGM interfaces.

letsencrypt-autogen_2022-02-23T12:29:26Z
why are certificates requested from le named so weird? Is it too much to just use the SAN as name?

If it would be helpful to you I wrote an auto-renewal script, you can find it @ https://github.com/pincioc/LetsEncrypt_OSScript

Ratings and comments are highly appreciated.

Mauro

I have made a basic script to renew :

I just add a look and my cert expires in 14 days. If I run manually from the terminal :


It says it succeeded, the name changed (letsencrypt-autogen_2023-01-03T15:47:57Z) but in WinBox it still says that it will expire in 14 days. Also www-ssl service has an issue since the renew, when I try to connect I get a PR_END_OF_FILE_ERROR error. I deleted it end generated a new one, and it worked.

Did I miss something for it to renew properly ?

....
It says it succeeded, the name changed (letsencrypt-autogen_2023-01-03T15:47:57Z) but in WinBox it still says that it will expire in 14 days. Also www-ssl service has an issue since the renew, when I try to connect I get a PR_END_OF_FILE_ERROR error. I deleted it end generated a new one, and it worked.

Did I miss something for it to renew properly ?

You could try disable / enable HTTPS service, HTH

I am using script.
and
However, since certificate is used for IKE2 VPN it also needs to be modified like:
However, i do not know how to fix the script, to detect currect / new certificate name to be assigned to ipsec identity , any help?