Creating SSL certificates on RouterOS with Let’s Encrypt

How to import your SSL certificates on RouterOS with Let’s Encrypt using DNS-based domain verification

While MikroTik RouterOS supports creation of self-signed SSL certificates, Let’s Encrypt provides a convenient way to get validated certificates without costs or hassles. Unfortunately, RouterOS doesn’t support that mechanism out of the box yet, but with the help of a second machine and the DNS challenge validation, the certificates can be created and imported fairly easily.

For some general notes on Let’s Encrypt, refer to my introductory article. The steps are quite comparable – the most notable difference is that the certificate creation process takes place on a separate machine using DNS validation, with the resulting files being transferred to and imported on your router.

Installing the client

First of all, you need to install a Let’s Encrypt client on a Linux machine. The official one can be installed via

git clone https://github.com/letsencrypt/letsencrypt

Afterwards, several Python packages might need installing. To invoke that process, start the client once with

letsencrypt/letsencrypt-auto --help

and provide your credentials for sudo, as the system-wide installation requires root privileges. The client will invoke your distribution’s package manager to provide the missing files.

DNS challenge validation

There are various ways to prove ownership of the domain you’re requesting a certificate for. To create certificates on a machine different from the one the associated A or AAAA record points to, DNS challenge validation is best, as otherwise you’d need to place a challenge file on or set up port forwarding to the actual device.

Certificates in the web UI

You need access to your domain’s DNS records in order to create a TXT record. If you’re unsure what this is about, you’re better off asking your provider or system administrator, as you can easily break your website with a misconfigured DNS.

To get the required challenge, invoke the following command

letsencrypt/letsencrypt-auto certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --email your.mail@address --domains router.your.domain

and replace your.mail@address with your e-mail address and router.your.domain with the subdomain you wish to get an SSL certificate for, respectively.

You might be asked to accept the terms of service and agree to your IP address being logged. You might also be asked whether you want to share your e-mail address with EFF. Afterwards, the challenge is shown:

Please deploy a DNS TXT record under the name
_acme-challenge.router.your.domain with the following value:

123a3aBxz1tLPow0x7J3BL8Dj9atPkO3rjDo9J-PAtl

You have to add the following line to your DNS zone file, replacing the last string with what the client shows you:

_acme-challenge.router IN TXT 123a3aBxz1tLPow0x7J3BL8Dj9atPkO3rjDo9J-PAtl

Please wait a few minutes after you have done that, for the DNS records to deploy, and then press Enter.
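Rather than guessing how long to wait before pressing Enter, the record can be checked against the zone’s authoritative nameservers, which are what Let’s Encrypt queries. The script below is an added example and not part of the original post; it assumes `dig` is installed and takes the record name, the token and the zone (your.domain for the setup in the post) as arguments.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: poll the authoritative
# nameservers of the zone until the _acme-challenge TXT record carries the
# token shown by the Let's Encrypt client, instead of guessing how long
# "a few minutes" is. Needs `dig` (package bind-utils or dnsutils).
set -u

# Print the TXT values that nameserver $2 serves for name $1, one per line,
# with the quotes stripped and split long records re-joined.
txt_values() {
  dig +short @"$2" TXT "$1" | sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# Succeed (0) once every authoritative server of ZONE answers TOKEN for
# RECORD; fail (1) after TIMEOUT seconds. Asking the authoritative servers
# rather than the local resolver avoids being fooled by a cached answer.
# Usage: wait_for_challenge RECORD TOKEN ZONE [TIMEOUT=600] [INTERVAL=30]
wait_for_challenge() {
  local record=$1 token=$2 zone=$3 timeout=${4:-600} interval=${5:-30}
  local waited=0 servers ns pending
  while :; do
    pending=""
    servers=$(dig +short NS "$zone")
    [ -n "$servers" ] || pending=" (no NS records for $zone)"
    for ns in $servers; do
      txt_values "$record" "$ns" | grep -qxF -- "$token" || pending="$pending $ns"
    done
    [ -z "$pending" ] && return 0
    if [ "$waited" -ge "$timeout" ]; then
      echo "timed out; token still missing on:$pending" >&2
      return 1
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Command-line use, with the record and zone from the post:
#   ./wait-txt.sh _acme-challenge.router.your.domain <token> your.domain
if [ $# -ge 3 ]; then
  wait_for_challenge "$1" "$2" "$3" && echo "record visible, press Enter in the client"
fi
```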

Transferring the certificates

The Let’s Encrypt client now tries to verify the domain. If all went well, the new certificate resides in /etc/letsencrypt/live/router.your.domain from where it needs to be transferred to your router.

To do so, copy the two required files via WinBox or SCP, e.g. by

scp /etc/letsencrypt/live/router.your.domain/fullchain.pem admin@router.your.domain:/
scp /etc/letsencrypt/live/router.your.domain/privkey.pem admin@router.your.domain:/

Note: Ensure that no files of the same name are on your RouterOS instance already, to avoid accidental overwriting.

Importing certificate and key

On RouterOS, you first have to import the certificate with its trust chain and then the private key, in that order:

/certificate import file-name=fullchain.pem passphrase=""
/certificate import file-name=privkey.pem passphrase=""

In the output, you should see some lines like
certificates-imported: 2
and
private-keys-imported: 1

After the successful import into the certificate database, you can delete both files via

/file remove fullchain.pem
/file remove privkey.pem

to prevent unauthorized access.

Activating the certificates

To see the name and number of the freshly imported certificates, enter

/certificate print

In the NAME section, this will likely read like fullchain.pem_0 for the certificate and fullchain.pem_1 for the Let’s Encrypt CA. To enable use of the SSL certificates for your services, enter

/ip service set www-ssl certificate=fullchain.pem_0
/ip service set api-ssl certificate=fullchain.pem_0

That’s it!

Caveats

There’s one caveat though: The certificates last 90 days, just like any other Let’s Encrypt certificate, so you have to renew these in due time and go through the process again.
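Since the transfer, import and activation steps above have to be repeated for every renewal, here is an added example (not the post’s or MikroTik’s own code) that runs them non-interactively as a certbot deploy hook; certbot, the current name of the letsencrypt client, exports RENEWED_LINEAGE to such hooks. It assumes SSH access to the router for the same user as the SCP step, that leftover fullchain.pem/privkey.pem files are detected with `/file print count-only`, and that the name RouterOS assigns to the imported certificate (fullchain.pem_0 in the post) is passed in after verifying it with /certificate print.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: run the transfer, import,
# clean-up and activation steps over SSH so that the 90-day renewal does not
# need a manual repeat. Written as a certbot deploy hook: certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/router.your.domain) when it
# runs the hook after a successful renewal.
set -u

# Usage: deploy_to_router LINEAGE_DIR ROUTER_HOST [SSH_USER=admin] [CERT_NAME=fullchain.pem_0]
# CERT_NAME is the name RouterOS gives the imported certificate; the post
# sees fullchain.pem_0, check /certificate print on your router.
deploy_to_router() {
  local dir=$1 host=$2 user=${3:-admin} cert=${4:-fullchain.pem_0} f leftover
  for f in fullchain.pem privkey.pem; do
    [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 2; }
  done
  # Refuse to clobber same-named files already on the router (the note in
  # the post); "print count-only" returns just the number of matches.
  leftover=$(ssh "$user@$host" '/file print count-only where name="fullchain.pem" or name="privkey.pem"' | tr -d '\r ')
  if [ "${leftover:-0}" != 0 ]; then
    echo "fullchain.pem or privkey.pem already present on $host, remove them first" >&2
    return 3
  fi
  scp -q "$dir/fullchain.pem" "$dir/privkey.pem" "$user@$host:/" || return 4
  # Order matters: certificate chain first, private key second.
  ssh "$user@$host" '/certificate import file-name=fullchain.pem passphrase=""' || return 5
  ssh "$user@$host" '/certificate import file-name=privkey.pem passphrase=""' || return 5
  # The key must not stay in the router's file store once it is in the certificate database.
  ssh "$user@$host" '/file remove fullchain.pem'
  ssh "$user@$host" '/file remove privkey.pem'
  ssh "$user@$host" "/ip service set www-ssl certificate=$cert"
  ssh "$user@$host" "/ip service set api-ssl certificate=$cert"
}

# certbot sets RENEWED_LINEAGE for deploy hooks; ROUTER_HOST is an assumed
# variable of this script, not something certbot provides.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_to_router "$RENEWED_LINEAGE" "${ROUTER_HOST:-router.your.domain}"
fi
```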

To ease the process, you can use wildcard certificates – see my separate blogpost about that.

Author: Florian Effenberger

Florian has been involved with free software for over 14 years and is one of the founders of The Document Foundation, the foundation behind LibreOffice.

4 thoughts on “Creating SSL certificates on RouterOS with Let’s Encrypt”

  1. What I’ve discovered is that a

    /log print where topics ~"certificate"

    yields error messages like

    certificate,info got CRL with bad signature, issued by DST Root CA X3:::Digital Signature Trust Co.:::

    This is due to the missing cross-sign certificate. To fix that, you have to import the certificate from https://www.identrust.com/certificates/trustid/root-download-x3.html by adding proper BEGIN and END headers, saving as .pem file and importing just as the other certificates.

    Afterwards, the message reads much better:

    certificate,info CRL updated for Let’s Encrypt Authority X3

  2. It would be really great of you if you could also write this blog in German – nice work, also on your previous blog posts

    1. Thanks! :-) I deliberately wrote this post in English, since it is of international interest too. But with a translation tool you should be able to transfer the essential points into German. Put simply, you install the Let’s Encrypt client, create a DNS record for the validation and create a certificate, which you then copy to the router and activate.
