While MikroTik RouterOS supports creation of self-signed SSL certificates, Let’s Encrypt provides a convenient way to get validated certificates without costs or hassles. Unfortunately, RouterOS doesn’t support that mechanism out of the box yet, but with the help of a second machine and the DNS challenge validation, they can be created and imported fairly easily.
For some general notes on Let’s Encrypt, refer to my introductory article. The steps are quite comparable – the most notable difference is that the certificate creation process takes place on a separate machine using DNS validation, with the resulting files being transferred to and imported onto your router.
Installing the client
First of all, you need to install a Let’s Encrypt client on a Linux machine. The official one can be installed via
git clone https://github.com/letsencrypt/letsencrypt
Afterwards, several Python packages might need installing. To invoke that process, start the client once with
and provide your sudo credentials, as the system-wide installation requires root privileges. The client will invoke your distribution’s package manager to install the missing packages.
DNS challenge validation
There are various ways to prove ownership of the domain you’re requesting a certificate for. To create certificates on a machine different from the one the associated A or AAAA record points to, DNS challenge validation is best, as otherwise you’d need to place a challenge file on the actual device or set up port forwarding to it.
You need access to your domain’s nameserver entries to create a TXT record. If you’re unsure what this is about, you’re better off asking your provider or system administrator, as you can easily break your website with a misconfigured DNS.
To get the required challenge, invoke the following command
letsencrypt/letsencrypt-auto certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --email your.mail@address --domains router.your.domain
and replace your.mail@address with your e-mail address and router.your.domain with the subdomain you wish to get an SSL certificate for, respectively.
You might be asked to accept the terms of service and agree to your IP address being logged. You might also be asked whether you want to share your e-mail address with EFF. Afterwards, the challenge is shown:
Please deploy a DNS TXT record under the name
_acme-challenge.router.your.domain with the following value:
You have to add the following line to your DNS zone file, replacing the last string with what the client shows you:
_acme-challenge.router IN TXT 123a3aBxz1tLPow0x7J3BL8Dj9atPkO3rjDo9J-PAtl
Please wait a few minutes after you have done that, for the DNS records to deploy, and then press Enter.
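Before pressing Enter, it is worth confirming that the TXT record is actually visible to the outside world, since a validation attempt against a not-yet-propagated record fails and you have to start over. The following script is an added example, not part of the original post or of the Let’s Encrypt client: it queries a public resolver with `dig` (from dnsutils/bind-utils) and compares the answer with the value the client printed. The record name, the expected value and the resolver address are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example: poll a public resolver for the _acme-challenge TXT record
# until it carries the value the Let's Encrypt client asked for.
# Assumes `dig` is installed. Name, value and resolver are placeholders.

# dig +short prints TXT data in double quotes, long records split into
# several quoted strings on one line, and one name may carry several TXT
# records (one per line). Strip quotes and spaces, then look for a line
# that equals the expected value exactly.
# $1: expected value; stdin: output of `dig +short TXT <name>`
txt_present() {
    expected="$1"
    tr -d '" ' | grep -qxF -- "$expected"
}

# $1: record name, $2: expected value, $3: resolver (default 1.1.1.1),
# $4: number of attempts (default 20, 15 s apart)
wait_for_txt() {
    name="$1"; expected="$2"; resolver="${3:-1.1.1.1}"; tries="${4:-20}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" "@$resolver" | txt_present "$expected"; then
            echo "TXT record for $name is visible at $resolver"
            return 0
        fi
        i=$((i + 1))
        sleep 15
    done
    echo "TXT record for $name not visible at $resolver after $tries attempts" >&2
    return 1
}

# usage (placeholders): ./wait-txt.sh _acme-challenge.router.your.domain 123a3aBxz1tLPow0x7J3BL8Dj9atPkO3rjDo9J-PAtl
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

A public resolver is queried deliberately: Let’s Encrypt validates from outside your network, so a record that only your own nameserver already serves proves nothing about propagation. Stale TXT records from earlier attempts are harmless here because the check accepts any record on the name that matches the current value.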
Transferring the certificates
The Let’s Encrypt client now tries to verify the domain. If all went well, the new certificate resides in /etc/letsencrypt/live/router.your.domain from where it needs to be transferred to your router.
To do so, copy the two required files via WinBox or SCP, e.g. by
scp /etc/letsencrypt/live/router.your.domain/fullchain.pem user@router.your.domain:/
scp /etc/letsencrypt/live/router.your.domain/privkey.pem user@router.your.domain:/
where user is your RouterOS login name.
Note: Ensure that no files of the same name are on your RouterOS instance already, to avoid accidental overwriting.
Importing certificate and key
On RouterOS, you first have to import the certificate with its trust chain as well as the private key, in that respective order:
/certificate import file-name=fullchain.pem passphrase=""
/certificate import file-name=privkey.pem passphrase=""
In the output, you should see some lines like
After the successful import into the certificate database, you can delete both files via
/file remove fullchain.pem
/file remove privkey.pem
to prevent unauthorized access.
Activating the certificates
To see the name and number of the freshly imported certificates, enter
In the NAME column, this will likely read like fullchain.pem_0 for the certificate and fullchain.pem_1 for the Let’s Encrypt CA. To enable use of the SSL certificates for your services, enter
/ip service set www-ssl certificate=fullchain.pem_0
/ip service set api-ssl certificate=fullchain.pem_0
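Since the transfer, import, clean-up and activation steps above have to be repeated at every renewal, the following script is an added example (not part of the original post and not MikroTik’s or Let’s Encrypt’s code) that runs them in one go over SCP and SSH. It assumes SSH is enabled on the router and the given user can log in non-interactively (e.g. with a key); the router hostname and user name are placeholders. Each upload gets a date-stamped file name so that nothing already on the router is overwritten and the certificate RouterOS derives from that name (the `_0` suffix for the leaf, `_1` for the CA, as above) does not collide with a previous import. The last command, `/certificate print`, is RouterOS’s own listing of the certificate store and shows you the result.

```shell
#!/bin/sh
# Added example: push a freshly issued Let's Encrypt certificate to a
# MikroTik router and run the RouterOS import/activation steps.
# Assumptions: SSH enabled on the router, key-based login for the user,
# LIVE_DIR is the client's output directory (default /etc/letsencrypt/live).
set -e

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Remote file names carry a date stamp so existing files on the router are
# never overwritten. $1: base name (fullchain or privkey), $2: date stamp
remote_name() {
    printf '%s-%s.pem' "$1" "$2"
}

# The RouterOS command sequence, one command per line, in the order the
# post describes: chain first, then key, remove the uploaded files, bind
# the leaf certificate (<chain file>_0) to the SSL services, show the store.
# $1: chain file name on the router, $2: key file name on the router
routeros_commands() {
    chain="$1"; key="$2"
    printf '%s\n' \
        "/certificate import file-name=$chain passphrase=\"\"" \
        "/certificate import file-name=$key passphrase=\"\"" \
        "/file remove $chain" \
        "/file remove $key" \
        "/ip service set www-ssl certificate=${chain}_0" \
        "/ip service set api-ssl certificate=${chain}_0" \
        "/certificate print"
}

# $1: certificate domain (directory under LIVE_DIR), $2: router host,
# $3: RouterOS user (default admin)
deploy() {
    domain="$1"; router="$2"; user="${3:-admin}"
    src="$LIVE_DIR/$domain"
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "certificate files for $domain not found in $src" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d)
    chain=$(remote_name fullchain "$stamp")
    key=$(remote_name privkey "$stamp")
    scp "$src/fullchain.pem" "$user@$router:/$chain"
    scp "$src/privkey.pem" "$user@$router:/$key"
    # RouterOS accepts several commands separated by ';' in one SSH call.
    ssh "$user@$router" "$(routeros_commands "$chain" "$key" | paste -sd ';' -)"
}

# usage (placeholders): ./deploy-cert.sh router.your.domain router.your.domain admin
if [ "$#" -ge 2 ]; then
    deploy "$@"
fi
```

Run it as root or as a user that can read the private key under the live directory; the key is removed from the router’s file system right after the import, just as in the manual steps, so it only ever persists in the certificate database.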
There’s one caveat though: The certificates last 90 days, just like any other Let’s Encrypt certificate, so you have to renew these in due time and go through the process again.
To ease the process, you can use wildcard certificates – see my separate blogpost about that.