While MikroTik RouterOS supports creation of self-signed SSL certificates, Let’s Encrypt provides a convenient way to get validated certificates without costs or hassles. Unfortunately, RouterOS doesn’t support that mechanism out of the box yet, but with the help of a second machine and the DNS challenge validation, they can be created and imported fairly easily.
For some general notes on Let’s Encrypt, refer to my introductory article. The steps are quite comparable – the most notable difference is that the certificate creation process takes place on a separate machine using DNS validation, with the resulting files being transferred and imported onto your router.
Installing the client
First of all, you need to install a Let’s Encrypt client on a Linux machine. The official one can be installed via
git clone https://github.com/letsencrypt/letsencrypt
Afterwards, several Python packages might need installing. To invoke that process, start the client once with
letsencrypt/letsencrypt-auto --help
and provide your credentials for sudo, as the system-wide installation requires root privileges. The client will invoke your distribution’s package managers to provide for the missing files.
DNS challenge validation
There are various ways to prove ownership of the domain you’re requesting a certificate for. To create certificates on a machine different from the one the associated A or AAAA record points to, DNS challenge validation is best, as otherwise you’d need to place a challenge file on the device or set up port forwarding to it.

You need access to your domain’s nameserver entries in order to create a TXT record. If you’re unsure what this is about, you’re better off asking your provider or system administrator, as you can easily break your website with a misconfigured DNS.
To get the required challenge, invoke the following command:
letsencrypt/letsencrypt-auto certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --email your.mail@address --domains router.your.domain
and replace your.mail@address with your e-mail address and router.your.domain with the subdomain you wish to get an SSL certificate for, respectively.
You might be asked to accept the terms of service and agree to your IP address being logged. You might also be asked whether you want to share your e-mail address with EFF. Afterwards, the challenge is shown:
Please deploy a DNS TXT record under the name
_acme-challenge.router.your.domain with the following value:
123a3aBxz1tLPow0x7J3BL8Dj9atPkO3rjDo9J-PAtl
You have to add the following line to your DNS zone file, replacing the last string with what the client shows you:
_acme-challenge.router IN TXT 123a3aBxz1tLPow0x7J3BL8Dj9atPkO3rjDo9J-PAtl
Please wait a few minutes after you have done that, for the DNS records to deploy, and then press Enter.
Transferring the certificates
The Let’s Encrypt client now tries to verify the domain. If all went well, the new certificate resides in /etc/letsencrypt/live/router.your.domain from where it needs to be transferred to your router.
To do so, copy the two required files via WinBox or SCP, e.g. by
scp /etc/letsencrypt/live/router.your.domain/fullchain.pem admin@router.your.domain:/
scp /etc/letsencrypt/live/router.your.domain/privkey.pem admin@router.your.domain:/
Note: Ensure that no files of the same name are on your RouterOS instance already, to avoid accidental overwriting.
Importing certificate and key
On RouterOS, you first have to import the certificate with its trust chain as well as the private key, in that respective order:
/certificate import file-name=fullchain.pem passphrase=""
/certificate import file-name=privkey.pem passphrase=""
In the output, you should see some lines like
certificates-imported: 2
and
private-keys-imported: 1
After the successful import into the certificate database, you can delete both files via
/file remove fullchain.pem
/file remove privkey.pem
to prevent unauthorized access.
Activating the certificates
To see the name and number of the freshly imported certificates, enter
/certificate print
In the NAME section, this will likely read like fullchain.pem_0 for the certificate and fullchain.pem_1 for the Let’s Encrypt CA. To enable use of the SSL certificates for your services, enter
/ip service set www-ssl certificate=fullchain.pem_0
/ip service set api-ssl certificate=fullchain.pem_0
That’s it!
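As an added example (not code from the original post), here is a shell script that automates the transfer, import and activation steps above from the Linux machine. Before copying anything it refuses a private key that is readable by group or others, and it reports how many certificates the chain file holds so the router's certificates-imported line can be checked against it. The script assumes ssh key authentication to the user@router given on the command line and that the files keep their fullchain.pem/privkey.pem names, so the leaf is imported as fullchain.pem_0.

```shell
#!/bin/bash
# Added example, not from the original post: push a certbot-style
# fullchain.pem/privkey.pem to a RouterOS device and activate it.
# Assumes ssh key authentication to user@router (arguments are hypothetical).
set -eu

# Number of PEM certificates in a chain file. After /certificate import the
# router prints "certificates-imported: N"; N should equal this count.
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds only when the file has no group/other permission bits (e.g. 600).
owner_only() {
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# The RouterOS commands from the post, one per line: import chain and key,
# delete the uploaded files, bind the leaf certificate to the TLS services.
# $1 is the leaf's name in /certificate print (fullchain.pem_0 for a file
# uploaded as fullchain.pem).
routeros_commands() {
    printf '%s\n' \
        '/certificate import file-name=fullchain.pem passphrase=""' \
        '/certificate import file-name=privkey.pem passphrase=""' \
        '/file remove fullchain.pem' \
        '/file remove privkey.pem' \
        "/ip service set www-ssl certificate=$1" \
        "/ip service set api-ssl certificate=$1"
}

# deploy LIVE_DIR USER@ROUTER: refuses to copy a group/world-readable key.
deploy() {
    live="$1" target="$2"
    if ! owner_only "$live/privkey.pem"; then
        echo "refusing: $live/privkey.pem is readable by group/others" >&2
        return 1
    fi
    echo "chain holds $(chain_cert_count "$live/fullchain.pem") certificate(s)"
    scp "$live/fullchain.pem" "$live/privkey.pem" "$target:/"
    # -n keeps ssh from swallowing the remaining command lines on stdin
    routeros_commands fullchain.pem_0 | while IFS= read -r cmd; do
        ssh -n "$target" "$cmd"
    done
}

if [ "$#" -eq 2 ]; then deploy "$1" "$2"; fi
```

Run it as `./deploy.sh /etc/letsencrypt/live/router.your.domain admin@router.your.domain`; the printed certificate count should match the certificates-imported value the router returns.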
Caveats
There’s one caveat though: The certificates last 90 days, just like any other Let’s Encrypt certificate, so you have to renew these in due time and go through the process again.
To ease the process, you can use wildcard certificates – see my separate blog post about that.
You can also give proper names to the certificates, e.g. by
/certificate set 0 name="router.your.domain"
/certificate set 1 name="Let's Encrypt Authority X3"
Replace 0 and 1 with the respective certificate IDs.
What I’ve discovered is that a
/log print where topics ~"certificate"
yields error messages like
certificate,info got CRL with bad signature, issued by DST Root CA X3:::Digital Signature Trust Co.:::
This is due to the missing cross-sign certificate. To fix that, you have to import the certificate from https://www.identrust.com/certificates/trustid/root-download-x3.html by adding proper BEGIN and END headers, saving as .pem file and importing just as the other certificates.
Afterwards, the message reads much better:
certificate,info CRL updated for Let’s Encrypt Authority X3
It would be really great of you if you could also do this BLOG in German. Clean work, also on your previous blogs.
Thanks! :-) I wrote this post in English on purpose, since it is of international interest too. But with a translation tool you should be able to carry the essential points over into German. Simply put, you install the Let’s Encrypt client, create a DNS record for the validation and create a certificate, which you then copy to the router and activate.
Thanks for your helpful guide. Unfortunately the Identrust link now redirects to a page showing many possible downloads, leaving me unsure which one to use. Also, after importing the certificate, what has to be done to enable it? BTW I also had to do the following to enable SSL and disable non-SSL:
/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes
I didn’t test yet (currently no RouterOS with public certificates active on my side), but I would guess it’s the TrustID X3 Root Certificate.
You don’t have to do anything else after importing. To enable the certificates, use
/ip service set certificate=YourCertificate www-ssl
/ip service enable www-ssl
In case it helps anyone, this is the script I created to automate the certificate handling. I use https://acmehelper.com/ to automate LetsEncrypt certificate renewals and find it very helpful. It always creates wildcard certificates, which give flexibility. The script for certificate renewal is running on secure.example.net for this example. I nearly always use hostnames, even though in this case the router IP address is in a private network.
#!/bin/bash
#
# Update certificates on Mikrotik router
#
# Function to install on router
function installer {
    echo "In the installer function to install new certificate in router"
    scp /root/mikrotik/certs/*.pem whoever@router.example.com:/
    ssh whoever@router.example.com "/certificate import file-name=fullchain.pem passphrase=\"\""
    ssh whoever@router.example.com "/certificate import file-name=privkey.pem passphrase=\"\""
    ssh whoever@router.example.com "/file remove fullchain.pem"
    ssh whoever@router.example.com "/file remove privkey.pem"
    ssh whoever@router.example.com "/ip service set www-ssl certificate=fullchain.pem_0"
    ssh whoever@router.example.com "/ip service set api-ssl certificate=fullchain.pem_0"
    mv /root/mikrotik/certs/fullchain.pem /root/mikrotik/certs/fullchain.old
    mv /root/mikrotik/certs/privkey.pem /root/mikrotik/certs/privkey.old
    exit 0
}
# Make sure directory is there for certs
mkdir -p /root/mikrotik/certs
# Copy certificates from the security server
scp root@secure.example.net:acmehelper/certs/example.com/fullchain.pem /root/mikrotik/certs/
scp root@secure.example.net:acmehelper/certs/example.com/privkey.pem /root/mikrotik/certs/
# Compare with the old ones, install in router if different
cmp --silent /root/mikrotik/certs/fullchain.old /root/mikrotik/certs/fullchain.pem || installer
cmp --silent /root/mikrotik/certs/privkey.old /root/mikrotik/certs/privkey.pem || installer
echo "Certificate is unchanged, no need for action"
Hi Florian,
Thanks a lot! With the help of your HOWTO and github gitpel I was able to advance in my goal to install the SSL certificate on multiple routers via shell script. Available in my github (https://github.com/alexmbarbosa/mikrotikSSL). Thanks!!