Creating SSL certificates on RouterOS with Let’s Encrypt

How to import your SSL certificates on RouterOS with Let’s Encrypt using DNS-based domain verification

While MikroTik RouterOS supports creation of self-signed SSL certificates, Let’s Encrypt provides a convenient way to get validated certificates without costs or hassles. Unfortunately, RouterOS doesn’t support that mechanism out of the box yet, but with the help of a second machine and the DNS challenge validation, they can be created and imported fairly easily.

For some general notes on Let’s Encrypt, refer to my introductory article. The steps are quite comparable – the most notable difference is that the certificate creation process takes place on a separate machine using DNS validation, with the resulting files being transferred and imported onto your router.

Installing the client

First of all, you need to install a Let’s Encrypt client on a Linux machine. The official one can be installed via

git clone https://github.com/letsencrypt/letsencrypt

Afterwards, several Python packages might need installing. To invoke that process, start the client once with

letsencrypt/letsencrypt-auto --help

and provide your credentials for sudo, as the system-wide installation requires root privileges. The client will invoke your distribution’s package manager to provide the missing files.

DNS challenge validation

There are various ways to prove ownership of the domain you’re requesting a certificate for. To create certificates on a machine different from the one the associated A or AAAA record points to, DNS challenge validation is best, as otherwise you’d need to place a challenge file on, or set up port forwarding to, the actual device.

Certificates in the web UI

You need access to your domain’s nameserver entries to create a TXT record. If you’re unsure what this is about, you’re better off asking your provider or system administrator, as you can easily break your website with a misconfigured DNS.

To get the required challenge, invoke the following command

letsencrypt/letsencrypt-auto certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --email your.mail@address --domains router.your.domain

and replace your.mail@address with your e-mail address and router.your.domain with the subdomain you wish to get an SSL certificate for, respectively.

You might be asked to accept the terms of service and agree to your IP address being logged. You might also be asked whether you want to share your e-mail address with EFF. Afterwards, the challenge is shown:

Please deploy a DNS TXT record under the name
_acme-challenge.router.your.domain with the following value:

123a3aBxz1tLPow0x7J3BL8Dj9atPkO3rjDo9J-PAtl

You have to add the following line to your DNS zone file, replacing the last string with what the client shows you:

_acme-challenge.router IN TXT 123a3aBxz1tLPow0x7J3BL8Dj9atPkO3rjDo9J-PAtl

Please wait a few minutes after you have done that, for the DNS records to deploy, and then press Enter.
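Rather than guessing how long propagation takes before pressing Enter, you can poll the authoritative nameserver until the TXT record actually carries the value the client printed. The script below is an added example, not code from the original post or from the Let’s Encrypt project; it uses dig (from the dnsutils/bind-utils package), takes the record name and token shown above as placeholders, and assumes a hypothetical nameserver ns1.your.domain that you would replace with your zone’s real one.

```shell
#!/bin/sh
# Added example (not from the original post): wait until the _acme-challenge TXT record
# is visible on the authoritative nameserver before continuing with the ACME client.
# Record name and token are the placeholders from the post; ns1.your.domain is assumed.
set -eu

# Return 0 if one of the quoted TXT strings in dig's "+short" output equals the expected token.
# $1 = dig +short output (constructed in tests), $2 = token the ACME client displayed
txt_record_present() {
  dig_output=$1; expected=$2
  # dig prints TXT data as "quoted strings"; strip the quotes and require an exact line match
  printf '%s\n' "$dig_output" | tr -d '"' | grep -Fqx "$expected"
}

# Poll the nameserver: $1 = record name, $2 = expected token, $3 = nameserver,
# $4 = number of attempts (default 20, 15 seconds apart, i.e. five minutes)
wait_for_txt() {
  name=$1; expected=$2; ns=$3; attempts=${4:-20}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if txt_record_present "$(dig +short TXT "$name" "@$ns")" "$expected"; then
      echo "TXT record for $name is live on $ns"
      return 0
    fi
    i=$((i + 1))
    sleep 15
  done
  echo "TXT record for $name not visible on $ns after $attempts attempts" >&2
  return 1
}

# Only query DNS when explicitly requested, so the helpers above can be sourced safely.
if [ "${RUN_DNS_CHECK:-0}" = 1 ]; then
  wait_for_txt _acme-challenge.router.your.domain \
    123a3aBxz1tLPow0x7J3BL8Dj9atPkO3rjDo9J-PAtl ns1.your.domain
fi
```

Run it with RUN_DNS_CHECK=1 after adding the zone record; querying the authoritative server directly (the @ns argument) avoids being fooled by a stale cached answer from your local resolver, which is the usual reason the challenge fails even though the record "is there".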

Transferring the certificates

The Let’s Encrypt client now tries to verify the domain. If all went well, the new certificate resides in /etc/letsencrypt/live/router.your.domain from where it needs to be transferred to your router.

To do so, copy the two required files via WinBox or SCP, e.g. by

scp /etc/letsencrypt/live/router.your.domain/fullchain.pem admin@router.your.domain:/
scp /etc/letsencrypt/live/router.your.domain/privkey.pem admin@router.your.domain:/

Note: Ensure that no files of the same name are on your RouterOS instance already, to avoid accidental overwriting.

Importing certificate and key

On RouterOS, you first have to import the certificate with its trust chain as well as the private key, in that respective order:

/certificate import file-name=fullchain.pem passphrase=""
/certificate import file-name=privkey.pem passphrase=""

In the output, you should see some lines like
certificates-imported: 2
and
private-keys-imported: 1

After the successful import into the certificate database, you can delete both files via

/file remove fullchain.pem
/file remove privkey.pem

to prevent unauthorized access.

Activating the certificates

To see the name and number of the freshly imported certificates, enter

/certificate print

In the NAME column, this will likely read like fullchain.pem_0 for the certificate and fullchain.pem_1 for the Let’s Encrypt CA. To enable use of the SSL certificates for your services, enter

/ip service set www-ssl certificate=fullchain.pem_0
/ip service set api-ssl certificate=fullchain.pem_0

That’s it!
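The transfer, import, cleanup and activation steps above, run from the Let’s Encrypt machine in one go, with the checks a cautious operator adds: refuse to overwrite files already on the router, verify the import counters before deleting anything, and only then bind the certificate to the services. This is an added example, not code from the original post or from MikroTik. It assumes the admin@router.your.domain login and the /etc/letsencrypt/live path used in the post, that RouterOS accepts commands over SSH the way shown in the comments below, and that the import output looks as quoted above; the helper names and the RUN_ROUTER_IMPORT switch are my own.

```shell
#!/bin/sh
# Added example (not from the original post): transfer, import, clean up and activate
# a Let's Encrypt certificate on RouterOS, checking each step before moving on.
# ROUTER and LIVE_DIR are placeholders taken from the post; adjust them to your setup.
set -eu

ROUTER="${ROUTER:-admin@router.your.domain}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/router.your.domain}"

# Return 0 if RouterOS import output "$1" contains a line "<$2>: <$3>",
# e.g. import_count_ok "$out" private-keys-imported 1
import_count_ok() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2:[[:space:]]*$3[[:space:]]*$"
}

# Return 0 if none of the file names in "$@" appear in a captured "/file print" listing "$1".
router_files_absent() {
  listing=$1; shift
  for f in "$@"; do
    if printf '%s\n' "$listing" | grep -qF "$f"; then
      return 1
    fi
  done
  return 0
}

# Name RouterOS gives the first certificate imported from a file (post: fullchain.pem_0).
imported_cert_name() {
  printf '%s_0\n' "$1"
}

router_import() {
  # Post's note: never overwrite files that already exist on the router.
  listing=$(ssh "$ROUTER" '/file print')
  router_files_absent "$listing" fullchain.pem privkey.pem || {
    echo "refusing to overwrite existing fullchain.pem/privkey.pem on $ROUTER" >&2
    return 1
  }

  scp "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" "$ROUTER:/"

  # Chain first, then the key, and check the counters the post says to look for.
  out=$(ssh "$ROUTER" '/certificate import file-name=fullchain.pem passphrase=""')
  import_count_ok "$out" certificates-imported 2 || { echo "chain import failed: $out" >&2; return 1; }
  out=$(ssh "$ROUTER" '/certificate import file-name=privkey.pem passphrase=""')
  import_count_ok "$out" private-keys-imported 1 || { echo "key import failed: $out" >&2; return 1; }

  # Key and chain now live in the certificate store; remove the plaintext copies.
  ssh "$ROUTER" '/file remove fullchain.pem'
  ssh "$ROUTER" '/file remove privkey.pem'

  cert=$(imported_cert_name fullchain.pem)
  ssh "$ROUTER" "/ip service set www-ssl certificate=$cert"
  ssh "$ROUTER" "/ip service set api-ssl certificate=$cert"
  echo "certificate $cert active on $ROUTER"
}

# Only touch the router when explicitly requested, so the helpers can be sourced safely.
if [ "${RUN_ROUTER_IMPORT:-0}" = 1 ]; then
  router_import
fi
```

Run it as RUN_ROUTER_IMPORT=1 ./router-import.sh once the certificate exists in LIVE_DIR. The ordering matters: the private key is only removed from the router’s file store after private-keys-imported: 1 has been confirmed, so a failed import never leaves you with a deleted key and no usable certificate, and never leaves the key file lying in the file store either.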

Caveats

There’s one caveat though: The certificates last 90 days, just like any other Let’s Encrypt certificate, so you have to renew these in due time and go through the process again.

To ease the process, you can use wildcard certificates – see my separate blogpost about that.


Author: Florian Effenberger

Florian has been involved in free software for over 16 years and is one of the founders of The Document Foundation, the foundation behind LibreOffice.

7 thoughts on “Creating SSL certificates on RouterOS with Let’s Encrypt”

  1. What I’ve discovered is that a

    /log print where topics ~"certificate"

    yields error messages like

    certificate,info got CRL with bad signature, issued by DST Root CA X3:::Digital Signature Trust Co.:::

    This is due to the missing cross-sign certificate. To fix that, you have to import the certificate from https://www.identrust.com/certificates/trustid/root-download-x3.html by adding proper BEGIN and END headers, saving as .pem file and importing just as the other certificates.

    Afterwards, the message reads much better:

    certificate,info CRL updated for Let’s Encrypt Authority X3

  2. It would be really great of you if you could also write this blog in German – clean work, also on your previous blog posts

    1. Thanks! :-) I deliberately wrote this post in English, since it is of international interest as well. But with a translation tool you should be able to carry the essential points over into German. Put simply, you install the Let’s Encrypt client, create a DNS record for the validation and generate a certificate, which you then copy to the router and activate.

  3. Thanks for your helpful guide. Unfortunately the Identrust link now redirects to a page showing many possible downloads, leaving me unsure which one to use. Also, after importing the certificate, what has to be done to enable it? BTW I also had to do the following to enable SSL and disable non-SSL:
    /ip service
    set www-ssl certificate=https-cert disabled=no
    set www disabled=yes

    1. I didn’t test yet (currently no RouterOS with public certificates active on my side), but I would guess it’s the TrustID X3 Root Certificate.

      You don’t have to do anything else after importing. To enable the certificates, use

      /ip service set certificate=YourCertificate www-ssl
      /ip service enable www-ssl

  4. In case it helps anyone, this is the script I created to automate the certificate handling. I use https://acmehelper.com/ to automate LetsEncrypt certificate renewals and find it very helpful. It always creates wildcard certificates, which give flexibility. The script for certificate renewal is running on secure.example.net for this example. I nearly always use hostnames, even though in this case the router IP address is in a private network.

    #!/bin/bash
    #
    # Update certificates on Mikrotik router
    #
    # Function to install on router
    function installer {
        echo "In the installer function to install new certificate in router"
        scp /root/mikrotik/certs/*.pem whoever@router.example.com:/
        ssh whoever@router.example.com "/certificate import file-name=fullchain.pem passphrase=\"\""
        ssh whoever@router.example.com "/certificate import file-name=privkey.pem passphrase=\"\""
        ssh whoever@router.example.com "/file remove fullchain.pem"
        ssh whoever@router.example.com "/file remove privkey.pem"
        ssh whoever@router.example.com "/ip service set www-ssl certificate=fullchain.pem_0"
        ssh whoever@router.example.com "/ip service set api-ssl certificate=fullchain.pem_0"
        mv /root/mikrotik/certs/fullchain.pem /root/mikrotik/certs/fullchain.old
        mv /root/mikrotik/certs/privkey.pem /root/mikrotik/certs/privkey.old
        exit 0
    }
    # Make sure directory is there for certs
    mkdir -p /root/mikrotik/certs
    # Copy certificates from the security server
    scp root@secure.example.net:acmehelper/certs/example.com/fullchain.pem /root/mikrotik/certs/
    scp root@secure.example.net:acmehelper/certs/example.com/privkey.pem /root/mikrotik/certs/
    # Compare with the old ones, install in router if different
    cmp --silent /root/mikrotik/certs/fullchain.old /root/mikrotik/certs/fullchain.pem || installer
    cmp --silent /root/mikrotik/certs/privkey.old /root/mikrotik/certs/privkey.pem || installer
    echo "Certificate is unchanged, no need for action"
