In this howto I’m going to cover how to create an SSL Certificate using letsencrypt for your Mikrotik in Mac OS. In linux should be quite similar (probably easer) and you can follow the same tutorial.
Installing letsencrypt certbot
Download page: https://certbot.eff.org
I have selected linux as an OS so I got the wrong instructions the first time. Please Mac users skip this one.
sudo -s cd /usr/local/ mkdir Certbot cd Certbot wget https://dl.eff.org/certbot-auto chmod +x certbot-auto ./certbot-auto certonly WARNING: certbot-auto support for this macOS is DEPRECATED! Please visit certbot.eff.org to learn how to download a version of Certbot that is packaged for your system. While an existing version of certbot-auto may work currently, we have stopped supporting updating system packages for your system. Please switch to a packaged version as soon as possible.
There we go with all the instructions for Mac OSX.
$ brew install certbot [...] Error: Permission denied @ dir_s_mkdir - /usr/local/Frameworks $ sudo install -d -o $(whoami) -g admin /usr/local/Frameworks $ brew uninstall --ignore-dependencies python $ brew install python $ brew install certbot $ certbot The following error was encountered: [Errno 13] Permission denied: '/var/log/letsencrypt' Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
This error is fine as we have not run certbot as root. So we are ready to go.
$ sudo certbot -d your.domain.name --manual --preferred-challenges dns certonly Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Obtaining a new certificate /usr/local/Cellar/certbot/0.22.2/libexec/lib/python3.6/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead. signer = key.signer(self.padding, self.hash) Performing the following challenges: dns-01 challenge for your.domain.name ------------------------------------------------------------------------------- NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? ------------------------------------------------------------------------------- (Y)es/(N)o: y ------------------------------------------------------------------------------- Please deploy a DNS TXT record under the name _acme-challenge.your.domain.name with the following value:
[random string to be copied as DNS TXT value]
Before continuing, verify the record is deployed. ——————————————————————————- Press Enter to Continue
Now you create your DNS TXT record on your domain name. This will depend on which domain provider you use. In my case I use CDmon which is a small company in Catalonia so the instructions has not been posted here.
Wait a while until the DNS records got propagated. You can check if this is ready with:
$ dig _acme-challenge.your.domain.name TXT ; <<>> DiG 9.9.7-P3 <<>> _acme-challenge.your.domain.name TXT ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36199 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;_acme-challenge.your.domain.name. IN TXT ;; ANSWER SECTION: _acme-challenge.your.domain.name. 899 IN TXT "[the random string]" ;; Query time: 59 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Thu Mar 29 13:06:36 BST 2018 ;; MSG SIZE rcvd: 1201, 14
Continue the certificate process on certbot
[Press enter in your main terminal where you were using certbot] Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/your.domain.name/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/your.domain.name/privkey.pem Your cert will expire on 2018-06-27. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le # cd /etc/letsencrypt/live/your.domain.name/ # ls README cert.pem chain.pem fullchain.pem privkey.pem
Mikrotik configuration
We just need to upload that certificates to our router, select them as a certificates and use them on our web server.
Uploading files
Files > Upload:
- Upload cert.pem
- Upload chain.pem
Importing certificates
Go to System > Certificates > Import
- Import cert.pem
- Import chain.pem
Enabling SSL on our web server
On Webfig go to IP > Services and click www-ssl. Select cert.pem, check Enabled and click Ok.
Enabling external traffic to reach our HTTPS web server
Ip > Firewall: Add new
Chain: input
Protocol: TCP
Dst. Port: 443
Action: Accept
Click Ok
Move the rule on the right position of the rule chain. (Above the rules drop input).
Validation
Go to your mikrotik: https://your.domain.name
Additionally you can check your SSL here: https://www.sslshopper.com/ssl-checker.htm
Conclusion
Now you can have a secure and encrypted access to your Mikrotik Router from everywhere with a valid SSL for free.
Drawbacks let’s encrypt certificates are only valid for 90 days so, you will have to keep renewing them.
Looking for a mikrotik to buy?
For home use I have Mikrotik hAP ac2 with double wifi chipset and gigabit ethernet. Gigabit ethernet, USB port, 4 cores and wifi ac for just £55.
For learning, experimenting and as an access point (protocol N) I recommend the cheapest Mikrotik hAP lite . It has the same features with more discrete hardware at a reduced price of £20.
For a small office or more demanding networks you would be better off with the RB2011UiAS-2HnD-IN due to have more available ports for all the extra devices. Just for £99.
Hey Albert,
thanks for sharing your insights. Have you found a convenient (= automated) way of renewing the certificate?
Best regards,
Constantin
Hi Constantin,
In fact just after writing this howto I found a script that automates all the process, although I haven’t had time to test it yet.
You can test it yourself: https://github.com/gitpel/letsencrypt-routeros
Thanks for your comment,
Albert
Hi Albert,
Thanks a lot! With the help of your HOWTO and github gitpel I was able to advance in my goal to install the SSL certificate on multiple routers via shellscript. Available in mi github (https://github.com/alexmbarbosa/mikrotikSSL). Thanks!!
Excellent job