
HOWTO: Letsencrypt SSL certificate in Mikrotik

In this howto I’m going to cover how to create an SSL certificate with Let's Encrypt for your Mikrotik on macOS. On Linux it should be quite similar (probably easier) and you can follow the same tutorial.

Installing letsencrypt certbot

Download page: https://certbot.eff.org

I selected Linux as the OS, so I got the wrong instructions the first time. Mac users, please skip this block.

sudo -s
cd /usr/local/
mkdir Certbot
cd Certbot
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
./certbot-auto certonly
WARNING: certbot-auto support for this macOS is DEPRECATED!
Please visit certbot.eff.org to learn how to download a version of
Certbot that is packaged for your system. While an existing version
of certbot-auto may work currently, we have stopped supporting updating
system packages for your system. Please switch to a packaged version
as soon as possible.

Here are the instructions for Mac OS X.

$ brew install certbot
[...]
Error: Permission denied @ dir_s_mkdir - /usr/local/Frameworks
$ sudo install -d -o $(whoami) -g admin /usr/local/Frameworks
$ brew uninstall --ignore-dependencies python
$ brew install python
$ brew install certbot
$ certbot
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

This error is expected, because we have not run certbot as root yet. So we are ready to go.

$ sudo certbot -d your.domain.name --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
/usr/local/Cellar/certbot/0.22.2/libexec/lib/python3.6/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
dns-01 challenge for your.domain.name

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.your.domain.name with the following value:

[random string to be copied as DNS TXT value]

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

Now you create the DNS TXT record for your domain name. How to do this depends on your DNS provider. In my case I use CDmon, a small company in Catalonia, so those instructions are not posted here.

Wait a while until the DNS record has propagated. You can check whether it is ready with:

$ dig _acme-challenge.your.domain.name TXT

; <<>> DiG 9.9.7-P3 <<>> _acme-challenge.your.domain.name TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36199
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.your.domain.name. IN TXT

;; ANSWER SECTION:
_acme-challenge.your.domain.name. 899 IN TXT "[the random string]"

;; Query time: 59 msec

;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Mar 29 13:06:36 BST 2018
;; MSG SIZE  rcvd: 1201, 14
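The dig check above asks a recursive resolver (8.8.8.8), which can keep serving a stale answer for a while after you edit the record, whereas Let's Encrypt validates against the zone's authoritative name servers. The following script is an added example, not part of the original post: it looks up the authoritative servers for the zone, polls each of them for the `_acme-challenge` TXT record, and only returns success once every one of them returns exactly the value certbot printed. The function and option names (`wait_for_txt`, the attempt count and interval) are my own; the record name and value are the ones certbot asks you to deploy.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: wait until the _acme-challenge
# TXT record carries the value certbot asked for before pressing Enter.
# Queries the zone's own authoritative name servers rather than a recursive
# resolver, so a cached old answer cannot fool the check.
set -eu

# True when the TXT answers on stdin (dig +short format, one quoted string
# per line) contain exactly the expected challenge value.
txt_has_value() {
  local expected="$1"
  grep -qxF "\"$expected\""
}

# Zones that might hold the record: strip the _acme-challenge label, then
# walk up one label at a time, stopping before the bare TLD.
candidate_zones() {
  local zone="${1#_acme-challenge.}"
  while [ "${zone#*.}" != "$zone" ]; do
    printf '%s\n' "$zone"
    zone="${zone#*.}"
  done
}

# Authoritative name servers of the closest zone that has an NS record.
zone_nameservers() {
  local zone ns
  for zone in $(candidate_zones "$1"); do
    ns=$(dig +short NS "$zone" || true)
    [ -n "$ns" ] && { printf '%s\n' "$ns"; return 0; }
  done
  return 1
}

# Poll every $interval seconds, up to $attempts times, until every
# authoritative server returns the expected value. Returns 0 when it does.
wait_for_txt() {
  local name="$1" expected="$2" attempts="${3:-30}" interval="${4:-10}"
  local i ns ns_list ok
  for i in $(seq 1 "$attempts"); do
    ok=1
    ns_list=$(zone_nameservers "$name" || true)
    [ -n "$ns_list" ] || ok=0          # no NS found: not ready
    for ns in $ns_list; do
      dig +short @"$ns" TXT "$name" | txt_has_value "$expected" || ok=0
    done
    if [ "$ok" = 1 ]; then
      echo "$name has the expected TXT value on all authoritative servers"
      return 0
    fi
    echo "attempt $i/$attempts: record not visible everywhere yet, waiting ${interval}s" >&2
    sleep "$interval"
  done
  return 1
}

# usage: ./wait-for-txt.sh _acme-challenge.your.domain.name '<value certbot printed>'
if [ $# -ge 2 ]; then
  wait_for_txt "$@"
fi
```

Run it in a second terminal while certbot is waiting at "Press Enter to Continue"; once it reports success, go back to certbot and press Enter.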

Continue the certificate process on certbot

[Press enter in your main terminal where you were using certbot]
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your.domain.name/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your.domain.name/privkey.pem
Your cert will expire on 2018-06-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


# cd /etc/letsencrypt/live/your.domain.name/
# ls

README cert.pem chain.pem fullchain.pem privkey.pem

Mikrotik configuration

We just need to upload those certificate files to our router, import them as certificates and use them on our web server.

Uploading files

Files > Upload:

  • Upload cert.pem
  • Upload chain.pem

Importing certificates

Go to System > Certificates > Import

  • Import cert.pem
  • Import chain.pem

Enabling SSL on our web server

In Webfig go to IP > Services and click www-ssl. Select cert.pem as the certificate, check Enabled and click OK.

Enabling external traffic to reach our HTTPS web server

IP > Firewall: Add new

Chain: input
Protocol: TCP
Dst. Port: 443
Action: Accept
Click Ok

Move the rule to the right position in the rule chain (above the rules that drop input traffic).
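The Webfig steps above (upload, import, enable www-ssl, open port 443) can be done from the command line, which also makes redoing them after each renewal painless. The script below is an added example, not code from the original post or from Mikrotik: it copies the certbot files to the router with scp, imports them over ssh, points www-ssl at the new certificate and adds the tcp/443 accept rule once. Note that it also uploads and imports privkey.pem, because the www-ssl service can only present a certificate whose private key is on the router, and it deletes the key file from the router's file store afterwards. It assumes (not stated on the page) that the router's ssh service is enabled with key-based login for the router user and that the certbot live directory is readable; the rule comment `allow-https-admin` is a label of my own, and `place-before=0` puts the rule at the top of the filter list, which is what the post's "above the drop rules" step asks for.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: push the certificate certbot
# produced for a domain to a MikroTik router over scp/ssh, import it, point
# www-ssl at it and open tcp/443 on the input chain. Re-run after each renewal.
# Assumptions not stated on the page: the router's ssh service is enabled and
# key-based login works for the router user; certbot's live directory is
# readable by whoever runs this (root by default).
set -eu

LIVE_ROOT="/etc/letsencrypt/live"

# RouterOS commands to run once cert.pem, chain.pem and privkey.pem are on the
# router. Kept in a function so the exact commands can be reviewed (and
# asserted on) before anything is sent. The service needs the private key as
# well as the certificate, so privkey.pem is imported too and then deleted
# from the router's file store. Any earlier certificate with the same common
# name is detached and removed first so the lookup after import is unambiguous.
router_commands() {
  local domain="$1"
  cat <<EOF
/ip service set www-ssl certificate=none
/certificate remove [find where common-name="$domain"]
/certificate import file-name=cert.pem passphrase=""
/certificate import file-name=chain.pem passphrase=""
/certificate import file-name=privkey.pem passphrase=""
/ip service set www-ssl certificate=[/certificate get [find where common-name="$domain"] name] disabled=no
:if ([:len [/ip firewall filter find comment="allow-https-admin"]] = 0) do={ /ip firewall filter add chain=input protocol=tcp dst-port=443 action=accept comment="allow-https-admin" place-before=0 }
/file remove [find name="privkey.pem"]
EOF
}

# Copy the PEM files, then run the commands one per ssh session (RouterOS
# executes a single command line per ssh invocation; -n keeps ssh from
# swallowing the loop's stdin).
deploy() {
  local domain="$1" target="$2" live="$LIVE_ROOT/$1" f line
  for f in cert.pem chain.pem privkey.pem; do
    [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    scp -q "$live/$f" "$target:$f"
  done
  router_commands "$domain" | while IFS= read -r line; do
    ssh -n "$target" "$line"
  done
}

# usage: sudo ./deploy-to-mikrotik.sh your.domain.name router.host [admin]
if [ $# -ge 2 ]; then
  deploy "$1" "${3:-admin}@$2"
else
  echo "usage: $0 <domain> <router-host> [router-user]  (nothing deployed)" >&2
fi
```

Check the result on the router with `/certificate print` (the imported leaf should show the K flag, meaning its private key is present) and `/ip service print` before you rely on it.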

Validation

Open your Mikrotik in the browser: https://your.domain.name

Additionally you can check your SSL here: https://www.sslshopper.com/ssl-checker.htm

Conclusion

Now you have secure, encrypted access to your Mikrotik router from anywhere, with a valid SSL certificate, for free.

Drawback: Let's Encrypt certificates are only valid for 90 days, so you will have to keep renewing them.

Looking for a mikrotik to buy?

For home use I have a Mikrotik hAP ac2 with a dual Wi-Fi chipset and gigabit Ethernet. Gigabit Ethernet, a USB port, 4 cores and Wi-Fi ac for just £55.

For learning, experimenting and as an access point (802.11n) I recommend the cheapest Mikrotik, the hAP lite. It has the same features on more modest hardware at a reduced price of £20.

For a small office or more demanding networks you would be better off with the RB2011UiAS-2HnD-IN, because it has more ports available for all the extra devices, for just £99.
