Use Let’s Encrypt SSL certificate on Mikrotik RouterOS

These are step by step instructions how to import and use a Let’s Encrypt SSL certificate on your Mikrotik routerboard.

There are a number of Let’s Encrypt clients out there, but my favourite so far is acme.sh by . The only requirement is a shell, and it works fine running as an unprivileged user as well.

In the steps below, I’m using DNS validation, but of course you can use web based as well.

In that case, forward a port to the computer running acme.sh and use --standalone and --httpport (if you use a non-standard port) instead of --dns.

Installation

  1. Download and install acme.sh. Or, if you’re in "don't-really-care-what-i-download-and-run" mode:
    $ curl https://get.acme.sh | sh
  2. Then issue a new certificate:
    $ acme.sh --issue --dns -d router.mydomain.com
  3. Add the TXT record displayed to your DNS. Look for this:
    Domain: '_acme-challenge.router.mydomain.com' 
    TXT value: 'iamNo7r3alIaHacK3rbutItc4nBfunM3ss1nGaroUnD'
  4. After you’ve added your TXT record, issue a renewal:
    $ acme.sh --renew -d router.mydomain.com
    [thu 12 jan. 2017 20:06:09 CET] Renew: 'router.mydomain.com' 
    [thu 12 jan. 2017 20:06:09 CET] Single domain='router.mydomain.com' 
    [thu 12 jan. 2017 20:06:09 CET] Getting domain auth token for each domain 
    [thu 12 jan. 2017 20:06:09 CET] Verifying:router.mydomain.com 
    [thu 12 jan. 2017 20:06:14 CET] Success 
    [thu 12 jan. 2017 20:06:14 CET] Verify finished, start to sign. 
    [thu 12 jan. 2017 20:06:15 CET] Cert success.
  5. Install your cert. And yes, you should specify the same file for --capath and --certpath.
    $ acme.sh --installcert -d router.mydomain.com \
              --capath /home/ogg/certs/router.mydomain.com.cer \
              --certpath /home/ogg/certs/router.mydomain.com.cer \
              --keypath /home/ogg/certs/router.mydomain.com.key
    [thu 12 jan. 2017 20:18:03 CET] Installing cert to:/home/ogg/certs/router.mydomain.com.cer
    [thu 12 jan. 2017 20:18:03 CET] Installing CA to:/home/ogg/certs/router.mydomain.com.cer
    [thu 12 jan. 2017 20:18:03 CET] Installing key to:/home/ogg/certs/router.mydomain.com.key

    You now have two files to upload to your Mikrotik device: router.mydomain.com.cer and router.mydomain.com.key.

  6. Upload the two files to your Mikrotik. I’m assuming you have SSH enabled and can log in.
    $ scp router.mydomain.com.key kutersv16-sw1:router.mydomain.com.key
    router.mydomain.com.key                              100% 1337     1.6KB/s   00:00
    $ scp router.mydomain.com.cer kutersv16-sw1:router.mydomain.com.cer
    router.mydomain.com.cer                              100% 8888     1.6KB/s   00:00
  7. SSH into your router and import the certificate and the key:
    /certificate import file-name=router.mydomain.com.cer
    /certificate import file-name=router.mydomain.com.key

    You can then verify that they’re imported. Note the name of your certificate; it is used in the last step.

    /certificate print
    Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
     #        NAME                       COMMON-NAME                 SUBJECT-ALT-NAME         FINGERPRINT                   
     0 K    T router.mydomain.com.cer_0  router.mydomain.com         DNS:router.mydomain.com  133713371337133713371337133...
     1   L  T router.mydomain.com.cer_1  Let's Encrypt Authority X3                           713371337133713371337133713...
  8. Final step: tell your www-ssl service to use the certificate.
    /ip service set www-ssl certificate=router.mydomain.com.cer_0

And that’s it!

acme.sh has already set up a cronjob for you that does the renewal. You can then use a shell script to upload the new files automatically after each renewal: pass --reload-cmd <scriptpath> to acme.sh and that script is run after every successful renewal.

On the Mikrotik side, you can write a script that checks whether there are any new certificate files to import and imports them. You can then run it from the Scheduler, maybe once a day or once a week, to make sure you never have outdated certificates.
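Here is one way to wire the two together, as an added example rather than the post's own upload.bash or install_cert.rsc: a POSIX shell hook for --reload-cmd that pushes the renewed files to the router and runs a generated RouterOS script over ssh, replacing steps 6 to 8. It assumes key-based ssh login to the router as in step 6, the certificate directory from step 5, and that RouterOS names the freshly imported leaf certificate <domain>.cer_0 once the old entries are removed (the naming shown in the /certificate print output above); the script name and the install_cert.rsc file name on the router are placeholders.

```shell
#!/bin/sh
# upload.sh (hypothetical name): acme.sh runs it after a successful renewal via
#   --reload-cmd "/home/ogg/bin/upload.sh router.mydomain.com kutersv16-sw1"
# It copies the renewed .cer/.key plus a generated RouterOS script to the
# router and executes that script with /import, replacing steps 6 to 8.
set -eu

# Emit the RouterOS commands that replace the old certificate entries, import
# the uploaded files without a passphrase prompt (needed over a non-interactive
# ssh session), activate the new leaf cert and delete the uploaded files so the
# private key does not linger in the router's file store.
# Assumption: after the old entries are removed, RouterOS names the leaf cert
# <domain>.cer_0, as in the /certificate print output above.
ros_import_commands() {
    domain=$1
    printf '%s\n' \
        "/certificate remove [find name~\"^${domain}\"]" \
        "/certificate import file-name=${domain}.cer passphrase=\"\"" \
        "/certificate import file-name=${domain}.key passphrase=\"\"" \
        "/ip service set www-ssl certificate=${domain}.cer_0" \
        "/file remove [find name=\"${domain}.cer\"]" \
        "/file remove [find name=\"${domain}.key\"]"
}

# Push the files and run the generated script on the router.
#   $1 = domain, $2 = ssh host/alias of the router, $3 = cert dir (default ~/certs)
main() {
    domain=$1
    router=$2
    certdir=${3:-$HOME/certs}
    rsc=$(mktemp)
    ros_import_commands "$domain" >"$rsc"
    scp -q "$certdir/$domain.cer" "$certdir/$domain.key" "$router:"
    scp -q "$rsc" "$router:install_cert.rsc"
    ssh "$router" "/import file-name=install_cert.rsc"
    rm -f "$rsc"
}

# Only touch a router when called with the domain and host; without arguments
# the function above can still be checked locally.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Check the generated commands with `ros_import_commands router.mydomain.com` before pointing --reload-cmd at the script; the /certificate print from step 7 confirms the _0 name on your RouterOS version.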

Example scripts

install_cert.rsc
upload.bash

Hairpin NAT example

Here is an example config to configure a hairpin NAT on Mikrotik.

In this example I have a webserver on 192.168.88.80 and my Mikrotik router is on 192.168.88.1. After adding these rules I can access my webserver via my public IP from inside the LAN, which is a nice feature.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether01-WAN to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=!192.168.88.1 src-address=192.168.88.0/24
... other NAT rules
add action=dst-nat chain=dstnat comment="Forward port 80 to webserver on 192.168.88.80" dst-address=!192.168.88.1 dst-address-type=local dst-port=80 protocol=tcp \
to-addresses=192.168.88.80 to-ports=80

More information can be found here.