Use Let’s Encrypt SSL certificate on Mikrotik RouterOS

These are step-by-step instructions on how to import and use a Let’s Encrypt SSL certificate on your Mikrotik routerboard.

There are a number of Let’s Encrypt clients out there. But my favourite so far is by . The only requirement is a shell. Works fine running as an unprivileged user as well.

In the steps below, I’m using DNS validation, but of course you can use web based as well.

In that case, forward a port to the computer running and use --standalone and --httpport (if you use a non-standard port) instead of --dns.


  1. Download and install Or, if you’re in “dont-really-care-what-i-download-and-run”-mode:
    $ curl | sh
  2. Then issue a new certificate:
    $ --issue --dns -d
  3. Add the TXT record displayed to your DNS. Look for this:
    Domain: '' 
    TXT value: 'iamNo7r3alIaHacK3rbutItc4nBfunM3ss1nGaroUnD'
  4. After you’ve added your TXT record, issue a renewal:
    $ --renew -d
    [thu 12 jan. 2017 20:06:09 CET] Renew: '' 
    [thu 12 jan. 2017 20:06:09 CET] Single domain='' 
    [thu 12 jan. 2017 20:06:09 CET] Getting domain auth token for each domain 
    [thu 12 jan. 2017 20:06:09 CET] 
    [thu 12 jan. 2017 20:06:14 CET] Success 
    [thu 12 jan. 2017 20:06:14 CET] Verify finished, start to sign. 
    [thu 12 jan. 2017 20:06:15 CET] Cert success.
  5. Install your cert. And yes, you should specify the same file for --capath and --certpath.
    $ --installcert -d \
              --capath /home/ogg/certs/ \
              --certpath /home/ogg/certs/ \
              --keypath /home/ogg/certs/
    [thu 12 jan. 2017 20:18:03 CET] Installing cert to:/home/ogg/certs/
    [thu 12 jan. 2017 20:18:03 CET] Installing CA to:/home/ogg/certs/
    [thu 12 jan. 2017 20:18:03 CET] Installing key to:/home/ogg/certs/

    You now have two files to upload to your Mikrotik device. and

  6. Upload the two files to your Mikrotik. I’m assuming you have ssh enabled and can login.
    $ scp                              100% 1337     1.6KB/s   00:00
    $ scp                              100% 8888     1.6KB/s   00:00
  7. SSH into your router and import the certificates
    /certificate import
    /certificate import

    You can then verify they’re imported. Remember the name of your certificate (used in the last step).

    /certificate print
    Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
     #        NAME                       COMMON-NAME                 SUBJECT-ALT-NAME         FINGERPRINT                   
     0 K    T  133713371337133713371337133...
     1   L  T  Let's Encrypt Authority X3                           713371337133713371337133713...
  8. Final step, tell your www-ssl service to use the certificate.
    /ip service set www-ssl

And that’s it! already have set up a cronjob for you doing the renewal. You can then use a shell script to automatically upload after renewal. To do so, point to that script with --reload-cmd <scriptpath> so that it is run after renewal.

On the Mikrotik side, you can write a script that checks whether there are any certs to import and imports them. You can then run this using the Scheduler, maybe once a day or week, to make sure you never have outdated certificates.
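
One way to write the upload script described above, as an added example that is not from the original post: it sanity-checks the two PEM files, copies them over SSH with strict host key checking, runs the import and www-ssl steps from the host (instead of a router-side Scheduler script), and deletes the uploaded private key from the router's file store afterwards. The router address, the file paths and the "_0" certificate name are assumptions.

```shell
#!/bin/sh
# Added example: hook that pushes a renewed cert and key to the router.
# ROUTER, CERT and KEY are placeholders (assumptions), not values from the post.
ROUTER="${ROUTER:-admin@router.example}"
CERT="${CERT:-/path/to/cert.pem}"
KEY="${KEY:-/path/to/key.pem}"
# Fail instead of prompting, and never accept an unknown router host key.
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes"

# Refuse to upload files that are missing, empty or swapped.
check_pem() {   # usage: check_pem <cert> <key>
    [ -s "$1" ] && [ -s "$2" ] || { echo "missing or empty file" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "$1 is not a PEM certificate" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$2" ||
        { echo "$2 is not a PEM private key" >&2; return 1; }
}

# RouterOS commands, one per line. Assumption: the imported certificate is
# named after its file plus "_0"; confirm with "/certificate print" (step 7).
routeros_cmds() {   # usage: routeros_cmds <cert-file> <key-file>
    cat <<EOF
/certificate remove [find name="${1}_0"]
/certificate import file-name=$1 passphrase=""
/certificate import file-name=$2 passphrase=""
/file remove $2
/file remove $1
/ip service set www-ssl certificate=${1}_0
EOF
}

# With DRY_RUN=1 print each command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

deploy() {
    check_pem "$CERT" "$KEY" || return 1
    run scp $SSH_OPTS "$CERT" "$KEY" "$ROUTER:" || return 1
    routeros_cmds "$(basename "$CERT")" "$(basename "$KEY")" |
        while IFS= read -r cmd; do
            # -n stops ssh from eating the remaining commands on stdin
            run ssh -n $SSH_OPTS "$ROUTER" "$cmd" || exit 1
        done
}

# Runs only when invoked as "<script> deploy", so it can also be sourced.
if [ "${1:-}" = deploy ]; then deploy; fi
```

Setting DRY_RUN=1 prints the scp and ssh commands without contacting the router, which is a quick way to review what will be sent before wiring the script into the renewal hook.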

Example scripts


Hairpin NAT example

Here is an example config to configure a hairpin NAT on Mikrotik.

In this example I have a webserver on and my Mikrotik router is on After adding these rules I can access my webserver via my public IP from inside the LAN. Which is a nice feature.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether01-WAN to-addresses=
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=! src-address=
... other NAT rules
add action=dst-nat chain=dstnat comment="Forward port 80 to webserver on" dst-address=! dst-address-type=local dst-port=80 protocol=tcp \
to-addresses= to-ports=80

More information can be found here.