So the two ingredients in the secret sauce are that the router automates the 90-day renewals on its own, and the cloud feature informs the router to use letsencrypt as the certificate service. Amazing!
I don't get why you would not use DNS challenges. It doesn't seem like a good idea to encourage anyone to expose the web UI.
Thanks. That's great. Could you do a printable version of these instructions (eg in the video description)?
Let's Encrypt is great for publicly accessible websites. On the contrary, a router's management interface should preferably not be publicly accessible. This is why supporting a self-hosted CA that implements ACME provisioning would be better. Given that you already have ACME support in place for Let's Encrypt, do you have any plans to provide an option to specify a custom ACME directory URL so that this feature can work with a self-hosted provisioner without requiring public access?
Thanks, Druvis. I noticed you using Winbox under Wine, and if you are a perfectionist like me you may be pained by the wrong text font width (4:52). You can solve the issue just by replacing the wrong Wine Tahoma font.
"Which is pretty much bragging...and no one likes that even if you have the MOST POWERFUL router ever."😂
I'd suggest adding the LE hostnames to the video description so they can just be copied and pasted.
I think there are more addresses missing from the LE list; I'm unable to complete validation when I include the source list in the firewall rule.
Fantastic stuff! What about DNS challenges through ACME?
In case your router supports containers, you could do it. There are plenty of Docker containers for different registrars. I don't think there will ever be general support for the DNS challenge in MikroTik, since every registrar (or whoever manages your domain) has their own API and it's almost impossible to support them in a general way.
DNS entries in firewall address lists are resolved at TTL expiry for that entry.
Thank you for all these videos! They are really helpful and provide invaluable insight and information!!
Will it be possible to do a video about bridge vlans? a "RouterOS v7 bridge VLANs Definitive Edition"?
I still see a lot of debate about bridge VLANs, and I myself am also not completely sure that the way I do it is the right way...
Wow, very nice!!! This method only works if you have a public IP on the WAN interface of the router, I would assume. CGNAT will not work for sure.
Aside from the LE address list not being sufficient to renew when the cert expires, it seems a reboot is needed for the new certificate to be seen after a renewal. After a reboot I also had to re-select the certificate in the SSTP Server configuration. It showed the new cert prior to reboot; after reboot 'none' was selected.
Well, it seems that LE uses more than those 3 servers; when I allowed only those servers in the input list, it didn't work. I could see many IP addresses trying to connect at the time of issuing a certificate from LE. Pity.
Yep, it seems that no one actually checked that method before making the video 😀
Is there a way to do this with a self-hosted ACME CA?
The LE address list seems to be incomplete. This doesn't work for me; the challenge attempts come from somewhere else.
Can you update with the complete list?
Dynamic Let's Encrypt addressing is not sufficient. As I see in the log, queries to port 80 were sent from a bunch of different addresses during enable-ssl-certificate, and none of them matched the dynamic list records. So far this is useless.
Let's Encrypt issues an SSL certificate for the DNS name you specify. It has no need for and does not care about your IP addresses at all.
Finally, finally. I need some time to get the nginx reverse proxy set up for these requests, but finally.
Otherwise it's done manually, and it was a mess handling an internal CA, and Let's Encrypt wasn't an option for 10+ routers; with this I'll be up and running in no time.
Nice information! Thanks
I did the exact same config and got "Progress: [error] err" on an RB951G-2HnD, RouterOS 7.6.
Same here. Is there a way for us to get some debug on this?
Same here. Can anyone confirm that this still works for them?
@@phillipsaw It works just fine. For me, the problem was that the ISP router, sitting in front of the MikroTik, was blocking port 80 even though I did a port forward.
Same as others: I'm unable to renew certificates. Stuck at the "validation" step.
Does anyone have an idea, please?
Great!! ... can you add Let's Encrypt's DNS entries in the description??
Hi @MikroTik. I followed the instructions to the letter. While I have the www service and the firewall rule enabled I am able to access WebFig, so I guess that port 80 is accessible from the WAN. I have DDNS working because I'm using the DNS name for my tests. When I run enable-ssl-certificate I get a progress: [error] message. Any ideas? Any debugging info which could help me solve this issue?
Same problem... any idea?
@@imaspower Yes, my router was connecting to the internet through the ISP's router. I opted for a direct connection and everything was OK. Otherwise you need to do some port forwarding from the ISP's router to get this working.
Congratulations everyone, Let's Encrypt 😂❤
Loved the video. Do you have the IPv6 addresses?
How could we make it work when NAT exists and port 80 is already used for an internal webserver?
I have a question: if that certificate will be used for web-ssl management, and 90 days later we delete it and generate a new one, do we need to configure web-ssl again to use the new certificate?
Could you please share the names of address list used in description?
Is the "enable-ssl-certificate" command only supported in v7.x?
Thanks Druvis, always perfect content. I'm doing everything step by step but I'm stuck after "enable-ssl-certificate", getting the error "check that www enabled". Do you have any suggestions? Thanks
If 'www' is enabled under the IP > Services section and it still fails, check if you can access your router's WebFig using the DDNS name.
Thanks a lot @@mikrotik for the fast response! I got it to work! I just started again from the very beginning.
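The reply above names the two preconditions behind most of the failures in this thread: the www service must be enabled, and port 80 on the router must actually be reachable from the Internet at the DDNS name. Several other comments report that a firewall rule restricted to a short Let's Encrypt source address list does not pass validation, because the challenges arrive from many addresses. The following RouterOS script is an added example, not code from the video or from MikroTik, that reconciles both points: it keeps the accept rule disabled and only opens port 80 while enable-ssl-certificate runs, then closes it again whatever the outcome. Assumptions: /ip cloud DDNS is already enabled, the WAN interface is named ether1, ROUTER.sn.mynetname.net is a placeholder for your own cloud DNS name, and re-running enable-ssl-certificate on a schedule replaces the existing certificate.

```routeros
# Added example, not from the video or from MikroTik. Assumed: /ip cloud DDNS is
# already enabled, the WAN interface is called ether1, and ROUTER.sn.mynetname.net
# is a placeholder for your own cloud DNS name.

# 1. The www service must be enabled; enable-ssl-certificate otherwise reports
#    "check that www enabled".
/ip service set www disabled=no

# 2. A single accept rule for the http-01 challenge. It is created disabled and
#    without a source address list, because the validation requests come from many
#    Let's Encrypt addresses and a list of three hostnames does not cover them.
#    The rule must sit above the input-chain drop rule, hence place-before=0
#    (adjust to your own rule order).
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=80 \
    action=accept comment="LE http-01 (temporary)" disabled=yes place-before=0

# 3. Script body (System > Scripts, name it le-renew): open port 80 only for the
#    duration of the issuance, then close it again regardless of the outcome.
/ip firewall filter enable [find comment="LE http-01 (temporary)"]
:do {
    /certificate enable-ssl-certificate dns-name="ROUTER.sn.mynetname.net"
    :log info "Let's Encrypt certificate issued or renewed"
} on-error={
    :log error "Let's Encrypt issuance failed; check port 80 reachability at the DDNS name"
}
/ip firewall filter disable [find comment="LE http-01 (temporary)"]

# 4. Re-run before the 90-day expiry, for example every 60 days (assumption: a
#    re-run replaces the current certificate rather than adding a second one).
/system scheduler add name=le-renew interval=60d on-event=le-renew
```

Steps 1, 2 and 4 are typed once in the terminal; step 3 is the body of the script the scheduler calls. Because the rule is disabled between runs, the management port is not left exposed on the WAN, and a failed run still ends with the rule closed. Whether the new certificate is picked up by services such as SSTP without re-selecting it is a separate question raised earlier in this thread and is not addressed by this script.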
What if the router is behind a NAT?
:D great, thanks
Please, once again for the slow ones. Can I remove certbot from my Ubuntu server and get certificates with my MikroTik? Will it be updated every 3 months by my router? How will it be delivered to my website URL, hosted on my Ubuntu server?
No, these certificates are for the router itself, not for your Ubuntu server.
Hi, can we do this with a domain name? I want to use it with my domain name.
Question unclear. You can only do this with a domain name.
@@mikrotik I want to do it with my domain name
@@mikrotik In the example, you used the default domain name, but I have a domain name and I linked it with my domain name.
I still don't understand. This feature is only for your own domain name. Yes, just use it like in the video :) You will need a publicly available domain name, so that Let's Encrypt can reach you. You will have to buy a domain name (they are cheap, from 0.99 USD). You can't do this with an imaginary domain name, yes.
@@mikrotik ok thank you for your answer