These are step by step instructions how to import and use a Let’s Encrypt SSL certificate on your Mikrotik routerboard.
There are a number of Let’s Encrypt clients out there. But my favourite so far is acme.sh by Neilpang. The only requirement is a shell. Works fine running as a unprivileged user as well.
In the steps below, I’m using DNS validation, but of course you can use web based as well.
In that case forward a port to the computer running acme.sh and use –standalone and –httpport (if you use a non standard port) instead of –dns.
acme.sh already have set up a cronjob for you doing the renewal. You can then use a shell script to automatically upload after renewal. To do so, point to that script –reload-cmd for it to be
run after renewal.
On the Mikrotik side, you can write a script that checks if there are any certs to import, import them. You can then run this using the Scheduler. Maybe once a day/week or so to make sure you never have outdated certificates.
upload.bash
fonte: https://www.ollegustafsson.com/en/letsencrypt-routeros/
Thanks Olle Gustafsson
There are a number of Let’s Encrypt clients out there. But my favourite so far is acme.sh by Neilpang. The only requirement is a shell. Works fine running as a unprivileged user as well.
In the steps below, I’m using DNS validation, but of course you can use web based as well.
In that case forward a port to the computer running acme.sh and use –standalone and –httpport (if you use a non standard port) instead of –dns.
Installation
- Download and install acme.sh. Or, if you’re in “dont-really- care-what-i-download-and-run”-mode:
$ curl https://get.acme.sh | sh
- Then issue a new certificate:
$ acme.sh --issue --dns -d router.mydomain.com
- Add the TXT record displayed to your DNS. Look for this:
Domain: '_acme-challenge.router.mydomain.com' TXT value: 'iamNo7r3alIaHacK3rbutItc4nBfunM3ss1nGaroUnD'
- After you’ve added your TXT record, issue a renewal:
$ acme.sh --renew -d router.mydomain.com [205/397] [thu 12 jan. 2017 20:06:09 CET] Renew: 'router.mydomain.com' [thu 12 jan. 2017 20:06:09 CET] Single domain='router.mydomain.com' [thu 12 jan. 2017 20:06:09 CET] Getting domain auth token for each domain [thu 12 jan. 2017 20:06:09 CET] Verifying:router.mydomain.com [thu 12 jan. 2017 20:06:14 CET] Success [thu 12 jan. 2017 20:06:14 CET] Verify finished, start to sign. [thu 12 jan. 2017 20:06:15 CET] Cert success.
- Install your cert. And yes, you should specify the same file for –capath and –certpath.
$ acme.sh --installcert -d router.mydomain.com \ --capath /home/certs/router.mydomain.com.cer \ --certpath /home/certs/router.mydomain.com.cer \ --keypath /home/ogg/certs/router.mydomain.com.key [thu 12 jan. 2017 20:18:03 CET] Installing cert to:/home/certs/router.mydomain.com.cer [thu 12 jan. 2017 20:18:03 CET] Installing CA to:/home/certs/router.mydomain.com.cer [thu 12 jan. 2017 20:18:03 CET] Installing key to:/home/certs/router.mydomain.com.key
You now have two files to upload to your Mikrotik device. router.mydomain.com.key and router.mydomain.com.cer. - Upload the two files to your Mikrotik. I’m assuming you have ssh enabled and can login.
$ scp router.mydomain.com.key routerboard:router.mydomain.com.key router.mydomain.com.key 100% 1337 1.6KB/s 00:00 $ scp router.mydomain.com.cer routerboard:router.mydomain.com.cer router.mydomain.com.cer 100% 8888 1.6KB/s 00:00
- SSH into your router and import the certificates
/certificate import file-name=router.mydomain.com.cer /certificate import file-name=router.mydomain.com.key
you can then verify they’re imported. Remember the name of your certificate (used in the last step).
/certificate print Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted # NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT 0 K T router.mydomain.com.cer_0 router.mydomain.com DNS:router.mydomain.com 133713371337133713371337133... 1 L T router.mydomain.com.cer_1 Let's Encrypt Authority X3 713371337133713371337133713...
- Final step, tell your www-ssl service to use the certificate.
/ip service set www-ssl certificate=router.mydomain.com.cer_0
acme.sh already have set up a cronjob for you doing the renewal. You can then use a shell script to automatically upload after renewal. To do so, point to that script –reload-cmd
On the Mikrotik side, you can write a script that checks if there are any certs to import, import them. You can then run this using the Scheduler. Maybe once a day/week or so to make sure you never have outdated certificates.
Example scripts
install_cert.rscupload.bash
fonte: https://www.ollegustafsson.com/en/letsencrypt-routeros/
Thanks Olle Gustafsson
0 comentários:
Postar um comentário