Monday, 6 February 2017

Mikrotik - Use Let’s Encrypt SSL certificate on Mikrotik RouterOS

These are step-by-step instructions on how to import and use a Let’s Encrypt SSL certificate on your Mikrotik routerboard.
There are a number of Let’s Encrypt clients out there. But my favourite so far is acme.sh by . The only requirement is a shell. It works fine running as an unprivileged user as well.
In the steps below, I’m using DNS validation, but of course you can use web-based validation as well.
In that case, forward a port to the computer running acme.sh and use --standalone and --httpport (if you use a non-standard port) instead of --dns.

Installation

  1. Download and install acme.sh. Or, if you’re in “dont-really-care-what-i-download-and-run” mode:
    $ curl https://get.acme.sh | sh
  2. Then issue a new certificate:
    $ acme.sh --issue --dns -d router.mydomain.com
  3. Add the TXT record displayed to your DNS. Look for this:
    Domain: '_acme-challenge.router.mydomain.com' 
    TXT value: 'iamNo7r3alIaHacK3rbutItc4nBfunM3ss1nGaroUnD'
  4. After you’ve added your TXT record, issue a renewal:
    $ acme.sh --renew -d router.mydomain.com
    [thu 12 jan. 2017 20:06:09 CET] Renew: 'router.mydomain.com' 
    [thu 12 jan. 2017 20:06:09 CET] Single domain='router.mydomain.com' 
    [thu 12 jan. 2017 20:06:09 CET] Getting domain auth token for each domain 
    [thu 12 jan. 2017 20:06:09 CET] Verifying:router.mydomain.com 
    [thu 12 jan. 2017 20:06:14 CET] Success 
    [thu 12 jan. 2017 20:06:14 CET] Verify finished, start to sign. 
    [thu 12 jan. 2017 20:06:15 CET] Cert success.
  5. Install your cert. And yes, you should specify the same file for --capath and --certpath.
    $ acme.sh --installcert -d router.mydomain.com \
              --capath /home/certs/router.mydomain.com.cer \
              --certpath /home/certs/router.mydomain.com.cer \
              --keypath /home/certs/router.mydomain.com.key
    [thu 12 jan. 2017 20:18:03 CET] Installing cert to:/home/certs/router.mydomain.com.cer
    [thu 12 jan. 2017 20:18:03 CET] Installing CA to:/home/certs/router.mydomain.com.cer
    [thu 12 jan. 2017 20:18:03 CET] Installing key to:/home/certs/router.mydomain.com.key
    You now have two files to upload to your Mikrotik device: router.mydomain.com.key and router.mydomain.com.cer.
  6. Upload the two files to your Mikrotik. I’m assuming you have ssh enabled and can login.
    $ scp router.mydomain.com.key routerboard:router.mydomain.com.key
    router.mydomain.com.key                              100% 1337     1.6KB/s   00:00
    $ scp router.mydomain.com.cer routerboard:router.mydomain.com.cer
    router.mydomain.com.cer                              100% 8888     1.6KB/s   00:00
  7. SSH into your router and import the certificates:
    /certificate import file-name=router.mydomain.com.cer
    /certificate import file-name=router.mydomain.com.key
    
    You can then verify that they’re imported. Remember the name of your certificate (it is used in the last step).
    /certificate print
    Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
     #        NAME                       COMMON-NAME                 SUBJECT-ALT-NAME         FINGERPRINT                   
     0 K    T router.mydomain.com.cer_0  router.mydomain.com         DNS:router.mydomain.com  133713371337133713371337133...
     1   L  T router.mydomain.com.cer_1  Let's Encrypt Authority X3                           713371337133713371337133713...
  8. Final step, tell your www-ssl service to use the certificate.
    /ip service set www-ssl certificate=router.mydomain.com.cer_0
And that’s it!
acme.sh has already set up a cronjob for you that does the renewal. You can then use a shell script to automatically upload the new files after each renewal. To do so, point --reload-cmd at that script so it is run after renewal.
On the Mikrotik side, you can write a script that checks whether there are any certificate files to import and imports them. You can then run this using the Scheduler, maybe once a day or week or so, to make sure you never have outdated certificates.
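As an added example of the renewal automation described above (it is not the post's own upload.bash or install_cert.rsc), the following POSIX shell script is meant to be passed to acme.sh as --reload-cmd: it checks the two files, copies them to the router with scp and runs the import and www-ssl commands from steps 7 and 8 over ssh. Assumptions not taken from the page: the ssh host alias "routerboard", the certificate directory /home/certs, the DRY_RUN switch, the passphrase="" argument to /certificate import (which suppresses the interactive passphrase prompt in a non-interactive ssh session), and the final /certificate print filter.

```shell
#!/bin/sh
# upload-cert.sh: push a renewed Let's Encrypt certificate to a MikroTik router
# and import it. Added example; not the original post's upload.bash.
# Assumed defaults (override with environment variables): host alias "routerboard",
# files under /home/certs, domain router.mydomain.com, DRY_RUN=1 to only print.
set -eu

DOMAIN="${DOMAIN:-router.mydomain.com}"
ROUTER="${ROUTER:-routerboard}"
CERT_DIR="${CERT_DIR:-/home/certs}"
DRY_RUN="${DRY_RUN:-0}"

# Emit the RouterOS commands for one renewal: import the chain file, import the key,
# and point www-ssl at the leaf certificate. RouterOS names the first certificate in
# the file "<file>_0" and the CA "<file>_1", as the /certificate print output shows.
# passphrase="" is an assumption: it avoids the interactive prompt over ssh.
routeros_import_commands() {
    domain="$1"
    printf '%s\n' \
        "/certificate import file-name=${domain}.cer passphrase=\"\"" \
        "/certificate import file-name=${domain}.key passphrase=\"\"" \
        "/ip service set www-ssl certificate=${domain}.cer_0"
}

# Refuse to upload unless both files exist and the private key is not readable by
# group or others. Returns 0 when everything is in order, 1 otherwise.
check_files() {
    dir="$1"
    domain="$2"
    cer="${dir}/${domain}.cer"
    key="${dir}/${domain}.key"
    [ -s "$cer" ] || { echo "missing or empty $cer" >&2; return 1; }
    [ -s "$key" ] || { echo "missing or empty $key" >&2; return 1; }
    # Portable permission check: columns 5-10 of ls -l are the group/other bits.
    perms=$(ls -l "$key" | cut -c5-10)
    case "$perms" in
        *r*) echo "private key $key is group/world readable ($perms)" >&2; return 1 ;;
    esac
    return 0
}

main() {
    check_files "$CERT_DIR" "$DOMAIN"
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: scp ${CERT_DIR}/${DOMAIN}.cer ${CERT_DIR}/${DOMAIN}.key ${ROUTER}:"
        routeros_import_commands "$DOMAIN" | sed 's/^/would run on router: /'
        return 0
    fi
    # Both files travel inside the ssh channel; the key is never sent in clear.
    scp -q "${CERT_DIR}/${DOMAIN}.cer" "${CERT_DIR}/${DOMAIN}.key" "${ROUTER}:"
    # One ssh invocation per RouterOS command so a failure stops the script (set -e).
    routeros_import_commands "$DOMAIN" | while IFS= read -r cmd; do
        ssh "$ROUTER" "$cmd"
    done
    # Show what the router now has so the operator can compare it with the local file.
    ssh "$ROUTER" "/certificate print where name~\"${DOMAIN}\""
}

# Only run when executed as the script itself, not when sourced for testing.
case "${0##*/}" in
    upload-cert.sh) main "$@" ;;
esac
```

Register it once with `acme.sh --installcert ... --reload-cmd "/home/certs/upload-cert.sh"`; acme.sh then runs it after every successful renewal from its cronjob. Setting `DRY_RUN=1` in the environment prints the scp and RouterOS commands without connecting, which is a convenient way to check the paths before the first real run.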

Example scripts

install_cert.rsc
upload.bash

Source: https://www.ollegustafsson.com/en/letsencrypt-routeros/

Thanks Olle Gustafsson
