Enabling HTTPS access to a Mikrotik router with a Let's Encrypt certificate
- Generate the certificate locally with certbot using the DNS challenge (the router itself does not need to expose port 80 or 443 to the ACME server for this)
$ sudo certbot -d your.domain.name --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
/usr/local/Cellar/certbot/0.22.2/libexec/lib/python3.6/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
dns-01 challenge for your.domain.name

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.your.domain.name with the following value:

[random string to be copied as DNS TXT value]

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Publish the challenge as a TXT record in your DNS zone, and check from outside (here via 8.8.8.8) that it has propagated before pressing Enter:
$ dig _acme-challenge.your.domain.name TXT

; <<>> DiG 9.9.7-P3 <<>> _acme-challenge.your.domain.name TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36199
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.your.domain.name. IN TXT

;; ANSWER SECTION:
_acme-challenge.your.domain.name. 899 IN TXT "[the random string]"

;; Query time: 59 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Mar 29 13:06:36 BST 2018
;; MSG SIZE rcvd: 1201, 14
- Proceed
[Press Enter in the terminal where certbot is waiting]
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your.domain.name/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your.domain.name/privkey.pem
   Your cert will expire on 2018-06-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# cd /etc/letsencrypt/live/your.domain.name/
# ls
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
- In practice, from here on it is better to follow the GitHub script referenced below, which can also renew the certificate and upload it to the router over SSH. Note that a certificate obtained with --manual cannot be renewed unattended by "certbot renew" unless a --manual-auth-hook (and --manual-cleanup-hook) that updates the TXT record is supplied, or a DNS plugin for your provider is used instead; the files under live/ are symlinks to the latest issuance in archive/, and privkey.pem is readable by root only.
Uploading files
Files > Upload:
Upload cert.pem, chain.pem and privkey.pem. The private key is required: without it the imported certificate has no key attached and cannot be selected for www-ssl.
Importing certificates
Go to System > Certificates > Import
Import cert.pem first, then privkey.pem (the key attaches to the certificate with the matching public key, which then shows the K flag), then chain.pem. Once the import has succeeded, delete privkey.pem from Files: anything left there can be downloaded by every RouterOS user with read access to the file store.
Enabling SSL on our web server
On Webfig go to IP > Services and click www-ssl. Select the imported certificate (RouterOS names it after the file, with an _0 suffix, e.g. cert.pem_0), check Enabled and click Ok.
Enabling external traffic to reach our HTTPS web server
IP > Firewall: Add new
Chain: input, Protocol: tcp, Dst. Port: 443, Action: accept. Click Ok.
Move the rule to the right position in the chain (above the rules that drop input traffic). Restrict it with Src. Address, or an address list of trusted hosts, unless the router's web interface really has to be reachable from the whole internet; once www-ssl works, disable the plain-HTTP www service so credentials are never sent in clear.
- Alternatively, upload and configure the script from https://github.com/GabrieleV/letsencrypt-routeros, which copies the certificate and key to the router and imports them over SSH.
- Finish by pointing the www-ssl service at the imported certificate (the name is the uploaded file name with an _0 suffix; confirm it with /certificate print):
/ip service set www-ssl certificate=fire.ronchetti.it.pem_0 disabled=no
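The whole deployment step, from the certbot output directory to a working www-ssl service, as an added shell example (this is not the page's own procedure nor the letsencrypt-routeros script, just the same sequence automated). It assumes, none of which the page states, that the router accepts SSH key authentication for ROUTER_USER, that the ssh service is enabled on the router, and that the certbot live directory for DOMAIN is readable by the caller (it is root-only by default). The certificate name it builds relies on RouterOS naming an imported certificate after its file with an _0 suffix, as in the fire.ronchetti.it.pem_0 example above.

```sh
#!/bin/sh
# Added example: push a certbot-issued certificate to RouterOS over scp/ssh
# and switch www-ssl to it. Not code from the page or from letsencrypt-routeros.
# Assumptions (not from the page): SSH key auth for $ROUTER_USER, ssh service
# enabled on the router, $LIVE_DIR readable by whoever runs this.
set -eu

DOMAIN="${DOMAIN:-your.domain.name}"
ROUTER="${ROUTER:-192.168.88.1}"
ROUTER_USER="${ROUTER_USER:-admin}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"

# Build the RouterOS command sequence for one upload. Kept side-effect free so
# it can be reviewed (or tested) before anything is sent to the router.
# A date stamp in the file name gives each renewal a distinct, predictable
# certificate name (<file>_0), so the service switches to the new entry and
# the previous one can be removed afterwards with /certificate remove.
routeros_commands() {
    domain="$1"; stamp="$2"
    cert_file="$domain-$stamp.pem"
    key_file="$domain-$stamp.key"
    cat <<EOF
/certificate import file-name=$cert_file passphrase=""
/certificate import file-name=$key_file passphrase=""
/ip service set www-ssl certificate=${cert_file}_0 disabled=no
/file remove $cert_file
/file remove $key_file
EOF
}

# Upload fullchain.pem (leaf + intermediate, so no separate chain import) and
# privkey.pem, run the import sequence, then delete both uploads: files left
# in the router's store are downloadable by any user with read access.
deploy_cert() {
    domain="$1"; stamp="$(date +%Y%m%d%H%M)"
    scp "$LIVE_DIR/fullchain.pem" "$ROUTER_USER@$ROUTER:$domain-$stamp.pem"
    scp "$LIVE_DIR/privkey.pem"   "$ROUTER_USER@$ROUTER:$domain-$stamp.key"
    # ssh -n: keep ssh from swallowing the rest of the piped command list.
    routeros_commands "$domain" "$stamp" | while IFS= read -r cmd; do
        ssh -n "$ROUTER_USER@$ROUTER" "$cmd"
    done
}

# Check the result from the client side: the chain served on 443 must verify
# against the system CA store and carry the expected subject and expiry.
verify_tls() {
    domain="$1"
    openssl s_client -connect "$ROUTER:443" -servername "$domain" \
        -verify_return_error </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

case "${1:-}" in
    deploy)   deploy_cert "$DOMAIN" ;;
    verify)   verify_tls "$DOMAIN" ;;
    commands) routeros_commands "$DOMAIN" "$(date +%Y%m%d%H%M)" ;;
    *)        : ;;   # no action when sourced or run without a verb
esac
```

Run it as `DOMAIN=your.domain.name ROUTER=... ./deploy.sh commands` first to see exactly what will be executed on the router, then `deploy` and `verify`. Leave ssh's default host-key checking in place: the first connection records the router's host key, and a later mismatch is the signal that you are about to hand the private key to the wrong box. Because the key is never stored on the router beyond the import, a renewal is just another `deploy` run, which is what a certbot deploy hook would call.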
- HOWTO: Letsencrypt SSL certificate in Mikrotik - Albert Sola
- letsencrypt-routeros/letsencrypt-routeros.sh at master · gitpel/letsencrypt-routeros
Self-signed certificate
For a router reached only by IP address on the LAN, a local CA and a server certificate signed by it can be generated on the router itself. Modern browsers ignore the common name and check the subject alternative name, so set that to the IP as well; then export LocalCA (/certificate export-certificate LocalCA) and add it to the clients' trust store, otherwise every browser will still warn.
/certificate add name=LocalCA common-name=LocalCA key-usage=key-cert-sign,crl-sign
/certificate sign LocalCA
/certificate add name=Webfig common-name=192.168.88.1 subject-alt-name=IP:192.168.88.1 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign Webfig ca=LocalCA
/ip service set www-ssl certificate=Webfig disabled=no