Let's Encrypt certificates for RouterOS / Mikrotik
- Dedicated Linux renew and push certificates to RouterOS / Mikrotik
- After CertBot renew your certificates
- The script connects to RouterOS / Mikrotik using DSA Key (without password or user input)
- Delete previous certificate files
- Delete the previous certificate
- Upload two new files: Certificate and Key
- Import Certificate and Key
- Change SSTP Server Settings to use new certificate
- Delete certificate and key files form RouterOS / Mikrotik storage
Similar way you can use on Debian/CentOS/AMI Linux/Arch/Others
Download the repo to your system
sudo -s
cd /opt
git clone https://github.com/gitpel/letsencrypt-routeros
Edit the settings file:
vim /opt/letsencrypt-routeros/letsencrypt-routeros.settings
Variable Name | Data |
---|---|
ROUTEROS_USER | admin |
ROUTEROS_HOST | 10.0.254.254 |
ROUTEROS_SSH_PORT | 22 |
ROUTEROS_PRIVATE_KEY | /opt/letsencrypt-routeros/id_dsa |
DOMAIN | router.mydomain.com |
Change permissions:
chmod +x /opt/letsencrypt-routeros/letsencrypt-routeros.sh
Generate DSA Key for RouterOS
Make sure to leave the passphrase blank (-N "")
ssh-keygen -t dsa -f /opt/letsencrypt-routeros/id_dsa -N ""
Send Generated DSA Key to RouterOS / Mikrotik
source /opt/letsencrypt-routeros/letsencrypt-routeros.settings
scp -P $ROUTEROS_SSH_PORT /opt/letsencrypt-routeros/id_dsa.pub "$ROUTEROS_USER"@"$ROUTEROS_HOST":"id_dsa.pub"
Check that user is the same as in the settings file letsencrypt-routeros.settings
Check Mikrotik ssh port in /ip services ssh
Check Mikrotik firewall to accept on SSH port
:put "Enable SSH"
/ip service enable ssh
:put "Add to the user DSA Public Key"
/user ssh-keys import user=admin public-key-file=id_dsa.pub
Install CertBot using official manuals https://certbot.eff.org/#ubuntuxenial-other
for Ubuntu 16.04
apt update
apt install software-properties-common -y
add-apt-repository ppa:certbot/certbot
apt update
apt install certbot -y
In the first time, you will need to create Certificates manually and put domain TXT record
follow CertBot instructions
source /opt/letsencrypt-routeros/letsencrypt-routeros.settings
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok
To use settings form the settings file:
./opt/letsencrypt-routeros/letsencrypt-routeros.sh
To use script without settings file:
./opt/letsencrypt-routeros/letsencrypt-routeros.sh [RouterOS User] [RouterOS Host] [SSH Port] [SSH Private Key] [Domain]
To use script with CertBot hooks:
certbot certonly --preferred-challenges=dns --manual -d $DOMAIN --manual-public-ip-logging-ok --post-hook /opt/letsencrypt-routeros/letsencrypt-routeros.sh
You can easily edit script to execute your commands on RouterOS / Mikrotik after certificates renewal Add these strings in the «.sh» file before «exit 0» to have www-ssl and api-ssl works with Let's Encrypt SSL
$routeros /ip service set www-ssl certificate=$DOMAIN.pem_0
$routeros /ip service set api-ssl certificate=$DOMAIN.pem_0
Copyright 2018 Konstantin Gimpel
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.