So the two ingredients in the secret sauce are that the router automates the 90-day renewals on its own, and the cloud feature informs the router to use letsencrypt as the certificate service. Amazing!
@Graham_Rule
A year ago
Thanks. That's great. Could you do a printable version of these instructions (eg in the video description)?
@jembodo
A year ago
"Which is pretty much bragging...and no one likes that even if you have the MOST POWERFUL router ever."😂
@rubenduarte4909
A year ago
Thank you for all these videos! They are really helpful and provide invaluable insight and information!! Would it be possible to do a video about bridge VLANs? A "RouterOS v7 bridge VLANs Definitive Edition"? I still see a lot of debate about bridge VLANs, and I myself am also not completely sure that the way I do it is the right way...
@oscarcam9804
A year ago
Nice information! Thanks
@vanomel528
A year ago
Thanks, Druvis. I noticed you using Winbox under Wine, and if you are a perfectionist like me you may be pained by the wrong text font width at 4:52. You can solve the issue just by replacing the wrong Wine Tahoma font.
@Smithdude_
3 months ago
I think there are more addresses missing from the LE list; I'm unable to complete validation when I include the source list in the firewall rule.
@MikeKrasnenkov
8 months ago
Let's Encrypt is great for publicly accessible websites. On the contrary, a router's management interface should preferably not be accessible publicly. This is why supporting a self-hosted CA that implements ACME provisioning would be better. Given that you already have ACME support in place for Let's Encrypt, do you have any plans to provide an option to specify a custom ACME directory URL so that this feature can work with a self-hosted provisioner without requiring public access?
@flove7808
A year ago
DNS entries in firewall address lists are resolved at TTL expiry for that entry.
@dlchristman2
A year ago
Aside from the LE address list not being sufficient to renew when the cert expires, it seems a reboot is needed for the new certificate to be seen after a renewal. After a reboot I also had to re-select the certificate in the SSTP Server configuration. It showed the new cert prior to reboot; after reboot 'none' was selected.
@willyelvis9369
A year ago
Congratulations everyone, let's encrypt 😂❤
@nlsqrs1
A year ago
Loved the video. Do you have the IPv6 addresses?
@kirksteinklauber260
A year ago
Wow, very nice!!! This method only works if you have a public IP on the WAN interface of the router, I would assume. CGNAT will not work for sure.
@WyzerDev
A year ago
Great!! ... can you add Let's Encrypt's DNS entries in the description??
@rtakac
A year ago
Is there a way to do this with a self-hosted ACME CA?
@blindside995
A year ago
Fantastic stuff! What about DNS challenges through ACME?
@Samiron
11 months ago
In case your router supports containers, you could do it. There are plenty of Docker containers for different registrars. I don't think there will ever be general support for the DNS challenge in MikroTik, since every registrar (or whoever manages your domain) has their own API and it's almost impossible to support them in a general way.
@MrLupoNino
A year ago
I have a question: if that certificate will be used for web-ssl management, 90 days later when we delete it and generate a new one, do we need to configure web-ssl again to use the new certificate?
@wreckedzilla
A year ago
:D Great, thanks
@VinzentTPryce
A year ago
I'd suggest adding the LE hostnames to the video description so they can just be copied and pasted.
@pnutbuttajellee1394
A year ago
Is the "enable-ssl-certificate" command only supported in v7.x?
@ManuEvans
A year ago
The LE address list seems to be incomplete. This doesn't work for me; the challenge attempts come from somewhere else. Can you update with the complete list?
@rootsys5196
A year ago
How could we make it work when NAT exists and port 80 is used for an internal web server?
@MrLupoNino
A year ago
Could you please share the names of the address list used in the description?
@dj9choco
A year ago
Finally, finally. I need some time to get the nginx reverse proxy set up for these requests, but finally.
@dj9choco
A year ago
Otherwise it is done manually, and it was a mess handling an internal CA, and Let's Encrypt wasn't an option for 10+ routers. With this I'll be up and running in no time.
@JirkaHarcarik
A year ago
Well, it seems that LE uses more than those 3 servers. When I opened those servers in the input list, it didn't work. I could see many IP addresses trying to connect at the time of issuing a certificate from LE. Pity.
@vladkarpenko2649
A year ago
Yep, it seems that no one actually checked that method before making the video 😀
@jucosorin
A year ago
Hi @MikrTik. I followed the instructions to the letter. While I have the www service and the firewall rule enabled, I am able to access WebFig, so I guess that port 80 is accessible from the WAN. I have the DDNS working, because I'm using the DNS name for my tests. When I run enable-ssl-certificate I get a "progress: [error]" message. Any ideas? Any debugging info which could help me solve this issue?
@imaspower
A year ago
Same problem... any idea?
@jucosorin
A year ago
@@imaspower Yes, my router was connecting to the internet through the ISP's router. I opted for a direct connection and everything was OK. Otherwise you need to do some port forwarding from the ISP's router to get this working.
@isaken5186
A year ago
What if the router is behind a NAT?
@kiwi31
2 months ago
Same as others: I'm unable to renew certificates. Stuck at the "validation" step. Does anyone have an idea, please?
@FunkyKong
2 months ago
I don't get why you would not use DNS challenges. It doesn't seem like a good idea to encourage anyone to expose the web UI.
@hey_leao
A year ago
I did the exact same config and got "Progress: [error] err". RB951G-2HnD, RouterOS 7.6.
@jucosorin
A year ago
Same here. Is there a way for us to get some debug on this?
@phillipsaw
A year ago
Same here. Can anyone confirm that this still works for them?
@jucosorin
A year ago
@@phillipsaw It works just fine. For me, the problem was that the ISP router, sitting in front of the MikroTik, was blocking port 80 even though I did a port forward.
@SOHOLAB
8 months ago
Thanks Druvis, always perfect content. I'm doing everything step by step but I'm stuck after "enable-ssl-certificate", getting the error "check that www enabled". Do you have some suggestions? Thanks
@mikrotik
8 months ago
If 'www' is enabled under the IP service section and it still fails, check if you can access your router's WebFig using the DDNS name.
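As an added illustration (not part of the thread and not MikroTik's reply above), here is the check sequence that reply implies, written as RouterOS v7 CLI commands. The DNS name is a placeholder for the one your own router shows under /ip/cloud; `enable-ssl-certificate` is the command the thread discusses; the final `address=` restriction on www-ssl is an assumption about how a practitioner would keep the TLS management interface off the WAN while only port 80 stays reachable for the HTTP-01 validation and later renewals:

```routeros
# Constructed example; replace the placeholder DNS name with the one printed by /ip/cloud print.

# 1. Confirm the cloud DDNS name the router will request the certificate for.
/ip/cloud set ddns-enabled=yes
/ip/cloud print

# 2. The HTTP-01 challenge needs the www service (port 80) enabled and reachable from the
#    internet under that name; "check that www enabled" is the error when it is not.
/ip/service set www disabled=no
/ip/service print where name=www

# 3. Request the certificate; progress is printed, and the router renews it itself afterwards.
/certificate/enable-ssl-certificate dns-name=PLACEHOLDER.sn.mynetname.net

# 4. Defensive follow-up (assumption): limit the TLS management interface to the LAN,
#    since only port 80 has to remain reachable for validation and renewal.
/ip/service set www-ssl disabled=no address=192.168.88.0/24
```

If step 3 reports an error, first test that WebFig on port 80 answers when opened by the DDNS name from outside your network; an upstream ISP router or CGNAT in front of the MikroTik is the usual reason it does not, as several replies in this thread describe.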
@SOHOLAB
8 months ago
Thanks a lot @@mikrotik for the fast response! I got it to work! I just started again from the very beginning.
@intp7th
A year ago
Please, once again for the stupid. Can I remove certbot from my Ubuntu server and get certificates with my MikroTik? Will it be updated every 3 months by my router? How will it be delivered to my website URL, hosted on my Ubuntu server?
@mikrotik
A year ago
No, these certificates are for the router itself, not for your Ubuntu.
@mahamatahmat6720
A year ago
Hi, can we do this with a domain name? I want to use it with my domain name.
@mikrotik
A year ago
Question unclear. You can only do this with a domain name.
@mahamatahmat6720
A year ago
@@mikrotik I want to do it with my domain name.
@mahamatahmat6720
A year ago
@@mikrotik In the example, you used the default domain name, and I have a domain name and I linked it with my domain name.
@mikrotik
A year ago
I still don't understand. This feature is only for your own domain name. Yes, just use it like in the video :) You will need a publicly available domain name, so that LetsEncrypt can reach you. You will have to buy a domain name (they are cheap, from 0.99 USD). You can't do this with an imaginary domain name, yes.
@mahamatahmat6720
A year ago
@@mikrotik OK, thank you for your answer.
@anfedoro
26 days ago
Dynamic LetsEncrypt addressing is not sufficient.. as I see in the log, queries to port 80 were sent from a bunch of different addresses during enable-ssl-certificate.. none of them matched the dynamic list records.. So far this is useless.
@mikrotik
25 days ago
Letsencrypt issues an SSL certificate for the DNS name you specify. It has no need for and does not care about your IP addresses at all.
Comments: 52