routeros_ssl
upload, import, and configure Mikrotik RouterOS devices to use SSL / TLS certs (e.g., Let's Encrypt)
2.9K
This is a shell script to copy SSL / TLS certificates from one system, import them into the RouterOS certificate store, and configure HTTP-related services to use them.
While the initial intent and core focus was using certificates signed by Let's Encrypt, there's no dependency on Let's Encrypt, ACME, Certbot, or any particular certificate signing authority. The certificates can even be self-signed, if desired.
This shell script is written to support RouterOS devices produced by Mikrotik. It's extremely unlikely that it will work with any other platform.
Wes Dean is the author of the updates; he can be found on LinkedIn.
The source code for this tool is hosted on GitHub at wesley-dean/routeros_ssl.
This is a shell script written in Bash that uploads certificate and private key files, imports them into RouterOS's certificate store, and configures HTTP-related services to use them.
This script will not generate keys or certificates, not will it cryptographically sign anything. All of that it outside of the scope for this tool.
Version 7 of RouterOS, since roughly September of 2024, supports using Let's Encrypt services natively. However, it requires the use of the ACME HTTP-01 challenge format which requires port 80 of the device to be accessible from the Internet. There's no technical reason why one can't do this; however, exposing port 80 to the Internet on an edge device may have negative consequences with regards to one's risk profile. That is, it's entirely possible so long as one is prepared to accept the risk.
This tool makes use of OpenSSH which is developed and maintained by the makers of OpenBSD. The tool is essentially a Bash script, so it requires GNU Bash.
Because the tool uses SSH to interact with RouterOS-based devices, the SSH service must be enabled on the RouterOS device and an administrative user that will be used is able to connect using SSH. The port to which the SSH service is bound -- typically port 22 -- must be known and accessible via the network where this script will be run.
The tool uses key-based authentication for logging in to the RouterOS device
with SSH. Therefore, the public portion of the key must be previously
associated with the RouterOS user that will be used to upload the files,
import them, and configure services to use them. It's highly recommended that
the RouterOS device's host key be stored in the local user's .ssh/known_hosts
file prior to running the script.
Lastly, the tool requires a signed SSL / TLS certificate and its corresponding private key. The tool will default to the standard location where Let's Encrypt would locally store keys (privkey.pem) and signed certificates (cert.pem), namely:
/etc/letsencrypt/live/$DOMAIN/
These are requirements that need to exist before the script is run. Without them, the script will fail.
Again, this script will not generate nor sign certificates -- they need to exist first.
The tool can be configured by several mechanisms:
The tool will look for .env and letsencrypt-routeros.settings in the
current directory, in that order. If both files exist, the .env file is
read first, then the letsencrypt-routeros.settings file. Parameters in
.env file are overridden by everything else. It is recommended that only
one of the two files is present to simplify debugging.
Both of these files are sourced as Bash scripts. Therefore, the entirety of
the Bash scripting language is available for use. That said, it's likely for
the best to use structures typically found in a .env file:
# comment
PARAMETER="value"
The supported parameters include:
ROUTEROS_USER: the username for the account on the RouterOS device to use
to upload the files, import them, and configure services. This is likely
a user with administrative privileges. It's recommended for audit purposes
that this be a service account with minimally-scoped privileges.ROUTEROS_HOST: this is the hostname or IP address of the RouterOS device
that is being configured.ROUTEROS_SSH_PORT: this is the port on the RouterOS device where the SSH
service is bound listening for incoming connections. The standard port for
SSH is 22, but it may be different depending on the installation.ROUTEROS_PRIVATE_KEY: this is the location on the local system that has the
private portion of an SSH key used to authenticate to the RouterOS user that
was previously mentioned. The public portion of this key must be associated
with the RouterOS user account.DOMAIN: this is the domain that is being supported by this certificate. It
must be compatible with the domain name used with the certificate -- it can
be the exact hostname or the certificate can be a wildcard certificate that
includes this hostname. It is used to name the private key and certificate
in the RouterOS certificate store as well as the default location of the
private key and certificate on the local system.CERTIFICATE: this is the path and filename of the signed certificate,
typically found at /etc/letsencrypt/live/$DOMAIN/cert.pemKEY: this is the path and filename of the private key, typically found at
/etc/letsencrypt/live/$DOMAIN/privkey.pemROUTEROS_SSH_OPTIONS: these are any additional options to pass along to
ssh or scp (e.g., -o PubkeyAcceptedAlgorithms=ssh-rsa)Additionally, the script accepts several options at runtime as command line options:
CERTIFICATE]DOMAIN]ROUTEROS_HOST]KEY]$ROUTEROS_PRIVATE_KEY]$ROUTEROS_SSH_OPTIONS]$ROUTEROS_SSH_PORT]$ROUTEROS_USER]Lastly, options may be provided positionally:
ROUTEROS_USERROUTEROS_HOSTROUTEROS_SSH_PORTROUTEROS_PRIVATE_KEYDOMAINFor example:
$ letsencrypt-routeros.bash admin 192.168.1.1 22 ~/.ssh/id_rsa example.com
Assuming that the previously-mentioned requirements are met:
the script may be invoked the same was as most other Bash scripts. It may be invoked on an ad-hoc basis from the command line, via cron script, as a post-validation hook run by Certbot, as a containerized service, etc..
A containerized image is available to expedite installation and usage. The image is compatible with Docker, Podman, and more, is available on DockerHub and GitHub Container Registry:
The tool, a Bash script, uses OpenSSH to interact with RouterOS devices; it doesn't require additional network access, special tooling, capabilities, etc. access to hosting providers, etc..
The tool doesn't generate or sign certificates or private keys. It only
uploads, imports, and configures existing signed certificates (and their
private keys). Therefore, the directory where the certificates and their
private keys must be provided to the container. Typically certbot will use
symbolic links (symlinks) to reference the current version of a certificate and
its key; therefore, it's recommended to bind-mount the volume above the live
directory (e.g., /etc/letsencrypt).
It's also possible to mount specific files (the cert.pem and privkey.pem
files generated by certbot, for example) and update the CERTIFICATE and KEY
parameters, respectively.
It's also possible to avoid using bind mounts by creating a named volume and mounting that. The certificate and its private key would need to be managed by another process.
It's encouraged to use environment variables to configure the container at runtime. In the event that this would prove difficult to manage, one may also mount the directory where the configuration file is located and set the working directory for the container to where the configuration file would be exposed on the container's filesystem.
A container may be substantiated with:
docker run \
--rm \
-it \
-v "/etc/letsencrypt/:/etc/letsencrypt:ro" \
-v "${PWD}:/var/run/routeros-ssl/:ro" \
-w "/var/run/routeros-ssl/" \
docker.io/wesleydean/routeros_ssl:latest
The image is rebuilt when pull requests are merged into the repository's
main branch and are tagged edge. Images are tagged with latest when a
release is created. Therefore, latest is generally stable. There are also
images tagged on commits, major, major.minor, and major.minor.patch releases.
For reliability and repeatability, tagging to specific hashes is the
recommended approach (rather than latest)
The container runs as a non-privileged user (user 1000 aka user). By
default, /etc/letsencrypt is usually inaccessible by non-privileged users.
Therefore, one may either:
-u root) to the command)/etc/letsencrypt with either chown and/or chmodThere are risks associated with each approach. Please consider reviewing the certbot documentation on file locations and permissions for more information.
One may build the image locally without extraneous considerations:
docker build -t routeros_ssl .
This script was based on the file work by kiprox and GPL3-licensed code uploaded to the kiprox/mikrotik-ssl repo on GitHub.
Efforts were made to retain compatibility with the original script with minimal changing required. The logic used with the original script remains unchanged (with few small exceptions), so there is likely very little reason to change tools.
.env as a configuration file in addition to
letsencrypt-routeros.settings file that was previously supportedCERTIFICATE and KEY at runtime using
either a configuration file or the flag-based command line optionswww-ssl and api-ssl was added to the existing SSTP
supportContent type
Image
Digest
sha256:ec0135a22…
Size
6.1 MB
Last updated
2 months ago
docker pull wesleydean/routeros_ssl:sha-b80623487c161a0fef6502adc7af738c507fc848