
From RouterOS's webfig CLI I attempted to create a LetsEncrypt cert:

certificate/enable-ssl-certificate dns-name=my.domain.com 

But it returned the error:

progress: [error] http challenge validation failed, please make sure www service is enabled and your device is accessible by letsencrypt.org servers

I checked that both TCP/80 & TCP/443 were open on the router's Input chain, but the error was clear these were closed.

What other dependencies are required to create the correct connectivity to successfully install the LetsEncrypt cert?!?!?

1 Answer

I was installing a LetsEncrypt cert on a MikroTik using only an IPv6 Global Unicast address which had me investigating IPv6 configuration. But this was a red-herring, and the issue I had could happen equally with an IPv4 address:

In addition to opening TCP/80 & TCP/443 in the FW for LetsEncrypt to reach the router, I had to also add "allow" addresses in ip/service for www(TCP/80) & www-ssl (TCP/443) which LetsEncrypt could reach to complete the cert registration process. Once I did this, the error cleared.

MikroTik does this to stop users from cutting their own heads off by mistakenly cracking open TCP/80 and/or TCP/443 on the input chain and unwittingly exposing a management interface to an unintended audience. So you have to make an express decision to allow this connectivity. The same is also true for SSH connectivity.

Note that although ip/services lives in the IPv4 part of the interface, you add IPv6 addresses here also to allow IPv6 HTTP/S connectivity.

Hopefully this will save others a lot of wasted time... D'Oh!
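The steps the answer describes, written out as an added example (not commands from the question or answer). It assumes RouterOS v7 path syntax, that my.domain.com resolves to the router's public IPv4 and IPv6 addresses, and that the www/www-ssl services had previously been restricted to a management prefix (192.168.88.0/24 is a placeholder). Let's Encrypt does not publish fixed validation source addresses, so the service allow-list is widened rather than pinned to specific peers.

```routeros
# 1. Let the validation requests reach the router: accept TCP/80 and TCP/443 on the
#    input chain, placed before any existing drop rule (place-before=0 puts it first).
/ip/firewall/filter add chain=input protocol=tcp dst-port=80,443 \
    action=accept comment="LetsEncrypt HTTP-01 validation" place-before=0
/ipv6/firewall/filter add chain=input protocol=tcp dst-port=80,443 \
    action=accept comment="LetsEncrypt HTTP-01 validation" place-before=0

# 2. The firewall alone is not enough: the www and www-ssl services keep their own
#    allow-list. Keep the management prefix and add the any-address prefixes so the
#    validator can connect. IPv6 prefixes go in /ip/service too (see the answer).
/ip/service set www     address=192.168.88.0/24,0.0.0.0/0,::/0 disabled=no
/ip/service set www-ssl address=192.168.88.0/24,0.0.0.0/0,::/0 disabled=no

# 3. Request the certificate; progress lines are printed until it succeeds.
/certificate/enable-ssl-certificate dns-name=my.domain.com

# 4. Verify: the service allow-lists and the issued certificate.
/ip/service print detail where name=www or name=www-ssl
/certificate print detail
```

The www listener is now reachable from any source that the firewall accepts, which is exactly the exposure the answer warns about; review the input-chain rules and service allow-lists once the certificate shows up in /certificate print.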
