I bought yet another switch (this time a MikroTik CRS305-1G-4S+) for my homelab, both for data transfers but also to learn how to automate it with Ansible. One of my first discoveries with this device was it’s native ACME support, even for internal CAs!

Overview #

The process was something like this:

1. Set a password for the default admin user
2. Use FTP to transfer my certificate authority to the switch
3. Import CA as a trusted authority
4. Enable automatic certificate renewals using ACME

I’m using an internal certificate authority for all of this, but with some minor changes I think you can use this with letsencrypt.org certificates, even though it is a bad idea to expose your switchs management interface on the Internet!

FTP transfer #

Save your CA as PEM, upload to the MikroTik device:

$ lftp ansible@crs305.example.com
Password:
lftp ansible@crs305.example.com:~> put ca.crt
1547 bytes transferred

Importing CA as a trusted authority #

/certificate/import name=ca-example-com file-name=ca.crt
/certificate/print

Automatic certificate renewal #

Adjust values according to your local setup¹

/certificate/enable-ssl-certificate directory-url=https://ca.example.com/acme/directory dns-name=crs305.example.com

If that goes well, your web interface will now be served with TLS!

$ curl -u ansible:your-password-here https://crs305.example.com/rest/system/resource
{"architecture-name":"arm","board-name":"CRS305-1G-4S+","build-time":"2024-07-24 10:39:01","cpu":"ARM","cpu-count":"2","cpu-frequency":"800","cpu-load":"2","factory-software":"6.46.8","free-hdd-space":"3764224","free-memory":"470945792","platform":"MikroTik","total-hdd-space":"16515072","total-memory":"536870912","uptime":"11h34m19s","version":"7.15.3 (stable)","write-sect-since-reboot":"315","write-sect-total":"464"}

Resources:

• https://help.mikrotik.com/docs/display/ROS/Certificates
• https://help.mikrotik.com/docs/display/ROS/REST+API