In this article I explore how to obtain certificates from Let's Encrypt with cert-manager in a Kubernetes cluster and then upload them to a MikroTik router.
Let's Encrypt
From the RouterOS console we can list the current service configuration and see which certificate each TLS service uses. Here www-ssl and api-ssl still use the router's self-signed certificate, and the plaintext api service is disabled (flag X):
[admin@router] /ip/service> print
Flags: X, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE, VRF
#   NAME     PORT  ADDRESS          CERTIFICATE     VRF
0   telnet   23    192.168.88.0/24                  main
1   ftp      21    192.168.88.0/24
2   www      80    192.168.88.0/24                  main
3   ssh      22    192.168.88.0/24                  main
4   www-ssl  4430  192.168.88.0/24  selfsigned.crt  main
5 X api      8728  192.168.88.0/24                  main
6   winbox   8291  192.168.88.0/24                  main
7   api-ssl  8729  192.168.88.0/24  selfsigned.crt  main
Upload the certificate
Copy the certificate and the private key into the router's file storage with scp (the router's ssh service must be reachable from where you run this):
scp wildcard.domain.tld.crt user@router:
scp wildcard.domain.tld.key user@router:
Import the certificate
Import the certificate first and the key second; RouterOS attaches the key to the already imported certificate whose public key it matches. The key import prompts for a passphrase, which is empty for a cert-manager key:
/certificate/import file-name=wildcard.domain.tld.crt
/certificate/import file-name=wildcard.domain.tld.key
RouterOS names the imported certificate after the file with a numeric suffix, here wildcard.domain.tld.crt_0; check the name with /certificate/print. The uploaded key file stays in the router's file list after the import and should be removed from there.
Activating the certificate
From the /ip/service context, point both TLS services at the imported certificate and enable www-ssl:
[admin@router] /ip/service> set www-ssl certificate=wildcard.domain.tld.crt_0 disabled=no
[admin@router] /ip/service> set api-ssl certificate=wildcard.domain.tld.crt_0
Verifying the certificate
Listing the services again shows www-ssl and api-ssl using the Let's Encrypt certificate instead of the self-signed one:
[admin@router] /ip/service> print
Flags: X, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE, VRF
#   NAME     PORT  ADDRESS          CERTIFICATE                VRF
0   telnet   23    192.168.88.0/24                             main
1   ftp      21    192.168.88.0/24
2   www      80    192.168.88.0/24                             main
3   ssh      22    192.168.88.0/24                             main
4   www-ssl  4430  192.168.88.0/24  wildcard.domain.tld.crt_0  main
5 X api      8728  192.168.88.0/24                             main
6   winbox   8291  192.168.88.0/24                             main
7   api-ssl  8729  192.168.88.0/24  wildcard.domain.tld.crt_0  main
Automating
cert-manager stores the issued certificate in a Kubernetes TLS secret (here wildcard.domain.tld-tls) with the base64-encoded certificate chain in tls.crt and the private key in tls.key. Extracting both files is a kubectl call plus base64 decoding, after which they can be uploaded to the router exactly as above:
kubectl get secret wildcard.domain.tld-tls -o json | jq -r '.data."tls.crt"' | base64 -d > wildcard.domain.tld.crt
kubectl get secret wildcard.domain.tld-tls -o json | jq -r '.data."tls.key"' | base64 -d > wildcard.domain.tld.key
TODO: Provide an example of scripting the upload of the certificate and key to the router.
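As an added example that is not part of the original article, the following POSIX shell script ties the steps above together: it reads the cert-manager secret, writes the two files, copies them with scp and runs the import and service commands over ssh. The secret name, the user@router target and the wildcard.domain.tld file names are taken from the article's own examples and are assumptions; passphrase="" on the import (so it does not prompt over ssh) and the removal of the key file from the router afterwards are additions of this example.

```shell
#!/bin/sh
# Added example: pull the cert-manager TLS secret out of the cluster and push
# it to a MikroTik router. Not from the original article; secret, router and
# file names are assumptions taken from the article's own examples.
set -eu

SECRET="${SECRET:-wildcard.domain.tld-tls}"   # cert-manager's TLS secret
ROUTER="${ROUTER:-user@router}"               # ssh/scp target on the router
BASE="${BASE:-wildcard.domain.tld}"           # file name used on the router

# Read a "kubectl get secret -o json" document on stdin, pick one data field
# (tls.crt or tls.key) and base64-decode it. sed instead of jq so that only
# coreutils are required; a base64 payload never contains a quote, so the
# pattern cannot stop early.
secret_field() {
    field="$1"
    sed -n 's/.*"'"$field"'": *"\([^"]*\)".*/\1/p' | base64 -d
}

# RouterOS commands to run once the two files are on the router, one per
# line. passphrase="" keeps the key import from prompting over ssh. The
# certificate name <file>_0 is the one RouterOS assigned in the article's
# output; check /certificate/print if your import is named differently.
routeros_commands() {
    base="$1"
    cat <<EOF
/certificate/import file-name=$base.crt passphrase=""
/certificate/import file-name=$base.key passphrase=""
/ip/service/set www-ssl certificate=${base}.crt_0 disabled=no
/ip/service/set api-ssl certificate=${base}.crt_0
/file/remove [find name="$base.key"]
EOF
}

# Extract, copy and import. The key is written with mode 0600 into a temp
# dir that is removed on exit, and deleted from the router's file list once
# it has been imported.
upload_cert() {
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT
    umask 077
    json="$(kubectl get secret "$SECRET" -o json)"
    printf '%s\n' "$json" | secret_field tls.crt > "$work/$BASE.crt"
    printf '%s\n' "$json" | secret_field tls.key > "$work/$BASE.key"
    scp "$work/$BASE.crt" "$work/$BASE.key" "$ROUTER":
    routeros_commands "$BASE" | while IFS= read -r cmd; do
        ssh -n "$ROUTER" "$cmd"   # -n: do not let ssh consume the loop's stdin
    done
}

# Only talk to the cluster and the router when explicitly asked, so the
# functions above can be sourced and exercised offline.
if [ "${RUN_UPLOAD:-0}" = 1 ]; then
    upload_cert
fi
```

Run it with RUN_UPLOAD=1 from a host that has both cluster credentials and an ssh key accepted by the router, for example from a cron job or a Kubernetes CronJob scheduled more often than cert-manager renews. RouterOS assigns the name of an imported certificate itself, so after a renewal check /certificate/print and adjust the _0 name in routeros_commands if the new import received a different suffix.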