Hotspot MikroTik HTTPS Login Trusted dengan Let's Encrypt

Setup Hotspot MikroTik over HTTP mungkin sudah jadi hal yang biasa dan sangat mudah anda setup. Namun, bagaimana kalau kebutuhanya perlu atau disuruh membuat hotspot url over HTTPs?

Tentu anda tertantang bukan? Tidak hanya itu, setelah anda dapat membuat hotspot url anda over HTTPs, apakah certificate ssl nya trusted? atau mungkin hanya self-signed?

Sama-sama HTTPs, namun anda harus berfikir 2x jika hotspot url anda memakai certificate ssl self-signed karena tamu atau user hotspot perlu konfirmasi warning ssl self-signed pada browser.

Kalau dipakai untuk anda sendiri tentu tidak masalah, tapi kalo diterapkan di office atau area public ? 😀 Coba aja…

Tutorial Hotspot HTTPS Login sudah banyak yang share guys, namun rata-rata masih menggunakan ssl buatan dari Linux pakai OpenSSL atau dari fiture certificate mikrotik. Berikut tutorialnya: (1) Membuat Hotspot HTTPS Login dengan SSL Buatan (2) MikroTik.ID – HTTPS Login

Langkah-langkah Membuat Hotspot MikroTik HTTPS Login Trusted CA

Ada beberapa hal yang perlu anda persiapkan sebelum melakukan Lab Hotspot Login HTTPS – Trusted CA, diantaranya:

IP Public (Recommended Static)
Ubuntu Server 16.04 / 18.04 (VM/Container)
Domain yang terdaftar di Registrar

Step 1: IP Public & Konfigurasi Router

Kita perlu alamat IP Public untuk mengarahkan Domain yang kita miliki. IP Public Dynamic bisa anda coba, namun pengalaman sukses saya, pakai IP Public Static.

Saya anggap router anda sudah menerima IP Public dan sudah anda konfigurasi standart / siap di setup hotspot.

“Jika hotspot sudah disetup, anda tinggal melanjutkan setting import certificate dan setting https login saja.”
LukmanLAB

#IP-Addressing
/ip address
add address=111.51.106.6/29 interface=ether1 network=111.51.106.0
add address=192.168.198.1/24 interface=ether2-PC network=192.168.198.0
add address=192.168.4.1/24 interface=ether3-Hotspot network=192.168.4.0

#Set DNS
/ip dns
set allow-remote-requests=yes servers=1.1.1.1

#Set Gateway Router
/ip route
add distance=1 gateway=111.51.106.1

#Set NAT Gateway for Client
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Lanjutkan dengan setup hotspot, referensi: MikroTik.ID: Setting Dasar Hotspot MikroTik

Step 2: Ubuntu Server [Issue SSL Let’s Encrypt]

Siapkan Ubuntu Server, bisa menggunakan virtual machine atau container. Pastikan server dapat ping / akses internet. Soalnya nanti kita akan install paket-paket yang dibutuhkan untuk request ssl dari Let’s Encrypt.

1. Login ke Ubuntu Server via SSH

Bisa pakai software Putty atau Terminal ( jika pakai linux ).

$ ssh [email protected]
$ ssh [email protected] -p 2222

2. Install Acme

Hasil instalasi di /root/.acme.sh/

$ sudo apt install curl
$ sudo -i
# curl https://get.acme.sh | sh

3. Issue DNS Hotspot

# cd /root/.acme.sh
# acme.sh --issue -d login.lukmanlab.com --dns \
--yes-I-know-dns-manual-mode-enough-go-ahead-please

[Wed Mar  6 10:02:21 UTC 2019] Single domain='login.lukmanlab.com'
[Wed Mar  6 10:02:21 UTC 2019] Getting domain auth token for each domain
[Wed Mar  6 10:02:21 UTC 2019] Getting webroot for domain='login.lukmanlab.com'
[Wed Mar  6 10:02:21 UTC 2019] Getting new-authz for domain='login.lukmanlab.com'
[Wed Mar  6 10:02:22 UTC 2019] The new-authz request is ok.
[Wed Mar  6 10:02:23 UTC 2019] Add the following TXT record:
[Wed Mar  6 10:02:23 UTC 2019] Domain: '_acme-challenge.login.lukmanlab.com'
[Wed Mar  6 10:02:23 UTC 2019] TXT value: 'GE1ojzTr47m5N4BEnLOdExkw7vV5tM2ZnUB8Avn-XpE'
[Wed Mar  6 10:02:23 UTC 2019] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar  6 10:02:23 UTC 2019] so the resulting subdomain will be: _acme-challenge.login.lukmanlab.com
[Wed Mar  6 10:02:23 UTC 2019] Please add the TXT records to the domains, and re-run with --renew.
[Wed Mar  6 10:02:23 UTC 2019] Please add '--debug' or '--log' to check more details.
[Wed Mar  6 10:02:23 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Mar  6 10:02:23 UTC 2019] Removing DNS records.
[Wed Mar  6 10:02:23 UTC 2019] Not Found domain api file:

Perthatikan hasil issue dns manual anda, bagian “domain” dan “txt value“. Nah, itu yang nanti kita tambahkan ke record DNS.

Step 3: Domain

Anda setidaknya memiliki minimal 1 Domain yang terdaftar di registrar, dan pastikan sudah dapat diakses dari mana saja. Silahkan gunakan network tools online untuk testing lookup domain anda. Bisa gunakan: DNS Stuff, Network-Tools.

Tambahkan A Record

Tambahkan Record TXT yang tadi direquest kedalam Registrar Domain.

4. Renew DNS

# acme.sh --renew -d login.lukmanlab.com \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please

[Wed Mar  6 10:23:33 UTC 2019] Renew: 'login.lukmanlab.com'
[Wed Mar  6 10:23:34 UTC 2019] Single domain='login.lukmanlab.com'
[Wed Mar  6 10:23:34 UTC 2019] Getting domain auth token for each domain
[Wed Mar  6 10:23:34 UTC 2019] Verifying: login.lukmanlab.com
[Wed Mar  6 10:23:38 UTC 2019] Success
[Wed Mar  6 10:23:38 UTC 2019] Verify finished, start to sign.
[Wed Mar  6 10:23:41 UTC 2019] Cert success.
...
...
[Wed Mar  6 10:23:41 UTC 2019] Your cert is in  /root/.acme.sh/login.lukmanlab.com/login.lukmanlab.com.cer
[Wed Mar  6 10:23:41 UTC 2019] Your cert key is in  /root/.acme.sh/login.lukmanlab.com/login.lukmanlab.com.key
[Wed Mar  6 10:23:42 UTC 2019] The intermediate CA cert is in  /root/.acme.sh/login.lukmanlab.com/ca.cer
[Wed Mar  6 10:23:42 UTC 2019] And the full chain certs is there:  /root/.acme.sh/login.lukmanlab.com/fullchain.cer

Output Renew Certificate terletak pada: /root/.acme.sh/login.lukmanlab.com/ | Silahkan download file login.lukmanlab.com.cer, login.lukmanlab.com.key, ca.cer

5. Upload Certificate, Key dan CA ke router mikrotik dan lakukan Import Certificate.

Upload ke tiga file tersebut ke router, bisa menggunakan ftp, ssh (FileZilla/WinSCP) kemduian import certificate-nya.

/certificate import file-name=login.lukmanlab.com.cer passphrase=""
/certificate import file-name=login.lukmanlab.com.key passphrase=""
/certificate import file-name=ca.cer  passphrase="

6. Setting Hotspot – HTTPS Login

Silahkan test login dengan HTTPS, atau anda cukup ketik google.com akan otomatis redirect ke login.

Ahmad Lukman Hakim

Admin LUKMANLAB, DevOps Engineer, Site Reliability Engineer, System Administrator.

www.lukmanlab.com

12 thoughts on “Hotspot MikroTik HTTPS Login Trusted dengan Let’s Encrypt”

Pingback: Setting Load Balancing PCC 2 ISP + Fail Over Menggunakan MikroTik
kartun ch

November 29, 2019 at 1:21 am

kalo sudah expired gimana om? apakah harus diulang lagi langkahnya dr awal ?
- Ahmad Lukman Hakim
  
  November 30, 2019 at 2:37 am
  
  Cukup ulangi bagian req certificate aja. Nanti Fullchainya dicopy ke MikroTik.
  - kartun ch
    
    November 30, 2019 at 3:12 am
    
    Yg bagian mana itu om.. langkah ke berapa?
    - Ahmad Lukman Hakim
      
      November 30, 2019 at 10:25 am
      
      Step 2 – No. 3 sampai selesai.
      - kartun ch
        
        November 30, 2019 at 10:25 am
        
        Berarti certificatenya ganti file baru ya om?
      - Ahmad Lukman Hakim
        
        November 30, 2019 at 6:31 pm
        
        Betul
Muhammad Irfan Van Scorpy

February 19, 2022 at 10:36 am

kalo Force http ke https nya gan apakah bisa ?
- Ahmad Lukman Hakim
  
  February 19, 2022 at 8:49 pm
  
  Bikin rule di firewall gan utk redirect http ke https
محمد نر رمدحن نجاداب

February 27, 2022 at 10:05 am

kalau cara install lets ecrypt di server xampp windows..cranaya g mn om ??
- Ahmad Lukman Hakim
  
  March 6, 2022 at 11:27 am
  
  saya saranin, generate manual aja pakai tools di linux mas. terus hasil generate certificate pasang di xampp.
- Ahmad Lukman Hakim
  
  August 12, 2023 at 4:48 pm
  
  belum pernah kak