This Docker container automatically renews certificates from Let's Encrypt, copies them to a MikroTik device running RouterOS, and activates them in the web server, API and OpenVPN server.
There are two approaches:
- Run the container directly in the MikroTik router (if the feature is available)
- Run the container elsewhere
Docker Hub: schwitzd/routeros-letsencrypt
- Follow the MikroTik documentation to enable the container feature; in the repository IaC-HomeRouter I did it with Terraform
- Map an SSH private key file used to log in to RouterOS
- Map a volume/folder to store persistent authorization information between container restarts
- Configure environment variables to control the automation process
Name | Default | Description |
---|---|---|
ROUTEROS_USER | (none) | User with the policies ssh, write, ftp, read |
ROUTEROS_HOST | (none) | RouterOS IP address or hostname |
ROUTEROS_SSH_PORT | 22 | RouterOS SSH port |
ROUTEROS_PRIVATE_KEY | (none) | Private key file used to connect to RouterOS (set permissions to 0400!) |
ROUTEROS_DOMAIN | (none) | Domain name used to pick up the certificate files produced by the lego client. Usually the first domain you set in the LEGO_DOMAINS variable |
LEGO_STAGING | 1 | Whether to use the production or the staging Let's Encrypt endpoint. 0 for production, 1 for staging |
LEGO_KEY_TYPE | ec384 | Type of key |
LEGO_DOMAINS | (none) | Domains (delimited by ';') |
LEGO_EMAIL_ADDRESS | (none) | Email used for registration and as recovery contact |
LEGO_PROVIDER | (none) | DNS provider. Valid values are: acme-dns, alidns, allinkl, arvancloud, auroradns, autodns, azure, azuredns, bindman, bluecat, brandit, bunny, checkdomain, civo, cloudflare, clouddns, cloudns, cloudru, cloudxns, conoha, constellix, cpanel, derak, desec, designate, digitalocean, directadmin, dnshomede, dnsmadeeasy, dnsimple, dnspod, dode, domeneshop, dreamhost, duckdns, dyn, dynu, easydns, efficientip, epik, exec, exoscale, freemyip, gandi, gandiv5, gcore, gcloud, glesys, godaddy, googledomains, hetzner, hostingde, hosttech, hurricane, hyperone, httpreq, httpnet, ibmcloud, iidpf, iij, infoblox, infomaniak, internetbs, inwx, ionos, ipv64, iwantmyname, joker, liara, linode, liquidweb, lightsail, loopia, luadns, mailinabox, manual, metaname, mydnsjp, mythicbeasts, namecheap, namedotcom, namesilo, nearlyfreespeech, netcup, netlify, nicmanager, nifcloud, njalla, nodion, ns1, oraclecloud, otc, ovh, pdns, plesk, porkbun, rackspace, rcodezero, regru, rfc2136, rimuhosting, route53, safedns, sakuracloud, scaleway, selectel, selectelv2, servercow, shellrent, simply, sonic, stackpath, tencentcloud, transip, ultradns, variomedia, vegadns, vercel, versio, vinyldns, vkcloud, vscale, vultr, webnames, websupport, wedos, yandex, yandex360, yandexcloud, zoneee, zonomi |
LEGO_DNS_TIMEOUT | 10 | DNS timeout in seconds |
LEGO_ARGS | (none) | Arguments passed directly to lego, e.g. "--dns.disable-cp" or "--dns.resolvers 1.1.1.1" |
<KEY/TOKEN_FROM_PROVIDER> | (none) | See Configuration of DNS Providers |
SET_ON_WEB | true | Set the new certificate on the web server |
SET_ON_API | true | Set the new certificate on the API |
SET_ON_OVPN | false | Set the new certificate on the OpenVPN server |
SET_ON_HOTSPOT | false | Set the new certificate for the HotSpot/captive portal |
HOTSPOT_PROFILE_NAME | (none) | HotSpot/captive portal profile name |
- Generate an SSH key pair
- Upload the public key to RouterOS
- Add a user/group and import the public SSH key
- Place the private key in the folder that is mapped into the container
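The four steps above as an added shell script (not part of the routeros-letsencrypt project): it generates the key pair, checks that the private key has the 0400 mode the table insists on, and prints the RouterOS commands that create a user limited to the ssh, write, ftp and read policies. The folder KEY_DIR, the user name letsencrypt, the placeholder password and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the routeros-letsencrypt project.
# Assumed names: KEY_DIR (the folder later mapped to /ssh in the container)
# and the RouterOS user "letsencrypt"; adjust both to your setup.
set -eu

KEY_DIR="${KEY_DIR:-./ssh}"
KEY_FILE="$KEY_DIR/id_ed25519"
ROUTEROS_USER="${ROUTEROS_USER:-letsencrypt}"

# Generate an ed25519 key pair without a passphrase (the container cannot
# answer a prompt) and lock the private key down to 0400 as the README asks.
generate_key() {
    mkdir -p "$KEY_DIR"
    [ -f "$KEY_FILE" ] || ssh-keygen -q -t ed25519 -N '' -C routeros-letsencrypt -f "$KEY_FILE"
    chmod 0400 "$KEY_FILE"
}

# Return 0 only when the private key is exactly mode 0400 (owner read-only).
# Any wider mode lets other accounts on the host read the router login key.
key_perms_ok() {
    [ -n "$(find "$1" -perm 0400 -print 2>/dev/null)" ]
}

# Print the RouterOS commands to run after the public key has been uploaded
# (e.g. with scp) to the router's file store: a group with only the four
# policies the README lists, and a user tied to that public key.
routeros_user_commands() {
    user="$1"; pubkey_file="$2"
    printf '/user/group/add name=%s policy=ssh,write,ftp,read\n' "$user"
    printf '/user/add name=%s group=%s password=<STRONG_RANDOM_PASSWORD>\n' "$user" "$user"
    printf '/user/ssh-keys/import user=%s public-key-file=%s\n' "$user" "$pubkey_file"
}

# Stand-alone run: `sh prepare-key.sh run` (file name assumed)
if [ "${1:-}" = run ]; then
    generate_key
    key_perms_ok "$KEY_FILE" || { echo "private key is not mode 0400" >&2; exit 1; }
    echo "Run these on the router after uploading $KEY_FILE.pub:"
    routeros_user_commands "$ROUTEROS_USER" id_ed25519.pub
fi
```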
```
# Add environment variables
/container/envs/add name=lego_envs key=LEGO_STAGING value="0"
/container/envs/add name=lego_envs key=LEGO_PROVIDER value="cloudflare"
/container/envs/add name=lego_envs key=LEGO_DOMAINS value="mydomain.tld"
/container/envs/add name=lego_envs key=LEGO_EMAIL_ADDRESS value="[email protected]"
/container/envs/add name=lego_envs key=CLOUDFLARE_DNS_API_TOKEN value="<TOKEN>"
/container/envs/add name=lego_envs key=ROUTEROS_USER value="letsencrypt"
/container/envs/add name=lego_envs key=ROUTEROS_HOST value="router.mydomain.tld"
/container/envs/add name=lego_envs key=ROUTEROS_PRIVATE_KEY value="/ssh/id_ed25519"
/container/envs/add name=lego_envs key=ROUTEROS_DOMAIN value="mydomain.tld"

# Create mount points
/container/mounts/add name=lego-ssh src=/usb1/containers/lego/ssh dst=/ssh
/container/mounts/add name=lego-letsencrypt src=/usb1/containers/lego/data dst=/letsencrypt

# Create container
/container/add remote-image=schwitzd/routeros-letsencrypt:latest interface=veth1 root-dir=usb1/containers/lego/root mounts=lego-ssh,lego-letsencrypt envlist=lego_envs dns=<dns_server> logging=yes start-on-boot=yes
```
```yaml
services:
  app:
    image: schwitzd/routeros-letsencrypt
    environment:
      - LEGO_STAGING=0
      - LEGO_PROVIDER=cloudflare
      - LEGO_DOMAINS=mydomain.tld # or *.mydomain.tld for a wildcard cert.
      - LEGO_EMAIL_ADDRESS=[email protected]
      - CLOUDFLARE_DNS_API_TOKEN=<TOKEN>
      - ROUTEROS_USER=letsencrypt
      - ROUTEROS_HOST=router.mydomain.tld
      - ROUTEROS_PRIVATE_KEY=/ssh/id_ed25519
      - ROUTEROS_DOMAIN=mydomain.tld # or *.mydomain.tld for a wildcard cert.
    volumes:
      - ./data:/letsencrypt # To store Let's Encrypt authorization
      - ./ssh:/ssh          # To store the RouterOS SSH private key
    restart: unless-stopped
```

TO DO: use docker compose secrets
Inspired by and forked from routeros-letsencrypt-docker