Ability to manage SSL Certificates

[Russell-IO]

It would be very cool to help add support for let's encrypt by combining with the acme provider, things needed for this:

Lifecycle of certificate
Assign to services, api, www, ikev2

[OJFord]

It's now built-in (ROS v7) for the 'www-ssl' service: https://help.mikrotik.com/docs/display/ROS/Certificates#Certificates-Let'sEncryptcertificates

It'd be good to support that so that if enabled manually in order to give this provider access, that configuration (though necessarily already done manually) could at least be recorded, something like:

resource "routeros_ip_cloud" "router" {
    ddns_enabled = true
}

resource "routeros_certificate" "router" {
    enable_ssl_certificate = true
}

// firewall rules

I might be able to look into it some time in the next few days.

---

Just editing to add I had the briefest of looks already - seems the way it works is you POST /rest/certificate/enable-ssl-certificate (optionally with the DNS name else it uses DDNS from /ip/cloud) and then it gets created in certificates along with any others manually created. So there isn't a separate LE resource even conceptually really, for read/refresh we'd need to filter the full list for it, but it either exists or it doesn't, so then we could populate Boolean enabled on that basis.

Given that though it probably does make more sense for it to be its own tf resource, so rather than above it would be like:

resource "routeros_certificate_lets_encrypt" "router" {
    enabled = true
}

perhaps.

Since a certificate resource we might want multiple of, but it doesn't make sense to enable the LE one or not on each one, it's a separate one-shot action.

I'll hopefully get around to a PR Friday or Sunday.

[OJFord]

Sorry I didn't get to this because I realised I can't use it (or hence test it) personally since I'm behind CGNAT, and the built-in support doesn't allow for DNS challenge.

I think the acme_certificate integration you suggest would be good, but really that belongs as a separate Terraform module, using both this & the acme provider.

Support for the built-in Let's Encrypt cert would be good too (in this provider) but that's tied to the www-ssl service and not quite what you were asking for.

[vaerh]

I have not taken on this task precisely because I have no way to test or debug the process of obtaining a LE certificate. I don't have a solution yet.

[OJFord]

I'm intending to play around with the tailscale container, I suppose once I have that running it would make it feasible for me to test it (and also obviate any point of it really) but I'm a way off that yet.