Hotspot MikroTik HTTPS Login Trusted dengan Let’s Encrypt

Setup Hotspot MikroTik over HTTP mungkin sudah jadi hal yang biasa dan sangat mudah anda setup. Namun, bagaimana kalau kebutuhanya perlu atau disuruh membuat hotspot url over HTTPs?

Tentu anda tertantang bukan? Tidak hanya itu, setelah anda dapat membuat hotspot url anda over HTTPs, apakah certificate ssl nya trusted? atau mungkin hanya self-signed?

Sama-sama HTTPs, namun anda harus berfikir 2x jika hotspot url anda memakai certificate ssl self-signed karena tamu atau user hotspot perlu konfirmasi warning ssl self-signed pada browser.

Kalau dipakai untuk anda sendiri tentu tidak masalah, tapi kalo diterapkan di office atau area public ? 😀 Coba aja…

Tutorial Hotspot HTTPS Login sudah banyak yang share guys, namun rata-rata masih menggunakan ssl buatan dari Linux pakai OpenSSL atau dari fiture certificate mikrotik. Berikut tutorialnya: (1) Membuat Hotspot HTTPS Login dengan SSL Buatan (2) MikroTik.ID – HTTPS Login

Langkah-langkah Membuat Hotspot MikroTik HTTPS Login Trusted CA

Ada beberapa hal yang perlu anda persiapkan sebelum melakukan Lab Hotspot Login HTTPS – Trusted CA, diantaranya:

  1. IP Public (Recommended Static)
  2. Ubuntu Server 16.04 / 18.04 (VM/Container)
  3. Domain yang terdaftar di Registrar
Ilustrasi Sederhana

Step 1: IP Public & Konfigurasi Router

Kita perlu alamat IP Public untuk mengarahkan Domain yang kita miliki. IP Public Dynamic bisa anda coba, namun pengalaman sukses saya, pakai IP Public Static.

Saya anggap router anda sudah menerima IP Public dan sudah anda konfigurasi standart / siap di setup hotspot.

“Jika hotspot sudah disetup, anda tinggal melanjutkan setting import certificate dan setting https login saja.”

LukmanLAB
#IP-Addressing
/ip address
add address=111.51.106.6/29 interface=ether1 network=111.51.106.0
add address=192.168.198.1/24 interface=ether2-PC network=192.168.198.0
add address=192.168.4.1/24 interface=ether3-Hotspot network=192.168.4.0

#Set DNS
/ip dns
set allow-remote-requests=yes servers=1.1.1.1

#Set Gateway Router
/ip route
add distance=1 gateway=111.51.106.1

#Set NAT Gateway for Client
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Lanjutkan dengan setup hotspot, referensi: MikroTik.ID: Setting Dasar Hotspot MikroTik

Step 2: Ubuntu Server [Issue SSL Let’s Encrypt]

Siapkan Ubuntu Server, bisa menggunakan virtual machine atau container. Pastikan server dapat ping / akses internet. Soalnya nanti kita akan install paket-paket yang dibutuhkan untuk request ssl dari Let’s Encrypt.

1. Login ke Ubuntu Server via SSH

Bisa pakai software Putty atau Terminal ( jika pakai linux ).

$ ssh lukman@192.168.198.2
$ ssh lukman@192.168.1982 -p 2222 

2. Install Acme

Hasil instalasi di /root/.acme.sh/

$ sudo apt install curl
$ sudo -i
# curl https://get.acme.sh | sh

3. Issue DNS Hotspot

# cd /root/.acme.sh
# acme.sh --issue -d login.lukmanlab.com --dns \
--yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Mar  6 10:02:21 UTC 2019] Single domain='login.lukmanlab.com'
[Wed Mar  6 10:02:21 UTC 2019] Getting domain auth token for each domain
[Wed Mar  6 10:02:21 UTC 2019] Getting webroot for domain='login.lukmanlab.com'
[Wed Mar  6 10:02:21 UTC 2019] Getting new-authz for domain='login.lukmanlab.com'
[Wed Mar  6 10:02:22 UTC 2019] The new-authz request is ok.
[Wed Mar  6 10:02:23 UTC 2019] Add the following TXT record:
[Wed Mar  6 10:02:23 UTC 2019] Domain: '_acme-challenge.login.lukmanlab.com'
[Wed Mar  6 10:02:23 UTC 2019] TXT value: 'GE1ojzTr47m5N4BEnLOdExkw7vV5tM2ZnUB8Avn-XpE'
[Wed Mar  6 10:02:23 UTC 2019] Please be aware that you prepend _acme-challenge. before your domain
[Wed Mar  6 10:02:23 UTC 2019] so the resulting subdomain will be: _acme-challenge.login.lukmanlab.com
[Wed Mar  6 10:02:23 UTC 2019] Please add the TXT records to the domains, and re-run with --renew.
[Wed Mar  6 10:02:23 UTC 2019] Please add '--debug' or '--log' to check more details.
[Wed Mar  6 10:02:23 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Mar  6 10:02:23 UTC 2019] Removing DNS records.
[Wed Mar  6 10:02:23 UTC 2019] Not Found domain api file:

Perthatikan hasil issue dns manual anda, bagian “domain” dan “txt value“. Nah, itu yang nanti kita tambahkan ke record DNS.

Step 3: Domain

Anda setidaknya memiliki minimal 1 Domain yang terdaftar di registrar, dan pastikan sudah dapat diakses dari mana saja. Silahkan gunakan network tools online untuk testing lookup domain anda. Bisa gunakan: DNS Stuff, Network-Tools.

Tambahkan A Record

Tambahkan Record TXT yang tadi direquest kedalam Registrar Domain.

4. Renew DNS

# acme.sh --renew -d login.lukmanlab.com \
  --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed Mar  6 10:23:33 UTC 2019] Renew: 'login.lukmanlab.com'
[Wed Mar  6 10:23:34 UTC 2019] Single domain='login.lukmanlab.com'
[Wed Mar  6 10:23:34 UTC 2019] Getting domain auth token for each domain
[Wed Mar  6 10:23:34 UTC 2019] Verifying: login.lukmanlab.com
[Wed Mar  6 10:23:38 UTC 2019] Success
[Wed Mar  6 10:23:38 UTC 2019] Verify finished, start to sign.
[Wed Mar  6 10:23:41 UTC 2019] Cert success.
...
...
[Wed Mar  6 10:23:41 UTC 2019] Your cert is in  /root/.acme.sh/login.lukmanlab.com/login.lukmanlab.com.cer
[Wed Mar  6 10:23:41 UTC 2019] Your cert key is in  /root/.acme.sh/login.lukmanlab.com/login.lukmanlab.com.key
[Wed Mar  6 10:23:42 UTC 2019] The intermediate CA cert is in  /root/.acme.sh/login.lukmanlab.com/ca.cer
[Wed Mar  6 10:23:42 UTC 2019] And the full chain certs is there:  /root/.acme.sh/login.lukmanlab.com/fullchain.cer

Output Renew Certificate terletak pada: /root/.acme.sh/login.lukmanlab.com/ | Silahkan download file login.lukmanlab.com.cer, login.lukmanlab.com.key, ca.cer

5. Upload Certificate, Key dan CA ke router mikrotik dan lakukan Import Certificate.

Upload ke tiga file tersebut ke router, bisa menggunakan ftp, ssh (FileZilla/WinSCP) kemduian import certificate-nya.

/certificate import file-name=login.lukmanlab.com.cer passphrase=""
/certificate import file-name=login.lukmanlab.com.key passphrase=""
/certificate import file-name=ca.cer  passphrase="

6. Setting Hotspot – HTTPS Login

Silahkan test login dengan HTTPS, atau anda cukup ketik google.com akan otomatis redirect ke login.

About Ahmad Lukman Hakim 61 Articles
Admin LUKMANLAB, Network Engineer, System Administrator.