| Name | mikrotik-certbot JSON |
| Version |
1.0.0
JSON |
| download |
| home_page | None |
| Summary | Certbot deploy hook script to upload renewed Let's Encrypt certificates to a MikroTik RouterOS device via the REST API. |
| upload_time | 2025-10-19 03:50:10 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.11 |
| license | MIT License
Copyright (c) 2025 Jonathan Karras
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE. |
| keywords |
automation
certbot
certificate
letsencrypt
mikrotik
routeros
|
| VCS |
 |
| bugtrack_url |
|
| requirements |
No requirements were recorded.
|
| Travis-CI |
No Travis.
|
| coveralls test coverage |
No coveralls.
|
# mikrotik-certbot
A Certbot deploy-hook tool that uploads renewed Let’s Encrypt certificates to MikroTik RouterOS devices and applies them to services. It is idempotent and non‑destructive: imports under a versioned name, applies to targets, then prunes older unreferenced certificates.
Why not just use the built in ACME support?
- EAB authentication is broken in ROS 7.20 and lower.
- Router may not have access to the Internet
- Renewal of services like hotspot not supported by the built in ACME service.
## Contents
- [mikrotik-certbot](#mikrotik-certbot)
- [Contents](#contents)
- [Highlights](#highlights)
- [Prerequisites](#prerequisites)
- [Initial Setup (Certbot deploy hook)](#initial-setup-certbot-deploy-hook)
- [Application Flow](#application-flow)
- [More Documentation](#more-documentation)
- [Developer Workflows](#developer-workflows)
- [License \& Authors](#license--authors)
## Highlights
- Versioned, collision‑safe certificate naming (UTC `YYYYMMDDThhmm`, `_SEQ` suffix when needed)
- REST upload on RouterOS ≥ 7.17; SFTP fallback otherwise, then REST import
- Applies to `www-ssl`, `api-ssl`, and optional Hotspot profiles
- Strict gating (`MIKROTIK_DOMAIN` must be in `RENEWED_DOMAINS`), `DRY_RUN` support
## Prerequisites
- Python `3.11+` and `uv` installed
- Certbot on the host that renews the certificate
- MikroTik RouterOS reachable over HTTPS (REST); SFTP enabled only if supporting fallback
- A RouterOS user with access to files/certificates/services
## Initial Setup (Certbot deploy hook)
1) Install `uv` if needed: `curl -LsSf https://astral.sh/uv/install.sh | sh`
2) Download the hook directly (no repository clone required). Replace the example URL with the raw file URL for this repo:
No repository clone required — download the hook directly:
```sh
sudo curl -fsSL "https://raw.githubusercontent.com/karrots/mikrotik-certbot/refs/heads/main/deploy-hook.sh" -o /etc/letsencrypt/renewal-hooks/deploy/mikrotik-certbot.sh
```
- `MIKROTIK_DOMAIN`: your FQDN (must appear in `RENEWED_DOMAINS`)
- `ROUTER_HOST`: e.g., `router.example.net:8443`
- `ROUTER_USER` / `ROUTER_PASS`: least‑privilege credentials
4) Verify with a dry‑run: `sudo certbot renew --dry-run --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/mikrotik-certbot.sh`
5) If multiple hosts need certificates duplicate the `deploy-hook.sh` as needed.
See `docs/config.md` for all configuration options and behavior toggles.
## Application Flow
The hook exits early unless `MIKROTIK_DOMAIN` is present in `RENEWED_DOMAINS`. It derives a versioned, collision‑safe certificate name and detects RouterOS capabilities to pick REST upload or SFTP fallback. The combined PEM (privkey + fullchain) is uploaded, then imported without removing any existing same‑name certificate first. The new certificate is applied to `www-ssl`, `api-ssl`, and any configured Hotspot profiles. After a real import completes, older unreferenced certificates are pruned, keeping the newest two.
## More Documentation
- Configuration: `docs/config.md`
- Usage: `docs/usage.md`
- RouterOS Permissions: `docs/permissions.md`
## Developer Workflows
- Sync dev deps: `uv sync --group dev`
- Run: `uv run mikrotik-certbot`
- Lint: `uv run --group dev ruff check .`
- Types: `uv run --group dev mypy .`
- Tests: `uv run --group dev pytest`
- Build: `uv build`
## License & Authors
- License: MIT (see `LICENSE`)
- Author: Jonathan Karras
Raw data
{
"_id": null,
"home_page": null,
"name": "mikrotik-certbot",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.11",
"maintainer_email": null,
"keywords": "automation, certbot, certificate, letsencrypt, mikrotik, routeros",
"author": null,
"author_email": "Jonathan Karras <6307688+karrots@users.noreply.github.com>",
"download_url": "https://files.pythonhosted.org/packages/1e/9d/1ba554f00482264185a67e63669b138a9e2c80000956051e68587ff0a8a7/mikrotik_certbot-1.0.0.tar.gz",
"platform": null,
"description": "# mikrotik-certbot\n\nA Certbot deploy-hook tool that uploads renewed Let\u2019s Encrypt certificates to MikroTik RouterOS devices and applies them to services. It is idempotent and non\u2011destructive: imports under a versioned name, applies to targets, then prunes older unreferenced certificates.\n\nWhy not just use the built in ACME support?\n- EAB authentication is broken in ROS 7.20 and lower.\n- Router may not have access to the Internet\n- Renewal of services like hotspot not supported by the built in ACME service. \n\n## Contents\n- [mikrotik-certbot](#mikrotik-certbot)\n - [Contents](#contents)\n - [Highlights](#highlights)\n - [Prerequisites](#prerequisites)\n - [Initial Setup (Certbot deploy hook)](#initial-setup-certbot-deploy-hook)\n - [Application Flow](#application-flow)\n - [More Documentation](#more-documentation)\n - [Developer Workflows](#developer-workflows)\n - [License \\& Authors](#license--authors)\n\n## Highlights\n- Versioned, collision\u2011safe certificate naming (UTC `YYYYMMDDThhmm`, `_SEQ` suffix when needed)\n- REST upload on RouterOS \u2265 7.17; SFTP fallback otherwise, then REST import\n- Applies to `www-ssl`, `api-ssl`, and optional Hotspot profiles\n- Strict gating (`MIKROTIK_DOMAIN` must be in `RENEWED_DOMAINS`), `DRY_RUN` support\n\n## Prerequisites\n- Python `3.11+` and `uv` installed\n- Certbot on the host that renews the certificate\n- MikroTik RouterOS reachable over HTTPS (REST); SFTP enabled only if supporting fallback\n- A RouterOS user with access to files/certificates/services\n\n## Initial Setup (Certbot deploy hook)\n1) Install `uv` if needed: `curl -LsSf https://astral.sh/uv/install.sh | sh`\n2) Download the hook directly (no repository clone required). Replace the example URL with the raw file URL for this repo:\n\nNo repository clone required \u2014 download the hook directly:\n\n```sh\nsudo curl -fsSL \"https://raw.githubusercontent.com/karrots/mikrotik-certbot/refs/heads/main/deploy-hook.sh\" -o /etc/letsencrypt/renewal-hooks/deploy/mikrotik-certbot.sh\n```\n - `MIKROTIK_DOMAIN`: your FQDN (must appear in `RENEWED_DOMAINS`)\n - `ROUTER_HOST`: e.g., `router.example.net:8443`\n - `ROUTER_USER` / `ROUTER_PASS`: least\u2011privilege credentials\n4) Verify with a dry\u2011run: `sudo certbot renew --dry-run --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/mikrotik-certbot.sh`\n5) If multiple hosts need certificates duplicate the `deploy-hook.sh` as needed.\n\nSee `docs/config.md` for all configuration options and behavior toggles.\n\n## Application Flow\nThe hook exits early unless `MIKROTIK_DOMAIN` is present in `RENEWED_DOMAINS`. It derives a versioned, collision\u2011safe certificate name and detects RouterOS capabilities to pick REST upload or SFTP fallback. The combined PEM (privkey + fullchain) is uploaded, then imported without removing any existing same\u2011name certificate first. The new certificate is applied to `www-ssl`, `api-ssl`, and any configured Hotspot profiles. After a real import completes, older unreferenced certificates are pruned, keeping the newest two.\n\n## More Documentation\n- Configuration: `docs/config.md`\n- Usage: `docs/usage.md`\n- RouterOS Permissions: `docs/permissions.md`\n\n## Developer Workflows\n- Sync dev deps: `uv sync --group dev`\n- Run: `uv run mikrotik-certbot`\n- Lint: `uv run --group dev ruff check .`\n- Types: `uv run --group dev mypy .`\n- Tests: `uv run --group dev pytest`\n- Build: `uv build`\n\n## License & Authors\n- License: MIT (see `LICENSE`)\n- Author: Jonathan Karras\n",
"bugtrack_url": null,
"license": "MIT License\n \n Copyright (c) 2025 Jonathan Karras\n \n Permission is hereby granted, free of charge, to any person obtaining a copy\n of this software and associated documentation files (the \"Software\"), to deal\n in the Software without restriction, including without limitation the rights\n to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n copies of the Software, and to permit persons to whom the Software is\n furnished to do so, subject to the following conditions:\n \n The above copyright notice and this permission notice shall be included in all\n copies or substantial portions of the Software.\n \n THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n SOFTWARE.",
"summary": "Certbot deploy hook script to upload renewed Let's Encrypt certificates to a MikroTik RouterOS device via the REST API.",
"version": "1.0.0",
"project_urls": {
"Homepage": "https://github.com/karrots/mikrotik-certbot",
"Issues": "https://github.com/karrots/mikrotik-certbot/issues",
"Repository": "https://github.com/karrots/mikrotik-certbot"
},
"split_keywords": [
"automation",
" certbot",
" certificate",
" letsencrypt",
" mikrotik",
" routeros"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "d5d717ac973265de58d07a070caa5d7e9d4244e35f16c36b061c141392797264",
"md5": "f1b430e7b4678a2d81e507532a866d14",
"sha256": "e47d501386c9ae6632a7d888837439c6a9ced739a9f06de5d2b07fbd441f0cc0"
},
"downloads": -1,
"filename": "mikrotik_certbot-1.0.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "f1b430e7b4678a2d81e507532a866d14",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.11",
"size": 18029,
"upload_time": "2025-10-19T03:50:08",
"upload_time_iso_8601": "2025-10-19T03:50:08.947307Z",
"url": "https://files.pythonhosted.org/packages/d5/d7/17ac973265de58d07a070caa5d7e9d4244e35f16c36b061c141392797264/mikrotik_certbot-1.0.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "1e9d1ba554f00482264185a67e63669b138a9e2c80000956051e68587ff0a8a7",
"md5": "16cef61c523604891fa624e4dc2affd4",
"sha256": "e3ad683626c51a25c505530068acb15e6910b658e806af4b75f65a457bca08ef"
},
"downloads": -1,
"filename": "mikrotik_certbot-1.0.0.tar.gz",
"has_sig": false,
"md5_digest": "16cef61c523604891fa624e4dc2affd4",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.11",
"size": 62986,
"upload_time": "2025-10-19T03:50:10",
"upload_time_iso_8601": "2025-10-19T03:50:10.373101Z",
"url": "https://files.pythonhosted.org/packages/1e/9d/1ba554f00482264185a67e63669b138a9e2c80000956051e68587ff0a8a7/mikrotik_certbot-1.0.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-10-19 03:50:10",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "karrots",
"github_project": "mikrotik-certbot",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "mikrotik-certbot"
}
