Create an SSTP server with a Let's Encrypt certificate
The Let's Encrypt certificate requires a DNS name that resolves to the router's public IP address, and Let's Encrypt must be able to reach the router's web server on port 80 to complete the certificate request.
If a firewall is in use, create a firewall rule and keep it for later use:
/ip firewall filter
add action=accept chain=input comment=letsencrypt disabled=yes dst-port=80,443 protocol=tcp
This rule is temporary: it is created disabled and is enabled only to allow access during the certificate request process.
Create the certificate:
/certificate enable-ssl-certificate dns-name=<host.domain>
Set up the SSTP server and select the generated certificate.
Lastly, the Let's Encrypt certificate needs to be updated every 90 days; use this update script with a scheduled task to do so.
## Update letsencrypt certificate
#/ip service enable www;
:local hostname "<myhost.domain>";
# remember the current www address restriction so it can be restored afterwards
:local addressList [/ip service get [find name=www] address];
# open the www service up for letsencrypt
/ip service set [/ip service find name=www] address="";
/ip firewall filter enable [find comment=letsencrypt];
/ipv6 firewall filter enable [find comment=letsencrypt];
/log info message="Let's Encrypt certificate renewal started";
# Removing the old cert shouldn't be needed, but without it the router still reports the old expiry
/certificate remove [find where common-name=$hostname];
/certificate enable-ssl-certificate dns-name=$hostname;
#/ip service disable www;
/ip firewall filter disable [find comment=letsencrypt];
/ipv6 firewall filter disable [find comment=letsencrypt];
# reset ip services security
/ip service set [/ip service find name=www] address=$addressList;
/log info message="Let's Encrypt certificate renewal completed";
####
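The script clears the address restriction on the www service and enables the firewall rule created earlier so that the certificate can be renewed, then disables the rule and restores the original address restriction on the service.
Schedule it to run in 88 days, so that the certificate is renewed before expiry.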
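The SSTP setup step and the scheduling step above, as an added example that is not part of the original page: it looks up the issued certificate by common name, binds the SSTP server to it, and schedules the renewal script. The script name le-renew, the scheduler name le-renew-88d, and the authentication, TLS and PFS settings are assumptions; because the renewal script removes the old certificate, the lookup-and-bind part can also be appended to the end of that script.

```routeros
# Added example. le-renew and le-renew-88d are hypothetical names.
# Wrapped in { } so the :local variables share one scope when pasted into a terminal.
{
    :local hostname "<myhost.domain>";

    # Find the certificate that was issued for the host name
    :local certId [/certificate find where common-name=$hostname];
    :if ([:len $certId] = 0) do={
        /log error message="SSTP: no certificate found for $hostname";
        :error "certificate missing";
    }
    :local certName [/certificate get ($certId->0) name];

    # Bind the SSTP server to that certificate.
    # Assumed hardening choices: MS-CHAPv2 only, TLS 1.2 only, PFS enabled.
    /interface sstp-server server set enabled=yes certificate=$certName \
        authentication=mschap2 tls-version=only-1.2 pfs=yes;
    /log info message="SSTP server now using certificate $certName";

    # Run the renewal script (saved under /system script as le-renew)
    # at an 88-day interval; skip if the scheduler entry already exists.
    :if ([:len [/system scheduler find name=le-renew-88d]] = 0) do={
        /system scheduler add name=le-renew-88d interval=88d \
            on-event="/system script run le-renew";
    }
}
```

After each renewal, `/interface sstp-server server print` shows which certificate the server is currently bound to.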