Skip to main content

MIKRO003 - MikroTik TLS/SSL Certificate Error

Agent error code #MIKRO003 indicates that the TLS handshake to the MikroTik REST API failed because the certificate could not be verified.

Common causes include:

  • RouterOS is presenting a self-signed certificate that the agent host does not trust
  • The certificate's CN/SAN does not match the hostname configured on the Knocknoc backend
  • The certificate has expired
  • The certificate is signed by a private CA that is not in the agent host's trust store

Steps to Resolve

Option 1: Trust the Certificate

The cleanest fix is to give RouterOS a certificate that the agent host already trusts.

  1. Generate or import a certificate signed by a CA the agent trusts (a public CA, or your internal CA)
  2. In RouterOS, install the certificate under System > Certificates
  3. Bind it to www-ssl under IP > Services
  4. Confirm the RouterOS URL in Knocknoc uses the hostname that matches the certificate's CN or SAN

Option 2: Tick the Insecure Box

If you are using a self-signed certificate and accept the risk, tick the Insecure checkbox on the Knocknoc backend. The agent will then skip certificate verification.

This is acceptable for lab environments but not recommended for production because it allows man-in-the-middle attacks between the agent and the router.

Still Having Issues?

We can help you out, contact us at support@knocknoc.io.

Back to top