The https certificate in the 8.2.1 firmware (MAX BR1 Pro 5G in my case, but likely all devices) has expired. The cert expired on November 29th, 2022. Yesterday. Hopefully 8.3.0 will have a new cert whenever it gets released. In the mean time, the router utility is rendered inoperative.
We can confirm this issue and wish to emphasize to Peplink management the urgency of an immediate resolution and to ensure this does not reoccur.
We hope this does not portend the end of development of Router Utility – an exceedingly valuable (and free!) product and resource.
For 8.2.1 GA firmware the “default” SSL cert is expired. It’s the industry standard all generated SSL certs will only valid to 12 months (Reference Industry standard)
Firmware 8.3.0 is in beta 2 now , when you upgrade the device using Firmware 8.3.0, it will have the new SSL cert.
In the firmware 8.3.0, we have implemented a new feature that will auto update the SSL certificate from IC2 :
Group Level → Device System management:
With this option enabled, Balance/MAX and AP devices running firmware 8.3.0 and 3.9.3 or above respectively will receive the most up-to-date captive portal default SSL certificate from Peplink automatically without needing to update their firmware in the future."
IC2 Release notes reference :
TU @sitloongs . That’s a nice improvement. Thank you. The one year limitation is understood but we still see older devices for which maintenance releases have not been issued. Many/most of these will never be used with IC2 either.
Thanks!
Indeed, we have a lot of HW1 AP One AC Mini units out there with expired certificates, as an example.
For such case, you can import the self-sign for CA cert here :
Balance/MAX:
AP :
Yes, true, @sitloongs! But two comments. (1) Does this not conflict with Peplink’s stated policy of providing maintenance updates as/when necessary? And, (2) I’d point out that this is well above the competency of most owners/users.
Broken features devalue the product.
I have discussed with Engineering team . For AP One AC Mini HW1 , if you want to have the latest default cert for the device, you can use the following firmware :
Firmware 3.6.3s05:
Can we please have captive-portal.peplink.com added as a local dns to the router default ip added into the router.
captive-portal.peplink.com 192.168.1.1
or
captive-portal.peplink.com 192.168.50.1
are there any other default ip’s?
I’d like this built into the router via firmware so you can address it by name to access the router.
@michaelchan
Can this also be added to ic2 for deployment that way as well.
I am looking for the same thing. Contacted support via ticket. Was given the 8.3.0 beta. The certificate is not signed by an accepted CA according to the external scan so I can’t certify my PCI integrity. Support said that all SSL certificates are self signed by PW. Is this correct? I had no problem before the certificate expired.
The certificate in the beta is legitimate, from a recognized CA, and not expired. That said, if you require a certificate in your router for PCI compliance, you may need to create a DNS name for that router, and buy a certificate from a recognized CA and install it in the certificate manager.
Browsers will complain about the Peplink certificate if you access the router when you access by IP address or by any name that does not match the certificate. That complaint is a name mismatch, which, in your situation, may be sufficient to be problematic for PCI.
I appreciate your reply. One of the support team told me all PW certs were self signed. I found that to be maybe not accurate. I think there is a flaw in the beta firmware they told me to try as it has already been replaced. I will roll back to the previous stable firmware and give this more time.
I do not think I need to get a cert myself as in the past it will pass PCI as long at the captive portal SSL is current and signed by a proper CA.
Thank you.
I’m on 8.3.0 build 5189 and when I look at the certificate details from my browser, I see an expiration in October 2023. So yes, if there’s a newer version of the beta, give that a try.
So, my router is already on 8.3.0, I come to InControl and check the option to auto update the captive portal cert (although what’s really causing my heartburn is the web admin cert) - at what point does InControl actually “push” the new certs? I’ve bounced the router a few times to see if it would “pull” them from InControl.
I guess the question is, what event OTHER than a firmware update is going to send updated certs to my router?
Hello:
I am trying what you suggested, however the (i) next to Auto Update says it requires firmware 8.4.1 which is not available for HW1 units. Is this incorrect in the text? Will the Auto Update SSL Certificate work with firmware 8.3.0 (fw-max_br1_br2-8.3.0-build5256.bin) as you mentioned in this older post?
I was asking if it needed 8.4.1 like it says in InContrlol on the screenshot I showed above or if 8.3 will suffice because all out HW1 routers can not be upgraded to 8.4
What about us poor Surf Soho owners? My certificate has expired as well. I set up InControl, (which was a nightmare because I didn’t understand any of it) but the option to update the SSL cert appears to only work for Balance/Max and AP One according to the help pop up.
e-mail support ask for a special fw update that has an updated cert , post the link here when you get it.