Generating private keys, creating certificate signing requests (CSR), converting the certificate format, and inserting that certificate from the certificate authority into the Peplink is all a lot of hassle, especially because the certificate renewal process has to be repeated every 1 to 3 years.
It’s also not so convenient to have the default captive-portal.peplink.com certificate installed that doesn’t match the actual host name on the customer’s Peplink Balance device.
The whole certificate process hassle should be fully automated and as easy as possible, especially now that there is a free alternative using letsencrypt.org short-lived (1 month currently) certs. The whole process of creation, validation, renewal and revocation can be fully automated, especially because the Peplink devices already contain a built-in web server and DNS server which can be used for validation. And the letsencrypt certificates are even free to use.
I’ll second this. It would be nice to have an easy, automated way to add and renew LetsEncrypt SSL certs to Peplink/Pepwave routers. (Old thread, I know, but this seems to be the only result when searching for LetsEncrypt.)
To cover as many use cases as possible, we should be able to create a CSR on Balance/MAX/MediaFast/Surf routers for use on the router, as well as being able to add/manage additional domains/subdomains for APs & other downstream devices. APs should have the ability to create/manage their own CSR independently of a controller (Balance or IC2) if necessary. Finally, CSRs could also be created/managed in IC2 and pushed out to all or some devices.
Is this feature now available somehow? Today when I logged into InControl there was a pop-up that I think discussed using letsencrypt.org. But I didn’t pay attention, figuring that I could find it again after I did other things. But now I cannot find any documentation except this thread. So was this just a dream, or is there really a simple way to use letsencrypt.org? (I have a Balance One Core, if it matters.)
The Let’s Encrypt functionality does not seem to be compatible with ICVA and private domains. Anything we can do in our config to push it? Seems to be by default linked to peplink.com domains.
The letsencrypt feature ties to the Find My Peplink service. IC2/ICA could only request letsencrypt to sign domains that are managed by the Find My Peplink service (i.e. something.mypep.link for IC2).
In ICA 2.4.2-1, the letsencrypt functionality is not totally ready. It shall be fixed in the coming IC 2.5.2. But even so, you have to make sure the Find My Peplink DDNS service is well configured and that devices’ DDNS host names are resolvable from the Internet. Otherwise, the system still cannot acquire a signed cert from letsencrypt.
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Jan 21 22:00:08 2018 GMT
Not After : Apr 21 22:00:08 2018 GMT
Subject: CN=homehub.mypep.link
That’s my certificate currently in my Peplink Balance One on April 22… so as you can assume, it clearly expired and has not renewed, with an ugly red https… My InControl2 account is fully active and working fine, so no clue why it’s not renewing… Help me… I am missing my green https.
Edit: Manage Web Admin SSL Certificate is selected also, so no clue what’s happening.
Hi tiqster, the issue has been resolved. But unfortunately the letsencrypt system refuses to sign a cert for homehub.mypep.link until May 1. You will have to wait until May 1, or change your Find My Peplink address to something else.
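A way to catch the two failures described in this thread (a certificate whose name does not match the device, and one that passed its "Not After" date without renewing) before the browser does, given as an added example that is not from any poster or from Peplink. It parses certificate text in the layout pasted above; `check_cert`, the 30-day `RENEW_DAYS` threshold and the test dates are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Sample input: the certificate fields quoted in the thread above.
SAMPLE = """\
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
    Not Before: Jan 21 22:00:08 2018 GMT
    Not After : Apr 21 22:00:08 2018 GMT
Subject: CN=homehub.mypep.link
"""

RENEW_DAYS = 30  # assumed alert threshold, not a Peplink or Let's Encrypt value


def _field(text, label):
    # Match "Label: value" or "Label : value", with or without indentation.
    m = re.search(rf"^\s*{label}\s*:\s*(.+?)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError(f"missing field: {label}")
    return m.group(1)


def _when(value):
    # Dates look like "Apr 21 22:00:08 2018 GMT"; collapse padding on 1-digit days.
    stamp = " ".join(value.split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_cert(text, expected_host, now):
    """Return the subject CN, whole days until expiry, and a list of problems."""
    not_before = _when(_field(text, "Not Before"))
    not_after = _when(_field(text, "Not After"))
    cn_match = re.search(r"CN\s*=\s*([^,/\s]+)", _field(text, "Subject"))
    if not cn_match:
        raise ValueError("subject has no CN")
    cn = cn_match.group(1)
    days_left = (not_after - now).days
    problems = []
    if cn.lower() != expected_host.lower():
        problems.append("hostname-mismatch")
    if now < not_before:
        problems.append("not-yet-valid")
    if now > not_after:
        problems.append("expired")
    elif days_left < RENEW_DAYS:
        problems.append("renewal-overdue")
    return {"cn": cn, "days_left": days_left, "problems": problems}
```

Run on a schedule against each device's certificate, a "renewal-overdue" result gives weeks of notice that automatic renewal has stalled, rather than finding out after expiry.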