Help enabling HTTPS on admin interface


#1

Hi, I’m attempting to set up a Surf SOHO. Since the expert advice is to only use https for the admin interface I changed that first thing before trying to move on and change the username/password. Well, I can’t log into the router now after I applied the https change. Duh, after thinking about it, certs can’t be issued for private address ranges right? How does one correctly deploy https? Thanks for your help! Also, you may have an expired cert - here’s what I got from FF when I embarrassingly tried to use https on the private address:
192.168.50.1 uses an invalid security certificate. The certificate is only valid for the following names: captive-portal.peplink.com, www.captive-portal.peplink.com The certificate expired on Tuesday, March 22, 2016 5:07 AM. The current time is Friday, March 25, 2016 1:20 AM. Error code: SSL_ERROR_BAD_CERT_DOMAIN


#2

Hi,

By default, a self-signed cert is used for the Surf SOHO admin interface (WebAdmin HTTPS). Thus, when you browse to the WebAdmin page, you will receive the warning message. You can bypass the warning by accepting the self-signed cert. For more information on how to bypass the warning, please refer to the URL below:

https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message

If you have security concerns regarding the default self-signed cert, you are allowed to sign your own certificate and import it into the Surf SOHO.


Regarding the certificate expiry date, please make sure you always upgrade the device to the latest firmware, and this will give you the latest self-signed certificate. You can download the latest device firmware using the URL below:

http://www.peplink.com/support/downloads/firmware-6-3-1-and-user-manual/

Thank You


#3

Thank you for such an informative response - I completely understand now!


#4

Hi again, I need something clarified that is confusing for me. I’m using the URL https://192.168.50.1 and I’m NOT getting an error for a self-signed cert, which according to the FF link you provided would be:

Error code: sec_error_untrusted_issuer OR Error code: sec_error_ca_cert_invalid.

Instead I’m getting the same previous message minus the expired cert notification since I did update to the most current firmware (6.3.1):

Your connection is not secure
The owner of 192.168.50.1 has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
192.168.50.1 uses an invalid security certificate. The certificate is only valid for the following names: captive-portal.peplink.com, www.captive-portal.peplink.com Error code: SSL_ERROR_BAD_CERT_DOMAIN

When I go to add this exception and click on “get certificate”, the cert is issued from a CA (Comodo). Is this correct? I just wanted to make sure before I added this exception. I checked the certificate manager and the only one I have listed is for the web admin and the default is in use. Also, I prefer to change the default subnet; can I still use the default self-signed cert?


#5

What you are experiencing is perfectly normal. You would get the same type of error with a NAS device that also offered HTTPS access.

Yes, you can still use HTTPS to access the router even after changing the default subnet. Been doing so for years. While you are at it, you can also change the port number, another great security feature that Peplink offers. And, the router does not have to be computer 1 on the subnet. Thus you could end up with something like

https://10.10.10.5:9999  

for router access. As secure as this gets.


#6

Hi,

Michael is right :cool:. This is perfectly normal.

SOHO firmware version 6.3.1 should have the latest self-signed certificate. For more information, please refer to the attached screenshot.


Regarding the error message that you get:

192.168.50.1 uses an invalid security certificate. The certificate is only valid for the following names: captive-portal.peplink.com, www.captive-portal.peplink.com Error code: SSL_ERROR_BAD_CERT_DOMAIN

This is because the self-signed cert is signed using the domain name “captive-portal.peplink.com”. Thus, when you browse using the IP address, you will get a similar error message. Again, this is only a warning message from the browser; since you know/identified this is the correct Web Admin page for the SOHO, this is completely fine.

Thank You
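
The warnings discussed in this thread (name mismatch, expiry, self-signed versus CA-issued) are separate conditions that can be told apart from the certificate's own fields before a browser exception is added. The following is an added example, not part of any post here and not Peplink code; it assumes a certificate in the dict layout Python's `ssl` module uses for decoded certificates, and the sample issuer name and time zone are constructed.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout Python's ssl module uses for decoded
# certificates. Names are from the thread; issuer and time zone are assumed.
SAMPLE_CERT = {
    "subject": ((("commonName", "captive-portal.peplink.com"),),),
    "issuer": ((("commonName", "Constructed Issuing CA"),),),
    "notAfter": "Mar 22 05:07:00 2016 GMT",
    "subjectAltName": (("DNS", "captive-portal.peplink.com"),
                       ("DNS", "www.captive-portal.peplink.com")),
}
SAMPLE_NOW = datetime(2016, 3, 25, 1, 20, tzinfo=timezone.utc)

def dns_match(pattern, host):
    """Exact match, or one leftmost '*.' wildcard label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def diagnose(cert, target, now):
    """Return the reasons a browser would warn about cert for target at now."""
    san = cert.get("subjectAltName", ())
    findings = []
    try:
        wanted = ipaddress.ip_address(target)
    except ValueError:
        # Target is a host name: compare against DNS SAN entries only.
        ok = any(k == "DNS" and dns_match(v.lower(), target.lower())
                 for k, v in san)
    else:
        # An IP literal must appear as an IP SAN; DNS names never cover it.
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == wanted
                 for k, v in san)
    if not ok:
        findings.append("name_mismatch")   # Firefox: SSL_ERROR_BAD_CERT_DOMAIN
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if cert["subject"] == cert["issuer"]:
        findings.append("self_signed")     # heuristic: subject equals issuer
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_CERT, "192.168.50.1", SAMPLE_NOW))
```

A certificate generated for the router with its LAN address as an IP SAN and imported into the device would return an empty list for that address while it is within its validity period.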


#7

Thanks guys! Ok then, I will “get” that certificate and make an exception. I’ve never run into a self-signed cert before and the reference to the captive portal in the error message didn’t help either :slight_smile: The screenshot is perfect - completely helped me. The reason I had not updated the firmware is that I was following good advice to change the passwords & SSID offline before going online to update the firmware. I just thought well, while I was at it I would select HTTPS…so, I got a little learning experience about jumping ahead too quickly.

Michael234, if you could be so kind as to answer another question…after changing the port from 443 to whatever I choose, do I have to login as your example - subnet with the colon and port number?


#8

Hi,

Yes :slight_smile:

You need to add the port number for the web admin HTTPS connection.

Please refer to the attached screenshot.


Thank You


#9

Perfect screenshot sitloongs. Thanks, I’m totally getting everything now!