Issue with certificate from www.captive-portal.peplink.com

I have an issue with a deployed Pepwave BR1.

Essentially, our system as deployed has a Pepwave BR1 and an embedded controller. This controller has an alias set up for the Pepwave’s LAN gateway IP, and several on-board services use that alias. For example, “router” is set to “192.168.1.1”. Normally, I can access the Pepwave admin page by going to “http://router/” in a browser on the embedded controller. On this particular system, it complains that “this server could not prove that it is router, its security certificate is from captive-portal.peplink.com”. I have a copy of this set-up, with the same Pepwave firmware (8.0.2), and the same controller, and it works fine. Our application doesn’t actually use a browser, but this appears to be the root cause of why our services are failing. The date and time are correctly set on the embedded controller. Any clues appreciated!

Thanks.

Just some more details - the set-up that works actually has a few differences. The Pepwave there is a MAX-BR1-MK2-LTE, Firmware 8.0.2 build 1480. The setup that does not has a MAX-BR1-MINI-LTEA-W, Firmware 8.0.2 build 3612.

The difference is that your onboard BR1 has its web interface set to HTTPS, and the certificate it uses for that is a cert that is used for captive portal presentation. On your test bench, if you don’t see the SSL warning then your BR1 is using HTTP for the web admin instead.

1 Like

Hi Martin, thanks for the response.

Is it possible to change whether the web interface uses http or https?

How do I visit the Pepwave admin page over https without getting the warning? For example, on my bench unit, if I visit “https://192.168.1.1”, I get that same error, but visiting “192.168.1.1” just takes me to the un-secured version of the admin page (without any warnings).

Yes of course. On the device itself you can navigate to System > System | Admin Security and change the drop down to http only:

Or if you are using IC2 you can set it in Device System Management under your group settings:


Which takes you to this section

3 Likes

Thanks for the tip, that solved my issue (at least for now).

I’m now looking at changing our application to use the https version of the Pepwave interface, and can’t find a way to access it without triggering this certificate warning. I’ve set the Pepwave interface to http/https, and set “redirect http->https”. However, whenever I visit the Pepwave admin page (either from a web browser on the embedded device, or a laptop), I get the same error as originally:

"Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for 192.168.20.1. The certificate is only valid for the following names: captive-portal.peplink.com, www.captive-portal.peplink.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN"

Am I visiting the wrong URL? (“captive-portal.peplink.com” doesn’t work at all) Or is there something wrong with my Pepwave config?

Thanks in advance!

This is expected. You are accessing the router on its IP address, which naturally doesn’t match https://captive-portal.peplink.com. Add a DNS entry on the BR1 in Network > LAN | Network settings with captive-portal.peplink.com as the host name and the LAN IP as the IP Address.

Then you’ll be able to access the BR1 using that hostname in your browser / app without the error. Or add your own cert, or use the IC2 mypep.link built-in dynamic DNS (based on Let's Encrypt) - but whichever way you do it, add a local DNS entry for the hostname to point to the LAN IP so the error goes away…

4 Likes

Makes sense - I did assume that something similar was pre-configured. Thanks again!

1 Like

This was nice for quickly creating a certificate on my Balance 305.

Choose web server and enter the common name with router IPs, the DNS name as router IPs, and the IP as the router IPs.

You then load that in the web https/ssl certificate in the Peplink and have to install the certificate on your machine(s).

4 Likes

Looks great, thanks!

1 Like
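
The name check behind SSL_ERROR_BAD_CERT_DOMAIN, and the two fixes suggested above (a local DNS entry for the certificate's hostname, or your own certificate that lists the router's name and IP), as an added example that is not part of the original thread. It is a simplified Python model of subject alternative name (SAN) matching; the `CUSTOM` certificate contents and the function names are constructed for illustration.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN against a hostname ('*' only as the whole left-most label)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:      # wildcard covers exactly one label
        p, h = p[1:], h[1:]
    return p == h

def cert_valid_for(target: str, dns_sans=(), ip_sans=()) -> bool:
    """True if a client connecting to `target` would accept a cert with these SANs."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostname in the URL: compared against dNSName entries only.
        return any(_dns_match(name, target) for name in dns_sans)
    # IP literal in the URL: compared against iPAddress entries only,
    # so an IP typed into a DNS-name field does not help.
    return any(addr == ipaddress.ip_address(ip) for ip in ip_sans)

# Names listed in the Firefox error quoted in the thread.
DEFAULT_DNS = ("captive-portal.peplink.com", "www.captive-portal.peplink.com")

# Constructed sample: a self-made certificate listing the controller's alias
# and the LAN IP from the error message.
CUSTOM = {"dns_sans": ("router",), "ip_sans": ("192.168.20.1",)}

def report():
    """(target, accepted with default cert, accepted with custom cert) per URL host."""
    targets = ("router", "192.168.20.1", "captive-portal.peplink.com")
    return [(t, cert_valid_for(t, DEFAULT_DNS), cert_valid_for(t, **CUSTOM))
            for t in targets]

if __name__ == "__main__":
    for target, default_ok, custom_ok in report():
        print(f"{target:28} default cert: {default_ok!s:5}  custom cert: {custom_ok}")
```

With the default certificate only the captive-portal hostname passes, which is why that name has to resolve to the LAN IP locally; with a custom certificate the alias and the IP pass, provided the IP is entered as an IP address entry and the certificate is trusted on the client.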