C4 Forums | Control4

Update the SSL certificate for a Pakedge RK-1 router?


EricaK


A few weeks ago, the Control4 SSL certificate on our Pakedge router renewed itself. We noticed some minor problems around that time but did not debug.

Today I finally dug into it, and realized that the certificate has an issue. When I tried to connect to the web ui, Edge and Chrome gave:

ERR_SSL_KEY_USAGE_INCOMPATIBLE

Apparently the cause is as follows:

Quote

Sites which fail with this error likely have a misconfigured certificate. Modern ECDHE_RSA cipher suites use the "digitalSignature" key usage option, while legacy RSA decryption cipher suites use the "keyEncipherment" key usage option. If unsure, administrators should include both in RSA certificates meant for HTTPS.

I was able to work around it on the web ui (on my desktop at least) with the solution here, though I don't love weakening the security that way. However, the VPN server still does not work, and the logs show that TLS negotiation is failing. I suspect this problem also plays a role in the wireless thermostat disconnects that started around the same time.

I would like to get the certificate fixed. I see no way to generate a new one. Does anyone have a suggestion? I am willing to use the CLI but have not found any instructions on that, either.
 

Link to comment
Share on other sites
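
The key usage check described in the quoted explanation above, as an added example that is not part of the original thread or any Control4/Pakedge code: it decodes an X.509 keyUsage extension (OID 2.5.29.15) from DER and reports which RSA key exchanges the certificate permits. The function names are hypothetical and the sample extension bytes are constructed for illustration, not taken from a router.

```python
# Added example: decode an X.509 keyUsage extension (OID 2.5.29.15) from DER.
KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
             "encipherOnly", "decipherOnly"]

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_key_usage(extension_der):
    """Parse Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, body, _ = read_tlv(extension_der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x01:                         # optional 'critical' BOOLEAN
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, bits, _ = read_tlv(value)
    if tag != 0x03 or len(bits) < 2:
        raise ValueError("expected non-empty BIT STRING")
    unused, data = bits[0], bits[1:]
    nbits = len(data) * 8 - unused
    # DER numbers bits from the most significant bit of the first byte.
    return {BIT_NAMES[i] for i in range(min(nbits, len(BIT_NAMES)))
            if data[i // 8] & (0x80 >> (i % 8))}

def rsa_tls_compat(usages):
    """Which RSA-certificate key exchanges the asserted usages permit."""
    return {"ECDHE_RSA": "digitalSignature" in usages,
            "RSA": "keyEncipherment" in usages}

# Constructed sample extensions (critical=TRUE), not taken from any real device.
KEYENC_ONLY = bytes.fromhex("300e0603551d0f0101ff040403020520")
BOTH = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
```

A certificate whose extension decodes like `KEYENC_ONLY` is the kind a browser negotiating ECDHE_RSA rejects with ERR_SSL_KEY_USAGE_INCOMPATIBLE; one that decodes like `BOTH` satisfies both cipher suite families.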


  • 3 weeks later...

I was not able to get the workaround to work.  However, I was able to get in with my iPad with Safari.  I saw the certificate was not out of date so there must be another problem with it.

Does anyone have an update on when the problem will be fixed?

Admin....  any update?

Link to comment
Share on other sites

I have two sites with RK-1's that are having Wireless Thermostat disconnections and offsite connectivity issues, that came to our attention 3-4 weeks ago.

Tech Support has told me the SSL Certificate issue has no effect on performance, but I'm not sure I agree.  

Link to comment
Share on other sites

23 minutes ago, Ed C said:

I have two sites with RK-1's that are having Wireless Thermostat disconnections and offsite connectivity issues, that came to our attention 3-4 weeks ago.

Tech Support has told me the SSL Certificate issue has no effect on performance, but I'm not sure I agree.  

I agree. The cert is for login to the web ui. It won't cause any issues w devices connected to the Router

Link to comment
Share on other sites

10 hours ago, msgreenf said:

I agree. The cert is for login to the web ui. It won't cause any issues w devices connected to the Router

Just to add to Mitch's post: it's not your RK-1 that is connecting to the thermostat. Certs would be between the two endpoints of a session unless you have a proxy, which the RK-1 probably doesn't do.

Link to comment
Share on other sites

Yes but...I will say that I also noticed wireless thermostat disconnects, that is how I found the issue to begin with.

The router may not be directly involved, but if either the gateway or the thermostat cannot reliably get IP and DHCP info, it could certainly contribute to the problem.

I hope this gets fixed soon.

Link to comment
Share on other sites

no it doesn't contribute to the problem.  you are wrong...work on the true root cause analysis.  if it's not getting an IP is your DHCP pool too small?  Is your lease life too long?

 

The web HTTPS TLS cert has nothing to do with this

Link to comment
Share on other sites

11 hours ago, msgreenf said:

I agree. The cert is for login to the web ui. It won't cause any issues w devices connected to the Router

So then it's just a coincidence that when the cert issue popped up we started having issues with off-site access and thermostats.....not trying to be smart but it's hard to believe 

Link to comment
Share on other sites

Look, I have no desire to start an argument. Main thing is we both agree the cert needs to be fixed -- web UI access is also very important no matter what! Regenerating a fixed certificate should be possible soon, I hope.

Link to comment
Share on other sites

2 hours ago, EricaK said:

Yes but...I will say that I also noticed wireless thermostat disconnects, that is how I found the issue to begin with.

The router may not be directly involved, but if either the gateway or the thermostat cannot reliably get IP and DHCP info, it could certainly contribute to the problem.

I hope this gets fixed soon.

there are no certs involved in the DHCP process, so this is not your problem

Link to comment
Share on other sites

4 hours ago, EricaK said:

Look, I have no desire to start an argument. Main thing is we both agree the cert needs to be fixed -- web UI access is also very important no matter what! Regenerating a fixed certificate should be possible soon, I hope.

Most likely won't happen.  Again, it's not the cause of your problems.  I deal with many products that throw the same certificate warnings for local web access, that otherwise, function normally.

Better yet, ditch the RK1 and get something more current.

Link to comment
Share on other sites

Wait, are you saying the cert won't be fixed??

The web UI access absolutely is the fault of the cert. I had to weaken security on both my PC and VPN to allow it, and it won't work at all on my phone.

 

Link to comment
Share on other sites

31 minutes ago, EricaK said:

Wait, are you saying the cert won't be fixed??

The web UI access absolutely is the fault of the cert. I had to weaken security on both my PC and VPN to allow it, and it won't work at all on my phone.

 

It is being fixed... Control4 has said it's up soon to be fixed

Link to comment
Share on other sites

Things are a bit heated here?

In the end the known certificate issue is beyond any doubt purely a browser vs device interface concern. It will not affect DHCP, wifi connections or remote connections in and of itself. It simply cannot.

(Temporary) certificate issues like this are common enough, even among some of the most high-end enterprise level routers/gateways/firewalls. Watchguard, Cisco, you name it have had them, just takes a bit of time to get a new firmware created with a new updated certificate, and it's never super high priority because it's always just an interface concern that can be bypassed.

Not that it shouldn't (provided the device is still in support life) or doesn't happen, just not going to be up there for a 24 hour fix.

 

 

7 hours ago, NOc4Guru said:

So then it's just a coincidence that when the cert issue popped up we started having issues with off-site access and thermostats.....not trying to be smart but it's hard to believe 

Yes it is.

Correlation is not proof of causation. Indeed, you probably only noticed the existing certificate issue BECAUSE you're having other issues. One would assume you're not in your router interface regularly. If you are - well you shouldn't be.

 

Link to comment
Share on other sites

To be clear: that isn't dismissing any other issues you're having.

 

But let's focus on those directly - please post a new thread on the issues.

 

Oh as a side note, if you're talking about Control4 wireless thermostats....those aren't WIFI thermostats at all, and don't even connect to or via the router to begin with, but directly to a C4 controller.

Link to comment
Share on other sites

  • 1 month later...

so far the only solution I have found is to log into OVRC, find the router or WAP you're trying to connect to, hit the 3 dots and then select web connect.  I am able to access the GUIs that way

Link to comment
Share on other sites

There is an update that has this fix listed in the notes, but it doesn't look like it actually worked... I am still getting the error in both Chrome and Edge. I am assuming that the certificate needs to be regenerated, but I don't see any place in the router to actually re-issue the certificate. I'm not sure if it didn't reissue mine because it still has a year left before expiry. Anyone else try the update yet?

On a Pakedge RT-3100.

Link to comment
Share on other sites
