
Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

CrimpOn
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@abqttu wrote:

The certificate expiration also breaks Orbi's built-in VPN.  When I attempt to VPN into Orbi - from a site external from my home network - I receive warnings in both Chrome and Firefox of potential security issues.

notAfter=Aug 2 16:51:57 2019 GMT                  


I think what you are seeing is not the VPN being broken, but the same phenomenon we all notice.  When the user connects a web browser to a "secure site" (https) and the web site certificate is not valid, the browser complains and urges the user not to proceed.  The VPN still did its job by making the connection.  The option to "go ahead anyway" is not obvious, and (I believe) some browsers will not permit the user to access a site with an invalid certificate.  (Edge, for example)

Message 51 of 85
abqttu
Aspirant

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

I agree the problem I am seeing is the same as what you all are seeing.  It is not a client/server connectivity issue. However, VPN is effectively broken since Chrome will not allow connections to remote destinations. And although Firefox will let you click through the security warnings, its functionality is erratic at best.

Message 52 of 85
CrimpOn
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@abqttu wrote:

 VPN is effectively broken since Chrome will not allow connections to remote destinations. And although Firefox will let you click through the security warnings, its functionality is erratic at best.


Is Chrome clicking through the security warning not the same as Firefox?  (I don't have a 'remote' VPN available right now.  Is it 'different'?)

Ignore.PNG

 

Message 53 of 85
Wire1852
Apprentice

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

This really sucks!!!

 

Netgear has updated the Orbi firmware (v2.5.0.38) and the security certificate has still not been updated.

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 54 of 85
Wire1852
Apprentice

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@Wire1852 wrote:

This really sucks!!!

 

Netgear has updated the Orbi firmware (v2.5.0.38) and the security certificate has still not been updated.


I got the firmware by logging into router & checking for update. The new firmware doesn't show on Netgear support webpage.

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 55 of 85
schumaku
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@Wire1852 wrote:

Netgear has updated the Orbi firmware (v2.5.0.38) and the security certificate has still not been updated.


Oh Netgear did it again ... @ChristineT why I don't wonder one second?

Message 56 of 85
FURRYe38
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Message 57 of 85
Wire1852
Apprentice

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@FURRYe38 wrote:

https://kb.netgear.com/000061393/RBR50-RBS50-Firmware-Version-2-5-0-40-Hot-Fix



Are you insane? You're pointing people to a hot fix that is on top of 2.5.0.38 that people have been experiencing issues with for the last 2 weeks. Netgear indicate the hot fix only fixes the security certificate issue. All the other issues in 2.5.0.38 are still in this hot fix.
Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 58 of 85
schumaku
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@Wire1852 wrote:

@FURRYe38 wrote:

https://kb.netgear.com/000061393/RBR50-RBS50-Firmware-Version-2-5-0-40-Hot-Fix



Are you insane?

It's your choice what is more important - a valid certificate or a random older firmware you prefer for whatever reason. Unlikely Netgear will release older firmware(s) with the new factory certificate.

Message 59 of 85
Wire1852
Apprentice

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@schumaku wrote:
 

It's your choice what is more important - a valid certificate or a random older firmware you prefer for whatever reason. Unlikely Netgear will release older firmware(s) with the new factory certificate.

 

----------------------

But they will release the valid security certificate in future releases that are actually stable. Assuming Netgear gets its act together.


 

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 60 of 85
FURRYe38
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Users need to factory reset their systems after loading v38 or v40. There is a known problem with v38 with device naming. This doesn't affect overall operation. I saw no issues with overall operation with v38 after a manual FW load and factory reset. I'll be doing the same again to check v40. Users will have to wait for NG to fix the device naming problem or revert back and wait till the fix comes from NG. Up to users to use it or not. Complaining doesn't solve anything.


@Wire1852 wrote:

@FURRYe38 wrote:

https://kb.netgear.com/000061393/RBR50-RBS50-Firmware-Version-2-5-0-40-Hot-Fix



Are you insane? You're pointing people to a hot fix that is on top of 2.5.0.38 that people have been experiencing issues with for the last 2 weeks. Netgear indicate the hot fix only fixes the security certificate issue. All the other issues in 2.5.0.38 are still in this hot fix.

 

 

Message 61 of 85
Retired_Member
Not applicable

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@FURRYe38 wrote:

Users need to factory reset their systems after loading v38 or v40.

 

factory reset is for lost passwords

 


 

Message 62 of 85
tomschmidt
Virtuoso

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

NG recently released hot fix v2.3.5.34 to attempt to update the expired https certificate. However, they replaced it with a self-signed certificate instead of one issued by a certificate authority (CA).  This still causes browsers to not trust the https URL for the router.

 

Here is the certificate error shown on Firefox 70.0.1 for the v2.3.5.34 firmware:

 

     orbilogin.net uses an invalid security certificate.

     The certificate is not trusted because it is self-signed.

     Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

 

I do not have v2.5.0.40 hot fix installed due to the major bug in device naming that it introduced.  So I do not know if it likewise has a self-signed certificate instead of a valid CA issued certificate.  If someone is running v2.5.0.40, can you check the certificate and report back?  And open a ticket with NG if it likewise is self-signed.

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 63 of 85
FURRYe38
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

I knew I forgot to do something last night. I'll check today after work if someone doesn't respond back sooner.

Message 64 of 85
schumaku
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Amazing, Netgear right hand does apparently not know what the left hand is doing. I already wondered and queried half a year ago what the plan is considering they have a properly Entrust CA signed certificate for the [www.]routerlogin.[net|com] DNS names however the Orbi specific DNS names have not been added - here on a Nighthawk R9000:

 

routerlogin certificate signed by Entrust CA.JPG

 

FWIW @tomschmidt the certificate can never be valid as long as you are accessing the router by an IP address. But of course, the self-sign is utterly useless anyway. [Edit: Just spotted that the text result comes from an access with the right DNS name:      orbilogin.net uses an invalid security certificate.]
 

Message 65 of 85
CrimpOn
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Thanks for the observation regarding certificates linked to DNS names rather than IP.  One of the implications is that when an Orbi is set up to allow Remote Management, the remote web browser will always complain about the Cert, even when it is issued by Entrust.

 

This is because Remote Management can only be done by https to the Orbi public IP.  None of the Entrust DNS names will resolve to the Orbi public IP.  Since Orbi is resolving DNS internally, it maps those DNS names to its own internal IP when a user wants to access the Orbi web interface from a local client.

 

Maybe that's a reason Netgear wasn't diligent with renewing the Cert.  Internal access can use http, so the Cert doesn't matter.  External access cannot use the DNS names, so the Cert will always be rejected.

Message 66 of 85
schumaku
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Well @CrimpOn - everybody does want to see https, it's obsolete (sigh), security "audit" tools with average policies (see Netgear Armor) complain if there is still http in the network. And nobody does care about the bigger picture - even if enabling https at any cost will put up even more nag messages than what plain http would.

Message 67 of 85
FURRYe38
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Well this is all I get when using routerlogin.net with FF with v40 loaded on the RBR50:

FFRBR50v40WebSiteID.png

 

I cleared all caches and previously used login PWs and information out of the browser. Exited the browser and re-started it. Saw nothing of a warning page given by FF about a security risk. Only see that the link to the routerlogin.net or 192.168.0.1 IP address gives information that it's not secure, i.e. HTTP vs HTTPS.


@tomschmidt wrote:

NG recently released hot fix v2.3.5.34 to attempt to update the expired https certificate. However, they replaced it with a self-signed certificate instead of one issued by a certificate authority (CA).  This still causes browsers to not trust the https URL for the router.

 

Here is the certificate error shown on Firefox 70.0.1 for the v2.3.5.34 firmware:

 

     orbilogin.net uses an invalid security certificate.

     The certificate is not trusted because it is self-signed.

     Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

 

I do not have v2.5.0.40 hot fix installed due to the major bug in device naming that it introduced.  So I do not know if it likewise has a self-signed certificate instead of a valid CA issued certificate.  If someone is running v2.5.0.40, can you check the certificate and report back?  And open a ticket with NG if it likewise is self-signed.


 

Message 68 of 85
SergioRZ
Aspirant

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Same (?) problem here... now I get a red triangle "not secure" warning on Chrome... what is this? Can it be fixed? (no remote management, just using local LAN address)

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 69 of 85
tomschmidt
Virtuoso

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Sorry my previous screengrab used the IP address instead of the DNS name.  Here is an updated image using https://orbilogin.net/ with Firefox, including the "View Certificate" popup window.

 

Capture V2.3.5.34 certificate error, Firefox 70.0.1.PNG


@schumaku wrote:

Amazing, Netgear right hand does apparently not know what the left hand is doing. I already wondered and queried half a year ago what the plan is considering they have a properly Entrust CA signed certificate for the [www.]routerlogin.[net|com] DNS names however the Orbi specific DNS names have not been added - here on a Nighthawk R9000:

 

routerlogin certificate signed by Entrust CA.JPG

 

FWIW @tomschmidt the certificate can never be valid as long as you are accessing the router by an IP address. But of course, the self-sign is utterly useless anyway. [Edit: Just spotted that the text result comes from an access with the right DNS name:      orbilogin.net uses an invalid security certificate.]
 


 

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 70 of 85
schumaku
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@FURRYe38 wrote:

Well this is all I get when using routerlogin.net with FF with v40 loaded on the RBR50:

...

Saw nothing of a warning page given by FF about a security risk. Only see that the link to the routerlogin.net or 192.168.0.1 IP address gives information that it's not secure, i.e. HTTP vs HTTPS.


That's because you called the router by http instead of https - see the header of the FF security status info. There is (much) less alarm noise when using http vs. using https with a self-signed certificate or a non-DNS-name-matching URL. And luckily, there is no forced redirect to https.

Message 71 of 85
schumaku
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)


@SergioRZ wrote:

Same (?) problem here... now I get a red triangle "not secure" warning on Chrome... what is this?


Click on that "Not secure" bar and use the "Learn more". ....

 

Chrome https not secure - learn more.JPG

 


@SergioRZ wrote:

Can it be fixed? (no remote management, just using local LAN address)


Not really, and not fully. For a typical home network what we can consider reasonably secure, you can still use http instead of https.

 

Netgear should add a "correct" signed certificate (and private key) for the documented domain names like orbilogin.net or routerlogin.com - ideally there should be the ability to create a CSR (certificate signature request) to be signed by a CA and the ability to upload user supplied certificates.

Here again, the trust chain is broken when using an IP address -  certificate is always linked to a DNS name, like orbilogin.net - even with the best valid certificate, when using IP, the browser will complain.

 

 

Message 72 of 85
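
The three conditions discussed in this thread (an expired certificate, a self-signed one, and a name mismatch when connecting by IP address) are independent checks, and a browser warns if any one of them fails. As an added example, not code from any poster or from Netgear, the sketch below evaluates them on constructed certificate dicts in the layout of Python's `ssl.SSLSocket.getpeercert()`; `diagnose` and `name_matches` are hypothetical helper names, and only the `notAfter` value of the first sample comes from the thread.

```python
import ipaddress
import ssl

# Constructed samples in the dict layout of ssl.SSLSocket.getpeercert().
# Only the notAfter value of CA_SIGNED is taken from the thread.
CA_SIGNED = {
    "subject": ((("commonName", "routerlogin.net"),),),
    "issuer": ((("commonName", "Constructed Example CA"),),),
    "notAfter": "Aug  2 16:51:57 2019 GMT",
    "subjectAltName": (("DNS", "routerlogin.net"), ("DNS", "www.routerlogin.net")),
}
SELF_SIGNED = {
    "subject": ((("commonName", "orbilogin.net"),),),
    "issuer": ((("commonName", "orbilogin.net"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "orbilogin.net"),),
}
BEFORE_EXPIRY = ssl.cert_time_to_seconds("Aug  1 00:00:00 2019 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Aug  3 00:00:00 2019 GMT")


def name_matches(cert, target):
    """Compare target with SAN entries: IPs against 'IP Address', names against 'DNS'."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # A host name: exact, case-insensitive match (wildcards left out for brevity).
        return target.lower() in {v.lower() for k, v in san if k == "DNS"}
    return ip in {ipaddress.ip_address(v) for k, v in san if k == "IP Address"}


def diagnose(cert, target, now):
    """Return the independent reasons a browser would warn about this certificate."""
    problems = set()
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.add("expired")
    # Heuristic: issuer == subject means self-issued, so no chain to a trusted CA.
    if cert["issuer"] == cert["subject"]:
        problems.add("self-signed")
    if not name_matches(cert, target):
        problems.add("name-mismatch")
    return problems


if __name__ == "__main__":
    for cert, target, now in [(CA_SIGNED, "routerlogin.net", AFTER_EXPIRY),
                              (CA_SIGNED, "192.168.0.1", BEFORE_EXPIRY),
                              (SELF_SIGNED, "orbilogin.net", AFTER_EXPIRY)]:
        print(target, sorted(diagnose(cert, target, now)))
```

On a live connection `getpeercert()` returns an empty dict when certificate verification is turned off, which is why the samples are embedded here rather than fetched from a device.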
PhillipPino
Aspirant

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Just installed my Orbi with one satellite last night. And getting the very warning on my phone for my exchange server. Was the overall cert issue resolved? Why is it even trying to hijack my session to places that aren’t routerlogin.net?
Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 73 of 85
CrimpOn
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Can you post a picture of the message?

Which firmware version is on this Orbi?

What modem (brand/model) is the Orbi connected to?

 

I run Exchange Email on my Android, and get no certificate errors.

Message 74 of 85
FURRYe38
Guru

Re: Netgear Orbi RBK50 - Web certificate expired yesterday (Aug 2, 2019)

Update to v2.5.1.8...


@PhillipPino wrote:
Just installed my Orbi with one satellite last night. And getting the very warning on my phone for my exchange server. Was the overall cert issue resolved? Why is it even trying to hijack my session to places that aren’t routerlogin.net?

 

Message 75 of 85