I've been experiencing an issue with self-signed certificates since I upgraded my Orbi Router to the latest firmware (2.7.2.140) over a month ago. The problem that I'm running into is that I cannot get to the internet on some of my devices due to the certificate from the router being flagged because it's self signed. I'm aware that previous certificates with the proper CA's have expired and have not currently been renewed. I'm also aware that some of the recommendations are just to ignore the warnings and accept the risk of using the certificate. There are a couple reasons why accepting the certificate doesn't work for me:
1. Some of my smart devices (i.e. TV) do not have an interface which allows me to accept the risk of using the self-signed certificate.
2. On devices where I can accept risk of using the self-signed certificate and have done so, I am prompted with a page that says "Blocked by Access Control in the Router".
There are certain methods (temporarily connect some devices to the router for exchanges/authentications over ethernet) that I have been able to use to get past this issue temporarily, but the issue eventually returns within a day or two.
I understand the premise behind use of validated CA's and signed certitificates, but is there anything else that I can do to resolve this issue? Is there a way that I can update the certificate that the Orbi is issuing for wifi connections?
This is not the first time an issue similar to this has been posted. @FURRYe38 is correct that the self-signed certificate issue only affects sonnections to the Orbi router secure web interface, the https interface, not the http interface used for administration.
My hypothesis is that a connection attempt to an internet resource has been blocked and the browser redirected to the Orbi secure .interface to display an error message and the browser takes over and complains about the certificate. For example, this recent post talks about getting a certificate error and after ignoring the error getting a message from the Orbi system:
Notice the Firefox (browser) message that google.com requires a secure connection, but the certificate sown is for "routerlogin.net" (not google.com). Pressing on to ignore the certificate warning brings up a message from routerlogin.net. (Device Blocked) So my hypothesis is that the certificate problem only shows up because some other problem has triggered a connection to the secure web interface.
That post goes on to explore possible ways that devices could be blocked (or "paused" in terms of the Orbi "app").
I, myself, have had situations where I used the Orbi app for something innocuous and later found that the Orbi Access Control had been activated (I do not use access control - that's a different story.) and a device blocked. I believe my exact words were "What the F**K just happened?" This was before the recent change in web browsers which now enforces the HSTS protocol (see Wikipedia). All I got was no connection and it took me quite some time to track down the Access Control issue.
I see a couple of ways to proceed:
Determine that the Orbi is not actually blocking any devices. Perhaps ensure that Access Control is not enabled, reboot the Orbi, and verify that Access Control remains "un"abled. Then see if the problem persists.
If the problem persists, then something is wrong with the firmware. Either Factory Reset and configure the 2.7.2.104 firmware, or do a manual firmware upload to the previous firmware that came before 2.7.2.104 and configure it.
Every Orbi setup is unique. If there are bugs in the code, then the precise sequence of changes can have an effect on the configuration. Just because some Orbi's function well on 2.7.2.104 does not mean that all do. And, just because 2.7.2.104 is "broken" on some Orbi's does not mean that it is broken on all of them. (not broken "yet", and maybe never broken because the precise sequence of events may never happen.)
p.s. If I were able to replicate this problem on my Orbi, I would go into debug mode and collect the LAN/WAN packets involving this device. Does it get an IP via DHCP? Does it do a DNS search on the URL? Does it send an HTTP connect request? Does it get answers? Do any packets actually go to the web URL? At what point does it get an https response from the Orbi? etc. etc.
Thanks @FURRYe38 and @CrimpOn for the responses. It is true that the self-signed certificate isn't preventing connectivity to the RBR/RBS and management console/website (eventhough I need to use router IP vice orbilogin.com).
After reading @CrimpOn's reply, I checked Access Control for blocked devices. There were no blocked devices. Next, I tried toggling Access Control. After turning Access Control off, I was able browse the web on a laptop that was previously blocked by access control (after accepting the risk of using the self-signed certificate). I was also able to connect a smart speaker which had recently been disconnected. After I turned on Access Control, I saw that I was still able to browse the web on the laptop. However, the smart speaker appeared to lose the connection to the internet. Eventually, I started receiving the self-certificate/blocked by access control screens when attempting to browse the web on the laptop (my guess is that the connection timed-out after Access Control was enabled). I also checked the log on the management console/website (Advanced > Administration > Log), but I didn't see any messages indicating blocks or DoS for the laptop and smart speaker.
It seems that the issue is being caused by Access Control. It's strange that there is no inidication of the issue in the management console/website. My glaring questions are (1) why is access control blocking devices that have clearly been configured for access and (2) why does access control allow connectivity via ethernet to the router on the same laptop which was blocked by access control on a wireless connection? I haven't checked any packets yet, but I guess that's my next step if I want to find out what's really happening here.
I'd prefer to keep Access Control enabled, but I would like to keep some of the fixes in the current firmware. At this point, it sounds like I either need to disable Access Control or rollback the firmware.
I am quite happy without Access Control (Blissful ignorance?) This is the sort of irrational, "impossible" situation which defies analysis. The device is not "officially" blocked, so there are no messages in the log. (Maybe it is not the device which is blocked, but services that are blocked.) But there is some crazy mixup in the internal tables which intercepts web requests and redirects them to the secure web interface, which the browser then complains about.
As I find resetting the Orbi from scratch really tedious, my "baby step" would be to save a copy of the Orbi configuration, do a factory reset, and then during the setup take the option to restore that saved configuration. This takes me less than 30 minutes start to finish, whereas a complete setup is more like 2-3 hours.
Try setting IP address reservations for you devices that you want to have in the access control and manage with Access Controls. Then setup access controls.
