cancel
Showing results for 
Search instead for 
Did you mean: 

Can't access unleashed web interface page - Certificate problem

unglipegino
New Contributor

Hi.

I've messed up my web access to the unleashed interface page by installing the wrong certificate (Cloudflare) in the administration area, now I'm not able to access my R600 AP by browser anymore (Unleashed ver. 200.7.10.202 build 127).

When I try to access http://unleashed.ruckuswireless.com/ or http://10.110.0.1/admin/login.jsp I get redirected to the "Not secure" site http://cloudflare/tohttps.jsp and then https://cloudflare/ 

  • I've tried to set up my "hosts" file on windows to "10.110.0.1 cloudflare" so I could maybe access the interface again,
  • I've turned off the "Warn about certificate address mismatch*" in the Advanced - Internet Option
  • I've installed the same certificate to the "Trusted root cert auth."
  • ... to no avail

I even went through all the Unleashed CLI documentation  and found nothing on

  • resetting the default certificate or
  • manually setting "https:/unleashed/" for the path of the web interface instead of "http://unleashed.ruckuswireless.com/"

Can anything still save me from resetting the whole AP to factory defaults?

Any help would be strongly appreciated. 

Best regards to all!

1 ACCEPTED SOLUTION

unglipegino
New Contributor

Hey guys thanx for the effort. I just came across this weird browser "Pale Moon" which let me bypass this certificate issue that the modern browser today just won't let go. So I've managed to log in and reset the old Ruckus certificate. Everything works again.

Well if I'm curious how things work I give it a try and often break things along the way. I just love a challenge like that from time to time 😄 Sorry for the nuisance.

Best regards again. 

View solution in original post

6 REPLIES 6

eizens_putnins
Valued Contributor II

It's difficult to imagine why you wanted to replace the certificate. AP management interface should be never available from internet, and public certificate   doesn't make sense on private addresses, as it doesn't mean anything than. Also it seems that you messed more than just certificate in the configuration.

 

I suspect that it will be much faster and safer to reset configuration and reconfigure it from scratch.  

ms264556
Contributor III

I've accidentally done this before.

Trying to use http will always redirect you, but hitting https instead (e.g. https://10.110.0.1) should just give you the warning and let you proceed.

It is a shame there seems to be no cli for certificate management. I wrote a script to apply certs using curl (at https://ms264556.github.io/Hackery/pages/PfSenseLetsEncryptToRuckus.html) which you could use to choose a better domain for the redirect.

I came here looking for an automated way to update the AP's cert; your script looks like it would do the trick--thanks for the work on that.  It leaves me with a couple of questions, though:

  • The workflow expected by the Unleashed firmware, at least, seems to be that you generate a CSR on-device, get that signed, and upload the resulting certificate.  And it looks like that's what your script expects too, as it doesn't appear to upload a private key.  Is that correct?
  • When you upload the cert, do you upload just the leaf cert, or also the intermediate certs?  IOW, in certbot terminology, do you use cert.pem or fullchain.pem?
  • Why on earth would the entire access point need to reboot just to implement a new cert?  That seems like strikingly poor design.

  • No you don't need the to run through any process on your Unleashed or ZoneDirector. If you have a close look at the script you can see I do two uploads - first the public certificate, then the private key.
  • The .crt and .key have always been sufficient for me. When you're uploading certificates there is the option to also upload intermediates. If you find this is necessary for your particular case then I can update the script.
  • I don't know why the reboot. Honestly though, it happens only a few times each year, and the pfSense ACME package schedules the refresh at 3am, so I don't mind at all.