Common testing issues with TR-069 and SSL

Here are solutions to a few common TR-069 SSL-related issues:

The ACS certificate is not in the correct format

The ACS certificate file specified by the acsCertPath testvar must contain both the certificate and corresponding private key in order for CDRouter’s ACS to use it to establish SSL connections with the CPE. Note that the certificate must be in PEM format and the private key must not be encrypted. For more details on the proper certificate file format, please see the following Knowledge Base article: “How do I use my own (self-signed) certificates with CDRouter’s ACS?”

The CPE does not have a time source

Some CPE devices will not validate a SSL certificate from the ACS until a time source is established. TR-069 states that devices should skip date validation of certificates if a time source is not established. However, in practice some CPE devices simple end the SSL connection. A common symptom of this problem are DNS requests to an NTP server which is not configured. To alleviate this problem, simply configure the NTP server that is being requested by the CPE:

testvar  ntpServer1  3.3.3.6
testvar  ntpServerName1  myNTPserver.com

Note that you may configure additional NTP servers if needed.

CPE is configured with IP address of ACS instead of domain name

Typically in SSL based configurations the CPE should be configured with an ACS URL using a domain name instead of an IP address. This allows the CPE to validate that the ACS URL matches the common name in the SSL certificate for the ACS.

By default, the SSL certificate for CDRouter’s ACS uses the common name acs.cdroutertest.com. In addition, CDRouter automatically maps the domain name acs.cdroutertest.com to the acsIp address (6.0.0.1 by default). If the CPE is using strict validation then the common name in the certificate from the ACS must match the ACS URL configured on the CPE. If the CPE is using a hard coded IP address (http://6.0.0.1) instead of a domain name (http://acs.cdroutertest.com) for the ACS URL, this check will fail. A symptom of this problem is the lack of DNS lookups for acs.cdroutertest.com in the log files which indicates that the CPE is using a hard coded IP address. The solution to this problem is to configure the ACS URL on the CPE to http://acs.cdroutertest.com (or another domain name).

Note that if a domain name other than http://acs.cdroutertest.com is configured on the CPE, a DNS entry MUST also be added to the CDRouter configuration file:

testvar  dnsHostname1  acs.mydomainname.com
testvar  dnsIp1  6.0.0.1

The CPE requires all Intermediate CA certificates to validate ACS certificate

CDRouter’s ACS server certificate is signed by an Intermediate CA (Certificate Authority), creating a validation chain ending with the Root CA that is known and trusted by the CPE. By default, CDRouter’s ACS only sends its own server certificate to the CPE when negotiating an SSL/TLS connection with the CPE.

In most cases, the CPE should already have any Intermediate CA certificates needed to validate the ACS, but some CPE’s require the ACS to send them explicitly. In this case, uncommenting the acsCaCertPath testvar will tell CDRouter to transmit all Intermediate CA certificates during the SSL/TLS handshake process.

When using alternate or self-signed certificates, acsCertPath should specify a file containing the ACS server certificate and its corresponding private key (unencrypted) Any Intermediate CA certificates needed to validate the server certificate should all be placed together in a file specified by the acsCaCertPath testvar.

The root CA is not installed on the CPE

In order for the CPE to validate the ACS SSL certificate, the root CA for the CDRouter ACS must be installed on the CPE. If the root CA is not installed, the CPE will reject the SSL connection. The solution to this problem is to install the root CA or disable certificate verification. Information about the root CA can be found here:

What root certificate must be installed to verify acs.cdroutertest.com.pem?

Note that you may also use your own server certificates using the following testvars:

testvar acsCertPath /usr/cdrouter/tests/acs.cdroutertest.com.pem
testvar acsCaCertPath /usr/cdrouter/tests/acs.cdroutertest.com-ca.pem