CDRouter Support

Common testing issues with TR-069 and SSL

knowledge-base version 12.13

Here are solutions to a few common TR-069 SSL-related issues:

The ACS certificate is not in the correct format

The ACS certificate file specified by the acsCertPath testvar must contain both the certificate and corresponding private key in order for CDRouter’s ACS to use it to establish SSL connections with the CPE. Note that the certificate must be in PEM format and the private key must not be encrypted. For more details on the proper certificate file format, please see the following Knowledge Base article: “How do I use my own (self-signed) certificates with CDRouter’s ACS?”

The CPE does not have a time source

Some CPE devices will not validate a SSL certificate from the ACS until a time source is established. TR-069 states that devices should skip date validation of certificates if a time source is not established. However, in practice some CPE devices simple end the SSL connection. A common symptom of this problem are DNS requests to an NTP server which is not configured. To alleviate this problem, simply configure the NTP server that is being requested by the CPE:

testvar  ntpServer1
testvar  ntpServerName1

Note that you may configure additional NTP servers if needed.

CPE is configured with IP address of ACS instead of domain name

Typically in SSL based configurations the CPE should be configured with an ACS URL using a domain name instead of an IP address. This allows the CPE to validate that the ACS URL matches the common name in the SSL ceritifcate for the ACS.

By default, the SSL certificate for CDRouter’s ACS uses the common name In addition, CDRouter automatically maps the domain name to the acsIp address ( by default). If the CPE is using strict validation then the common name in the certificate from the ACS must match the ACS URL configured on the CPE. If the CPE is using a hard coded IP address ( instead of a domain name ( for the ACS URL, this check will fail. A symptom of this problem is the lack of DNS lookups for in the log files which indicates that the CPE is using a hard coded IP address. The solution to this problem is to configure the ACS URL on the CPE to (or another domain name).

Note that if a domain name other than is configured on the CPE, a DNS entry MUST also be added to the CDRouter configuration file:

testvar  dnsHostname1
testvar  dnsIp1

The root CA is not installed on the CPE

In order for the CPE to validate the ACS SSL certificate, the root CA for the CDRouter ACS must be installed on the CPE. If the root CA is not installed, the CPE will reject the SSL connection. The solution to this problem is to install the root CA or disable certificate verification. Information about the root CA can be found here:

What root certificate must be installed to verify

Note that you may also use your own server certificates using the following testvars:

testvar acsCertPath /usr/cdrouter/tests/
testvar acsCaCertPath /usr/cdrouter/tests/



About CDRouter

CDRouter is made by QA Cafe, a technology company based in Portsmouth, NH.

Get in touch via our Contact page or by following us on your favorite service: