Common testing issues with TR-069 and SSL

Published: Sep 30, 2013
Tags: ssl TR-069 tls

Here are solutions to a few common TR-069 SSL-related issues.

The CPE does not have a time source

Some CPE devices will not validate an SSL/TLS certificate from the ACS until a time source is established. TR-069 states that devices should skip date validation of certificates if a time source is not established. However, in practice some CPE devices simply end the SSL connection. A common symptom of this problem is DNS requests for an NTP server that is not configured. To alleviate this problem, simply configure the NTP server that the CPE is requesting:

testvar  ntpServer1  3.3.3.6
testvar  ntpServerName1  myNTPserver.com

Note that you may configure additional NTP servers if needed.

CPE is configured with IP address of ACS instead of domain name

Typically, in SSL-based configurations the CPE should be configured with an ACS URL that uses a domain name instead of an IP address. This allows the CPE to validate that the host in the ACS URL matches the common name in the SSL certificate for the ACS.

By default, the SSL certificate for CDRouter's ACS uses the common name acs.qacafe.com. In addition, CDRouter automatically maps the domain name acs.qacafe.com to the acsIp address (6.0.0.1 by default). If the CPE is using strict validation, the common name in the certificate from the ACS must match the ACS URL configured on the CPE. If the CPE is using a hard-coded IP address (6.0.0.1) instead of a domain name (acs.qacafe.com) for the ACS URL, this check will fail. A symptom of this problem is the absence of DNS lookups for acs.qacafe.com in the log files, which indicates that the CPE is using a hard-coded IP address. The solution is to configure the ACS URL on the CPE as acs.qacafe.com (or another domain name).

Note that if a domain name other than acs.qacafe.com is configured on the CPE, a DNS entry MUST also be added to the CDRouter configuration file:

testvar  dnsHostname1  acs.mydomainname.com
testvar  dnsIp1  6.0.0.1
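The following is an added example, not CDRouter's own code, that models the two CPE-side checks discussed above: the common-name match against the ACS URL host, and the certificate date check that TR-069 says to skip when no time source is established. The certificate validity window, the CPE clock values and the ACS URLs used are constructed sample values.

```python
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample values (not CDRouter's real certificate or clock).
SAMPLE_NOT_BEFORE = datetime(2013, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2023, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2013, 9, 30, tzinfo=timezone.utc)
CPE_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # clock with no NTP

def acs_host(acs_url):
    """Return the host part of an ACS URL ('acs.qacafe.com' or '6.0.0.1')."""
    host = urlsplit(acs_url).hostname
    if host is None:
        raise ValueError("ACS URL has no host: %r" % acs_url)
    return host

def is_ip_literal(host):
    """True when the ACS URL host is an IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_acs_certificate(acs_url, cert_cn, not_before, not_after,
                          now=None, time_source_established=True):
    """Return the problems a strictly validating CPE would report.

    Name check: the ACS URL host must equal the certificate common name;
    an IP literal such as 6.0.0.1 can never match a DNS-name CN.
    Date check: performed only when the CPE has a time source, as TR-069
    requires (the CPEs described above drop the connection instead).
    """
    problems = []
    host = acs_host(acs_url)
    if is_ip_literal(host):
        problems.append("ACS URL uses IP address %s; configure the CPE with "
                        "the domain name %s instead" % (host, cert_cn))
    elif host.lower() != cert_cn.lower():
        problems.append("ACS URL host %s does not match certificate CN %s; "
                        "use that name or add dnsHostname/dnsIp testvars "
                        "for %s" % (host, cert_cn, host))
    if time_source_established:
        if now is None:
            now = datetime.now(timezone.utc)
        if not (not_before <= now <= not_after):
            problems.append("certificate dates invalid at %s" % now.isoformat())
    return problems
```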

The root CA is not installed on the CPE

In order for the CPE to validate the ACS SSL certificate, the root CA for the CDRouter ACS must be installed on the CPE. If the root CA is not installed, the CPE will reject the SSL connection. The solution to this problem is to install the root CA or disable certificate verification. Information about the root CA can be found here:

What root certificate must be installed to verify acs.qacafe.com.pem?

Note that you may also use your own server certificate and CA certificate by setting the following testvars:

testvar acsCertPath /usr/share/doc/cdrouter/acs.qacafe.com.pem
testvar acsCaCertPath /usr/share/doc/cdrouter/acs.qacafe.com-ca.pem