Legacy Open Mesh: An Expired Certificate Prevents Access Points and Switches From Checking Into CloudTrax
Issue
Access points and switches cannot check into CloudTrax
Environment
- Datto Access Points
- Datto Switches
Cause
As of August 21, 2018, access points that are not running the firmware releases listed below may not be able to check into CloudTrax because their HTTPS certificates have expired.
- 6.1.4
- 6.2.13
- 6.3.16
- 6.4.11
Resolution
A resolution for 100% of affected devices is pending.
Update 3:
Switches running firmware releases before 1.0.7 will not be able to check into CloudTrax until their firmware is upgraded. You can try to manually update the firmware on your switch, or open a support request if you are unable to do so.
Update 2:
We're aware of issues with APs reporting as offline incorrectly due to this certificate change.
Some APs that cannot get proper time from 0.openwrt.pool.ntp.org cannot use the new certificate properly. This looks to be due to how 0.openwrt.pool.ntp.org is being resolved. We'd suggest rebooting your local network router and then rebooting the APs to see if this clears out any DNS cache info for 0.openwrt.pool.ntp.org. Additionally, try setting your router's DNS servers to 1.1.1.1 or 8.8.8.8.
We're still investigating a server-side fix for this issue.
Update
On August 26, 2018, we were able to make server-side changes that allowed us to utilize a secondary certificate on the affected access points. This should allow affected access points to check in again for the time being. The new certificate will expire in July 2019. Please upgrade these access points to 6.1.4, 6.3.16 or 6.4.11 as soon as possible.
Notice
Attempts were made over the last year to push out new certificates to access points running other firmware releases, but these access points may not have been able to download the update script, or the firmware release had bugs or design limitations that prevented the certificate update from working as designed.
Most issues have been seen with networks running firmware 590 and firmware 6.1.2. These firmware releases are quite old, and not recommended. We always recommend running the latest possible firmware releases to avoid these kinds of problems.
To get the access points checking in again, a manual firmware flash to a more recent firmware release will be needed. Keep in mind there are certain firmware restrictions for some models.
| Model | Flash Firmware |
| --- | --- |
| OM2P 32MB | 481* |
| OM2Pv1 | 6.1.4 |
| Other models | 6.3.16 |
*481 firmware requires that you run CloudTrax in legacy mode, which has a limited feature set. The OM2P 32MB model hit End of Life in 2016; we suggest replacing the access point with a newer model instead of reverting to 481 firmware and legacy mode.