Cambium Networks

Wireless That Just Works

Field Service Bulletin

Some devices fail to onboard to cnMaestro Cloud due to failure in server certificate check.

Download PDF Version

Document Number:

FSB9096

Revision:

001v000

Application:

Global

Effective Date:

May 23, 2025

Expiry Date:

N/A

Bulletin Type:

Warranty Service
Informational
Customer Specific

Severity Recommendation:

High – Perform immediately
 
Medium – Perform at next scheduled maintenance
 
Low – Perform when system exhibits symptoms
Subject:

Some devices fail to onboard to cnMaestro Cloud due to failure in server certificate check.

Model / System Affected:
  • PMP
  • Enterprise Wi-Fi
    • cnPilot E Series
    • XV and XE Series
  • cnWave 60 GHz
  • cnWave 5G Fixed (BTS only. CPE does not connect to cnMaestro directly)
  • cnRanger
  • cnMatrix TX/EX Series
  • ePMP
  • cnVision
  • PON (Cambium Fiber)
Reason for Bulletin:

This bulletin addresses a device onboarding failure that happens due to a strong security check followed by many Cambium devices. When devices have a stale time reference – because they were in warehouse for too long, or they don’t have access to NTP – they fail to validate cnMaestro Cloud’s server certificate. Specifically, the validity field contains a “notBefore” value, which may be in the future for a device which has a very old date reference. This causes the device to reject the secure TLS connection with cnMaestro, resulting in the device failing to onboard.

Symptom:

Impacted devices, when initially powered up and connected to the network, will attempt to connect to cnMaestro Cloud, but will fail to onboard. Device logs will typically indicate a certificate check failure. See PDF for symptom per product family.

Current Status of Investigation:

Impacted products are identified, root cause is confirmed across all impacted products, workarounds are documented for each product and long-term mitigation is planned where applicable. See PDF for more information per product family.

Resolution:

Resolution varies with devices and is described in the PDF for each product family. In most cases it involves providing either access to an NTP server or upgrading firmware to a newer version. The recommended NTP server is “time.google.com”. Ensure that the device has connectivity to the NTP server.

Some devices may refuse to connect to cnMaestro if they have been offline for long duration, as they may come up with a very old time reference. To avoid this, It is recommended to always configure a NTP server from cnMaestro Cloud for all managed devices.

Factory reset may also cause devices to refuse to connect to cnMaestro Cloud. In this case, follow the resolution described in the PDF for each product family.

If you have questions or concerns, please contact Cambium Technical Support at the following: https://www.cambiumnetworks.com/support/contact-support/

For more details download the PDF version    |     Back to all Field Service Bulletins    |    Unsubscribe from FSB Notifications

Contact