Cisco connection failure: 60, peer certificate cannot be authenticated with given ca certificates

1.0 out of 5 stars Cisco needs to improve QA and Testing efforts
By E. Hayes on June 5, 2021

TLDR: This product has satisfactory hardware, but the Cisco software ecosystem and setup process contain numerous bugs, annoyances, and frustrations.

**For some context, I'm not a network engineer by profession, but I'm quite computer savvy. I have a pfSense router, two APs, and numerous network devices. I'm quite comfortable with networking. This review is of the process of setting up the AP for the first time to replace one of my existing APs.**

The device does not come with a power adapter/injector, which is OK, and this does not affect my review. I already have a POE switch.

A label on the device said to visit cisco.com to download latest firmware.
Took me over 5 min to find it. Searched for “CBW140” which was the model number on the label and did not find anything. But after browsing, looks like it’s a “140AC”. I saved the page so I was ready with the files needed to update software. I hoped there would be an “auto update” feature.

I monitored my router's DHCP leases as I plugged in the AP. Appears it pulled an IP address on the local network after connecting, but I could not connect in browser when entering that IP address.

Directions in quick start said to find the network “CiscoBusiness-Setup” so I gave that a try. Appears that network is hidden (not broadcast) so I had to manually add. That should probably be specifically stated in the directions. Manual says to use a passphrase to connect, and does not list security type. Guessed WPA2; it connected.

I had to reset the password. It does not allow the word “cisco” in the new password. But does allow Password123 to be set. Interesting choices of security measures.

It will NOT allow you to use spaces in the initial SSID.

After initial setup, I still could not connect via IP on wired network. I looked at my available wireless networks on my computer, and saw my new one, but then it went away. I power cycled the AP. Kept on trying to connect to it without success, it didn’t show in list of networks. After maybe 10 glances and 2 power cycles of the AP, I finally saw it and connected to it. Maybe I was impatient? I’m used to 1 or 2 min AP boot times. Seems this is 6+ min.

When connecting to ciscobusiness.cisco a second time, says “Your connection is not private.” So there’s a disappointing certificate error there.

Once logging in, it’s quite slow at bringing up data. There’s ridiculous animations for the charts, and menu navigation. Some text is very hard to read it’s so light. It seems like most of the features are disabled. Attached photo.

There’s an icon on the top that says a software update is available. As per label on the product, I thought, great! Let’s get this updated! I went to update firmware. Clicking “Check now” showed an error "Connection failure: 60, Peer certificate cannot be authenticated with given CA certificates."

Searching for error on internet shows I need a Cisco.com (CCO) account, and SMARTNet contract. That didn’t make much sense.

I finally got to a place to make an account, so I did that. I verified my email address, and now I’m getting an error: Your identity is being provisioned to all required systems. Ugh, this is incredibly annoying.

So I went to download the new firmware on cisco’s webpage (which I had found earlier). Clicking download on firmware, got: “Thank you for registering with Cisco.com. In order to consume software or services we require your full address. Please follow this link to return to profile manager to complete your profile.” If that is so important, why would it not be required/requested when registering?

Following said link gave me a 401 Unauthorized error. Shows I’m already logged in.

I logged out, and went to download the file again. It allowed me to download the file without being logged in. WTF is going on? Has this process never been tested?

The firmware file is a ZIP with multiple encapsulated files. Not sure which one I need to upload to the firmware update page. Does not indicate on update page which file extension is desired. I selected the largest file in the folder, and it’s going! It said I have to clear my cookies and cache after upgrading. *groan*

Seems like this update process would update mesh/child APs at the same time, which is interesting.

There’s quite a bit of details about status of downloading of the firmware file, but not of actually installing it. The user is left to assume it’s doing something else. It says 100% downloaded, but never states when/if the image will actually be installed. About 5 min after 100% downloaded it says it’s complete, the AP restarted.

After a while I was able to log in. However additional bugs make themselves apparent at the login page where it doesn’t bring up correct labels/text.

Refreshing the page will fix the fields. No need to clear the cache… I saw this behavior multiple times.

List of WLANs and RLANs takes seconds to populate. Strange and irritating.

Apparently there’s two levels of saving. Saving temporary, and saving to flash. Saving to flash persists on power cycle/reset. I found this out the hard way after a few days. My network stopped working after a power cycle. Took me some time to troubleshoot. But I finally figured it out. There’s no warning saying that the first save is only temporary. To Cisco’s credit, the disk icon on the top does turn red after temporary save. But seriously, that’s not enough.

I tried again to connect to the router via the hardwire connection. I found out the AP connected to the LAN with two MAC addresses. The one listed on the device and label, and another “00:00:5e:00:01:01”.

I created a static DHCP lease for the MAC address listed on the product/label. The AP does not listen on that address. I was able to connect to the IP address DHCP assigned to this apparently fake MAC address, and I got into the AP management. This seems very strange to me. I’m sure there’s a reason, but for people not used to this, this is irritating. And it doesn’t list in the quick start that this happens. I’m sorry, I have no interest in having an always available CiscoBusiness-Setup network.

Nice that the same network configuration operates both the 5 and 2.4 GHz radios. Some APs require discrete configurations for each radio.

Conclusion:
The hardware for this AP seems to work fine. But the software ecosystem around the hardware is disappointing. Initial configuration was a pain, Cisco’s website is hard to navigate through and contains numerous bugs, AP administration is painful and frustrating. I feel nobody tested setup as a new user to this product. There’s just so many bugs.

I want to rate it better, I know poor reviews have the ability to destroy a product. But I have to be honest. This device and ecosystem are not ready for the market. I had a terrible experience setting this device up.

My message to Cisco: You need to start testing your products and end-user processes. Give your products to users unfamiliar with your company/hardware, watch as they navigate the setup process.

*** Update ***
Firmware update could not download an update from Cisco.com. Did not give any details about the error.

I continue to be completely underwhelmed with the quality of the User Interface of the device, and cisco.com website. I'd be embarrassed if I worked for the company. It's like they hired JR or bottom of the class college level developers to build everything. And then pushed unfinished software into production when it was 70% complete. It's seriously as terrible as I'm making it sound. The fit/finish of $40 competitor devices is better than $150 Cisco devices.