So, just for the sake of clarity - let me outline a few different scenarios, as it will depend on how your specific environment is configured.
The following assumes that you are not running the "Secure Bus" or "S" version of the hub/robot in your environment (e.g. "23.4.6.S") I will address that further at the end of this post, but for most customers who are running the standard hub and robot, the following considerations apply:
Scenario 1: Your Primary Hub is also a Tunnel Server, which has one or more clients connected to it.
In this scenario, you should deploy the CU7 upgrade along with the 23.4.7.1 hotfix in the following order:
- make the configuration change for "enable_cert_compatibility = yes" in the <tunnel> section of hub.cfg on all hubs with tunnels, but do not upgrade anything yet. This means - any tunnel client and any tunnel server, not just the primary; make the configuration change to all hubs with tunnels ahead of time.
- deploy the hub 23.4.7.1 hotfix to the tunnel clients only. If desired, you can skip secondary hubs and clients for now, and do them later - but any clients which connect to the primary hub itself must be upgraded to 23.4.7.1 at this point. They will reconnect successfully to the primary hub/tunnel server. If you do want to upgrade all the hubs at once, always do the tunnel clients first before the servers. If you have multiple "tiers" of hubs, where some are acting as both client and server, upgrade the farthest-away or "edge" clients first. Upgrade tunnel servers only after all of the clients have been upgraded, otherwise you risk losing connectivity to the clients.
- deploy the CU7 upgrade to the primary hub by running the installer. This will upgrade the primary hub to 23.4.7 and the tunnel clients will drop off, as the tunnel server portion of the hub will not start until upgraded to 23.4.7.1.
- After the CU7 upgrade completes, redeploy hub 23.4.7.1 to the primary hub and the "enable_cert_compatibility" key which you already added will take effect, and the tunnel clients will be able to reconnect successfully.
Scenario 2: Your Primary Hub is a Tunnel Client connecting to one or more tunnel servers
In this scenario, use the following order:
- make the configuration change for "enable_cert_compatibility = yes" in the <tunnel> section of hub.cfg on all hubs with tunnels, but do not upgrade anything yet. This means - any tunnel client and any tunnel server, not just the primary; make the configuration change to all hubs with tunnels ahead of time.
- deploy the hub 23.4.7.1 hotfix to the "other" tunnel clients first; not the primary hub, but any other clients which connect to the same tunnel servers that the primary connects to. They will reconnect successfully to their respective tunnel servers. If desired, you can skip secondary hubs and clients for now, and do them later - but any servers which the primary hub itself is a client to must be upgraded to 23.4.7.1 and before you do that, you must also upgrade all the other clients which connect to those same tunnel servers.
- after deploying the 23.4.7.1 hotfix to the "other" tunnel clients, deploy it to the tunnel servers. At this point your primary hub/client should still be running a pre-23.4.7 hub, so it should reconnect successfully to those tunnel servers after they are upgraded.
- deploy the CU7 upgrade to the primary hub by running the installer. This will upgrade the primary hub to 23.4.7 and it will then fail to reconnect to the tunnel server(s) that it is a client to.
- now deploy hub 23.4.7.1 to the primary hub and the "enable_cert_compatibility" key which you already added will take effect, and it will connect to the tunnel server(s) successfully.
Scenario 3: Your Primary Hub is Both a Tunnel Server and a Client to Other Tunnel Servers
In this scenario, use the following order:
- make the configuration change for "enable_cert_compatibility = yes" in the <tunnel> section of hub.cfg on all hubs with tunnels, but do not upgrade anything yet. This means - any tunnel client and any tunnel server, not just the primary; make the configuration change to all hubs with tunnels ahead of time.
- deploy the hub 23.4.7.1 hotfix to "other" tunnel clients first; not the primary hub, but any other clients which connect to the same tunnel servers that the primary connects to. They will reconnect successfully to their respective tunnel servers.
- Also deploy the 23.4.7.1 hotfix to any hub that is a client of the primary hub.
- If desired, you can skip secondary hubs and clients for now, and do them later - but any servers which the primary hub itself is a client to must be upgraded to 23.4.7.1 and before you do that, you must also upgrade all the other clients which connect to those same tunnel servers. Any server that is a client directly to the primary hub should also be upgraded at this time.
- after deploying the 23.4.7.1 hotfix to the "other" tunnel clients, deploy it to the tunnel servers. At this point your primary hub/client should still be running a pre-23.4.7 hub, so it should reconnect successfully to those tunnel servers after they are upgraded.
- now deploy the 23.4.7.1 hotfix to the tunnel clients that are connecting directly to the primary hub; again, they should successfully reconnect to the primary hub after the deployment.
- finally, deploy the CU7 upgrade to the primary hub by running the installer. This will upgrade the primary hub to 23.4.7 and it will then fail to reconnect to the tunnel server(s) that it is a client to, and all direct clients will fail to reconnect to it.
- now deploy hub 23.4.7.1 to the primary hub and the "enable_cert_compatibility" key which you already added will take effect, and it will connect to the tunnel server(s) successfully.
Scenario 4: Your Primary Hub Is Not A Tunnel Server or Client, but you have secondary hubs which are, and Name Services entries connecting some of them to the Primary Hub
This is the easiest scenario to deal with, here are the steps:
- make the configuration change for "enable_cert_compatibility = yes" in the <tunnel> section of hub.cfg on all hubs with tunnels, but do not upgrade anything yet. This means - any tunnel client and any tunnel server; make the configuration change to all hubs with tunnels ahead of time.
- deploy the 23.4.7.1 hotfix to all tunnel clients first; if you are in a "multi-tier" environment with some hubs acting as both server and client, upgrade the "farthest-away" or edge clients first, then work your way in toward the primary hub.
- once all the tunnel clients are upgraded, upgrade the tunnel servers.
- This can be done either before or after the upgrade to CU7 is run on the primary hub, and it will not be necessary to apply the 23.4.7.1 hotfix to the primary hub if there are no tunnels present.
For Secure Hub/Robot Installations:
Unfortunately there's no easy way to deal with this; Garin Walsh has outlined the steps he took in his environment, and those are essentially the necessary steps to take. If you have a Secure Bus environment, my best advice at this point would be to wait for CU8 (tentatively due around July 2026 approximately), because the installer itself will include a hub_secure build that supports the enable_cert_compatibility key, and there will be a companion build for the robot_secure build as well, so it will only be necessary to make the configuration change and then run the installer.
That being said, if you are running the Secure Bus and cannot wait that long to upgrade to CU8 and require CU7, please open a support ticket and we can help guide you through the process.
-------------------------------------------
Original Message:
Sent: Apr 24, 2026 03:18 AM
From: Marius Nitu
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
Hello,
So the upgrade to 23.4.7 on the primary hub should be done after the 3 steps you mentioned or before?
Thanks,
Marius
Original Message:
Sent: Apr 23, 2026 09:43 AM
From: Jason Allen
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
Note for those customers who have not yet upgraded; you will have the best experience by following the below steps:
- import the hub 23.4.7.1 to your archive, but don't deploy it yet
- On each tunnel hub, edit hub.cfg and in the <tunnel> section, add enable_cert_compatibility = yes as described in the solution document.
- Now deploy hub 23.4.7.1 to these hubs and they will successfully upgrade and reconnect.
If you deploy the hub before adding the config key, the tunnels will fail and you will need to SSH/RDP to the target system and edit the config file locally, so it's a good idea to add the key prior to deployment so that it will be there on startup.
Original Message:
Sent: Apr 23, 2026 06:49 AM
From: Ravishu Arora
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
The CU7 release solution document has been updated with a hotfix for the hub to address this issue about support for old SHA1 certificates.
------------------------------
Principal Product Manager
Broadcom Software
Original Message:
Sent: Apr 09, 2026 12:12 PM
From: Jason Allen
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
We are currently exploring the feasibility of a patch for the hub which would allow the old certificates to be used at least temporarily until new ones can be generated. It is not yet 100% clear whether this will be possible to do without introducing other security concerns, but we are investigating it.
Original Message:
Sent: Apr 07, 2026 07:14 AM
From: Olaf Pape
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
Are there any plans to update the installation files of CU7?
When I read Jason Allen's comment in particular ("Yes, that's the actual fix - but it can be difficult at scale, because as soon as you create the new SHA384 cert on the server, the client certificates previously issued all become invalid, so unfortunately you still have to touch every client to replace the certs on the client side."), I cannot recommend an update to CU7 to my customers.
Original Message:
Sent: Mar 26, 2026 11:06 AM
From: Garin Walsh
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
I do not see the crash in either 23.4.6.S or 23.4.7.S
The certificate is just a human readable text file and the display of it in the GUI doesn't appear to care what the contents of the certificate file actually are.
I'd suggest that you start with looking at the certificate file on the server and verify that there are no special characters in it that might be tripping up the display. And not that it should matter, but also make sure that there's a carriage return following the final text line in the certificate.
Original Message:
Sent: Mar 25, 2026 10:57 AM
From: Joakim E
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
Thanks Jason.
Hmm, the IM hub gui crashes when trying to view the certificate. Is there a fix? We're on 23.4.6.
Original Message:
Sent: Mar 24, 2026 12:32 PM
From: Jason Allen
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
Yes, that's the actual fix - but it can be difficult at scale, because as soon as you create the new SHA384 cert on the server, the client certificates previously issued all become invalid, so unfortunately you still have to touch every client to replace the certs on the client side.
Original Message:
Sent: Mar 24, 2026 05:14 AM
From: Joakim E
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
Is it not possible to create a new SHA384 certificate on the hub tunnel server and simply replace the SHA1 certificate in the client config with the SHA384 certificate?
Original Message:
Sent: Mar 20, 2026 11:49 AM
From: Jason Allen
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
Thanks Garin for your inputs here - we really appreciate it!
We have been working through this internally as well and have published a couple of related KB's.
The long and short of it is that prior to hub 23.4.0, tunnel certificates were signed with the SHA1 algorithm and in hub 23.4.0 and forward, they are signed with SHA384.
Starting with hub 23.4.7, there's an OpenSSL upgrade and the new version doesn't accept SHA1 certificates.
This was unfortunately not caught during testing as all our test systems are using SHA384 already.
Tunnel servers and clients which started their lives as hub 23.4.0 or later will therefore not be impacted, but if your tunnels were originally set up under a prior version of the hub, the certificates will be SHA1 and upgrading the hub will cause the tunnels to fail.
Below are some links which should hopefully help - unfortunately this is not an easy problem to deal with, and even the prevention requires the re-issue of all tunnel CA's and certificates, which invalidates the existing client certificates and requires touching every tunnel client. You can (as described in one of the below KB's, and thanks again to Mr. Walsh for his inputs here) set up a secondary tunnel server and use that to push new certificates for the first one, but it's still quite a bit of work unfortunately.
If you have not yet upgraded to CU7/hub 23.4.7 the following KB will help you validate whether you need to re-issue the tunnel certificates:
For tunnel hubs refer to:
Hopefully this (along with the fantastic information provided by Garin above) will be helpful.
Original Message:
Sent: Mar 12, 2026 01:06 PM
From: Garin Walsh
Subject: Tried out CU7 but startup of controller fails with "error:0x0A00018E: SSL routines: func(167772558): ca md too weak"
Mar 11 09:17:10:673 [5060] 0 Controller: Loglevel = 0, Logfile = controller.log
Mar 11 09:17:11:462 [5060] 0 Controller: Running as user SYSTEM
Mar 11 09:17:11:462 [5060] 0 Controller: -----
Mar 11 09:17:11:462 [5060] 0 Controller: ssl_log_error - Could not read public key file., [1] error:0x0A00018E: SSL routines: func(167772558): ca md too weak
Mar 11 09:17:11:462 [5060] 0 Controller: (controller proxy ssl setup): Failed to initialize ssl context.
Mar 11 09:17:11:462 [5060] 0 Controller: proxy setup: Failed to setup ssl context
Mar 11 09:17:11:462 [5060] 0 Controller: Proxy initialization failed - rc=1 error
Central hub is running secure robot and hub and it appears that in the controller distributed with CU7, the minimum allowed security for the CA has been increased.
Any suggestions on a reasonable process to update the robot CA certificate to an appropriate security level and what that level might be?
The release notes seem to be void of any mention of this change Robot Release Notes
-------------------------------------------