With the release for KEEP, the default behavior changed a bit regarding certificate handling.
During initial setup the device tries to retrieve a certificate from Let's Encrypt with the domain name (FQDN) set to the default domain name for the device, something like 'mydevice.mykeep.net'. After the setup has been completed and the device name chosen, a new certificate matching the new name will be requested from Let's Encrypt.
In order for this to work, the servers from Let's Encrypt needs to be able to reach your device on the FQDN provided when requesting the certificate so that they know that the unit requesting the certificate is "in charge" of that domain. For this to happen the Let's Encrypt servers need to be able to reach your device both port 80 (non-encrypted web traffic) and port 443 (encrypted web traffic).
If this is not possible the certificate will not be issued and your device will currently fall back to using a certificate that is generated and signed by OpenProducts. However, the certificate from OpenProducts is not recognized as a "trusted" certificate by the browsers, so you will be prompted to make security exceptions.
To make the OpenProducts certificate trusted, it can be installed in our browser as described here.
/PA