Errors when uploading signed certificate

ShaRose · ‎07-20-2017

I'm not totally sure if this is the right board (I debated between this and Printer Software and Drivers, but since this is to do with the web server I picked here), but here we go.

I've been trying to see if I can set up a signed ssl certificate for my DeskJet 2655 for the past few days, but I seem to be running into problems on a regular basis. I've had to do resets a few times (I almost contacted support for how to do a factory reset, but it turns out that a wireless reset via wireless and cancel actually wipes out everything). Specifically, here are my steps. from just joining the wireless network.

Connect to the printer's web server.
Go to the IP settings (Network, Wireless, Network Address) and set the correct static IP addresses for both IPv4 and IPv6.
Move to Certificate Settings (Advanced, Certificates), and configure.

Now, I've tried two options: 'Create a Certificate Request' + 'Install a Certificate' and 'Import a Certificate and Private Key'. Both fail in slightly different ways. I'll explain what goes wrong with both in order.

For the certificate request path, it actually works well up until I have to actually install the certificate: At this time, after I hit finish it gives me the following error message: 'pgCertificates-Internal error: a unknown error has occurred; system may be temporarily out of resources'. Note this is repeatable, and happens both if you just try and import again OR if you generate a whole new request.

For importing, the problem is that when I upload the pfx file (assuming I put in the right password: it errors saying it's not valid if it's wrong) the printer crashes. Web server dies, it drops off the network, and the lights start flashing on the control panel. Image below.

This flashes until I restart the printer: after this, the printer generates a new self-signed certificate and works again. This is also repeatable (Although I don't have to keep re-doing certificates this way thankfully). Note this happens if I include the chain or not: I've also tested to see if having special characters in the pfx file causes the problem (It doesn't).

Right now, I'm using an internal CA (Offline root generated by openssl, online intermediate powered by active directory certificate services) because I use Let's Encrypt for most things and there doesn't seem to be an api or anything I can use to programmattically do this. In case there's something odd with the certificate itself (Maybe it doesn't support some extensions?), here's the somewhat censored output of openssl x509 -in printer.crt -text -noout:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2b:00:00:00:0d:0f:2f:d7:cc:7e:48:0d:ac:00:00:00:00:00:0d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: --HIDDEN--, CN=ROSENET-CONCORDIA-CA
        Validity
            Not Before: Jul 21 01:42:47 2017 GMT
            Not After : Jul 21 01:42:47 2019 GMT
        Subject: --HIDDEN--
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:f6:36:2b:5b:cd:3e:f1:1a:9b:7d:56:6d:87:
                    ff:6f:c2:95:d0:61:3f:49:29:c4:90:2a:d8:30:32:
                    78:78:8a:1e:5c:31:3f:f4:1f:38:8c:84:7b:d3:fe:
                    94:18:6c:14:c8:98:8d:a2:18:d8:fc:f4:59:fd:41:
                    08:e9:a3:a6:69:1c:02:a2:97:58:e3:4b:80:eb:5a:
                    f7:93:2a:09:0f:61:30:51:0e:ad:dc:4a:e8:22:56:
                    08:27:ff:79:00:85:aa:58:ce:00:b2:a4:a3:be:80:
                    ff:62:42:5e:75:ac:ce:2b:4e:20:d8:b8:b6:c9:b7:
                    96:23:75:6d:3f:2a:68:68:36:d6:c9:13:7b:28:05:
                    f8:36:f1:c8:65:05:48:ea:e2:d3:a2:44:eb:56:44:
                    8d:c5:7f:78:04:d7:ae:45:4d:25:be:27:87:2d:b2:
                    88:31:07:3a:28:25:9d:ea:07:30:1c:bf:f3:f9:fe:
                    fa:c2:b2:ae:b7:ae:ee:06:b8:8c:17:7b:a5:d8:6c:
                    6c:a7:a9:c7:66:0f:09:86:80:d2:0d:26:8c:56:a2:
                    61:95:36:ee:c7:28:e7:21:31:43:5c:28:28:9b:40:
                    f7:ef:95:58:b2:ee:08:ea:99:2c:fa:a0:46:1d:08:
                    1a:b4:20:85:1f:a1:f0:c6:25:4d:04:0e:d0:21:d0:
                    2a:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4F:00:3F:DB:1C:53:11:08:0B:DF:63:BC:57:46:7A:07:70:8E:85:BE
            X509v3 Authority Key Identifier:
                keyid:DB:4A:56:D8:19:C0:69:F8:A4:76:4A:2D:94:D2:64:5C:E5:C1:DC:2B

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=ROSENET-CONCORDIA-CA,CN=concordia,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,--HIDDEN--?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=ROSENET-CONCORDIA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,--HIDDEN--?cACertificate?base?objectClass=certificationAuthority

            1.3.6.1.4.1.311.20.2:
                ...W.e.b.S.e.r.v.e.r
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         68:cc:10:a2:d1:96:01:1c:7e:07:e5:1a:a5:01:4b:55:09:ec:
         bc:09:22:20:47:9a:0c:b8:eb:45:16:95:9a:4b:ba:58:7d:09:
         5a:57:f2:15:9e:38:91:1f:f9:2f:43:7c:0f:c7:82:a3:ea:e3:
         f5:18:1d:15:6c:49:fb:37:c3:68:b4:b4:14:f7:a2:c5:f0:64:
         75:59:ab:89:ea:56:9d:7d:3e:00:98:1b:33:fb:80:37:8e:07:
         6e:99:cc:f1:3f:3e:92:9d:fe:41:fc:ba:89:6d:84:47:aa:43:
         8b:44:5c:dd:67:ca:0a:5a:66:6d:dd:86:45:22:4f:0b:e6:b9:
         80:a0:c0:33:17:4b:5c:26:5f:4e:6f:f1:b3:3b:31:3f:a5:72:
         ff:08:1d:ed:aa:c1:3a:24:c2:10:19:ba:7d:28:5e:f9:23:9b:
         6e:37:ee:b9:d2:56:54:0d:f8:75:20:67:62:d1:99:eb:a6:84:
         a9:a6:0d:99:67:30:cb:b2:8a:86:09:6f:54:84:2c:d5:03:56:
         8f:ab:1e:28:46:71:0d:bf:ee:c1:47:be:1e:19:6f:3e:97:f8:
         c3:22:6c:16:82:29:fd:3b:a9:29:45:8e:cd:61:e2:0f:de:2c:
         45:51:3f:ce:f3:ac:51:e6:f7:a4:8f:be:62:39:2c:ef:74:07:
         c7:60:e0:3d

If anyone has any ideas to try, or information on how I can work around this, I'd love to know. Thanks.

Rainbow23 · ‎07-22-2017

Hi @ShaRose,

Welcome to HP Forums, this is a great place to get support, find answers and tips.

This issue may require one to one interaction with the HP Phone Support.

I suggest that you contact HP Phone Support for further assistance at the link: www.hp.com/contacthp

You have a good day ahead.

Rainbow23 - HP Support.

ShaRose · ‎07-23-2017

Alright, so after spending about half an hour on the phone, I ended end speaking to a total of 7 reps (one was a chat rep who actually went the furthest). Not a single one knew what a signed cert was, none of them seemed to really get what I was trying to do.

At one point I was given a number to a 'third party support team' who 'might' be able to help, but they might also charge. Called them up, it was a regular (But seemingly internal: oops!) laptop support queue who transferred me right back to the regular HP care line.

After a while, I started to specifically ask if they knew any second or third level support lines, or an email, or even just have them escalate the case, but no dice.

I'm going to keep looking at this. I found that the EWS does actually have a factory reset option (I know at least one person on the phones said this model doesn't have a factory reset option!), so I've been messing around with it. I've found a few other bugs so far like:

Generate a new self-signed certificate: The server won't reload the cert, causing internal system errors every time you try to load an https page until you either restart the printer OR turn the wireless off and back on again.

If you upload a valid pfx (pkcs #12 encoded file), but put the wrong password, it says it's invalid. If you put the RIGHT password, it decodes and deletes the self-signed keypair, but THEN decides to say it's invalid again. (You need to restart the printer to fix this one).

I managed to crash the firmware while doing a factory reset. (I have no idea either)

Either way if anyone knows how to contact second or third level support so this can be debugged, I'd love to know.

Rainbow23 · ‎07-24-2017

Hi @ShaRose,

Thank you for your reply, I have brought your issue to the attention of an appropriate team within HP.

They will likely request information from you in order to look up your case details or product serial number.
Please look for a private message from an identified HP contact.

Additionally, keep in mind not to publicly post personal information (serial numbers and case details).

Thank you for visiting the HP Support Forum

Rainbow23 - HP Support.

ShaRose · ‎08-26-2017

Just as an update in case anyone else ever happens to come across this problem: There is no fix. I was eventually able to get into direct contact with the HP Technical SME team, and they were able to confirm the problem, but after a few back and forth exchanges to try and resolve it they contacted the firmware development team but didn't get a response back. In addition, the newest available firmware (TJP1FN1729AR built on 2017-07-20) does NOT resolve the issue. I can only assume that a future firmware update 'may' resolve the issue, but it is unlikely considering how few users are likely to be affected.

pbulteel · ‎09-26-2018

I have the same problem. Hopefully they'll fix it.

Create an account on the HP Community to personalize your profile and ask a question