- Re: No more ssl certificate update possible

10-20-2022 02:22 AM
Hi
I always used Let's Encrypt-issued certificates with my printer.
But now the printer refused to update the renewed certificate, reporting a "The format of the file is invalid" message.
The certificate itself is valid, with the proper file format.
The printer has the most recent firmware update. Could it cause the issue? How to resolve it? Could it be that HP firmware now has stricter requirements for the certificate? I.e., wildcard certificates are not accepted anymore, or stuff like that.
10-30-2022 04:57 PM
Same here, since the last firmware upgrade the cert upload no longer works, without any change on the tooling side.
Self-signed certs with the same key / created with the same tooling work, so it must be something related to the Let's Encrypt chain specifically, or with CA-signed certs in general.
I tried various variations of providing the full cert chain for the cert, none worked.
10-30-2022 09:27 PM - edited 10-31-2022 08:54 AM
After doing the following I can install certs again:
- Do a full system reset, restore settings
- Cert upload is not working (rejected with the "invalid format" error), this is what brought me here in the first place
- Downgrade to an older firmware (date code 20200603, without reset for settings)
- Install the cert, that works fine, so some indication the firmware may be the culprit
- Upgrade the firmware (as the old firmware has serious bugs). I did this in the system menu, not in the web interface, and I was upgraded to 20211221
- Networking->Network Identification: Set the correct host name and domain (this is a relatively new setting I think)
- This causes a new self-signed cert to be generated
- Re-upload my cert, this is working with firmware 20211221
The issue may be with firmware 20220729 that the printer had upgraded me to.
10-30-2022 09:37 PM - edited 10-30-2022 09:49 PM
I used this one (M283fdw)
https://drive.google.com/file/d/1Sm8J8fEbtG6tifJtuDvRFG0Kc71ED_dk/view?usp=sharing
(see the discussion here: https://www.reddit.com/r/printers/comments/nl4tf7/firmware_for_hp_m283fdw/)
Please see my edit above, I actually did NOT end up at the same firmware, not yet sure b/c of the upgrade via menu or because the firmware will only go forward so much. But I have some suspicion that a recent firmware upgrade caused some issues that led me to the full system reset in the first place, so I'll leave auto update off and see what happens.
Here is the description for downgrading with an rfu file: https://kevin.deldycke.com/2020/11/revert-hp-printer-ban-on-third-party-ink-cartridges/
10-31-2022 12:48 AM - edited 10-31-2022 12:50 AM
Here is a direct download link from HP to the latest firmware that I know that does not cause the issue (20211221): https://h19005.www1.hp.com/pub/laserjet/updates/bt/cljmfpM282fw_20211221.nativeofficefonts.rfu
12-20-2022 06:09 PM
I just wanted to chime in here to express how unacceptable I feel this is…
If devices are configured to print to an encrypted endpoint and I cannot update that endpoint's certificate, that's one thing. I'll just remove it and print over plaintext, I suppose.
Except that's not possible. What HP have delivered—during an update whose sole purpose was to increase their rent-seeking powers over the marketplace for third-party ink and toner—is an update which:
- Returns HTTP status code 200 OK despite rejecting the certificate
- Prohibits removal of the old certificate in any meaningful way
- Does not offer any setting, on any page, to just fall back to plaintext traffic
That first one is really egregious. I remember coming across some API in like 2010 which always returned 200 with some error code buried in a JSON response. It infuriated me then, but to see this, in 2022, returning an XML 1.0 tree with DOCTYPE HTML PUBLIC … 4.01//EN (what the hell?)? I am seething.
I don't like things being manual, so I wrote a plugin for acme.sh (Let's Encrypt client in shell) to install my printer cert for me. It wasn't easy! (Everyone hates pfx, p12, whatever. Just be normal for god's sake).
I relied on the fact that my script was written to accept only successful responses during every step, and would issue a push notification otherwise.
I relied on the fact that acme.sh schedules cert rotations well in advance of any expiration, so if anything goes wrong, there will be time to respond.
But your trash product, poisoned by garbage software pushed on us to prohibit toner cartridges I have never even used, failed so miserably that it lied to my script, claiming a 200 OK. I only found out yesterday, when I wanted to print Christmas music to play on the piano and sing with friends.
I spent at least two hours ensuring the file was the right format, that openssl hadn't changed something in a way that would break the printer, which stubbornly insisted "invalid format" over and over, despite the mounting evidence that nothing whatsoever was invalid. At long last, I stumbled upon this haven of sad wretches like me, people abandoned to do regression testing themselves on your effing products. It's sickening.
Someone needs to respond as to why it's acceptable to brick $500+ printers like this.
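The failure mode described in the post above (a 200 OK that hides a rejected upload) can be caught in a deploy hook by inspecting the response body and then confirming which certificate the device actually serves. This is an added example, not the poster's acme.sh plugin: the function names and the sample response body are constructed, and only the error text comes from this thread.

```shell
#!/bin/sh
# Added example, not the poster's plugin. Function names are hypothetical.
# Rejection text is the one quoted in this thread; where it appears in the body is assumed.
REJECT_MARKER='The format of the file is invalid'

# Constructed sample of a "successful" response that hides a rejection.
constructed_reject_body() {
    cat <<'EOF'
<html><body><p>The format of the file is invalid</p></body></html>
EOF
}

# upload_accepted STATUS < BODY
# Succeeds only for a 2xx status whose body does not carry the rejection text.
# STATUS can come from curl -w '%{http_code}'.
upload_accepted() {
    case "$1" in
        2[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    if grep -qiF -- "$REJECT_MARKER"; then
        return 1
    fi
    return 0
}

# normalize_fp TEXT: drop any "...Fingerprint=" prefix, colons and case differences.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# same_cert EXPECTED SERVED: true when both fingerprints name the same certificate.
same_cert() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# served_fingerprint HOST:PORT: SHA-256 fingerprint of the certificate the
# device presents right now (needs network access and openssl).
served_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}
```

A hook would call `upload_accepted` on the upload response and then compare `served_fingerprint` with the fingerprint of the certificate it tried to install, alerting if either check fails.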
12-20-2022 06:15 PM
Also, kudos to Wteiken for writing up a test sequence and then verifying whether it works under each of the recent four firmwares.
This is, of course, a crazy thing for an end-user to have to do, but I wanted to say thanks for the rigor you used in arriving at a workaround, since the dearth of specificity in the offending error message had me so gaslit I wasn't sure what to believe anymore.
Thanks.
			
    
	
		
		
01-27-2023 09:52 AM - last edited on 01-27-2023 12:24 PM by MayS
I'm not sure how this would work with Let's Encrypt, but I found when requesting certificates from my organization's internal CA that if the certificate file included the full certificate chain to the root certificate, I would get this error. The solution was to have the certificate file not include any root or intermediate certificates. I wrote about it here: [content removed]
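One way to apply the suggestion above to a chain file, as an added example that is not from the post or its linked write-up: keep only the first certificate of a PEM bundle and package just that with the key. It assumes the leaf is the first block in the bundle; the function names and the `P12_PASS` variable are hypothetical, and the sample bundle is constructed placeholder data, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and P12_PASS are hypothetical.
# Assumes the leaf certificate is the first PEM block in the bundle.

# Constructed stand-in for a full-chain file: placeholder payloads, not real certificates.
constructed_bundle() {
    cat <<'EOF'
-----BEGIN CERTIFICATE-----
LEAFplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTplaceholder
-----END CERTIFICATE-----
EOF
}

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# leaf_only FILE: print the first certificate block and stop reading.
leaf_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inside = 1 }
         inside { print }
         inside && /^-----END CERTIFICATE-----/ { exit }' "$1"
}

# write_leaf BUNDLE OUT: write the leaf to OUT; fail unless OUT holds exactly one certificate.
write_leaf() {
    leaf_only "$1" > "$2" || return 1
    [ "$(count_certs "$2")" -eq 1 ]
}

# make_leaf_p12 KEY LEAF OUT: package key and leaf only (no -certfile, so no chain).
# The export password is read from the environment variable P12_PASS,
# which keeps it off the command line.
make_leaf_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:P12_PASS
}
```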