brwyatt
Apr 28, 2018 Aspirant
M4300-28G (GSM4328S) HTTPS Admin "ERR_SSL_PROTOCOL_ERROR"
Netgear support seems to be unable to figure this out, so I'm hoping someone in the community can. I'm trying to enable the HTTPS Admin Interface, but the switch seems to only give me protocol errors...
brwyatt
May 11, 2018 Aspirant
Just heard back from support. No answers yet, but they had me double check the switch-generated key/cert and also a zip archive of key/cert and dhparams they generated.
I'm seeing some things standing out:
- Self-signed certs (I'm using a cert signed by a signing CA that has an intermediary CA and then a root CA)
- SHA1 (I'm using SHA256. SHA1 is considered untrusted by modern browsers!)
- 1024-bit keys (I'm using 2048-bit keys. Seriously, who uses 1024-bit?)
Nowhere in any documentation I've found has it said anything about restrictions on CAs, signature algorithms, or key length. But, if I had to guess, I'd place money on the key length, but this really should be checked when the key/cert is uploaded to the switch (it already checks it for other errors). If I had to guess, it is probably truncating the key and causing issues when sending the cert.
I've replied back to support with this info, so we'll see what they say. I don't really feel like re-generating and signing new certs until I hear back if this is, in fact, the issue. If it is, it would be really REALLY nice if this was actually documented anywhere and save someone else hours of effort and months of waiting for support to figure it out.
brwyatt
May 12, 2018 Aspirant
With atian's help, I have found the solution.
In addition to "pem format" and "include the private key with the server certificate", any chain CA certificates must be appended to the server certificate file, not the trusted root file, and the Trusted root pem file should only contain the root. Doing this has resulted in the switch properly serving HTTPS and a complete chain of trust to the root CA in my computer's trust store.
I want to be VERY clear here, though. Other than "PEM Formatted", no other guidance or information is offered in any documentation I was able to find or anything offered by support. Nowhere does it say that the private key is to be prepended to the "Server Certificate PEM file", nor does it offer guidance on where to add or append or upload CA chain files (many systems I've used before use separate files for the server private key, the server certificate, and the CA chain certs). This REALLY needs to be documented, and would have saved me two and a half months struggling with support that doesn't have a clue about how this is supposed to work, either (I'm guessing the internal documentation doesn't mention this, either).
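A pre-upload layout check for the two files described in the solution above, added here as an example; it is not part of the original post and not NETGEAR tooling. It inspects only PEM framing and block order (it does not parse X.509 or verify signatures), and the function names and sample blocks are constructed placeholders, not real keys or certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] in file order; raises on bad base64."""
    return [(lab, base64.b64decode("".join(body.split()), validate=True))
            for lab, body in PEM_BLOCK.findall(text)]

def check_layout(server_pem, root_pem):
    """Check the two upload files against the layout from the thread.

    server_pem: private key first, then the server certificate, then any
                intermediate (chain) CA certificates.
    root_pem:   the root CA certificate and nothing else.
    Returns a list of problems; an empty list means the layout matches.
    """
    problems = []
    server = [lab for lab, _ in pem_blocks(server_pem)]
    root = [lab for lab, _ in pem_blocks(root_pem)]
    keys = sum(lab.endswith("PRIVATE KEY") for lab in server)

    if not server or not server[0].endswith("PRIVATE KEY"):
        problems.append("server file: private key must be the first block")
    if keys > 1:
        problems.append("server file: more than one private key")
    if "CERTIFICATE" not in server:
        problems.append("server file: no server certificate after the key")
    if any(lab != "CERTIFICATE" for lab in server[1:] if not lab.endswith("KEY")):
        problems.append("server file: unexpected non-certificate block")
    if root != ["CERTIFICATE"]:
        problems.append("root file: must hold exactly one certificate; "
                        "chain CAs belong in the server file")
    return problems

def _fake(label, payload):
    # Constructed placeholder block: valid PEM framing, NOT a real key/cert.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

KEY = _fake("PRIVATE KEY", b"constructed-key")
LEAF = _fake("CERTIFICATE", b"constructed-server-cert")
INTERMEDIATE = _fake("CERTIFICATE", b"constructed-intermediate-ca")
ROOT = _fake("CERTIFICATE", b"constructed-root-ca")

GOOD = (KEY + LEAF + INTERMEDIATE, ROOT)   # key, server cert, chain / root only
BAD = (KEY + LEAF, INTERMEDIATE + ROOT)    # chain CA placed in the root file
```

Because the check counts blocks rather than reading certificate fields, it cannot tell whether the single certificate in the root file is actually the root; confirm that separately with your usual certificate tooling.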