rtr (Tutor)
Jan 20, 2017
Session closed with error when uploading CA certificate
Hello,
I have a FVS318N, firmware version 4.3.4-2.
I'm trying to upload a CA certificate in the VPN/Certificates, but this fails.
The session is suddenly closed with simply the following message:
While loading the page critical error encountered.
Then the following message (the cookie/hash replaced with ****, no idea where this TeamF1Login is coming from):
Set-Cookie: TeamF1Login=*******************************************; expires=Wednesday, 31-Dec-1969 23:59:59 GMT
I have tried with the following self-signed cert (sha1/RSA, 2048 bits):
I've also tried some "official" CA certificates (VeriSign) - sha1 or sha256 won't make any difference, I'm thrown out of the session.
When the session is closed the page looks strange, on the same page there's the error message up, then a line about the cookie and in the lowest part there's the login dialogue:
No message about the certificate being invalid whatsoever.
Anyone seen this?
9 Replies
- train_wreck (Luminary)
dumb stuff, but is the time/date set on the FVS?
also, the CA cert has to be in .PEM (text-readable) format (it probably already is, if you can copy/paste the raw data from it into the forum here)
- rtr (Tutor)
Time is set via ntp. It looks ok.
The certificate is ascii encoded - I pasted above the full content of the file, you should be able to check its content with openssl for instance.
I would add that the router is new (after rma due to a firmware update failure). It was first upgraded to 4.3.4-2 and only then configured by hand, screen by screen (not from the config backup file). Nothing fancy, but I don't feel like resetting it and starting over :-/
- train_wreck (Luminary)
weird. As is often the case with these routers, you may have to factory reset after the firmware upgrade, as annoying as that process is.
FWIW i eventually was able to get a self-signed CA/CSR/cert generated/installed on the FVS318G device, which is very similar to the 318N. Both that device and an FVS336G are on the same firmware version 4.3.4-2. I used openssl on a Linux machine to generate the CA/certs. I have heard from Netgear that the device does not support SHA-2 family certs, and have encountered other limitations in the cert implementation that prevented me from using any FVS devices in production.
- rtr (Tutor)
reset after upgrade: done that (I just didn't mention that step)
I had seen your thread before posting. I had first sha256 / 4096b CA certificates. After reading your post, I switched to (deprecated) sha1 + shorter rsa2048 keys. Same problem. Then thought it might be due to openssl and tried to upload VeriSign one (sha1). No go.
Rather disappointing all this, lots of time wasted. I do think this is a bug, but no way to report it elsewhere.
I think I had my part with Netgear - two RMAs for bricked router during upgrade, bugs in firmware, deprecated protocols ...
I'll wait a couple of days to see if anyone from Netgear looks into this before eventually looking for a replacement.
- rtr (Tutor)
train_wreck: do you happen to have one of the routers handy, available for testing, running the same firmware level - in addition to some time to waste?
if yes, can you please try to add the CA certificate from my first post in the VPN/certificate/CA certificate? Mainly to see if that shuts the session in your face.
Thanks anyway for your time!
- rtr (Tutor)
Found out that adding certificates ONLY works if connected with "admin" user.
Connected with another user (type=Administrator, obviously) and get the above error.
I prefer disabling "admin" user logins and use other administrator users with names not unveiling their purpose ("admin" user name can't be changed)
I hope Netgear reads and fixes this, it's a shame.
Thanks train_wreck for breaking a bit the silence in my thread :)
- train_wreck (Luminary)
ugh, what a stupid bug.
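
The certificate properties checked by hand in this thread (PEM encoding, signature hash, key size, CA flag, validity dates to compare with the device clock), collected into one script as an added example; it is not from any post in the thread or from NETGEAR. It assumes the `openssl` CLI is installed; the function names and the throwaway CA it generates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-upload checks for a CA certificate.
# Print key=value facts about FILE; fail if it is not a PEM certificate.
cert_report() {
    f=$1
    # A reply in the thread notes the upload expects PEM (text), not binary DER.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "encoding=not-pem"; return 1; }
    text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || { echo "encoding=unparsable"; return 1; }
    echo "encoding=pem"
    echo "sigalg=$(printf '%s\n' "$text" | awk -F': ' '/Signature Algorithm/ {print $2; exit}')"
    echo "keybits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then echo "ca=yes"; else echo "ca=no"; fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then echo "expired=no"; else echo "expired=yes"; fi
    openssl x509 -in "$f" -noout -dates   # notBefore/notAfter, to compare with the device clock
}

# Exit 0 when FILE carries a SHA-2 family signature (RSA or ECDSA naming).
is_sha2_signed() {
    case $(cert_report "$1" | sed -n 's/^sigalg=//p' | tr 'A-Z' 'a-z') in
        *sha224*|*sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a constructed, throwaway self-signed CA in DIR (sample input only).
make_sample_ca() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
}

# With a file argument, report on it; with none, demo on the constructed CA.
if [ -n "${1:-}" ]; then
    cert_report "$1"
else
    demo=$(mktemp -d) && make_sample_ca "$demo" && cert_report "$demo/ca.pem"
    rm -rf "$demo"
fi
```

These checks cover only the certificate file itself; they say nothing about which account the upload is performed from, which is what the thread's last posts point to.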