eeeehaw
Mar 18, 2019 Aspirant
SSL Bad Certificate Format error blocking management interface
I ran into an unusual problem today on a new Win10Pro laptop where my Chromium-engine-based browser blocked access to my ReadyNAS Duo v1 (latest firmware 4.1.1.6) because of an SSL certificate problem, ...
CplMulder
Jul 15, 2019 Aspirant
Interesting...
I am on the same version of Chrome... however, my Chrome has no "continue" option (screenshot)... perhaps this is due to some settings within Chrome, restrictions imposed by security software or even group policy applied by an employer...
My HTTP link is the only option right now for me that works (on a very protected network tho).
Mulder
London
schumaku
Jul 15, 2019 Guru - Experienced User
Buddy, the problem is not the browser - the problem is that the certificate on your ReadyNAS is bollocks, for whatever reason, and needs to be re-created.
- eeeehaw Jul 15, 2019 Aspirant
No amount of user recreation of the SSL certificate will solve this problem, as the root cause is that the digital certificate issued to Netgear by the top level Certificate Authority via their Registration Authority is no longer trusted in the wild. Modern browsers either refer to a downloaded list of currently trusted top and subordinate CAs used to perform their validation checks, or send the public key of the questioned certificate to a Validation Authority. When it becomes known that a subordinate CA or VA has become breached and theft of a private key has occurred for a particular subordinate CA, such as Netgear, then the PKI system is notified along with the browser developer, such as Chrome, etc., and they mark that signature certificate as invalid, producing the error we're seeing. To solve the problem, Netgear needs to perform a product update that includes a new digital certificate issued by a trusted top-level CA that is trusted by the browser and other SSL applications.
Meanwhile, with the existing Netgear digital certificate in the product used for creating PKI keys for sessions with the product, there is a distinct possibility of a variety of malicious security attacks. Beyond the hassle of overriding the errors produced by the browser, that can sometimes be band-aided by setting the browser to ignore the threat. Scary stuff. We end users cannot "fix" this trust, as if we could then the entire Web Of Trust that PKI is based upon would collapse since a black hat could regularly do the same thing as we could.
This is a Netgear problem that only they can fix. They surely have already obtained a new top-level trusted CA-issued set of keys for their own subordinate CA to generate certificates for their products... they likely just haven't bothered to do that for this NAS product, at least I haven't yet seen a firmware update with it.
- StephenB Jul 15, 2019 Guru - Experienced User
eeeehaw wrote:
... the root cause is that the digital certificate issued to Netgear by the top level Certificate Authority via their Registration Authority is no longer trusted in the wild.
Not correct. The ReadyNAS is using a self-signed certificate, so there is no CA certificate involved. And in fact Netgear can't generate CA certs for the users of their products. The CA cert certifies that Netgear owns/controls the specific ReadyNAS (or whatever) - and it doesn't. My ReadyNAS are owned by me, and are under my control - not Netgear's.
FWIW, I think you are conflating two different errors (with different causes). NET::ERR_CERT_AUTHORITY_INVALID is the usual error, and you can get rid of that one because the cert is self-signed. You need to click through it. ERR_SSL_SERVER_CERT_BAD_FORMAT is a different error, and regenerating the cert in the NAS might well fix it. If your firmware is old, you might also want to update it to 6.10.1 before you regenerate the cert.
I am also running Chrome ver. 75.0.3770.100 at the moment, and have no problem getting to the admin ui of my ReadyNAS with https.
- schumaku Jul 16, 2019 Guru - Experienced User
eeeehaw wrote: ... the root cause is that the digital certificate issued to Netgear by the top level Certificate Authority via their Registration Authority is no longer trusted in the wild.
While your post does basically sound right, you miss the point that most ReadyNAS customers don't run any kind of DNS on their internal networks, don't own a domain name (let's keep the crap trust of Let's Encrypt away), ... there is no reasonable way to generate a generic valid trusted certificate, certainly not in the standard ways, certainly not in the way Netgear is using for the routerlogin.net, mywifiext.net, orbilogin.net, ...
StephenB wrote: The ReadyNAS is using a self-signed certificate, so there is no CA certificate involved. And in fact Netgear can't generate CA certs for the users of their products. The CA cert certifies that Netgear owns/controls the specific ReadyNAS (or whatever) - and it doesn't. My ReadyNAS are owned by me, and are under my control - not Netgear's.
Perfectly correct!
StephenB wrote: FWIW, I think you are conflating two different errors (with different causes). NET::ERR_CERT_AUTHORITY_INVALID is the usual error, and you can get rid of that one because the cert is self-signed. You need to click through it. ERR_SSL_SERVER_CERT_BAD_FORMAT is a different error, and regenerating the cert in the NAS might well fix it. If your firmware is old, you might also want to update it to 6.10.1 before you regenerate the cert.
Yes, as I've tried to pinpoint above - two completely different problems.
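
The two cases the replies above separate, a self-signed certificate versus one that cannot be decoded at all, can be told apart from a shell. This is an added example, not part of any post in the thread; it assumes the `openssl` CLI is installed, and the function names, `nas.example` and all certificates are constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Requires the openssl CLI.
# Every certificate is a throwaway constructed sample; nas.example is a placeholder.

# classify_cert FILE -> unparseable | self-signed | issued-by-other
classify_cert() {
  local pem="$1" subject issuer
  # Not decodable as X.509: there is no certificate to make a trust decision
  # about, which is the ERR_SSL_SERVER_CERT_BAD_FORMAT kind of failure.
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo "unparseable"; return 0
  fi
  subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
  issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
  # Self-signed: issuer name equals subject name and the signature verifies
  # under the certificate's own key. No CA vouches for it, so a browser
  # reports NET::ERR_CERT_AUTHORITY_INVALID until the user trusts it.
  if [ "${subject#subject=}" = "${issuer#issuer=}" ] &&
     openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1; then
    echo "self-signed"
  else
    echo "issued-by-other"
  fi
}

# make_samples DIR: build the three constructed test certificates in DIR
make_samples() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=nas.example" \
    -keyout "$d/nas.key" -out "$d/selfsigned.pem" 2>/dev/null
  # A private test CA and a leaf it signs, for contrast
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nas.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  # Intact PEM armor around a truncated DER body
  { head -n 5 "$d/selfsigned.pem"; echo "-----END CERTIFICATE-----"; } > "$d/truncated.pem"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in selfsigned leaf truncated; do
  printf '%-12s %s\n' "$f" "$(classify_cert "$tmp/$f.pem")"
done
```

To check a real device, save the certificate it serves (for example from `openssl s_client -connect <nas-address>:443 -showcerts </dev/null`) and pass the PEM file to `classify_cert`. A certificate that OpenSSL parses can still be rejected by a browser's stricter decoder, so "self-signed" here does not rule out a format error in the browser.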