NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

eeeehaw's avatar
eeeehaw
Aspirant
Mar 18, 2019

SSL Bad Certificate Format error blocking management interface

I ran into an unusual problem today on a new Win10Pro laptop where my Chromium engine based browser blocked access to my ReadyNAS Duo v1 (latest firmware 4.1.1.6) because of SSL certificate problem, ...
StephenB's avatar
StephenB
Guru - Experienced User
Jul 15, 2019
eeeehaw wrote:

... the root cause is that the digital certificate issued to Netgear by the top level Certificate Authority via their Registration Authority is no longer trusted in the wild. 

Not correct.  The ReadyNAS is using a self-signed certificate, so there is no CA certificate involved.  And in fact Netgear can't generate CA certs for the users of their products.  The CA cert certifes that Netgear owns/controls the specific ReadyNAS (or whatever) - and it doesn't.  My ReadyNAS are owned by me, and are under my control - not Netgear's.  

 

FWIW, I think you are conflating two different errors (with different causes).  NET::ERR_CERT_AUTHORITY_INVALID is the usual error, and you can get rid of that one because the the cert is self-signed.  You need to click through it..  ERR_SSL_SERVER_CERT_BAD_FORMAT is a different error, and regenerating the cert in the NAS might well fix it.  If your firmware is old, you might also want to update it to 6.10.1 before you regenerate the cert.

 

I am also running Chrome ver. 75.0.3770.100 at the moment, and have no problem getting to the admin ui of my ReadyNAS with  https.

 

 

schumaku's avatar
schumaku
Guru - Experienced User
Jul 16, 2019
eeeehaw wrote:

... the root cause is that the digital certificate issued to Netgear by the top level Certificate Authority via their Registration Authority is no longer trusted in the wild. 

While your post does basically sound right, you miss the point that most ReadyNAS customers don't run any kind of DNS on their internal networks, don't own a doamin name (let's keep the crap trust of Let's Encrypt away), ... there is no reasonable way to generate a generic valid trusted certificate, certainly not in the standard ways, certainly not in the way Netgear is using for the routerlogin.net, mywifiext.net, orbilogin.net, ...

 

StephenB wrote:

The ReadyNAS is using a self-signed certificate, so there is no CA certificate involved.  And in fact Netgear can't generate CA certs for the users of their products.  The CA cert certifes that Netgear owns/controls the specific ReadyNAS (or whatever) - and it doesn't.  My ReadyNAS are owned by me, and are under my control - not Netgear's.  

Perfectly correct!

 

StephenB wrote:

FWIW, I think you are conflating two different errors (with different causes).  NET::ERR_CERT_AUTHORITY_INVALID is the usual error, and you can get rid of that one because the the cert is self-signed.  You need to click through it..  ERR_SSL_SERVER_CERT_BAD_FORMAT is a different error, and regenerating the cert in the NAS might well fix it.  If your firmware is old, you might also want to update it to 6.10.1 before you regenerate the cert.

Yes, as I've tried to pin point above - two complete different problems.

 

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More