SSL Bad Certificate Format error blocking management interface

---

@eeeehaw wrote:

How do I resolve this issue in ReadyNAS?

---

First, the security issue is that the certificate is self-signed - so there is no trusted third party that can authenticate the server.  The security risk is that a man-in-the-middle attack could be undetected.  It's a big deal if you were (for example) connecting to your bank to access your account.  But it's not a significant threat for a NAS on your home network.  Also, even though the duo can't be authenticated, the connection is still encrypted.  

There is no simple way to get and install a validated certificate on the Duo.  

The simplest solution is to just click through the security warning - which is certainly possible with Chrome, Edge, and IE.  You could alternatively use FireFox and store a security exception for the NAS.

BTW, you will also find that Chrome won't populate the SMART status when you click on the SMART+ controls on the health page.  They will be populated in other browsers.

The latest Chrome version has disabled click-through for the ERR_SSL_SERVER_CERT_BAD_FORMAT issue...

My work-around was to first access my admin page from Edge or IE (Firefox did not work for me) and after clicking-through the warnings, goto to settings>http and enable "Enable HTTP Admin" (screeshot attached will help to find it) .... after doing this using even Chrome over http works (remove the "s" from the https address)... launching from RAIDar NAS Control also works great

I appreciate this is not as secure but then again neither is a certificate with an untrusted issuing authority.

Screenshot attached of where to change setting....

---

@CplMulder wrote:

The latest Chrome version has disabled click-through for the ERR_SSL_SERVER_CERT_BAD_FORMAT issue...

Whatever Chrome version that is ... no problems here with Chrome 76, Chrome 77, and Chrome Canary 77.

@CplMulder wrote:

I appreciate this is not as secure but then again neither is a certificate with an untrusted issuing authority.

While there is a warning on connecting by https ....

===

Your connection is not private

Attackers might be trying to steal your information from rnXXXX (for example, passwords, messages or credit cards). Learn more

Interesting...

I am on the same version of chrome..... however my chrome has no "continue" option (screenshot)... perhaps this is due to some settings within chrome, restrictions imposed by security software or even group policy applied by an employer....

My http link is the only option right now for me that works (on a very protected network tho)

Mulder

London

... and chrome version..... 

Buddy, the problem is not the browser - the problem is that the certificate on your ReadyNAS is bullocks why ever and needs to be re-created.

No amount of user recreation of the SSL certifcate will solve this problem, as the root cause is that the digital certificate issued to Netgear by the top level Certificate Authority via their Registration Authority is no longer trusted in the wild.  Modern browsers either refer to a downloaded list of currently trusted top and subordinate CAs used to perform their validation checks, or by sending the public key of the questioned certificate to a Validation Authority.  When it becomes known that a subordinate CA or VA has become breached and theft of a private key has occurred for a particular subordinate CA, such as Netgear, then the PKI system is notified along with the browser developer, such as Chrome, etc, and they mark that signature certificate as invalid, producing the error we're seeing.  To solve the problem, Netgear needs to perform a product update that includes a new digital certificate issued by a trusted top-level CA that is trusted by the browser and other SSL applications.

Meanwhile, with the existing Netgear digital certificate in the product used for creating PKI keys for sessions with the product, there is a distinct possibility of a variety of malicious security attacks possible.  Beyond the hassle of over-riding the errors produced by the browser, that can sometimes be band-aided by setting the browser to ignore the threat.  Scary stuff.  Us end users cannot "fix" this trust, as if we could then the entire Web Of Trust that PKI is based upon would collapse since a black hat could regularly do the same thing as we could.

This is a Netgear problem that only they can fix. They surely have already obtained a new top-level trusted CA-issued set of keys for their own subordinate CA to generate certificates for their products...they likely just haven't bothered to do that for this NAS product, at least I haven't yet seen a firmware update with it yet.

---

@eeeehaw wrote:

... the root cause is that the digital certificate issued to Netgear by the top level Certificate Authority via their Registration Authority is no longer trusted in the wild. 

---

Not correct.  The ReadyNAS is using a self-signed certificate, so there is no CA certificate involved.  And in fact Netgear can't generate CA certs for the users of their products.  The CA cert certifes that Netgear owns/controls the specific ReadyNAS (or whatever) - and it doesn't.  My ReadyNAS are owned by me, and are under my control - not Netgear's.  

FWIW, I think you are conflating two different errors (with different causes).  NET::ERR_CERT_AUTHORITY_INVALID is the usual error, and you can get rid of that one because the the cert is self-signed.  You need to click through it..  ERR_SSL_SERVER_CERT_BAD_FORMAT is a different error, and regenerating the cert in the NAS might well fix it.  If your firmware is old, you might also want to update it to 6.10.1 before you regenerate the cert.

I am also running Chrome ver. 75.0.3770.100 at the moment, and have no problem getting to the admin ui of my ReadyNAS with  https.

---

@eeeehaw wrote:

... the root cause is that the digital certificate issued to Netgear by the top level Certificate Authority via their Registration Authority is no longer trusted in the wild. 

---

While your post does basically sound right, you miss the point that most ReadyNAS customers don't run any kind of DNS on their internal networks, don't own a doamin name (let's keep the crap trust of Let's Encrypt away), ... there is no reasonable way to generate a generic valid trusted certificate, certainly not in the standard ways, certainly not in the way Netgear is using for the routerlogin.net, mywifiext.net, orbilogin.net, ...

---

@StephenB wrote:

The ReadyNAS is using a self-signed certificate, so there is no CA certificate involved.  And in fact Netgear can't generate CA certs for the users of their products.  The CA cert certifes that Netgear owns/controls the specific ReadyNAS (or whatever) - and it doesn't.  My ReadyNAS are owned by me, and are under my control - not Netgear's.  

---

Perfectly correct!

---

@StephenB wrote:

FWIW, I think you are conflating two different errors (with different causes).  NET::ERR_CERT_AUTHORITY_INVALID is the usual error, and you can get rid of that one because the the cert is self-signed.  You need to click through it..  ERR_SSL_SERVER_CERT_BAD_FORMAT is a different error, and regenerating the cert in the NAS might well fix it.  If your firmware is old, you might also want to update it to 6.10.1 before you regenerate the cert.

---

Yes, as I've tried to pin point above - two complete different problems.