
Unable to upload a .pfx certificate for my web servers after updating to the latest firmware.

I renewed my SSL Certificate and exported the .pfx with extended information and with the private key.  When I try to upload to XG, it claims that the private key is missing or my password is incorrect.  Both are just fine as I can import this cert into any other IIS server without issue.  This worked fine in 15.x but now I have the latest version of 16 and no go.

My sites are now throwing errors regarding security.



  • I have the exact same problem.  I even opened up a support case a week ago (Case # 6753688) and support has not been very helpful, having me do things like regenerate the appliance certificate (which did nothing) and giving me incomplete instructions for sending them logs (said they need log files and that I will try uploading the certificate during the procedure to capture the error in the logs but in the steps never had me upload anything).  Very frustrating.

     

    15.* worked fine, 16.* doesn't work at all.  Can't upload Certificate Authorities either.  All generate errors.  Tried using OpenSSL to pull out the PEM and private key.  Different error, same issue.

     

    Uploading my .pfx gives this:  "Certificate could not be uploaded due to invalid private key or passphrase. Choose a proper key".  However same passphrase works for importing into IIS or other appliances.

     

    Uploading the PEM and private key gives this:  "Certificate could not be generated"

     

     

    This has to be affecting other people or maybe not a lot have upgraded to 16.* yet.  Same as @PatrikAhlin, support said they were able to upload my .pfx without an issue but I can't.  This is affecting both an XG125W and an XG310, both running 16.01.02.  Both worked running 15.*

     

    -Allan

  • Yep, I did exactly the same thing using OpenSSL, extracted the key and PEM.

    I thought this may have been due to just doing upgrades since 15.x, but I installed a fresh version on VMware ESXi using 16.01.2 and even with a fresh install, it does not work.  I can't publish any sites with SSL as I can't even set up a server to respond on 443 without first having a certificate installed!

  • I am using a certificate through GoDaddy.  Part of the troubleshooting with Sophos support was they told me that I needed to upload the intermediate certificates.  GoDaddy is already listed in the CA list so that didn't make sense but I unfortunately listened to support and deleted the two GoDaddy entries (root and intermediate) and now I can't re-upload them either.  I asked if there was a way to "reset" the CA list and got no answer.  So now on one of my two XG appliances I don't have the GoDaddy CA listed either with no apparent way to put them back in. 

     

    -Allan

  • I just got mine to work.

     

    My XG appliance is on a different subnet than my computer and I tried downgrading the firmware to 15.* and got an error message that it didn't work.  I then tried reapplying the 16.01.02 and that failed too, which I thought was weird.  So I started wondering if the new 16 firmware is just having an issue uploading files.  So I tried using Google Chrome from a PC on the same subnet and the certificate uploaded.

     

    Not sure if this will help you but it's worth trying.

     

    -Allan

  • Confirmed.  Chrome works!  Just got off the phone with support.

  • Great! Now Sophos should investigate and report back if the problem is with the browser or with the v16.

    Can you take note of this issue and report back here ASAP?

    Thanks

  • So this appears to be a FILE upload/download bug in v16, not just a certificate issue.  With Firefox and IE I could not upload the certificate but I could with Chrome.  So I then just generated a Certificate Signing Request and tried downloading it with Firefox.  It saved a 0 byte file from the XG.  Tried downloading the same CSR with Chrome and I got the full 5Kb .tz file.

     

    I would think it's an issue with the 16.* XG firmware over a bug in both IE 11 and Firefox 50.*

     

    -Allan

  • Hi All,

    The issue seems to be related to the POST request from Firefox. When you try to upload a certificate from FF, the POST request contains a '/' before the file name: 
    Content-Disposition: form-data; name="certfile"; filename="/wildcard.qa.astaro.de+intermediate.p12

    Using Chrome, the POST request looks like:
    Content-Disposition: form-data; name="certfile"; filename="wildcard.qa.astaro.de+intermediate.p12"

    This is known and reported in JIRA NC-15025.

    Thanks
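
The two headers quoted in the post above differ only in the client-supplied `filename` parameter. The following is an added example, not Sophos code and not the XG's upload handler: it shows how a server-side handler can reduce that parameter to a bare file name so that both browsers' requests are treated identically. The function names and the `ALLOWED_SUFFIXES` policy are assumptions made for the illustration.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# Headers as quoted in the post above; the Firefox one is reproduced as posted,
# including its missing closing quote.
FIREFOX_HDR = ('Content-Disposition: form-data; name="certfile"; '
               'filename="/wildcard.qa.astaro.de+intermediate.p12')
CHROME_HDR = ('Content-Disposition: form-data; name="certfile"; '
              'filename="wildcard.qa.astaro.de+intermediate.p12"')

# Assumed policy for a certificate upload form (not taken from the product).
ALLOWED_SUFFIXES = {".p12", ".pfx", ".pem", ".cer", ".crt", ".key"}

# Tolerates a missing closing quote, as in the Firefox header above.
_FILENAME_RE = re.compile(r'filename="?([^";\r\n]*)', re.IGNORECASE)


def raw_filename(header: str) -> str:
    """Return the filename parameter exactly as the client sent it."""
    match = _FILENAME_RE.search(header)
    if match is None:
        raise ValueError("no filename parameter")
    return match.group(1)


def safe_upload_name(header: str) -> str:
    """Reduce the client-supplied name to a bare file name."""
    raw = raw_filename(header)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        raise ValueError("control character in filename")
    # Browsers may send a full or partial path. Keep only the last component,
    # treating both '/' and '\' as separators.
    name = PureWindowsPath(PurePosixPath(raw).name).name
    if name in ("", ".", ".."):
        raise ValueError("empty filename")
    suffix = PurePosixPath(name).suffix.lower()
    if suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"unexpected extension {suffix!r}")
    return name


if __name__ == "__main__":
    for label, hdr in (("Firefox", FIREFOX_HDR), ("Chrome", CHROME_HDR)):
        print(label, repr(raw_filename(hdr)), "->", safe_upload_name(hdr))
```
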

  • Thanks Sachin.

    I really appreciate it when you come back to the community and report the JIRA number.

    We need another step improvement (on Astaro.org it was working like this): report when it will be fixed.....

    The JIRA-15025 will be fixed in release 16.01.x or whatever so users know when it will be fixed and on which firmware.

    Hope you can report that back to developers and your group and update the community.

    Thanks
