USG FLEX 200H - Import Certificates is broken. ( Error code: 11 )
USG FLEX 200H, firmware V1.21(ABWV.0)ITS-24WK35-m5760
When I try to import certificate the following error occurs:
This error message happens for all accepted formats I tried to import.
PEM (Base-64) encoded X.509
Binary PKCS#7
PEM (Base-64) encoded PKCS#7
Binary PKCS#12
Did not try Binary X.509…
Accepted Solution
-
Update:
The issue happened because the USG FLEX H is the same as the USG FLEX/ATP series, the user needs to import the root, intermediate, and entity certificates separately.
Zyxel Melen0
All Replies
-
Hi @bbp,
Could you share the certificate with me? We will check what is going wrong. I will DM you for the request file.
Zyxel Melen0 -
From PKI logs after trying every possible cert I got hands on. Can't decode certificates to import.
Decode imported certificate "xxxxxxxxxxxxx.pem" failed
Decode imported certificate "xxxxxxxxxxxxx.pfx" failed
etc, etc…
0 -
Can't backup private keys either, nor restore for that matter. Permissions set to 0600.
Uploaded keys get deleted immediately.
So if you have a wildcard cert signed by legit CA and private key and you combine them into Binary PKCS#12 cert you can't install it. No import like on other Zyxel devices. I mean you can install them on just about anything, but not on H series.
The only way it works on Flex H series is to create CSR, get cert just for that device and install it. With big dogs pushing 90 days certificates that'll be a big pain in the rearend.
Also big problem if you reset device. It removes all certificates, including those used for VPN. Since no CSR exists, you have to create another one to reinstall certificate, which means you have to purchase a new one.
I swear I had it with this POS. Just one thing after another. If it craps on me one more time, it'll go into trash can where it belongs.
BTW, 200H with V1.21(ABWV.0)ITS-24WK35-m5760 firmware froze so hard even console became unresponsive. Disconnect power, but same thing, no WEB GUI, no SSH, no ping reply. Console worked though, so let's give it another reboot, but then I got that error:
ERROR: Failed to send the NETCONF RPC.
ERROR: NETCONF session is not running.
ERROR: NETCONF command(1): netconf connect.It did reboot, but it was same as before, No Web GUI, no ping reply. So lets's go and hit reset (7-14 seconds). Well that didn't help either because it yanked the certs but for some reason it did not revert the config to default. After another reset it finally came up. Upload and apply backup conf. Nope. Because there were pointers to certs which didn't exist anymore.
Conf Edit time! Going through 2000 lines of config, editing and of course making typos. Took four tries before it half way worked.
And Zyxel, you managed to break IPSec_VPN in this version.
generating IKE_AUTH response 6 [ AUTH N(INT_ADDR_FAIL) ]
0 -
Update:
The issue happened because the USG FLEX H is the same as the USG FLEX/ATP series, the user needs to import the root, intermediate, and entity certificates separately.
Zyxel Melen0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight