USG FLEX 200H - Import Certificates is broken. ( Error code: 11 )

bbp
bbp Posts: 66  Ally Member
First Answer First Comment Friend Collector Fifth Anniversary

USG FLEX 200H, firmware V1.21(ABWV.0)ITS-24WK35-m5760

When I try to import certificate the following error occurs:

This error message happens for all accepted formats I tried to import.

PEM (Base-64) encoded X.509
Binary PKCS#7
PEM (Base-64) encoded PKCS#7
Binary PKCS#12

Did not try Binary X.509…

Accepted Solution

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,567  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Answer ✓

    Update:

    The issue happened because the USG FLEX H is the same as the USG FLEX/ATP series, the user needs to import the root, intermediate, and entity certificates separately.

    Zyxel Melen


All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,567  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @bbp,

    Could you share the certificate with me? We will check what is going wrong. I will DM you for the request file.

    Zyxel Melen


  • bbp
    bbp Posts: 66  Ally Member
    First Answer First Comment Friend Collector Fifth Anniversary

    From PKI logs after trying every possible cert I got hands on. Can't decode certificates to import.

    Decode imported certificate "xxxxxxxxxxxxx.pem" failed

    Decode imported certificate "xxxxxxxxxxxxx.pfx" failed

    etc, etc…

  • bbp
    bbp Posts: 66  Ally Member
    First Answer First Comment Friend Collector Fifth Anniversary

    Can't backup private keys either, nor restore for that matter. Permissions set to 0600.

    Uploaded keys get deleted immediately.

    So if you have a wildcard cert signed by legit CA and private key and you combine them into Binary PKCS#12 cert you can't install it. No import like on other Zyxel devices. I mean you can install them on just about anything, but not on H series.

    The only way it works on Flex H series is to create CSR, get cert just for that device and install it. With big dogs pushing 90 days certificates that'll be a big pain in the rearend.

    Also big problem if you reset device. It removes all certificates, including those used for VPN. Since no CSR exists, you have to create another one to reinstall certificate, which means you have to purchase a new one.

    I swear I had it with this POS. Just one thing after another. If it craps on me one more time, it'll go into trash can where it belongs.

    BTW, 200H with V1.21(ABWV.0)ITS-24WK35-m5760 firmware froze so hard even console became unresponsive. Disconnect power, but same thing, no WEB GUI, no SSH, no ping reply. Console worked though, so let's give it another reboot, but then I got that error:

    ERROR: Failed to send the NETCONF RPC.
    ERROR: NETCONF session is not running.
    ERROR: NETCONF command(1): netconf connect.

    It did reboot, but it was same as before, No Web GUI, no ping reply. So lets's go and hit reset (7-14 seconds). Well that didn't help either because it yanked the certs but for some reason it did not revert the config to default. After another reset it finally came up. Upload and apply backup conf. Nope. Because there were pointers to certs which didn't exist anymore.

    Conf Edit time! Going through 2000 lines of config, editing and of course making typos. Took four tries before it half way worked.

    And Zyxel, you managed to break IPSec_VPN in this version.

    generating IKE_AUTH response 6 [ AUTH N(INT_ADDR_FAIL) ]

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,567  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Answer ✓

    Update:

    The issue happened because the USG FLEX H is the same as the USG FLEX/ATP series, the user needs to import the root, intermediate, and entity certificates separately.

    Zyxel Melen