topic Re: Problem adding server certificate for inbound HTTPS Inspection via API in API / CLI Discussion

Problem adding server certificate for inbound HTTPS Inspection via API

Pedro_Espindola — Mon, 17 Aug 2020 23:19:57 GMT

Hey guys,

I am getting errors when adding my server certificate for inbound inspection using the R80.40 API. Here is the output:

{
"code" : "err_server_certificate_operation_failed",
"message" : "Certificate import failed. Make sure the encoded certificate is valid and the password matches that of the certificate."
}

I created a simple shell script to test. Here is what I'm using:

PASS='Ctm2AEhEvYh359+9DJKw4-r7' #Not my real pass, just a random one. Also tried without symbols, no luck
PASSBASE64=$(echo $PASS | base64)

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile fullchain.pem -out server.p12 -passout pass:${PASS}

#I also tried with -certfile chain.pem and without -certfile. No luck

CERTBASE64=$(base64 -w 0 server.p12) # -w 0 to disable line wrapping

curl -k -X POST https://10.0.0.200/web_api/add-server-certificate -H 'Content-Type: application/json' -H "X-chkp-sid: ${SID}" -d "{ \"name\":\"myserver202008\", \"base64-certificate\":\"${CERTBASE64}\",\"base64-password\":\"${PASSBASE64}\" }"
#Not my real IP

I did the reverse process to the certificate in the documentation example and it seems to be correct, but when I try to add the certificate to my managemente, I get a different error:

{
"code" : "generic_error",
"message" : "Runtime error: An internal error has occurred."
}

Does anybody see what is going wrong?

Is it correct to convert the P12 cert using base64 command or should I encode the file using "openssl base64" command?

Re: Problem adding server certificate for inbound HTTPS Inspection via API

_Val_ — Tue, 18 Aug 2020 08:30:44 GMT

To troubleshoot, try adding certificate and password through copy/paste and not as variables/files. If it still not working, might be the password is corrupt when extracted

Re: Problem adding server certificate for inbound HTTPS Inspection via API

Pedro_Espindola — Tue, 18 Aug 2020 22:17:20 GMT

Yeah. I tried posting just the text, no variables, same result.

The weird thing is that if I decode password and file I can open it without problems.

Re: Problem adding server certificate for inbound HTTPS Inspection via API

Pedro_Espindola — Thu, 12 Nov 2020 19:50:21 GMT

I had given up on this sometime ago and came back to this issue now.

Found that the issue is with the line end of the echo command:

echo "my_password" | base64
bXlfcGFzc3dvcmQK

echo -n "my_password" | base64
bXlfcGFzc3dvcmQ= ##This is the correct string as seen in the API example