topic Re: add server-certificates failed (API and mgmt_cli) in API / CLI Discussion

add server-certificates failed (API and mgmt_cli)

pepj — Fri, 04 Feb 2022 16:12:25 GMT

Hello
R81, API 1.7.1
add server-certificates for HPPTS-Inspection failed when using API , mgmt_cli or Web Service.
It functions only manually using the dashboard.
( on console not possible because the certificate p12 in base64 is too big for the console)

I always receive "Failed to create HTTPS inbound certificate with error -1"

as basic command used ( also with other user mgmt_cli --user .... )
mgmt_cli -r true add server-certificate name "NameCertificate" base64-certificate "MIIQEAIB...5489characters....ggA" base64-password "password_format_base64" comments "TESTING CERTIFICATE IMPORT"

What I did for converting and testing the formatted base64 certificate
converted to base64 using #base64 ...file.p12 > certificate_p12_formatbase64
tested way back using "base64 -d " and "openssl pkcs12"

What could be the issue ? do have someone else this issue ?
the --debug option do not give any further information

Thank you for your help
Jean-Michel

-----------------------------------------

#LOGIN
mgmt_cli --user "MYuser" -p *** login
uid: "9a4..MYuser..926"
sid: "W9ZG.MYuser.-RNw"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1643972043061
iso-8601: "2022-02-04T11:54+0100"
api-server-version: "1.7.1"
user-name: "MYuser"
user-uid: "f1c..MYuser..e4"

#ADD certificate
mgmt_cli --session-id W9Z..MYuser..-RNw add server-certificate name "CertificateXX base64-certificate "MIIQ....ggA" base64-password "Qi...K=" comments "TESTING CERTIFICATE IMPORT"
code: "err_server_certificate_operation_failed"
message: "Failed to create HTTPS inbound certificate with error '-1'"

#LOGOUT
mgmt_cli --session-id "W9Z..MYuser..-RNw" logout

Re: add server-certificates failed (API and mgmt_cli)

HeikoAnkenbrand — Fri, 04 Feb 2022 19:13:22 GMT

I also had the problem and saw with tcpdump that fewer bytes were transferred than the length of the certificate. Unfortunately, this is only a guess, as you cannot see the real bytes in the https session. I would open a TAC Case.

Does the same work on the CLI in expert mode?

# mgmt_cli add server-certificate name "CertificateXX base64-certificate "MIIQ....ggA" base64-password "Qi...K=" comments "TESTING CERTIFICATE IMPORT" --format json

Re: add server-certificates failed (API and mgmt_cli)

Art_Zalenekas — Fri, 04 Feb 2022 20:26:14 GMT

I recall there was a problem with the API call and either the base64 cert or password was truncated. What JHF are you running? Must be at or above Take34. Best case here is to open a TAC ticket.

Re: add server-certificates failed (API and mgmt_cli)

pepj — Mon, 07 Feb 2022 09:18:52 GMT

Hello

we have HOTFIX_R81_JUMBO_HF_MAIN Take: 44

I tried with REST-API, with curl, with shell mgmt_cli and show console. Alsways error =-1

( the badest was with show console were the certificate cannot be inserted ... seems too big for the console.

PS: I opened a case to my vendor

Thank you for your feedback

Jean-Michel

Re: add server-certificates failed (API and mgmt_cli)

pepj — Fri, 11 Feb 2022 08:41:04 GMT

solved

in our enviroment the session-name and session description are a must ( otherwise command aborted )

options "session-name" , "session-description"

and have rights to publish certificate ( otherwise the changes stay in the session indefinitly or aborted )

Thank you for your help

Re: add server-certificates failed (API and mgmt_cli)

JensBauernfeind — Tue, 13 Dec 2022 07:58:17 GMT

Hi pepj, can you explain this a little further please?

I currently have the same problem and already specified a session name and description via "set session", still receiving the error.

Thank you

Re: add server-certificates failed (API and mgmt_cli)

pepj — Thu, 15 Dec 2022 12:35:56 GMT

I filled "session-name" and "session-description" as defined by our security

and

created a special role only for only managing certificates and some needs:

desactivated all out of:

access control

- access control and objects settings: write

- application control and url filtering : checked

threat prevention

- permission setting: write

other:

- common objects write

- checkpoint point userdatabase default write

- https inspection : write

- client certificate : checked

monitor and logging

- https inspection log : checked

management

- management API : checked

endpoint

- allow executing pushing operation

I hope this help

Re: add server-certificates failed (API and mgmt_cli)

Zolo — Thu, 29 May 2025 10:40:23 GMT

My problem was simpler.
The password was incorrect with the same error message "Failed to create HTTPS certificate with error '-1'"

But I didn't notice it at first, it took me almost 2 hours to find it.
In the API docimentation the used password is: "bXlfcGFzc3dvcmQ="
$ echo bXlfcGFzc3dvcmQ= | base64 -d
my_password
$
$ echo "my_password" | base64
bXlfcGFzc3dvcmQK
$

$ echo bXlfcGFzc3dvcmQK | base64 -d
my_password

$
What happenning? After 2 hours I realized that there is an another <enter> after the password
$ echo bXlfcGFzc3dvcmQ= | base64 -d | hexdump -C
00000000 6d 79 5f 70 61 73 73 77 6f 72 64 |my_password|
0000000b
$
$ echo bXlfcGFzc3dvcmQK | base64 -d | hexdump -C
00000000 6d 79 5f 70 61 73 73 77 6f 72 64 0a |my_password.|
0000000c
$
There is a "0a" at the end.
So I had to remove the "0a"
$ echo -n "my_password" | base64
bXlfcGFzc3dvcmQ=
$
"bXlfcGFzc3dvcmQ=" same as in the documentation.

This could’ve been it: 'Hey, dummy, wrong password!'😁

Br,
Zolo