Good morning/afternoon folks.
I am having an issue with an Olivetti MF554 (BH C558) that is taking me for a loop.
Main Issue:
I am deploying PaperCut to this device, and I am having huge problems configuring the PKI settings to allow SSL communication to the OpenAPI component.
The error on the Device Status page from PaperCut server is:
“Started (with errors) - OpenAPI SSL support not configured - Please check device settings.
Setup will be retried at 10:50:00 AM. To retry now, press "Apply" below.
Error: changeAuthenticationSetting: error=8, message=SSL”
The device is running GCF-Y1 FV4.2 with OpenAPI Function Level 5.1.
The device has a self-signed cert installed and applied to the OpenAPI Protocol (Security -> PKI Settings -> Protocol Settings -> OpenAPI SSL is checked)
Under Network -> OpenAPI Setting it is set to SSL
Client Cert – Do not request
Validity Period – Confirm
All others are set to Do Not Confirm
PKI General settings – External Verification is Off
SSL/TLS version – all options ticked
Encryption Strength – All 3 allowed
Cert – RSA-2048_SHA-256
Secondary problem after re-issuing and re-installing the certificate:
I can now only access the device through an ancient version of Internet Explorer that I had to spin up a VM for. Chrome, Firefox and Edge all throw certificate errors and refuse to connect.
Normally I would expect a “Self Signed Certificate Error” and then you can proceed as normal; this is not the case with this device.
I have tried changing the SSL Mode from User, User and Admin and None and connections from modern browsers still fail.
I have gone through the TIB for this FW and I can see there is a DipSw mod that prevents issues with SSL if the device name contains the “_” character; the device does not contain this character in its device name.
I did try a new Device and HOST name then re-issuing the cert to make sure. I also did the DipSw modification to test, which made no difference.
So, I appear to have a huge issue with the self-signed certificate that the device is generating for itself. It looks like there is a mismatch in the CN name even though CN verification is off. Has anyone encountered this issue before and am I making some huge blunder here? I have completed this process many, many times to allow scan to Gmail/O365 with no issues whatsoever; this device appears to be cursed or I am needing more coffee.....
Edit: Copier BIOS clock and System time are correct and pull from NTP.