Uploading Custom Certificate Result verification failed (400) _root: property is missing and it is not optional

Hello,

We have a wildcard certificate for our domain. I want to change it and every time I try to upload the certificate I get this error:
[Image: 1619370963748.png]

I have tried adding or removing parts of the certificate chain without any success. The certificate chain works fine on our Linux web server or FTP server. I have verified this with https://www.ssllabs.com/ssltest/. There are no problems with the chain, so why does it not work properly here?

Also, if I try to test it on https://ssl-tools.net/mailservers I get a Results incomplete error (unexpected EOF); before changing the certificate there was no error...

It looks like the certificate is uploaded OK...

We have a Sectigo certificate and our certificate chain looks like this:
1. Our wildcard certificate *.example.com
2. Sectigo RSA Domain Validation Secure Server CA
3. USERTrust RSA Certification Authority

Any advice?
 
Hi,
seems like wildcard support only just got added and will be available in pmg-api >=6.4-4.
 
> Hi,
> seems like wildcard support only just got added and will be available in pmg-api >=6.4-4.
I have done the upgrade to Mail Gateway 6.4-4 and the error is still present. Are you sure it was added, or am I doing something wrong? I would like to change my certificates properly but I can't. There are no clear instructions on how to add a certificate properly via the command line, or on what format the certificate must be in for a purchased wildcard certificate. I can't play with this server and test different certificate formats, as it's a production install...

By different formats I mean how the certificate should be structured. On different systems the certificate must be in a different order/structure; it's a mess on Linux. On Windows you have a pfx, you import that and it works; on Linux it's not so easy to get the right structure for each system...
 
I can reproduce the result verification error, but it should only be cosmetic. As you noted, the upload itself should still work.

The certificate and key need to be in PEM format, but if the upload worked, I'd assume it was. Does this post/thread help?
 
> I can reproduce the result verification error, but it should only be cosmetic. As you noted, the upload itself should still work.
>
> The certificate and key need to be in PEM format, but if the upload worked, I'd assume it was. Does this post/thread help?

EDIT: I will try to do the steps in the other thread later. Will let you know.

I have tested uploading the certificate via the GUI a few times with the same results. It will not upload the full certificate + chain, only the first part of the certificate (the wildcard certificate *.example.com). All other parts of the certificate are cut off. If the full chain is not uploaded then the certificate will not work properly. As I noted above:

We have a Sectigo certificate and our certificate chain looks like this:
1. Our wildcard certificate *.example.com
2. Sectigo RSA Domain Validation Secure Server CA
3. USERTrust RSA Certification Authority

Can you verify that the uploading is incomplete and it's missing the other parts of the certificate?

You don't want a broken/missing chain on the certificate....
 
Just want to let you know that I have upgraded our Proxmox Mail Gateway to the latest version and tried to upload the certificate via the GUI, and lost the GUI connection to the server (error in browser PR_END_OF_FILE_ERROR, same as noted here: https://forum.proxmox.com/threads/cannot-access-https-web-login-page.86290/). I had to manually change the contents of /etc/pmg/pmg-api.pem and /etc/pmg/pmg-tls.pem with the correct .pem format; for reference you can use https://comodosslstore.com/resources/what-is-a-pem-certificate/. After adding the certificate manually via SSH it worked fine.
Did you guys do any testing before releasing changes that can break access to core functions of the mail gateway? It should not be possible to add a certificate in an incorrect format in a way that breaks your GUI access. Not everyone has SSH access, and this would mean that they can't access their mail gateway anymore.
Make sure you validate that the certificate is OK and that it will not break your GUI access. The strange thing is that I added exactly the same certificate via SSH as I did via the GUI, and it did not work properly...
 
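An added example, not part of any post in this thread and not Proxmox code: a structural pre-install check of a PEM bundle that catches the truncation described above, where only the leaf certificate survives. It assumes the file should hold one private key plus at least two certificates; `inspect_bundle`, `min_certs`, `need_key` and the sample bundles are constructed for illustration, and it does not verify signatures or chain order.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def inspect_bundle(text, min_certs=2, need_key=True):
    """Return (labels_in_order, problems) for a PEM bundle held in a string."""
    blocks = PEM_BLOCK.findall(text)
    labels, problems = [], []
    for label, body in blocks:
        labels.append(label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
            continue
        if der[:1] != b"\x30":  # certificates and keys are DER SEQUENCEs
            problems.append(f"{label}: payload is not a DER SEQUENCE")
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("unterminated or mismatched BEGIN/END armor")
    certs = labels.count("CERTIFICATE")
    if certs < min_certs:
        problems.append(f"{certs} certificate(s) found, expected at least "
                        f"{min_certs}: chain is missing or was cut off")
    keys = sum(lbl.endswith("PRIVATE KEY") for lbl in labels)
    if need_key and keys != 1:
        problems.append(f"{keys} private key block(s) found, expected 1")
    return labels, problems

def _pem(label, payload):
    """Build a constructed PEM block (placeholder bytes, not a real cert)."""
    b64 = base64.b64encode(b"\x30\x82" + payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples mirroring the thread: key + leaf + two CA certificates,
# and the same file with everything after the leaf cut off.
FULL = (_pem("PRIVATE KEY", b"key") + _pem("CERTIFICATE", b"leaf")
        + _pem("CERTIFICATE", b"intermediate") + _pem("CERTIFICATE", b"root"))
TRUNCATED = _pem("PRIVATE KEY", b"key") + _pem("CERTIFICATE", b"leaf")

if __name__ == "__main__":
    for name, bundle in (("full", FULL), ("truncated", TRUNCATED)):
        print(name, inspect_bundle(bundle))
```

Running it against a candidate file before copying it into place shows the block order and count, so a bundle that lost its intermediates is caught while the old certificate is still serving.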
Hello.
I've the same problem with a standard certificate (not wildcard one).
I don't understand what property is missing.
 
> I had to manually change the contents of /etc/pmg/pmg-api.pem and /etc/pmg/pmg-tls.pem with the correct .pem format; for reference you can use https://comodosslstore.com/resources/what-is-a-pem-certificate/. After adding the certificate manually via SSH it worked fine.
I'm not able to reproduce this. In what way were the contents of those files messed up before you replaced them?

Hi,
> Hello.
> I've the same problem with a standard certificate (not wildcard one).
> I don't understand what property is missing.
The error message for the missing _root property is only cosmetic and fixed in git master (packages with the fix are not yet available). The upload itself still should've worked. Or did you also lose GUI access?
 
> I'm not able to reproduce this. In what way were the contents of those files messed up before you replaced them?
>
> Hi,
>
> The error message for the missing _root property is only cosmetic and fixed in git master (packages with the fix are not yet available). The upload itself still should've worked. Or did you also lose GUI access?
The only error I encountered is about uploading a custom certificate. Nothing else.
 
