Got a new SRX-4100 to replace our old 1400. Did all the configuration by CLI as it allowed a, more-or-less, direct copy/paste from the 1400. With web management enabled I get this when trying to load the site. This is in Firefox on Rocky 8 as Chrome fails with the self-signed cert.
admin@fw> show configuration system services web-management
Please make sure you download and use 21.4R3-S5 as per announcement... https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
I would try another browser first; you can accept the certificate by importing it to your trusted certificate store on your PC. I would also suggest deactivating the security control measures (such as max-threads, idle-timeout and session-limit) while troubleshooting the issue.
Thanks for the info on that. I was unaware that there was a vulnerability and that it affected J-Web. I'll be certain to get it installed ASAP, hopefully it will help with my J-Web issue.
I've tried both Firefox and Chrome. Both give the usual self-signed cert warning but Chrome won't let me proceed. Checking the cert in Chrome gives an error "Unable to decode certificate," I can still save it though. Trying to import the certificate into Chrome fails with it saying there is no private key in the cert. I also tried saving the cert in Firefox with the same issue when importing it into Chrome. As for Firefox it will let me access the site after adding an exception.
You may want to generate your own Public/Private Key pair, this might be better accepted by browsers as you can customize the encryption algorithm and the size of the encryption key etc. with a CN of your choice.
Instructions are found here: https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/public-key-cryptography.html#id-manually-generating-selfsigned-certificates-on-switches-cli-procedure
Typically we would recommend creating your own CA-signed PKI certificate for use in production; Let's Encrypt is a good free option for testing.
The self-generated certificate seems to have been the root of the issue. Once I did all that was necessary to add an SSL cert using our internal CA the problems went away. No more certificate errors with Chrome and the interface finally loads correctly.
This seems to be an issue with the self-generated certificate. Either it isn't generated correctly, such as the wrong bit-length, format, etc., or it isn't served correctly. Don't know which, or if it is something completely different, but it may be something to bring up to the engineers.
Thanks for the assist.
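
An added example, not part of the thread and not Juniper tooling: a shell function that uses the `openssl` CLI to report the certificate properties the last post wonders about (whether the file decodes at all, key length, signature hash, presence of a Subject Alternative Name). The file names and `fw.example.test` are constructed, and `make_sample` only creates a throwaway self-signed certificate so the check has input offline.

```shell
# Added example (not from the thread): inspect a PEM certificate with the
# openssl CLI. File names and fw.example.test are constructed values.

# cert_report FILE -> one line: decode=ok bits=N sig=ALG san=yes|no
cert_report() {
    # A file openssl cannot parse is the "unable to decode" case.
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "decode=fail"
        return 1
    }
    # "Public-Key: (2048 bit)"; older builds print "RSA Public-Key: (...)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # First "Signature Algorithm:" line, e.g. sha256WithRSAEncryption.
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1)
    # Chrome matches the host name against this extension, not the CN.
    if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then
        san=yes
    else
        san=no
    fi
    echo "decode=ok bits=$bits sig=$sig san=$san"
}

# make_sample PREFIX [SAN] -> writes PREFIX.key and PREFIX.pem (constructed
# test input: RSA 2048, SHA-256, valid one day, optional SAN value).
make_sample() {
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=fw.example.test" -addext "subjectAltName=$2" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=fw.example.test" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    fi
}

# Stand-alone use: sh this_file.sh exported-cert.pem
if [ -n "${1:-}" ]; then
    cert_report "$1"
fi
```

Running `cert_report` on the certificate saved from the browser and on one issued by the internal CA shows which of these properties differs between the two.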