Problem solved.
The self-generated certificate seems to have been the root of the issue. Once I did all that was necessary to add an SSL cert using our internal CA, the problems went away. No more certificate errors with Chrome, and the interface finally loads correctly.
This seems to be an issue with the self-generated certificate. Either it isn't generated correctly, such as the wrong bit-length, format, etc., or it isn't served correctly. Don't know which, or if it is something completely different, but it may be something to bring up to the engineers.
Thanks for the assist.
------------------------------
CHRIS WOELKERS
------------------------------
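The fix described above (and the suggestion further down the thread to generate your own key pair), sketched as an added example that is not part of the original posts or Juniper's own procedure: replacing `system-generated-certificate` with a certificate signed by an internal CA. The certificate ID `jweb-cert`, the hostname `fw.example.com` and the `/var/tmp` file paths are assumptions.

```junos
# Added example. jweb-cert, fw.example.com and the /var/tmp paths are assumed names.

# 1. Operational mode: generate the key pair on the device, so the private key
#    never leaves the firewall.
request security pki generate-key-pair certificate-id jweb-cert type rsa size 2048

# 2. Create a PKCS#10 signing request for the internal CA. domain-name supplies
#    the FQDN that browsers match against the URL used to reach J-Web.
request security pki generate-certificate-request certificate-id jweb-cert domain-name fw.example.com subject "CN=fw.example.com" filename /var/tmp/jweb-cert.csr

# 3. Have the internal CA sign the request, copy the signed certificate back to
#    the device, then attach it to the key pair created in step 1.
request security pki local-certificate load certificate-id jweb-cert filename /var/tmp/jweb-cert.pem

# 4. Confirm issuer, validity dates, key size and signature algorithm before
#    J-Web starts serving the certificate.
show security pki local-certificate certificate-id jweb-cert detail

# 5. Configuration mode: swap the system-generated certificate for the signed one.
#    commit confirmed rolls back automatically if the management session is lost.
configure
delete system services web-management https system-generated-certificate
set system services web-management https pki-local-certificate jweb-cert
commit confirmed 5
# Reload J-Web in the browser, check the certificate it presents, then make the
# change permanent:
commit
```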
Original Message:
Sent: 12-05-2023 23:12
From: GAVIN WHITE
Subject: J-Web not loading properly - SRX4100
You may want to generate your own Public/Private Key pair; this might be better accepted by browsers, as you can customize the encryption algorithm, the size of the encryption key, etc., with a CN of your choice.
Instructions are found here: https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/public-key-cryptography.html#id-manually-generating-selfsigned-certificates-on-switches-cli-procedure
Typically we would recommend creating your own CA-signed PKI certificate for use in production; Let's Encrypt is a good free option for testing.
------------------------------
GAVIN WHITE
Original Message:
Sent: 12-05-2023 11:42
From: CHRIS WOELKERS
Subject: J-Web not loading properly - SRX4100
Gavin,
Thanks for the info on that. I was unaware that there was a vulnerability and that it affected J-Web. I'll be certain to get it installed ASAP, hopefully it will help with my J-Web issue.
I've tried both Firefox and Chrome. Both give the usual self-signed cert warning, but Chrome won't let me proceed. Checking the cert in Chrome gives an error, "Unable to decode certificate"; I can still save it, though. Trying to import the certificate into Chrome fails, with it saying there is no private key in the cert. I also tried saving the cert in Firefox, with the same issue when importing it into Chrome. As for Firefox, it will let me access the site after adding an exception.
------------------------------
CHRIS WOELKERS
Original Message:
Sent: 12-05-2023 03:53
From: GAVIN WHITE
Subject: J-Web not loading properly - SRX4100
Hi Chris,
Please make sure you download and use 21.4R3-S5 as per announcement... https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
I would try another browser first; you can accept the certificate by importing it to your trusted certificate store on your PC. I would also suggest deactivating the security control measures (such as max-threads, idle-timeout and session-limit) while troubleshooting the issue.
------------------------------
GAVIN WHITE
Original Message:
Sent: 12-04-2023 12:18
From: CHRIS WOELKERS
Subject: J-Web not loading properly - SRX4100
Got a new SRX-4100 to replace our old 1400. Did all the configuration by CLI as it allowed a, more-or-less, direct copy/paste from the 1400. With web management enabled I get this when trying to load the site. This is in Firefox on Rocky 8 as Chrome fails with the self-signed cert.
The configuration is as such.
    admin@fw> show configuration system services web-management
    management-url admin;
    https {
        system-generated-certificate;
        interface fxp0.0;
    }
    control {
        max-threads 2;
    }
    session {
        idle-timeout 5;
        session-limit 2;
    }
The device is running 21.4R3.15.
------------------------------
CHRIS WOELKERS
------------------------------