System > Safety > HTTPS Install Signed Certificate Upload fails

[Jiri]

Hello,

Bought a IPC-B5442E-Z4E camera from Andy, firmware version V2.800.0000000.10.R, Build Date: 2019-11-18.

Trying to setup HTTPS in System > Safety with my own certs. I am trying to upload it through Install Signed Certificate section. When I select files to upload from my PC, located on my Desktop (c:\Users\foo\Desktop\file.cert.pem), Dahua web interface instead fills out c:\fakepath\file.cert.pem. Just to note, there is no such path on my C: drive. I cannot hand edit the field and sure enough, when I try to hit Upload, it fails with Bad File Format. Has anybody tried to enable HTTPS with your own certs?

Thanks,
Jiri

 

[redfive]

Mmm... just tried, load my own cert and key with no issues, but this cam has dahua logo fw V2.800.0000000.8.R, Build Date: 2019-09-02, maybe later I'll try too install to a brand new cam with general V2.800.0000000.10.R, Build Date: 2019-11-18

 

[Jiri]

Great, thanks @redfive for trying. I have another IPC-T5442TM-AS with firmware version V2.800.0000000.8.R, Build Date: 2019-09-02. So not the same as yours, but perhaps closer. Trying there, I get the same issue. I have also tried to rename the filename extensions to see if it makes any difference and tried to upload the files from the root of C:\ to see if it is anything to do with my path. Still getting the same failure. I have tried a self signed cert and a full cert chain with the Server Auth EKU, still no luck. I have tried from both Edge and Chome, no difference. Is there a chance you could share your cert and key files with me so I can try them and if they work for me, I can structurally compare them to my files?

 

[redfive]

I've simply created the cert, with its 4096 bit RSA private key, and loaded it ...

 

[Jiri]

@redfive, is there a chance you can share the actual files (cert and key or at least the cert)? If not, can you point me to the toolchain and flow that you used to generate the certs?

 

[pcunite]

Having the same issues here. What is the Dahua certificate format for certs and keys?

 

[pcunite]

I was able to get it to work, via the following command. My certs are created using powershell PKIClient, so they are a pfx file. So, run this command to create a PEM file with everything in one file. Then upload the same file for both the cert and key locations.

openssl pkcs12 -in Dahua.pfx -out Dahua.pem -nodes -passin pass:"youpass"

 

[Jiri]

Thank you @pcunite and @redfive for your help in getting this unblocked.

Including the full chain and the private key into a single file as mentioned by @pcunite helped, but only worked on a single camera. It took me a while to figure out why, but turns out the file name format is also important. It cannot have more than one period, so foo.pem works, foo.bar.pem does not.

Hope this helps somebody else as well. And also hope Dahua can remove random restrictions or improve their error messages (@EMPIRETECANDY FYI).

 

[Jiri]

Also, if anybody reads it, I am still getting the c:\fakepath\... when uploading the cert file, but that is red herring.

 

[rufik]

I'm facing the same "fakepath" issue with my new SD29204UE-GN. To be precise:

Device Type: DH-SD29204UE-GN
System Version: V2.810.0000000.4.R.E4.4a3.UN.NR, Build Date: 2020-05-09
WEB Version: V3.2.1.889961
ONVIF Version: 18.12(V2.4.5.826858)
PTZ Version: V2.301.0000000.25.RHNAX_191224_34329
Security Baseline Version: V2.1

I have my own self-signed SSL certificate (RSA 4096) exported in PEM format and key as well (-----BEGIN RSA PRIVATE KEY-----, etc) and totally unable to upload it vi web gui. First problem is with "fakepath" in input fields, second one is "bad file format" after hitting "Upload" button:


This "fakepath" appears always, no matter the file comes from. What's going on?
And what precisely is required format of SSL certs?

 

[rufik]

Solved! I had to use IE11 with Dahua plugin to get rid of "fakepath" issue and upload cert successfully.
SSL cert and key in PEM format are fine, no need to combine them into one file.

 

[lkuty]

It is working OK here. "fakepath" is a false positive. It has nothing to do with a problem. But as metionned we can't have more that one dot in the filename of the PEM file. Thus: no need for IE, "fakepath" is ok, PEM is ok, one single dot in filename.