
Tips when using SSL Packet Inspection (man-in-the-middle) on your network


Some network infrastructure can interfere with the SSL/TLS handshakes used by PaperCut products. We have seen this with security appliances such as firewalls, proxy servers, corporate VPNs and content filters that perform SSL/TLS packet inspection (also known as man-in-the-middle inspection).

With this type of inspection the appliance terminates the encrypted SSL/TLS connection, inspects the traffic, and re-encrypts it towards the client using a certificate it issues on the fly, signed by whatever CA certificate is installed on the appliance. The PaperCut Application Server runs on its own bundled Java runtime, which has its own trust store (the cacerts keystore under the runtime directory), so if that trust store does not contain the appliance's CA certificate the Application Server rejects the connection and customers see SSL handshake errors.

Some examples of issues seen are with:

  • Integrated scanning - scans to cloud storage may fail with an error in the server logs:
    • Delivering scan images for scan job jobId@xxxxxxx:scanAction@xxxx:task@xxx failed with an error: unable to find valid certification path to requested target. See more details in the server log
    • Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • Connections to the Global Entitlements Service used in PaperCut MF version 24.0.1 and later - the license upgrade may fail, or subsequent updates to the entitlements on the Application Server may fail. Errors include:
    • In the admin interface: "Unable to submit activation key. Contact your Accredited Reseller for support", "Last background entitlement sync failed", or "Unable to contact PaperCut Gateway Service to register license file"
    • In the server logs: ERROR CloudNoticeFetcher - Fetch cloud messages from https://mf.cloud.papercut.com. Will return empty list [http-43] javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In every case the underlying error is the same "PKIX path building failed": the Java runtime could not chain the certificate it was presented to any CA in its trust store.

Another clue is that the certificate presented for PaperCut cloud services appears to be issued by your own organization or by your security appliance vendor. For example, if the certificate for https://scan.cloud.papercut.com or https://mf.cloud.papercut.com shows an Issuer (or issuer Common Name) different from the one you see when connecting from a public network (one with no network appliance or SSL packet inspection in the path), the traffic is being intercepted.

Screenshot showing the certificate information (including Common name) for scan.cloud.papercut.com and mf.cloud.papercut.com

The screenshot above shows the unaltered certificate information for scan.cloud.papercut.com and mf.cloud.papercut.com. You can view this in most browsers by clicking the padlock or 'info' icon in the URL bar and then viewing the certificate details. If the certificates are issued by a different entity, e.g. your security or networking vendor, or your own organization's name appears as the Issuer, the network is using SSL packet inspection. Perform this check from the Application Server itself (or a machine on the same network segment), because inspection policies are often applied per segment and a workstation elsewhere on the network may not be intercepted.
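The same check, run from the Application Server in PowerShell instead of a browser, as an added example that is not part of the original article. It connects to the two cloud host names named above, prints the Subject and Issuer of the certificate actually presented, and reports whether Windows trusts the chain; an inspection CA pushed out by Group Policy is usually trusted by Windows, which is why the browser shows no warning while the bundled Java runtime fails. The host names come from the article; the script name, the -ExportRootTo parameter and the accept-all validation callback are this example's own.

```powershell
# Added diagnostic, not from the PaperCut article: show the certificate chain the
# network path presents for PaperCut's cloud endpoints and whether Windows trusts
# it. Run it on the Application Server itself, since inspection policies are often
# applied per network segment. Host names are taken from the article.
param(
    [string[]]$Hosts = @('scan.cloud.papercut.com', 'mf.cloud.papercut.com'),
    [int]$Port = 443,
    [string]$ExportRootTo                      # optional: write the chain root to this .cer file
)

function Get-PresentedCertificate {
    param([string]$TargetHost, [int]$TargetPort)

    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $TargetPort)
    try {
        # Accept whatever is presented so the handshake completes and the
        # certificate can be inspected. Diagnosis only: never use this in
        # production code, it disables server authentication entirely.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)        # sends SNI for $TargetHost
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $client.Dispose()
    }
}

function Test-SslInspection {
    param([string]$TargetHost, [int]$TargetPort = 443, [string]$RootOutFile)

    $leaf = Get-PresentedCertificate -TargetHost $TargetHost -TargetPort $TargetPort

    # Build the chain against the Windows certificate store. An inspection CA
    # deployed by Group Policy is normally trusted here, which is why browsers on
    # the same machine show no warning while the Application Server's bundled
    # Java runtime, with its own cacerts trust store, fails PKIX path building.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trustedByWindows = $chain.Build($leaf)
    $root = ($chain.ChainElements | Select-Object -Last 1).Certificate

    if ($RootOutFile) {
        # DER-encoded .cer, which keytool and KeyStore Explorer both accept
        $der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($RootOutFile, $der)
    }

    [pscustomobject]@{
        Host             = $TargetHost
        Subject          = $leaf.Subject
        Issuer           = $leaf.Issuer
        NotAfter         = $leaf.NotAfter
        Thumbprint       = $leaf.Thumbprint
        ChainRoot        = $root.Subject
        TrustedByWindows = $trustedByWindows
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

foreach ($h in $Hosts) {
    Test-SslInspection -TargetHost $h -TargetPort $Port -RootOutFile $ExportRootTo | Format-List
}
```

Run it as `.\Test-PaperCutSslInspection.ps1`; if Issuer names your organization or your security vendor while the same command from a public network shows a public CA, inspection is in the path. Re-run with `-ExportRootTo C:\Temp\inspection-root.cer` to save the root of the chain as Windows resolved it; when TrustedByWindows is False, Windows could not chain to a root either and the exported certificate is only the last one it could find, so take the CA certificate from the appliance itself instead.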

Step 1 - rule out a proxy

Sometimes the issue is that a proxy server has been configured on the network, but the PaperCut Application Server hasn’t been configured with the proxy config information.

To configure PaperCut to use the proxy server, see Configuring PaperCut NG/MF to use a proxy.

Step 2 - configure the Application Server to trust the proxy / firewall / content filter

If you have confirmed that the correct firewall ports are open and configured your proxy as described in Configuring PaperCut NG/MF to use a proxy, but you are still seeing connection errors, configure the Application Server to trust the network device/appliance by importing the appliance's certificate into the trust store (cacerts) of the Java runtime bundled with the Application Server.

Import the root or issuing CA certificate that the appliance uses to sign the re-encrypted connections, not the leaf certificate shown for a single hostname: inspection appliances generate leaf certificates per site, so trusting one only fixes that hostname until it is regenerated.

The steps below are adapted from a Securly Knowledge Base article about getting Google Cloud Print to work when PaperCut cannot establish a secure connection because a man-in-the-middle appliance is re-signing the traffic.

  1. Download the CA certificate used for SSL packet inspection from your security appliance (your appliance vendor's documentation describes where to find it).
  2. Download KeyStore Explorer for your operating system from: http://www.keystore-explorer.org/downloads.html
  3. After installing KeyStore Explorer, go to File -> Open.
  4. In the Open Keystore window, navigate to the keystore under your installation ([Application Server install directory]\runtime\win64\jre\lib\security\cacerts), which for a default install is C:\Program Files\PaperCut MF\runtime\win64\jre\lib\security; select cacerts as the keystore to open, and click OK.
  5. The password to unlock the keystore is: changeit
  6. Click the red ribbon icon in the toolbar, titled Import Trusted Certificate.
    Keystore explorer application screenshot showing the ‘Import Trusted Certificate’ button in the toolbar (a red ribbon)
  7. Select the certificate you downloaded in the first step and click OK. Then click OK on the alert letting you know the import was successful.
  8. Click the floppy disk icon to Save.
    Keystore explorer application screenshot showing the ‘Save’ button in the toolbar (a floppy disk icon)
  9. Open services.msc and restart the PaperCut Primary Application Server service so the updated trust store is loaded - see Stopping and starting PaperCut Services for more.
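The same import done from the command line, as an added example that is not part of the original article or the Securly steps it adapts. It uses the keytool that ships in the bundled JRE to add the appliance's CA certificate to the same cacerts keystore the KeyStore Explorer steps open, after checking that the file really is a CA certificate and backing up the keystore, then verifies the entry and restarts the service. The install path, the default keystore password "changeit" (from the article), the alias name and the service display name used with Get-Service are assumptions for a default 64-bit PaperCut MF install; confirm the service name in services.msc.

```powershell
# Added example, not from the PaperCut article or the Securly KB: the same import
# the KeyStore Explorer steps perform, done with the keytool shipped in the bundled
# JRE. Run from an elevated PowerShell prompt on the Application Server. The
# install path, the cacerts password ("changeit", per the article), the alias and
# the service display name are assumptions for a default 64-bit MF install.
param(
    [Parameter(Mandatory)][string]$CaCertPath,        # appliance CA certificate, DER or PEM
    [string]$InstallDir = 'C:\Program Files\PaperCut MF',
    [string]$Alias      = 'ssl-inspection-ca',
    [string]$StorePass  = 'changeit'
)

$jre     = Join-Path $InstallDir 'runtime\win64\jre'
$keytool = Join-Path $jre 'bin\keytool.exe'
$cacerts = Join-Path $jre 'lib\security\cacerts'

foreach ($p in @($keytool, $cacerts, $CaCertPath)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}

# Check what is about to be trusted. It must be a CA certificate (Basic
# Constraints CA=true): the leaf an appliance mints for one hostname is
# regenerated and would only fix that host until it rotates.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
$basic = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $basic -or -not $basic.CertificateAuthority) {
    throw "$CaCertPath is not a CA certificate (Subject: $($ca.Subject)). Export the appliance's root or issuing CA instead."
}
if ($ca.NotAfter -lt (Get-Date)) { throw "CA certificate expired on $($ca.NotAfter)" }
Write-Host "Trusting CA: $($ca.Subject)"
Write-Host "  thumbprint $($ca.Thumbprint), valid until $($ca.NotAfter)"

# The trust store is a single file; keep a backup before changing it.
$backup = "$cacerts.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -LiteralPath $cacerts -Destination $backup
Write-Host "Backup written to $backup"

# keytool refuses to import over an existing alias, so drop a stale entry first
# (this makes the script safe to re-run, e.g. after a PaperCut upgrade).
& $keytool -list -keystore $cacerts -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -eq 0) {
    & $keytool -delete -keystore $cacerts -storepass $StorePass -alias $Alias
}

# Import as a trusted certificate entry (what the red ribbon button does).
& $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CaCertPath `
    -keystore $cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# Verify the entry is present before restarting anything.
& $keytool -list -keystore $cacerts -storepass $StorePass -alias $Alias
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' not found in $cacerts after import" }

# Restart the Application Server so the updated trust store is loaded.
# Display name pattern is an assumption; confirm it in services.msc.
$svc = Get-Service -DisplayName 'PaperCut*Application Server*' -ErrorAction Stop
$svc | Restart-Service -Force
$svc | Get-Service | Select-Object DisplayName, Status
```

Run it as `.\Import-InspectionCa.ps1 -CaCertPath C:\Temp\inspection-root.cer`. Because the entry lives in the runtime's own cacerts file rather than the Windows certificate store, re-run the `keytool -list` check after any PaperCut upgrade: if the installer replaces the bundled runtime, the imported CA is gone and the PKIX errors return.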


Categories: Troubleshooting Articles , Administration



Last updated June 21, 2024