Certified printer fumes
After losing a fair bit of hair due to quality and reliability issues with our home laser multifunctional (Brother DCP1600-series, which we bought after checking it was meant to work on Linux… And it does, but with a very buggy, proprietary driver — Besides being the printer itself of quite low quality), we decided it was time to survey the market again, and get a color inkjet printer. I was not very much an enthusiast of the idea, until I found all of the major manufacturers now offer refillable ink tanks instead of the darn expensive cartridges of past decades. Lets see how it goes!
Of course, with over 20 years of training, I did my homework. I was about to buy an Epson printer, but decided for an HP Ink Tank 410 Wireless printer. The day it arrived, not wanting to fuss around too much to get to see the results, I connected it to my computer using the USB cable. Everything ran smoothly and happily! No driver hunting needed, print quality is superb… I hope, years from now, we stay with this impression.
Next day, I tried to print over WiFi. Of course, it requires configuration. And, of course, configuration strongly wants you to do it from a Windows or MacOS machine — which I don’t have. OK, fall back to Android — For which an app download is required (and does not thrill me, but what can I say. Oh — and the app needs location services to even run. Why‽ Maybe because it interacts with the wireless network in WiFi Direct, non-authenticated way?)
Anyway, things seem to work. But they don’t — My computers can
identify and connect with the printer from CUPS, but nothing ever
comes out. Printer paused, they say. Entering the printer’s web
interface is somewhat ambiguous — Following the old HP practices, I
tried http://192.168.1.75:9100/ (no point in hiding my internal IP),
and got a partial webpage sometimes (and nothing at all
othertimes). Seeing the printer got detected over ipps://, my
immediate reaction was to try pointing the browser to port 631. Seems
to work! Got some odd messages… But it seems I’ll soon debug the
issue away. I am not a familiar meddler in the dark lands of cups,
our faithful print server, but I had to remember my toolkit..
# cupsenable HP_Ink_Tank_Wireless_410_series_C37468_ --release
Sucess in enabling, but self-auto-disabled right away… lpstat -t
was not more generous, reporting only it was still paused.
… Some hours later (mix in attending kids and whatnot), I finally
remember to try cupsctl --debug-logging, and magically,
/var/log/cups/error_log turns from being quiet to being quite
chatty. And, of course, my first print job starts being processed:
D [10/May/2020:23:07:20 -0500] Report: jobs-active=1
(...)
D [10/May/2020:23:07:25 -0500] [Job 174] Start rendering...
(...)
D [10/May/2020:23:07:25 -0500] [Job 174] STATE: -connecting-to-device
(...)
Everything looks fine and dandy so far! But, hey, given nothing came out of the printer… keep reading one more second of logs (a couple dozen lines)
D [10/May/2020:23:07:26 -0500] [Job 174] Connection is encrypted.
D [10/May/2020:23:07:26 -0500] [Job 174] Credentials are expired (Credentials have expired.)
D [10/May/2020:23:07:26 -0500] [Job 174] Printer credentials: HPC37468 / Thu, 01 Jan 1970 00:00:00 GMT / 28A59EF511A480A34798B6712DEEAE74
D [10/May/2020:23:07:26 -0500] [Job 174] No stored credentials.
D [10/May/2020:23:07:26 -0500] [Job 174] update_reasons(attr=0(), s=\"-cups-pki-invalid,cups-pki-changed,cups-pki-expired,cups-pki-unknown\")
D [10/May/2020:23:07:26 -0500] [Job 174] STATE: -cups-pki-expired
(...)
D [10/May/2020:23:08:00 -0500] [Job 174] envp[16]="CUPS_ENCRYPTION=IfRequested"
(...)
D [10/May/2020:23:08:00 -0500] [Job 174] envp[27]="PRINTER_STATE_REASONS=cups-pki-expired"
My first stabs were attempts to get CUPS not to care about expired certificates, but it seems to have been hidden or removed from its usual place. Anyway, I was already frustrated.
WTF‽ Well, yes, turns out that from the Web interface, I paid some attention to this the first time around, but let it pass (speaks wonders about my security practices!):
So, the self-signed certificate the printer issued at itself expired
116 years before even being issued. (is this maybe a Y2k38 bug?
Sounds like it!) Interesting thing, my CUPS log mentions the printer
credentials to expire at the beginning of the Unix Epoch
(01 Jan 1970 00:00:00 GMT).
OK, lets clickety-click away on the Web interface… Didn’t take me
long to get to Network ⇒ Advanced settings ⇒ Certificates:
However, clicking on Configure leads me to the not very reassuring…
I don’t remember what I did for the next couple of minutes. Kept
fuming… Until I parsed again the output of lpstat -t, and found
that:
# lpstat -t
(...)
device for HP_Ink_Tank_Wireless_410_series_C37468_: ipps://HPF43909C37468.local:443/ipp/print
(...)
Hmmmm… CUPS is connecting using good ol’ port 443, as if it were a Web thingy… What if I do the same?
Click on “New self-signed certificate”, click on Next, a couple of reloads… And a very nice color print came out of the printer, yay!
Now, it still baffles me (of course I checked!): The self-signed
certificate is now said to come from
Issuer : CN=HPC37468, L=Vancouver, ST=Washington, C=US, O=HP,OU=HP-IPG,
alright… not that it matters (I can import a more meaningful one if I really feel like
it), but, why is it Issued On: 2019-06-14 and set to
Expires On: 2029-06-11?
Anyway, print quality is quite nice. I hope to keep the printer long enough to rant at the certificate being expired in the future!
Comments
Jeff Epler (Adafruit) 2020-05-11 20:39:17 -0500
“why is it Issued On: 2019-06-14 and set to Expires On: 2029-06-11?” → Because it’s 3650 days
Gunnar Wolf 2020-05-11 20:39:17 -0500
Nice catch! Thanks for doing the head-scratching for me 😉