Oh Brother, my Let's Encrypt SSL certificate is broken

TL;DR: PROBLEM: Let's Encrypt SSL certificates made after September 2021 will not load on the Brother MFC-9340CDW.

SOLUTION: build the PKCS #12 file from cert.pem only, and separate fullchain.pem into individual certificates and upload each one as a CA certificate.

PROBLEM: Chrome deprecated TLS versions 1.0 and 1.1, so now the Brother printer web UI is not reachable from Chrome 88 and newer.

SOLUTION: none. Brother has no plan to support any TLS version newer than 1.1 on the MFC-9340CDW; some of their newer machines do support TLS 1.2.

Root CA change
Let's Encrypt SSL Certificate not loading on Brother printer
How to load the SSL cert on Brother printer
How to load Let's Encrypt SSL CA cert on Brother printer
Brother SSL upload BASH script
Deprecation of TLS 1.0 & TLS 1.1
Brother official response

Root CA change

[Picture of CA cert chain of authority] On September 30, 2021, the DST Root CA X3 expired.

More information can be found at the URL below:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

DST Root CA X3 was the root under which Let's Encrypt's intermediate had been trusted, so any chain that still ends at it now ends at an expired root and is untrusted by clients that do not also know the newer root.

To avoid this, Let's Encrypt now chains its R3 intermediate to its own root, ISRG Root X1, and serves a copy of ISRG Root X1 cross-signed by the expired DST Root CA X3 at the end of the chain for the benefit of older clients (notably old Android). Since Let's Encrypt certificates are only valid for 90 days and certbot renews them automatically (by default once 30 days of validity remain), the new chain arrives at the next renewal with no action needed; for ordinary web servers this is a non-issue.

Let's Encrypt SSL Certificate not loading on Brother printer

But the new certificate that Let's Encrypt issues will not load on the Brother printer.
My previous workflow was to take fullchain.pem and privkey.pem and generate a PKCS #12 file with the following command:

    DOMAIN=host.domain.com   # the certificate directory name under /etc/letsencrypt/live/
    openssl pkcs12 -export \
        -in /etc/letsencrypt/live/$DOMAIN/fullchain.pem \
        -inkey /etc/letsencrypt/live/$DOMAIN/privkey.pem \
        -out /etc/letsencrypt/live/$DOMAIN/cert.p12 \
        -name "$DOMAIN" \
        -CAfile /etc/letsencrypt/live/$DOMAIN/fullchain.pem \
        -caname "Let's Encrypt Authority X3" \
        -passin pass:"" -passout pass:""

Previously this worked fine on the Brother MFC-9340CDW. However, with the expiry of DST Root CA X3, Let's Encrypt's default chain changed: the leaf is now issued by R3 as signed by ISRG Root X1, and the chain ends with ISRG Root X1 cross-signed by the (expired) DST Root CA X3, kept for compatibility with old Android devices. As a direct result, chain.pem went from holding one certificate to two, and fullchain.pem went from two certificates to three.

[Certificate and Private Key Import error] It seems this produces a .p12 file that the printer does not like. When importing the certificate and private key, the Brother printer gives the following Submit Error:
"The size of the PKCS#12 file is too large."

After some trial and error I discovered that the printer did not like the extra certificate that is now included in chain.pem and fullchain.pem. When I instead generated the PKCS #12 file from cert.pem and privkey.pem, still pointing -CAfile at fullchain.pem, it loaded fine. Note that openssl pkcs12 -export only copies certificates from -CAfile into the output when -chain is also given, so this .p12 contains just the leaf certificate and its key, which is why it is small enough for the printer; the rest of the chain has to be uploaded separately as CA certificates (next section).

Instead, generate the PKCS #12 file from cert.pem (the leaf certificate alone) as follows:

    DOMAIN=host.domain.com   # the certificate directory name under /etc/letsencrypt/live/
    openssl pkcs12 -export \
        -in /etc/letsencrypt/live/$DOMAIN/cert.pem \
        -inkey /etc/letsencrypt/live/$DOMAIN/privkey.pem \
        -out /etc/letsencrypt/live/$DOMAIN/cert.p12 \
        -name "$DOMAIN" \
        -CAfile /etc/letsencrypt/live/$DOMAIN/fullchain.pem \
        -caname "Let's Encrypt Authority X3" \
        -passin pass:"" -passout pass:""

The resulting cert.p12 holds the private key protected by an empty password, so keep it readable only by root (chmod 600) and delete it once the printer has accepted it.

Let's Encrypt CA Certificate

[CA certificate Import Error] There were also errors when importing the CA certificate. I tried to upload fullchain.pem, chain.pem, and even fullchain-key.pem with no success. As with the PKCS #12 file, the Brother printer rejects the newer CA bundles because of the extra certificate they now contain.


Splitting fullchain.pem into its three individual certificates and uploading them one at a time as CA certificates worked fine.
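As an added example (not the page's own make-ssl-bro-mfc9340.sh, and not anything from Brother or Let's Encrypt), here is the splitting step above as a POSIX shell script: it cuts fullchain.pem into one file per certificate in chain order, checks each against the 2 KB CA-certificate limit quoted in Brother's reply further down, and prints each certificate's subject when openssl is installed so the upload order (leaf, R3, cross-signed ISRG Root X1) can be confirmed. The 2048-byte limit is taken from that reply; the cert-N.pem naming and the /tmp/chain output directory in the usage comment are choices made here.

```shell
#!/bin/sh
# Added example, not the original page's script: split a certbot fullchain.pem
# into one PEM file per certificate (chain order preserved) and check each
# against the 2 KB limit Brother's engineers quoted for CA-certificate imports.
# Assumptions: POSIX sh + awk; BROTHER_CA_MAX_BYTES=2048 is taken from that reply.

BROTHER_CA_MAX_BYTES=2048

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, OUTDIR/cert-2.pem, ... (leaf first, then the
# intermediate, then the cross-signed root) and prints how many were written.
# Anything outside BEGIN/END CERTIFICATE blocks (blank lines, comments) is dropped.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                        { print > out }
        /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END                            { print n + 0 }
    ' "$bundle"
}

# ca_file_fits FILE -> exit 0 if FILE is within the printer's limit, 1 if not.
ca_file_fits() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$BROTHER_CA_MAX_BYTES" ]
}

# report_chain OUTDIR
# One line per split certificate: path, size, whether it fits, and its subject
# (when openssl is available) so the upload order can be confirmed by eye.
# Returns 1 if any file is too large for the printer.
report_chain() {
    status=0
    for f in "$1"/cert-*.pem; do
        size=$(wc -c < "$f" | tr -d ' ')
        if ca_file_fits "$f"; then fit=ok; else fit="TOO LARGE"; status=1; fi
        if command -v openssl >/dev/null 2>&1; then
            subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null || echo "(not parseable)")
        else
            subj="(openssl not installed)"
        fi
        printf '%s  %5s bytes  %-9s  %s\n' "$f" "$size" "$fit" "$subj"
    done
    return "$status"
}

# Usage against a real certbot tree (each cert-N.pem is then uploaded one at a
# time on the printer's CA Certificate page):
#   split_pem_bundle /etc/letsencrypt/live/host.domain.com/fullchain.pem /tmp/chain
#   report_chain /tmp/chain
```

If report_chain flags a file as TOO LARGE, the printer will reject that certificate no matter how it is packaged; the split only helps because each of Let's Encrypt's individual certificates is under the limit while any two together are not.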

BASH script to generate and upload certificates

make-ssl-bro-mfc9340.sh is a small BASH shell script to upload certificates to the Brother MFC-9340CDW.
You can freely use it providing:

Deprecation of TLS 1.0 & TLS 1.1

A few days later I hit the second problem: Chrome has dropped support for TLS 1.0 and TLS 1.1 (disabled by default since Chrome 84). Since the Brother printer speaks nothing newer than TLS 1.1, its web UI first showed a warning that could still be clicked through, and from Chrome 88 on it is no longer reachable at all.

See the following for details:
https://blog.chromium.org/2019/10/chrome-ui-for-deprecating-legacy-tls.html

Prior to Chrome 88 there was the following warning:
"Your site is not fully secure. The site uses an outdated security configuration, which may expose your information
(for example, passwords, messages, or credit card) when it is sent to this site.
NET::ERR_SSL_OBSOLETE_VERSION
"
Chrome 88+ shows the following error and refuses to connect:

"This site can't provide a secure connection
host.domain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
"
[Chrome 88 TLS 1.1 Error]
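Before blaming the browser it is worth confirming what the device actually negotiates. The following is an added example, not from the original page or from Brother: a small POSIX shell script that forces one handshake per TLS version with the openssl command-line tool and reports which versions the host accepts. It assumes openssl is installed; host.domain.com and port 443 in the usage comment stand in for the printer's EWS address, and the TLS_PROBE_EXTRA variable is an addition here for working around a local openssl configuration that itself refuses TLS 1.0/1.1.

```shell
#!/bin/sh
# Added example, not from the original page or from Brother: ask a host which
# TLS protocol versions it will negotiate, one handshake per version, so the
# "only speaks TLS 1.1" claim can be checked against the printer itself.
# Assumes the openssl command-line tool; host/port are whatever the printer's
# web UI (EWS) answers on, normally 443.

# tls_supported HOST PORT FLAG
# Exit 0 when a handshake forced to the single version named by FLAG
# (-tls1, -tls1_1, -tls1_2, -tls1_3) succeeds, non-zero otherwise. A flag the
# local openssl build does not know also reads as "no", so confirm with
# `openssl s_client -help` if a result looks surprising. TLS_PROBE_EXTRA adds
# options to every probe; Debian/Ubuntu's default openssl.cnf refuses TLS 1.0
# and 1.1 on the client side, and there TLS_PROBE_EXTRA='-cipher DEFAULT:@SECLEVEL=1'
# is usually needed before the 1.0/1.1 probes say anything about the printer.
tls_supported() {
    host="$1"; port="$2"; flag="$3"
    # TLS_PROBE_EXTRA is deliberately unquoted so it word-splits into options.
    openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
        ${TLS_PROBE_EXTRA:-} </dev/null >/dev/null 2>&1
}

# probe_tls_versions HOST [PORT]
# Prints "<version> yes|no" for each protocol and returns 0 only if the host
# negotiated TLS 1.2 or 1.3, i.e. a version current browsers still accept.
probe_tls_versions() {
    host="$1"; port="${2:-443}"
    modern=1
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if tls_supported "$host" "$port" "-$v"; then
            echo "$v yes"
            case "$v" in tls1_2|tls1_3) modern=0 ;; esac
        else
            echo "$v no"
        fi
    done
    return "$modern"
}

# negotiated_summary HOST [PORT]
# Lets openssl choose freely and reports the protocol and cipher it settled on
# (from the SSL-Session block of s_client's output); prints nothing if no
# handshake succeeds at all.
negotiated_summary() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" ${TLS_PROBE_EXTRA:-} \
        </dev/null 2>/dev/null |
        awk '/^ *Protocol *:/ || /^ *Cipher *:/ { print $1 "=" $NF }'
}

# Usage (host.domain.com is the printer's hostname from the examples above):
#   probe_tls_versions host.domain.com 443
#   negotiated_summary host.domain.com 443
```

A host that answers "no" for tls1_2 and tls1_3 but "yes" for tls1_1 is exactly the case described here: nothing in the browser configuration of Chrome 88+ will make it connect, and the web UI should be reached from a segregated management network or an older client instead.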

Brother official response

Official word from Brother:

Regarding the above (1), what he/she performed seems to be the best way in what our engineers think, taking into account other methods in the case of the MFC9340CDW series. According to our engineers, the maximum file size of a CA Certificate being imported is 2KB. Since an error like "file size is beyond the acceptable one" seems to be displayed, the size of this CA Certificate would be more than 2 KB. As a workaround, dividing the CA Certificate into one file each and importing it per file would be a better way.

With regard to the above (2), the error "NET::ERR_SSL_OBSOLETE_VERSION" would be presumed to be displayed when using EWS (Web Based Management), but this error occurs when accessing the machine using TLS 1.0/1.1. Unfortunately, the occurrence of this error cannot be avoided in the case of the DCL series (MFC9340CDW) because of the supported version of TLS.


Return to
Schiller.net