OpenPrinting / cups

OpenPrinting CUPS Sources
https://openprinting.github.io/cups
Apache License 2.0

IPPS credentials invalid - hard to discover and fix #1046

Closed proski closed 2 months ago

proski commented 2 months ago

My issue is similar to #753 except that the certificate was not expired; it was simply different (updated). Before this issue is closed as a "configuration issue" I would ask to consider how to improve user experience. That's why I'm going to describe my experience in more detail than I would normally do.

My laser printer HP LaserJet Pro 4001n stopped working with Fedora 40 a while ago, and I didn't know at the time what triggered it. I updated printer firmware at some point. I also keep the system up to date, which means updating packages almost every day.

I noticed that I could still print from my Android phone, which suggested an issue on Fedora. Finally I found time to debug the issue.

I saw the printer jobs appear on http://localhost:631/jobs/ as "pending" without any context. Messages from journalctl did not indicate any issue.

I looked online for how to debug CUPS issues and found the cupsctl --debug-logging command. Only then could I find something that looked like the cause of the issue:

Sep 07 21:47:15 rui cupsd[6384]: [Job 188] Printer credentials: HP5EF1A4.lan (issued by HP) / Fri, 05 May 2034 00:00:00 GMT / RSA-SHA256 / 42C26AC55809DF26B68FD93A153F4C90
Sep 07 21:47:15 rui cupsd[6384]: [Job 188] Stored credentials: HP5EF1A4.lan (issued by HP) / Thu, 13 Oct 2033 00:00:00 GMT / RSA-SHA256 / D38C1C7722E906D2C71D44B52D849909

The messages were shown by journalctl in dim grey, which is used for debug messages. Important messages are shown in red and yellow, but this wasn't considered "important".

I checked the web interface of the printer. Indeed, its certificate was shown as expiring on May 5, 2034. So, it was probably the firmware update.

I started searching for the error message. There were some mentions, but no information on how to fix it. When I searched for "CUPS certificate issue" and similar, I could only find information about the certificate of the CUPS server. I could not find anything about printer certificates stored by CUPS and how to clear them.

I disabled IPPS on the printer, and it started working right away.

I tried looking for the certificate; I expected it to be under /var. Eventually I decided to see if anything interesting was in /etc/cups and indeed, there was a file under /etc/cups/ssl that was clearly the certificate for the laser printer. I removed that file, re-enabled IPPS on the printer, and it worked. A new certificate with that name appeared in /etc/cups/ssl.

My issue is that it shouldn't be so much pain. I don't know what can be improved, but I'm sure something can be.
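Added example (not part of the issue thread and not CUPS project code): a small Python scanner that pairs the "Printer credentials" and "Stored credentials" debug lines per job and reports jobs where the presented certificate no longer matches the pinned one. It assumes the line layout is exactly that of the two lines quoted above; the job 189 lines and the function name are constructed for illustration.

```python
import re
import sys
from email.utils import parsedate_to_datetime

# Constructed sample: job 188 is the pair of lines quoted in the report;
# job 189 is a made-up printer whose presented and stored credentials match.
SAMPLE_LOG = """\
Sep 07 21:47:15 rui cupsd[6384]: [Job 188] Printer credentials: HP5EF1A4.lan (issued by HP) / Fri, 05 May 2034 00:00:00 GMT / RSA-SHA256 / 42C26AC55809DF26B68FD93A153F4C90
Sep 07 21:47:15 rui cupsd[6384]: [Job 188] Stored credentials: HP5EF1A4.lan (issued by HP) / Thu, 13 Oct 2033 00:00:00 GMT / RSA-SHA256 / D38C1C7722E906D2C71D44B52D849909
Sep 07 21:50:02 rui cupsd[6384]: [Job 189] Printer credentials: example-printer.lan (issued by Example) / Mon, 01 Jan 2035 00:00:00 GMT / RSA-SHA256 / 00112233445566778899AABBCCDDEEFF
Sep 07 21:50:02 rui cupsd[6384]: [Job 189] Stored credentials: example-printer.lan (issued by Example) / Mon, 01 Jan 2035 00:00:00 GMT / RSA-SHA256 / 00112233445566778899AABBCCDDEEFF
"""

# Assumed layout, taken from the quoted lines:
# name (issued by issuer) / expiry / signature algorithm / fingerprint
LINE_RE = re.compile(
    r"\[Job (?P<job>\d+)\] (?P<kind>Printer|Stored) credentials: "
    r"(?P<name>\S+) \(issued by (?P<issuer>[^)]*)\) / (?P<expires>[^/]+) / "
    r"(?P<sigalg>[^/]+) / (?P<fp>[0-9A-Fa-f]+)\s*$"
)

def find_pin_mismatches(log_text):
    """Return one dict per job whose presented and pinned credentials differ."""
    jobs = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            jobs.setdefault(m["job"], {})[m["kind"]] = m.groupdict()
    findings = []
    for job, creds in sorted(jobs.items(), key=lambda kv: int(kv[0])):
        seen, pinned = creds.get("Printer"), creds.get("Stored")
        if not seen or not pinned or seen["fp"].upper() == pinned["fp"].upper():
            continue  # incomplete pair, or the pinned certificate still matches
        findings.append({
            "job": int(job), "host": seen["name"],
            "pinned_fp": pinned["fp"], "presented_fp": seen["fp"],
            "same_name_and_issuer":
                (seen["name"], seen["issuer"]) == (pinned["name"], pinned["issuer"]),
            "presented_expires_later": parsedate_to_datetime(seen["expires"])
                > parsedate_to_datetime(pinned["expires"]),
        })
    return findings

if __name__ == "__main__":
    # Pass a file of saved journal output, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in find_pin_mismatches(text):
        print("Job {job}: {host} pinned {pinned_fp}, now presents {presented_fp}".format(**f))
```

A later expiry with the same name and issuer is consistent with a re-issued certificate, but it is not proof of one; compare against the certificate shown in the printer's own web interface before removing the pinned file under /etc/cups/ssl.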

michaelrsweet commented 2 months ago

So in this case the issue is not in CUPS but in the desktop software which is supposed to see the "cups-pki-changed" printer-state-reasons value that the IPP backend sets and pop up a dialog for the user/admin to deal with it.

So please report this issue to Red Hat and hopefully they can come up with a change to system-config-printer to make this both visible and easily fixed for users...