Printing not working (cups-pki-expired)

Lubuntu 20.04 automatically discovered my printer on my LAN. However, printing does not work. Tried printing a PDF from Firefox, and got a popup error message:

‘Dell_Color_MFP_E525w_02_99_1B_’: ‘cups-pki-expired’

Printing works fine from my other systems.

Looking in the logs, I saw that AppArmor was denying cupsd access to several things. I disabled AppArmor, but printing still does not work. If I go into the printer dialog, in Printer Properties, under the Policies tab, I see that the printer is not enabled. If I enable it, it seems to work, but within a few seconds, it goes back to not enabled.

/var/log/syslog:
Apr 28 08:07:37 moo dbus-daemon[720]: [system] Activating service name=‘org.opensuse.CupsPkHelper.Mechanism’ requested by ‘:1.57’ (uid=1000 pid=1332 comm=“/usr/bin/python3 /usr/share/system-config-printer/” label=“unconfined”) (using servicehelper)
Apr 28 08:07:37 moo dbus-daemon[720]: [system] Successfully activated service ‘org.opensuse.CupsPkHelper.Mechanism’
Apr 28 08:07:38 moo systemd-resolved[707]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

/var/log/cups/access_log:
localhost - - [28/Apr/2020:08:07:37 -0500] “POST /admin/ HTTP/1.1” 401 185 Resume-Printer successful-ok
localhost - cups-pk-helper [28/Apr/2020:08:07:37 -0500] “POST /admin/ HTTP/1.1” 200 185 Resume-Printer successful-ok
localhost - cups-pk-helper [28/Apr/2020:08:07:37 -0500] “POST /admin/ HTTP/1.1” 200 208 CUPS-Add-Modify-Printer successful-ok
localhost - root [28/Apr/2020:08:07:38 -0500] “POST /admin/ HTTP/1.1” 200 297 CUPS-Add-Modify-Printer successful-ok

/var/log/cups/error_log:
W [28/Apr/2020:07:38:17 -0500] CreateProfile failed: org.freedesktop.DBus.Error.NoReply:Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
W [28/Apr/2020:07:38:19 -0500] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'Dell_Color_MFP_E525w_02_99_1B_-Gray…' already exists
W [28/Apr/2020:07:38:19 -0500] CreateProfile failed: org.freedesktop.ColorManager.AlreadyExists:profile id 'Dell_Color_MFP_E525w_02_99_1B_-DeviceN…' already exists

After setting CUPS to debug2 level output, error_log contains:

D [28/Apr/2020:08:28:41 -0500] [Job 1] update_reasons(attr=0(), s="-cups-certificate-error")
d [28/Apr/2020:08:28:41 -0500] [Job 1] op='-', new_reasons=1, state_reasons=1
D [28/Apr/2020:08:28:41 -0500] [Job 1] Connection is encrypted.
d [28/Apr/2020:08:28:41 -0500] select_timeout: JobHistoryUpdate=0
D [28/Apr/2020:08:28:41 -0500] [Job 1] Credentials are expired (Credentials have expired.)
D [28/Apr/2020:08:28:41 -0500] [Job 1] Printer credentials: DELL02991B (issued by unknown) / Wed, 02
Jan 2019 00:00:00 GMT / RSA-SHA256 / A1D969DB328B48E674BE84EDC8C2D18D
d [28/Apr/2020:08:28:41 -0500] select_timeout: JobHistoryUpdate=0
D [28/Apr/2020:08:28:41 -0500] [Job 1] No stored credentials.
D [28/Apr/2020:08:28:41 -0500] [Job 1] update_reasons(attr=0(), s="-cups-pki-invalid,cups-pki-change
d,cups-pki-expired,cups-pki-unknown")
d [28/Apr/2020:08:28:41 -0500] [Job 1] op='-', new_reasons=4, state_reasons=1
D [28/Apr/2020:08:28:41 -0500] [Job 1] update_reasons(attr=0(), s="+cups-pki-expired")
d [28/Apr/2020:08:28:41 -0500] [Job 1] op='+', new_reasons=1, state_reasons=1
D [28/Apr/2020:08:28:41 -0500] [Job 1] STATE: +cups-pki-expired
d [28/Apr/2020:08:28:41 -0500] cupsdSetPrinterReasons(p=0x55b3a136ac00(Dell_Color_MFP_E525w_02_99_1B_),s=“+cups-pki-expired”

One recommendation was to change client.conf setting AllowExpiredCerts from the default, which is No, to Yes. But there is no client.conf file. I’ve run out of ideas for now.

Looks like you’ve found the upstream bug which has been raging for four years and affects more than just Lubuntu. I fear we’re not going to do any better with figuring out the solution, especially since we’re not CUPS developers!

Yes, I found that bug and added some heat. However, seems those are red herrings. The printing problem I’m seeing is not an AppArmor problem. Unless AppArmor can somehow still block printing despite supposedly being disabled?

So what’s going on here? DRM for printers? Maybe new printers now come with some sort of UEFI for printers, and CUPS has to negotiate that? I really don’t want CUPS to do this perfectly useless extra security step of checking whether some cert is expired. Is there a compile time option to leave that out of CUPS?

I have no problem printing from Lubuntu 18.04 to that printer.

I would start with investigating if other flavours of 20.04 have problems. If not, then somehow it’s a Lubuntu issue. If so, then it might not be AppArmor, but it’s something core to all flavours. I would be more inclined to suspect the latter since we share a similar core.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.