ScreenOS : Failed to upgrade via WebUI and bogus image not authenticated on console

January 31, 2016

You may have recently tried to upgrade the ScreenOS version on your Juniper SSG using the WebUI, received the message “Failed to upgrade”, and seen this console output:

********Invalid image!!!
********Bogus image – not authenticated!!!

Fips check failed

(The output is the same if you try to upgrade manually from the console.)

This can indicate one of two things:

1. The image you’ve downloaded is corrupted (try to download again and repeat the upgrade procedure)
2. The Authentication Key Certificate (Signature Key) is outdated or not valid for the newer ScreenOS image you’ve tried to install. Get the new key certificate and learn more from Juniper’s KB
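To tell the two causes apart before touching the key, the downloaded image can be compared with the checksum shown on the vendor download page. This is an added example, not part of the original post; the function names are hypothetical and it assumes the download page lists an MD5 or SHA checksum for the image.

```python
import hashlib
import hmac

# Digest length in hex characters -> hashlib algorithm name.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large firmware image is not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_image(path, published_digest):
    """Return 'redownload' or 'check-image-key' for an image the device rejected.

    published_digest is the checksum copied from the vendor download page
    (assumption: the page lists one); the algorithm is inferred from its length.
    """
    expected = "".join(published_digest.split()).lower()
    algo = _ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published digest is not a hex MD5/SHA value")
    actual = file_digest(path, algo)
    if hmac.compare_digest(actual, expected):
        # The file matches what the vendor published: cause 1 is ruled out,
        # so look at the image signature key on the device (cause 2).
        return "check-image-key"
    return "redownload"


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed sample: a stand-in file, not a real ScreenOS image.
    data = b"constructed sample firmware bytes" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    good = hashlib.sha256(data).hexdigest()
    print(triage_image(tmp.name, good.upper()))  # check-image-key
    print(triage_image(tmp.name, "0" * 64))      # redownload
    os.unlink(tmp.name)
```

A matching checksum only shows the download is intact; authenticating the image is still the job of the signature key on the device.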

To update the authentication key, either use the WebUI:

Configuration > Update > ScreenOS/Keys > Image Signature Key Update

Or use the console, loading the key from a TFTP server:

save image-key tftp <ip_addr> imagekey.cer

Or use the console, loading the key from USB:

save config to usb <ip_addr> imagekey.cer

Test/verify the newly installed key/certificate:

exec pki test skey

Now you are ready to try updating the firmware again.

WARNING: You should update the software immediately. Do not reboot your device before doing the upgrade, otherwise the old software image won’t be able to authenticate and your device may not boot.

NOTE: Some procedures (non-Juniper, of course) suggest removing the signature key, which I do not recommend unless you are using a 3rd-party/custom image. This removes the image authentication safety feature, and you can brick your device!

The behaviour above has been experienced when upgrading from ScreenOS 6.3.0r12.0 and 6.3.0r21.