F5 GTM iquery woes

Are you attempting to setup a sync-only device group, or a GTM sync group?

http://support.f5.com/kb/en-us/solutions/public/13000/700/sol13734.html

GTM sync group. We are trying the wildcard certificate key / trusted device cert but its not happy. That's why I wasn't sure if I need to use the F5 self signed certs and import the opposing cert in the other GTM appliance.

iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed May 8 15:51:15 lhr4-lb-01 err gtmd[6453]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)

Any certificate should work so long as it isn't expired.

So did you copy the wildcard certificate to /config/httpd/conf/ssl.crt/server.crt and overwrite the self-signed, or how are you attempting to use the wildcard cert?

yeah that file on both servers is verified to be the same cert. it is looking at it in encoded form however without any chain or private key

And you've added the certificate to the trusted device certificate list in each of the appliances?

http://support.f5.com/kb/en-us/solutions/public/6000/300/sol6353.html

they keys match in /config/httpd/conf/ssl.key/server.key on both appliances so yes now i am a bit lost as to what the GTM daemon is trying to do every 10 minutes to log the SSL handshake error.

Was the sync group working with the default self-signed certificates prior to changing them?

Wondering if httpd or something else needs restarted...

no first time im trying to get the sync group working. following that article, tried self-signed and the wildcard cert that the appliance uses for XUI and also tried bigstart restart httpd with no joy..

And iqdump isn't going to be helpful since the certificates aren't validating.. Seems you've tried just about everything. Might be best to get a support case open.