Forum Discussion

Nikoolayy1's avatar
Nov 09, 2022

F5 OAUTH JWT error "failed trust verification with trusted CA bundle"

Hello to All,

 

I tried using F5 as an OAUTH server that generates JWT tokens on 16.1.3.2 but I get the error "01071ca5:3: The JWK config (/Common/F5-CA) associated to OAuth profile (/Common/F5-Oauth-Server-JWT) failed trust verification with trusted CA bundle (/Common/clientCA-cert). " .

 

I generated my own CA cert following   "K14499: Using OpenSSL to create CA and client certificates (11.x - 16.x" https://support.f5.com/csp/article/K14499

 

Maybe I am doing something wrong or it is a bug but I am not certain as I do not have not worked with F5 as an Oauth JWT server.

 

I am checking just really fast with the community as this is not something critical but if someone has seen this I will be happy to get a feedback 🙂

 

 

 

With or without Certificate Chain it is the same error or X5C.

 

 

I am wondering as the certificate is 2048 bits RSA ifit should be 256 but I think this shouldn't matter.

 

 

As a workaround I am using Octed JWT Key with a long shared password generated by a password generator that works. Also I tested with opaque keys as shown in https://support.f5.com/csp/article/K14391041 and it works but with those keys I do not think there is a way the F5 Auth server to return some usefull info like AD groups/emails to to the Oauth Client that is another F5 device as with JWT this is done with Claims. I did not find if F5 as an Oauth Authorization server supports UserInfo Request URI where after the authorization code that the web browsers provide is exchanged for Opaque Access token to configure what info the F5  Oauth Server to provide to the F5 Oauth Client but maybe some knows this.

 

To bad that for OpenID Connect the JWT needs first to be enabled for the Oauth profile and thisagain means using Octed JWT Keys for either Access or ID tokens ğŸ˜ž

 

 

 

2 Replies

  • Hi Nikolay,

    I have no experience with OAuth, but I found the following log message reference:

    01071ca5 : The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).

    Location:
    /var/log/ltm

    Conditions:
    This is a common error for OAuth profile or OAuth provider page.

    The JWK config, associated with a OAuth profile or provider, contains a certificate, certificate-chain, and trusted-ca bundle assigned to the OAuth profile or provider that failed a trust verification check. A trust verification check means that the certificate issuer is included within certificate-chain and that the issuer for certificate-chain is included in the trusted-ca bundle.

    Impact:
    Configuration changes leading to this error will remain ineffective.

    Recommended Action:
    * If a JWK config contains only a certificate, make sure to include the certificate issuer in the trusted-ca bundle.
    * If a JWK config includes a certificate-chain, make sure that the certificate issuer is included in the certificate-chain. If there are multiple certificates in the certificate-chain, the issuer for all of the certificates must exist within the certificate-chain, except the last certificate. A certificate issuer for the last certificate-chain must be part of trusted-ca bundle.

    Ref: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01071ca5

    • Nikoolayy1's avatar
      Nikoolayy1
      Icon for MVP rankMVP

      Hello Enes_Afsin_Al  ,

       

       

      Thanks fo the reply as forgot to mention reference this article/bug that you shared is the first thing I checked and this why I am thinking to be a bug as I have generated my own CA cert on the F5 signed the keys with it and I get the error and in pictures I shared, it is seen that the same SSL cert is configured under the Oauth profile or the key config.

       

      As a note I used https://jwt.io/ and article https://support.f5.com/csp/article/K07645403 to see the JWT and it has my user claim, so JWT is something that is much better than opaque tokens and I am thinking getting to the bottom of this may help other people as well. For now Octed JWT with shared secret is the workaround but for me it is less secure than JWT signed with SSL certs even the Octed JWT is rotated every month for example.