Forum Discussion
F5 OAUTH JWT error "failed trust verification with trusted CA bundle"
Hi Nikolay,
I have no experience with OAuth, but I found the following log message reference:
01071ca5 : The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).
Location:
/var/log/ltm
Conditions:
This is a common error for OAuth profile or OAuth provider page.
The JWK config, associated with a OAuth profile or provider, contains a certificate, certificate-chain, and trusted-ca bundle assigned to the OAuth profile or provider that failed a trust verification check. A trust verification check means that the certificate issuer is included within certificate-chain and that the issuer for certificate-chain is included in the trusted-ca bundle.
Impact:
Configuration changes leading to this error will remain ineffective.
Recommended Action:
* If a JWK config contains only a certificate, make sure to include the certificate issuer in the trusted-ca bundle.
* If a JWK config includes a certificate-chain, make sure that the certificate issuer is included in the certificate-chain. If there are multiple certificates in the certificate-chain, the issuer for all of the certificates must exist within the certificate-chain, except the last certificate. A certificate issuer for the last certificate-chain must be part of trusted-ca bundle.
- Nikoolayy1Nov 09, 2022MVP
Hello Enes_Afsin_Al ,
Thanks fo the reply as forgot to mention reference this article/bug that you shared is the first thing I checked and this why I am thinking to be a bug as I have generated my own CA cert on the F5 signed the keys with it and I get the error and in pictures I shared, it is seen that the same SSL cert is configured under the Oauth profile or the key config.
As a note I used https://jwt.io/ and article https://support.f5.com/csp/article/K07645403 to see the JWT and it has my user claim, so JWT is something that is much better than opaque tokens and I am thinking getting to the bottom of this may help other people as well. For now Octed JWT with shared secret is the workaround but for me it is less secure than JWT signed with SSL certs even the Octed JWT is rotated every month for example.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com