F5 OAUTH JWT error "failed trust verification with trusted CA bundle"
Hi Nikolay,
I have no experience with OAuth, but I found the following log message reference:
01071ca5 : The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).
Location:
/var/log/ltm
Conditions:
This is a common error for OAuth profile or OAuth provider page.
The JWK config, associated with an OAuth profile or provider, contains a certificate, certificate-chain, and trusted-ca bundle assigned to the OAuth profile or provider that failed a trust verification check. A trust verification check means that the certificate issuer is included within the certificate-chain and that the issuer for the certificate-chain is included in the trusted-ca bundle.
Impact:
Configuration changes leading to this error will remain ineffective.
Recommended Action:
* If a JWK config contains only a certificate, make sure to include the certificate issuer in the trusted-ca bundle.
* If a JWK config includes a certificate-chain, make sure that the certificate issuer is included in the certificate-chain. If there are multiple certificates in the certificate-chain, the issuer for all of the certificates must exist within the certificate-chain, except the last certificate. A certificate issuer for the last certificate-chain must be part of trusted-ca bundle.
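The trust rule in the quoted reference, as an added example that is not part of either poster's reply: a small Python model (standard library only) of the issuer walk from the JWK certificate, through the certificate-chain, to the trusted-ca bundle. It compares subject and issuer names only; it does not check signatures, validity dates or key usage, and every certificate name below is constructed. A `False` result is the condition under which the 01071ca5 message would be logged.

```python
"""Name-based model of the JWK trust check described for log message 01071ca5.

Constructed example: only subject/issuer names are modelled, not signatures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str  # e.g. "CN=jwt-signer" (constructed)
    issuer: str   # subject name of the CA that signed this certificate


def _find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """Return the certificate in `pool` whose subject matches cert's issuer."""
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def verify_jwk_trust(cert: Cert, chain: List[Cert], trusted_ca: List[Cert]) -> Tuple[bool, str]:
    """Apply the rule from the reference text. Returns (ok, reason)."""
    # Case 1: no certificate-chain. The certificate's issuer must be in the bundle.
    if not chain:
        if _find_issuer(cert, trusted_ca) is None:
            return False, f"issuer '{cert.issuer}' of '{cert.subject}' not in trusted-ca bundle"
        return True, "certificate issuer found in trusted-ca bundle"

    # Case 2: certificate-chain present. The certificate's issuer must be in the chain.
    current = _find_issuer(cert, chain)
    if current is None:
        return False, f"issuer '{cert.issuer}' of '{cert.subject}' not in certificate-chain"

    # Walk up the chain until no chain certificate issues the current one.
    # A visited set stops the walk at a self-signed root placed in the chain.
    visited = {current.subject}
    while True:
        nxt = _find_issuer(current, chain)
        if nxt is None or nxt.subject in visited:
            break
        visited.add(nxt.subject)
        current = nxt
    last = current

    # The issuer of the last chain certificate must be in the trusted-ca bundle.
    if _find_issuer(last, trusted_ca) is None:
        return False, (f"issuer '{last.issuer}' of last chain certificate "
                       f"'{last.subject}' not in trusted-ca bundle")

    # Every other chain certificate must have its issuer inside the chain.
    for c in chain:
        if c != last and _find_issuer(c, chain) is None:
            return False, f"chain certificate '{c.subject}' has issuer '{c.issuer}' outside the chain"

    return True, f"chain anchored at '{last.issuer}' in trusted-ca bundle"


# Constructed PKI: root -> issuing CA -> JWT signing certificate.
ROOT = Cert("CN=lab-root-ca", "CN=lab-root-ca")
INTERMEDIATE = Cert("CN=lab-issuing-ca", "CN=lab-root-ca")
SIGNER = Cert("CN=jwt-signer", "CN=lab-issuing-ca")
OTHER_CA = Cert("CN=unrelated-ca", "CN=unrelated-ca")


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Typical JWK config combinations, including the ones that trigger the error."""
    return {
        # Signer issued directly by a CA that is in the bundle, no chain needed.
        "cert_only_issuer_trusted": verify_jwk_trust(Cert("CN=jwt-signer", "CN=lab-root-ca"), [], [ROOT]),
        # Intermediate supplied as the chain, root in the bundle.
        "chain_anchored": verify_jwk_trust(SIGNER, [INTERMEDIATE], [ROOT]),
        # Root included in the chain as well; it still has to be in the bundle.
        "chain_with_root_included": verify_jwk_trust(SIGNER, [INTERMEDIATE, ROOT], [ROOT]),
        # Bundle holds a CA that never issued anything in the chain.
        "wrong_bundle": verify_jwk_trust(SIGNER, [INTERMEDIATE], [OTHER_CA]),
        # Signer issued by the intermediate, but only the root was configured.
        "issuer_missing_from_chain": verify_jwk_trust(SIGNER, [], [ROOT]),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:28s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The two failing scenarios are the ones the recommended actions address: either the bundle does not contain the issuer of the last chain certificate, or the signing certificate's issuer was never supplied in the chain at all.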
Hello Enes_Afsin_Al,
Thanks for the reply. I forgot to mention that the article/bug reference you shared is the first thing I checked, and this is why I am thinking it is a bug: I have generated my own CA cert on the F5 and signed the keys with it, and I get the error; in the pictures I shared it can be seen that the same SSL cert is configured under the OAuth profile and the key config.
As a note, I used https://jwt.io/ and the article https://support.f5.com/csp/article/K07645403 to see the JWT, and it has my user claim, so JWT is something that is much better than opaque tokens, and I am thinking that getting to the bottom of this may help other people as well. For now the Octet JWT with a shared secret is the workaround, but for me it is less secure than a JWT signed with SSL certs, even if the Octet JWT is rotated every month, for example.