F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Nov 09, 2022

F5 OAUTH JWT error "failed trust verification with trusted CA bundle"

Hello to All,   I tried using F5 as an OAUTH server that generates JWT tokens on 16.1.3.2 but I get the error "01071ca5:3: The JWK config (/Common/F5-CA) associated to OAuth profile (/Common/F5-O...
application delivery
jwt
oauth
security
Enes_Afsin_Al's avatar
Enes_Afsin_Al
Icon for MVP rankMVP
Nov 09, 2022

Hi Nikolay,

I have no experience with OAuth, but I found the following log message reference:

01071ca5 : The JWK config (%s) associated to OAuth %s (%s) failed trust verification with trusted CA bundle (%s).

Location:
/var/log/ltm

Conditions:
This is a common error for OAuth profile or OAuth provider page.

The JWK config, associated with a OAuth profile or provider, contains a certificate, certificate-chain, and trusted-ca bundle assigned to the OAuth profile or provider that failed a trust verification check. A trust verification check means that the certificate issuer is included within certificate-chain and that the issuer for certificate-chain is included in the trusted-ca bundle.

Impact:
Configuration changes leading to this error will remain ineffective.

Recommended Action:
* If a JWK config contains only a certificate, make sure to include the certificate issuer in the trusted-ca bundle.
* If a JWK config includes a certificate-chain, make sure that the certificate issuer is included in the certificate-chain. If there are multiple certificates in the certificate-chain, the issuer for all of the certificates must exist within the certificate-chain, except the last certificate. A certificate issuer for the last certificate-chain must be part of trusted-ca bundle.

Ref: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html#A01071ca5

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Nov 09, 2022

Hello Enes_Afsin_Al  ,

 

 

Thanks fo the reply as forgot to mention reference this article/bug that you shared is the first thing I checked and this why I am thinking to be a bug as I have generated my own CA cert on the F5 signed the keys with it and I get the error and in pictures I shared, it is seen that the same SSL cert is configured under the Oauth profile or the key config.

 

As a note I used https://jwt.io/ and article https://support.f5.com/csp/article/K07645403 to see the JWT and it has my user claim, so JWT is something that is much better than opaque tokens and I am thinking getting to the bottom of this may help other people as well. For now Octed JWT with shared secret is the workaround but for me it is less secure than JWT signed with SSL certs even the Octed JWT is rotated every month for example.