
Forum Discussion

RemcoAA
Jun 27, 2024

gtm_add failing due to CERT error

I am trying to cluster two GTM devices using the gtm_add command, but this is failing with this error:

ERROR: found "END CERT..." without BEGIN at line: 0.
ERROR: Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt.

But when I check the mentioned file it looks like a valid certificate:


more /config/httpd/conf/ssl.crt/server.crt
-----BEGIN CERTIFICATE-----
MIIHFjCCBP6gAwIBAgIDbUVxMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAoTA0lORzERMA8GA1UE
CxMIU2VydmljZXMxIDAeBgNVBAsTF0NlcnRpZmljYXRlIEF1dGhvcml0aWVzMScwJQYDVQQDEx5J
TkcgQ29ycG9yYXRlIEludGVybmFsIENBIC0gRzMwHhcNMjQwNjI0MTQyMzAyWhcNMjUwNzI0MTMw
...
E1Zg8g9QlL+jksX7ew0tIuZPNGPbhPE3StATtD7b4oi1TYjVfIwn79DluSwkIp5hwVDrAcW/B5T6
zK+sJJlib4ZeCnV19cCkwBnYyRz0p46VrwXw7i3bYeC8Cq4Of++LaYaXDuhOVq/V61phJRoGTlRU
vOII3wHBmXiXQv7MIScQQbmKaBRC2lxu0gAJV9a8vzpXfN6T+n7PxNBH4AuNdR5KeeG7
-----END CERTIFICATE-----

Also via the browser the correct certificate is shown.


Any suggestions on what the problem could be?
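The error quoted in the post cites a line number, so a line-oriented check of the file is a natural complement to the openssl verification suggested in the replies. The script below is an added example, not F5 code and not the logic gtm_add actually uses; that gtm_add reads the file line by line is an assumption drawn from its message. It lints a PEM file for the things a pager such as `more` hides: CRLF line endings, a UTF-8 byte-order mark, non-breaking spaces, whitespace around the markers, a missing final newline, text outside any block, and BEGIN/END markers that do not pair up. The sample inputs are constructed; the DER payload is a bare SEQUENCE, not a real certificate. The default path is the file named in the post.

```python
#!/usr/bin/env python3
"""pem_lint.py: report PEM hygiene problems that a pager hides.

Added example for this thread, not F5's gtm_add code. It assumes only that
the checker reads the file line by line (its message cites a line number).
"""
import base64
import re
import sys
from typing import List, Tuple

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
B64_LINE = re.compile(rb"^[A-Za-z0-9+/]+=*$")


def scan_pem(data: bytes) -> Tuple[List[str], List[bytes]]:
    """Scan raw file bytes.

    Returns (findings, der_blobs): findings are human-readable problems with
    1-based line numbers; der_blobs are the decoded bodies of every block
    whose markers paired up and whose base64 decoded cleanly.
    """
    findings: List[str] = []
    blobs: List[bytes] = []

    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("line 1: UTF-8 byte-order mark precedes the BEGIN marker")
        data = data[3:]
    if b"\r\n" in data:
        findings.append("file uses CRLF (DOS) line endings")
    if data and not data.endswith(b"\n"):
        findings.append("file does not end with a newline")

    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # the trailing newline yields an empty last element

    in_block = False
    start = 0
    body: List[bytes] = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip(b"\r")
        if b"\xc2\xa0" in line:
            findings.append(f"line {n}: non-breaking space (U+00A0) present")
        stripped = line.strip()
        if stripped == BEGIN:
            if stripped != line:
                findings.append(f"line {n}: whitespace around BEGIN marker")
            if in_block:
                findings.append(f"line {n}: BEGIN marker while block from line {start} is still open")
            in_block, start, body = True, n, []
        elif stripped == END:
            if stripped != line:
                findings.append(f"line {n}: whitespace around END marker")
            if not in_block:
                findings.append(f"line {n}: END marker without a matching BEGIN")
                continue
            try:
                der = base64.b64decode(b"".join(body), validate=True)
            except ValueError:
                findings.append(f"block at line {start}: body is not valid base64")
            else:
                # Every X.509 certificate is a DER SEQUENCE (tag 0x30); this is a
                # structural sanity check only, not certificate validation.
                if der.startswith(b"\x30"):
                    blobs.append(der)
                else:
                    findings.append(f"block at line {start}: decoded data is not a DER SEQUENCE")
            in_block = False
        elif in_block:
            if B64_LINE.match(stripped):
                body.append(stripped)
            else:
                findings.append(f"line {n}: non-base64 content inside block from line {start}")
        elif stripped:
            findings.append(f"line {n}: text outside any certificate block")

    if in_block:
        findings.append(f"block at line {start}: BEGIN marker never closed by END")
    if not blobs and not findings:
        findings.append("no certificate block found")
    return findings, blobs


# Constructed samples: a minimal DER SEQUENCE stands in for a certificate body.
FAKE_DER = b"\x30\x03\x02\x01\x01"
FAKE_B64 = base64.b64encode(FAKE_DER)
GOOD_PEM = BEGIN + b"\n" + FAKE_B64 + b"\n" + END + b"\n"
CRLF_PEM = GOOD_PEM.replace(b"\n", b"\r\n")          # DOS line endings
HEADLESS_PEM = FAKE_B64 + b"\n" + END + b"\n"         # END without BEGIN
BOM_PEM = b"\xef\xbb\xbf" + GOOD_PEM                  # byte-order mark


def main(argv: List[str]) -> int:
    path = argv[1] if len(argv) > 1 else "/config/httpd/conf/ssl.crt/server.crt"
    with open(path, "rb") as fh:
        findings, blobs = scan_pem(fh.read())
    print(f"{path}: {len(blobs)} well-formed certificate block(s)")
    for finding in findings:
        print("  " + finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 pem_lint.py /config/httpd/conf/ssl.crt/server.crt`; a non-zero exit means at least one finding. The structural check deliberately stops at "is the body a DER SEQUENCE": `openssl x509 -text -noout`, as suggested in the replies, is the right tool for validating the certificate itself.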

5 Replies

  • Hi,

    TCP port 22 is open and we are using certificates signed by our Internal CA and these are working fine via the browser.

    I also got the feeling this error happens before even an attempt is made to connect to the other device.

    I am running v17.1.1.3

    • please try "openssl x509 -in /config/httpd/conf/ssl.crt/server.crt -text -noout" to verify the cert.

      also see the "Signature Algorithm" in the output.
      it should not be sha1.

      • RemcoAA

        the openssl command gives:


        Signature Algorithm: sha256WithRSAEncryption

  • https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-dns-implementations/adding-a-new-big-ip-dns-to-a-big-ip-dns-synchronization-group.html#GUID-BEB250C1-7019-4CF5-BD4A-E44A17D5B42D

    Running the gtm_add script

    Before you start this task, you must determine the self IP address of a DNS system in the BIG-IP DNS synchronization group to which you want to add another BIG-IP DNS.

    You run the gtm_add script on the BIG-IP DNS system you are adding to your network to acquire the configuration settings from a BIG-IP DNS system that is already installed on your network. For additional information about running the script, see SOL13312 on AskF5.com (www.askf5.com).

    The BIG-IP DNS and other BIG-IP systems must have TCP port 22 open between the systems for the script to work. You must perform this task from the command-line interface.