Forum Discussion

RemcoAA
Jun 27, 2024

gtm_add failing due to CERT error

I am trying to cluster two GTM devices using the gtm_add command, but this is failing with this error:

ERROR: found "END CERT..." without BEGIN at line: 0.
ERROR: Malformed certificates found in local /config/httpd/conf/ssl.crt/server.crt.

But when I check the mentioned file it looks like a valid certificate:

more /config/httpd/conf/ssl.crt/server.crt
-----BEGIN CERTIFICATE-----
MIIHFjCCBP6gAwIBAgIDbUVxMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAoTA0lORzERMA8GA1UE
CxMIU2VydmljZXMxIDAeBgNVBAsTF0NlcnRpZmljYXRlIEF1dGhvcml0aWVzMScwJQYDVQQDEx5J
TkcgQ29ycG9yYXRlIEludGVybmFsIENBIC0gRzMwHhcNMjQwNjI0MTQyMzAyWhcNMjUwNzI0MTMw
...
E1Zg8g9QlL+jksX7ew0tIuZPNGPbhPE3StATtD7b4oi1TYjVfIwn79DluSwkIp5hwVDrAcW/B5T6
zK+sJJlib4ZeCnV19cCkwBnYyRz0p46VrwXw7i3bYeC8Cq4Of++LaYaXDuhOVq/V61phJRoGTlRU
vOII3wHBmXiXQv7MIScQQbmKaBRC2lxu0gAJV9a8vzpXfN6T+n7PxNBH4AuNdR5KeeG7
-----END CERTIFICATE-----

Also via the browser the correct certificate is shown.

Any suggestions on what the problem could be?
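The error above complains about marker pairing, so the defects worth hunting are the ones `more` and a browser never show: CR line endings, a byte-order mark, or a missing final newline in front of or after the END line. The following check is an added example for this thread, not part of the post or of F5's gtm_add script, and assumes only that gtm_add's parser pairs BEGIN/END markers the way its message suggests; the path is the one quoted in the question.

```shell
# Structural check of a PEM file: pairs BEGIN/END markers the way the gtm_add
# error message implies, and flags hidden defects (CR line endings, UTF-8 BOM,
# missing final newline) that `more` and a browser would not reveal.
# Usage: check_pem_file FILE   -> exit 0 when clean, 1 with findings on stdout
check_pem_file() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "ERROR: $f is not a regular file"; return 1; }
    # A CR before the newline makes "-----END CERTIFICATE-----\r" a different line.
    if ! tr -d '\r' < "$f" | cmp -s - "$f"; then
        echo "ERROR: CR (DOS) line endings found; strip them with tr -d '\\r'"; rc=1
    fi
    # A byte-order mark hides in front of the first BEGIN marker.
    if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "ERROR: UTF-8 byte-order mark at start of file"; rc=1
    fi
    # $(...) strips a trailing newline, so a non-empty result means none was there.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "ERROR: no newline after the final END line"; rc=1
    fi
    # Pair every END marker with the BEGIN of the same type that precedes it.
    awk '
    function kind(s) { sub(/^-----(BEGIN|END) /, "", s); sub(/-+$/, "", s); return s }
    BEGIN { bad = 0; open = "" }
    /^-----BEGIN / {
        if (open != "") { printf "ERROR: BEGIN %s at line %d while %s still open\n", kind($0), NR, open; bad = 1 }
        open = kind($0); next
    }
    /^-----END / {
        k = kind($0)
        if (open == "") { printf "ERROR: found \"END %s\" without BEGIN at line %d\n", k, NR; bad = 1 }
        else if (k != open) { printf "ERROR: END %s at line %d does not close BEGIN %s\n", k, NR, open; bad = 1 }
        open = ""; next
    }
    END { if (open != "") { printf "ERROR: BEGIN %s never closed\n", open; bad = 1 }; exit bad }
    ' "$f" || rc=1
    return $rc
}

# Run against the file named in the error (path taken from the thread):
# check_pem_file /config/httpd/conf/ssl.crt/server.crt && echo "PEM structure OK"
```

A clean result here together with a clean `openssl x509 -in ... -noout -text` narrows the problem to something other than the file's contents.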

5 Replies

  • Hi,

    TCP port 22 is open and we are using certificates signed by our Internal CA and these are working fine via the browser.

    I also got the feeling this error happens before even an attempt is made to connect to the other device.

    I am running v17.1.1.3

      zamroni777

      please try "openssl x509 -in /config/httpd/conf/ssl.crt/server.crt -text -noout" to verify the cert.

      also see the "Signature Algorithm" in the output.
      it should not be sha1.

        RemcoAA

        the openssl command gives:

        Signature Algorithm: sha256WithRSAEncryption

  • https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-dns-implementations/adding-a-new-big-ip-dns-to-a-big-ip-dns-synchronization-group.html#GUID-BEB250C1-7019-4CF5-BD4A-E44A17D5B42D

    Running the gtm_add script

    Before you start this task, you must determine the self IP address of a DNS system in the BIG-IP DNS synchronization group to which you want to add another BIG-IP DNS.

    You run the gtm_add script on the BIG-IP DNS system you are adding to your network to acquire the configuration settings from a BIG-IP DNS system that is already installed on your network. For additional information about running the script, see SOL13312 on AskF5.com (www.askf5.com).

    The BIG-IP DNS and other BIG-IP systems must have TCP port 22 open between the systems for the script to work. You must perform this task from the command-line interface.