iQuery/ Big-IP DNS server certificate trust problem

Question

Unable to establish iQuery between bigip devices. Connectivity is in place but failing with:
SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I take this to be a certificate chain failure. The device certificates have been added to both DNS &gt; GSLB &gt; Servers &gt; Trusted Server Certificates and System &gt; Cert Mgmt &gt; Device Cert Mgmt &gt; Device Trust Certs. 
Yet, still no joy, running openssl confirms trust issues. Device certs are issued by a 2 tier PKI (intermediary and root). Big IP is 13 HF 2.
Any suggestions? Is it common place to be using internal certs here?

lee_sutcliffe · Answer

It was a long time ago when I used intermediaries for setting up iQuery, however I did make some notes. 
How have you added the intermediate?
I used the following:
tmsh modify sys httpd ssl-certchainfile /config/httpd/conf/ssl.crt/your_ca_cert_chain.crt
(this instructs HTTPS to use the chain cert - so probably not what you need)
Then you need to add chain to two places, firstly the in GUI &gt; Trusted Device Certs
Secondly in Global Traffic/DNS Servers &gt; Trusted Server Certificates. 
Restart services: bigstart restart httpd gtmd big3d

Forum Discussion

iQuery/ Big-IP DNS server certificate trust problem

Recent Discussions

Client SSL Profile set to Require Client Certificate breaks RDP in APM

TS Declarations for DNS

APM file and registry key date check 8 days old

SSL bridging without SSL proxy forward

Should config via cli rather than gui?

Related Content

Re: Management Certificate

Certifications for security professionals

Certificate Expiry Email alert configuration

LTM Certificate expire

Source_Addr Persistence Problems

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS