Forum Discussion

Nfordhk_66801
Mar 25, 2015

Machine Cert Auth Error - unable to get local issuer certificate

Hi,

I've read through quite a few forum posts related to this error but couldn't find anything specific to my issue.

I have several machines I have been testing my APM policy with; however, one is now failing. We use machine certs via our internal PKI. I've tried deleting its machine cert and enrolling it again. I've tried deleting its root/stub and installing them again. The certificate store matches my other working hosts. I've tried rebooting the machine and even the F5.

Lastly, I've exported the failing machine root and sub and created its own SSL profile to compare against on the F5 with no luck.

It wasn't initially failing and I have not made any changes to the machine. The error I receive for session data is below:

    06507f43.session.check_machinecert.auth_ag.nonce 28 ZDJQVjBiV3BqY05oWVhqTTdIdU4=
    06507f43.session.check_machinecert.auth_ag.result 1 0
    06507f43.session.check_machinecert.auth_ag.signature_verified 1 1
    06507f43.session.check_machinecert.last.certificate_revoked 1 0
    06507f43.session.check_machinecert.last.certificate_verified 1 0
    06507f43.session.check_machinecert.last.error_message 103  X509_verify_cert failed: error : 20 at depth 0, error message:unable to get local issuer certificate

    06507f43.session.check_machinecert.last.result 1 0
    06507f43.session.check_machinecert.last.signature_verified 1 1
  • Hi Nick,

    Here are a few things to try.

    • Use the f5wininfo.exe tool (can download it from the BigIP) to remove all components (under "Tools") from the machine that doesn't work.
    • In the same tool (f5wininfo.exe) you can enable logging (under "Tools").
    • On the Windows client navigate to "%temp%" in Windows Explorer and search for files that start with "f5*". Delete all the files you find.
    • Launch IE as administrator.
    • Access the VS and approve installing the components and running the machine check service.
    • Check the logs in %temp%. The log you need to focus on is f5mcertcheck.txt.

    Verify that the certificate on the machine is the correct one for the CA profile you created and have configured in the VPE action.

    With only one machine failing it seems to be a client side issue. Hopefully the steps above will help you out. If not please let me know.

    Seth

  • Hey Seth,

    Always appreciate your help. Unfortunately the above steps did not resolve the issue. I do agree it is probably a client issue. I am just puzzled as these are my isolated machines and I know all changes I've ever made were made to the entire section. I was expecting to see failures in the logs, but it appears they all came back successful and positive.

    2015-03-25,15:49:15:795, 1308,4244,, 48,,,, current log level = 63
    2015-03-25,15:49:15:795, 1308,4244,, 48, , 39, ::DllMain, ActiveX control location: "C:\Windows\Downloaded Program Files\f5certchk.dll"
    2015-03-25,15:49:16:296, 1308,4244,, 48, , 73, CCertCheckCtrl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:0, RootCertInfo:IS_TRUSTED:0, Nonce: d0RTVXplUDA3cHlzQTZPaDFxRkY=
    2015-03-25,15:49:16:296, 1308,4244,, 48, , 96, CCertCheckCtrl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"0", Allow elevation UI:"1", Serial number(HEX):"", Issuer:"", SubjectAltName:""
    2015-03-25,15:49:16:297, 1308,4244,, 48, \certinfo.cpp, 1152, CCertInfo::MatchCertificate, fqdn:
    2015-03-25,15:49:16:297, 1308,4244,, 48, \certinfo.cpp, 1302, CCertInfo::FindCertificateInStoreExt: , Total certs tested: 1
    2015-03-25,15:49:16:297, 1308,4244,, 48, \certinfo.cpp, 1306, CCertInfo::FindCertificateInStoreExt: ,   found matched certificate.
    
    2015-03-25,15:49:16:297, 1308,4244,, 48, \m_uac_helpers.cpp, 77, uGetProcessIntegrityLevel(), Running on high integrity level
    
    2015-03-25,15:49:16:300, 1308,4244,, 48,,,, CCertInfo::IsPrivateKeyPresent: CryptAcquireCertificatePrivateKey succeeded: found private key.
    2015-03-25,15:49:16:300, 1308,4244,, 48, , 343, CCertCheckCtrl::CheckPrivateKey, The machine certificate has private key on this machine
    2015-03-25,15:49:16:302, 1308,4244,, 48,,,, CCertInfo::SignHash: CryptAcquireCertificatePrivateKey succeeded: found private key.
    2015-03-25,15:49:16:305, 1308,4244,, 48, , 369, CCertCheckCtrl::CheckPrivateKey, Signing message succeeded
    2015-03-25,15:49:16:305, 1308,4244,, 48, , 266, CCertCheckCtrl::Verify, Succesfully found the certificate and verified the private key
    
  • Do you by chance have multiple certificates? From the logs and data you have provided it appears it is finding a certificate but when that certificate was sent back to the APM the APM couldn't verify it against the CA certificate.

    If you add the check for issuer or something other than just the defaults does it find the correct cert?

    Seth

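The session variable in the original question (`X509_verify_cert failed: error : 20 at depth 0 ... unable to get local issuer certificate`) and Seth's question about multiple certificates describe the same situation: the client found a certificate with a usable private key, but the certificate the client signed the nonce with was not issued by a CA present in the bundle the APM verifies against. The script below is an added example, not code from the thread or from F5. It builds a throwaway PKI with openssl (a root, a sub CA, a machine cert issued by the sub, and a second machine cert from an unrelated "Old Machine CA", all names and hostnames being assumptions) and reproduces the exact OpenSSL error number and depth, shows that adding the sub CA to the bundle clears it, mirrors the client-side private key check from the f5mcertcheck log, and shows what selecting the certificate by issuer does when more than one certificate is present.

```shell
#!/bin/sh
# Added example (not from the thread or F5): reproduce "error 20 at depth 0,
# unable to get local issuer certificate" with a throwaway openssl PKI.
# All CA names, hostnames and file names below are constructed test data.
set -eu

WORK="${WORK:-$(mktemp -d)}"    # scratch directory for the test PKI
mkdir -p "$WORK"

# selfsigned_ca NAME CN : self-signed CA key + cert (root or stand-alone CA)
selfsigned_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# sign NAME CN ISSUER BASICCONSTRAINTS : key + CSR for NAME, signed by ISSUER
sign() {
    printf 'basicConstraints=%s\n' "$4" > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -extfile "$WORK/$1.ext" \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# verify_status BUNDLE CERT : "OK", or "error N depth D" with the same
# numbers X509_verify_cert reports (the ones APM copies into error_message)
verify_status() {
    out=$(openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1 || true)
    err=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth.*/error \1 depth \2/p' |
        head -n 1)
    echo "${err:-OK}"
}

# key_matches CERT : "yes" if CERT.key is the private key for CERT.pem
# (the client-side CheckPrivateKey step seen in the f5mcertcheck log)
key_matches() {
    a=$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey)
    b=$(openssl pkey -in "$WORK/$1.key" -pubout)
    [ "$a" = "$b" ] && echo yes || echo no
}

# issuer_cn CERT : issuer CN of a cert, the field an issuer check matches on
issuer_cn() {
    openssl x509 -in "$WORK/$1.pem" -noout -issuer -nameopt RFC2253 |
        sed 's/.*CN=//'
}

# pick_by_issuer ISSUER_CN CERT... : first cert whose issuer CN matches, or
# "none"; with several machine certs in the store this is what selects the
# one the APM CA profile can actually verify
pick_by_issuer() {
    want=$1; shift
    for c in "$@"; do
        [ "$(issuer_cn "$c")" = "$want" ] && { echo "$c"; return 0; }
    done
    echo none
}

# build_pki : root -> sub -> host1 (the intended chain), plus a stale cert
# for the same host from an unrelated CA, plus the root+sub bundle
build_pki() {
    selfsigned_ca root "Corp Root CA"
    sign sub "Corp Sub CA" root "critical,CA:TRUE"
    sign host1 "host1.corp.test" sub "CA:FALSE"
    selfsigned_ca oldca "Old Machine CA"
    sign host1-old "host1.corp.test" oldca "CA:FALSE"
    cat "$WORK/root.pem" "$WORK/sub.pem" > "$WORK/bundle.pem"
}

main() {
    build_pki
    echo "host1 against root only      : $(verify_status root host1)"
    echo "host1 against root+sub bundle: $(verify_status bundle host1)"
    echo "stale cert against root+sub  : $(verify_status bundle host1-old)"
    echo "host1 private key present    : $(key_matches host1)"
    echo "cert issued by Corp Sub CA   : $(pick_by_issuer 'Corp Sub CA' host1-old host1)"
}

main "$@"
```

Running it prints `error 20 depth 0` for the first and third checks and `OK` for the second: depth 0 means the certificate the client presented is the one whose issuer could not be found, so the fix is on whichever side supplies that issuer (the sub CA missing from the bundle, or a certificate from a different CA being picked on the client), not on the private key, which the client had already verified.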
  • Great! The logs can be a little bit tricky to read and we have RFE IDs created to clarify the logging on both the client and server side regarding machine certificates. The logging should get better in the next few releases.

    Glad you got it working.

    Seth