Forum Discussion
New SSL Certificate update breaks F5 On-Demand
Greetings,
Our SSL certificate for our virtual server entry expired yesterday, so I replaced it as normal process. However, On-Demand VPN users using the IOS application can no longer login via certificate auth. According to F5 device, the On-Demand certificate doesn't expire till 2017.
However since switching to the new web cert the IOS client now throws “Server rejected the supplied client certificate or one was not sent”. The caveat to this is that we are using MobileIron to manage the certificates and policies on the iDevices.
If I am to switch back to the expired SSL certificate it all works flawlessly. I am failing to understand how switching the virtual/web SSL certificate breaks the On-Demand feature.
However, enabling SSL Debug, the only error that crops up is:
Peer cert verify error: unable to get local issuer certificate (depth 0; cert /CN=F5SSLONDEMAND2-clientname/OU=appSetting:a9146cd7-011a-441e-xxxx-xxxxxx) Connection error: ssl_shim_vfycerterr:4249: unable to get local issuer certificate (48)
However I am failing to find any information on this. I've tried creating a new policy within MobileIron and uploaded the new root CA certificate that it creates. However I still have the same error.
While I understand MobileIron is a completely different system and likely out of F5's scope. It is F5 producing the error and my google-fu fails to find anything positive to rectify this error.
Any assistance would seriously be appreciated.
Cheers, David
- Kevin_StewartEmployee
Okay, let's start with a quick rundown of the SSL handshake process (I'm simplifying it of course):
-
ClientHello - client initiates the SSL handshake and sends a list of capabilities (supported protocols, ciphers, extensions)
-
ServerHello - server responds to ClientHello with a chosen protocol and cipher, and reciprocates any extensions as required
-
Certificate - server immediately sends its certificate to the client, which the client must be able to the validate. For browsers, it usually means a pop-up nag screen that you can click past, but for some other user agents it may just fail right there if the trust can't be established. The trust is established by virtue of the client's ability to build an unbroken "chain" from the server's cert, up through its issuing authority, and up to the self-signed root CA.
-
Certificate Request - if mutual authentication is required the server sends this message and an optional list of "root hints". These root hints are the named and identifiers of the issuing CAs that the server will accepts client certificates from. In the BIG-IP client SSL profile this is handled by the Advertised Certificate Authorities selection. In the browser's context, if the root hints don't include an issuing CA that issued (any of) the client's certificate(s), then the browser either won't send a cert or won't prompt the user to select a cert if there's more than one.
-
ServerHelloDone - server tells client it's done
-
Certificate - this is the client sending the server its certificate, for which the server must be able to validate. In the BIG-IP client SSL profile this is handled by the Trusted Certificate Authorities selection and is a single CA or bundle of CAs that are needed to explicitly build an unbroken chain from the client's cert, up through its issuing authority, and up to the self-signed root CA. Unlike a browser, there's no nag screen. If the BIG-IP cannot build this trust chain, the certificate validation will fail.
-
...the rest of the handshake... - not important to discuss here since it doesn't seem the problem you're seeing is getting past the above messages.
So the “Server rejected the supplied client certificate or one was not sent” message would seem to imply that the client either isn't sending a certificate (because of the advertised certificate authorities list), or the BIG-IP can't validate the client's certificate (because of the trusted certificate authorities list). The best way to validate when this is happening is with an SSLDUMP capture:
ssldump -AdNn -i 0.0 port 443 and host [IP of VIP] [and other optional filters]
In this capture you'll essentially see the above messages in roughly the same order. If it fails after the client's Certificate message, then you have reason to suspect a server side trust chain issue. If the client never sends a Certificate message, then you have reason to suspect a root hints issue. And if you do this capture in WireShark, or tcpdump and import into WireShark:
tcpdump -lnni 0.0 -Xs0 -w capture_file.pcap port 443 and host [IP of VIP]
you'll be able to see exactly what root hints the server (BIG-IP) is sending, and exactly what certificate the client is sending.
Give that a go and tell us what you find.
-
- Brad_ParkerCirrus
When you say you replaced the certificate through the "normal process" what was that process? Did you just replace the server certificate, key and chain in your SSL profile or did you replace the SSL profile? It sounds like the client certificate authentication is what is failing which means your client certificate auth settings changed or need to change.
- D-avid_226238NimbostratusHi Brad, missed your comment, but I now have it resolved. However the "normal process" was Uploaded new SSL cert > New Client SSL Profile, filled in the details and then assigned this to the Virtual server profile.
- Brad_ParkerCirrusI assuming the advertised certificate authorities was what was missed in this new profile as you found above. Glad you got a resolution.
- Brad_Parker_139Nacreous
When you say you replaced the certificate through the "normal process" what was that process? Did you just replace the server certificate, key and chain in your SSL profile or did you replace the SSL profile? It sounds like the client certificate authentication is what is failing which means your client certificate auth settings changed or need to change.
- D-avid_226238NimbostratusHi Brad, missed your comment, but I now have it resolved. However the "normal process" was Uploaded new SSL cert > New Client SSL Profile, filled in the details and then assigned this to the Virtual server profile.
- Brad_Parker_139NacreousI assuming the advertised certificate authorities was what was missed in this new profile as you found above. Glad you got a resolution.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com