Forum Discussion

Gabor_Torok_937
Feb 21, 2006

Peer cert verification error

Hi,

Does anyone know where to look at to find out what is causing this error?

Feb 20 18:50:04 tmm tmm[856]: 01260014:4: Peer cert verify error: unable to get local issuer certificate (depth 0; cert xxx)

Note: I marked the certificate details with xxx on purpose, of course, but it seems to me that it points to a valid string (not an LDAP expert, though).

Note2: the reason why I wrote this question in this category (i.e. iRules > v9.x) is that the error might have something to do with our iRules script. At least it starts with:

set my_serial_number [X509::serial_number [SSL::cert 0]]

Thanks,

Tote
  • Colin_Walker_12
    Are you using this command in a client side, or server side context? This command is currently only available under a client side context, which could be why you're seeing this error.

    Could you please post your full iRule to let us take a look?

    Thanks,

    -Colin

  • Sure. Here is my iRule:

    # Runs on the client-side SSL profile once the handshake has completed
    when CLIENTSSL_HANDSHAKE {
        # Serial number of the certificate the client presented (depth 0)
        set my_serial_number [X509::serial_number [SSL::cert 0]]
        # RMS_blacklist is an external data group of revoked serial numbers
        if { [matchclass $my_serial_number eq $::RMS_blacklist] } {
            log local0. [concat "BLACKLISTED serial: " $my_serial_number]
            reject
        } else {
            log local0. [concat "DEBUG - serial: " $my_serial_number]
        }
    }

    And some additional info:

    - RMS_blacklist is an external data group containing integers. It's meant to contain certificate serial numbers.

    - This iRule is assigned to one of our virtual servers, which is enabled only on External traffic (if that counts).

    How do I know which side our script is running on? I automatically assumed that it would be running on client-side, but now I'm uncertain.

    Thanks for your help in advance,

    Tote
  • We just got finished banging our heads against the wall with a peer cert verify error that was breaking everything.

    I think our message was slightly different - to do with not finding the Root CA. We originally had the Root CA for a particular cert chain installed on the BIGIP, but then needed to remove it. It took all day to realize things were breaking because on our Server SSL profiles, we had the box selected for Verify Server Certificate...and since it could no longer work its way up the chain to the Root, the verification was failing and breaking everything.

    Hope this helps in some way.

    -Bill
  • I think it's a client-side thing. At least I've checked the configuration of the virtual server in question and found an SSL profile selected in SSL Profile (client) listbox. And the server-side listbox contains nothing (or None, indeed).

    I've also checked the SSL profile in question and everything seemed fine to my rookie eyes.

    Actually, I'm looking for the root of the problem by examining the Trusted CAs. I'm not sure, though, if this is the right thing to do and unfortunately I haven't yet found any problems. Btw, I found one thing: is it a problem if the certificate of my (trusted) CA doesn't have a serial number? Note that we're talking about a self-issued certificate.

    Thanks,

    Tote
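The log line in the question comes from the client SSL profile's own verification of the presented certificate, not from the serial-number lookup: OpenSSL error 20 ("unable to get local issuer certificate") at depth 0 means the issuer of the leaf certificate was not found in the profile's Trusted CAs bundle, which is the same chain-building failure Bill describes. The diagnostic iRule below is an added example written for this thread, not code posted by Tote or shipped by F5; it assumes the standard CLIENTSSL_CLIENTCERT event and the SSL::cert, SSL::verify_result, X509::subject and X509::issuer commands, and keeps the RMS_blacklist data group from the thread.

```tcl
# Added example: log the verification result and the issuer that could not
# be found before running the serial-number blacklist check.
when CLIENTSSL_CLIENTCERT {
    # Number of certificates the client presented; 0 means none was sent
    set cert_count [SSL::cert count]
    if { $cert_count == 0 } {
        log local0. "DEBUG - client sent no certificate"
        return
    }

    # Result of the profile's verification of the leaf (depth 0) certificate.
    # 0 is OK; anything else is an OpenSSL X509_V_ERR_* code, e.g.
    # 20 = unable to get local issuer certificate.
    set vres [SSL::verify_result]
    set subj [X509::subject [SSL::cert 0]]
    set issr [X509::issuer [SSL::cert 0]]

    if { $vres != 0 } {
        # The issuer logged here is the CA that must be present in the
        # client SSL profile's Trusted CAs bundle for verification to pass.
        log local0. "DEBUG - verify_result=$vres subject=\"$subj\" issuer=\"$issr\""
        return
    }

    # Only a certificate that chained to a trusted CA reaches this point
    set my_serial_number [X509::serial_number [SSL::cert 0]]
    if { [matchclass $my_serial_number equals $::RMS_blacklist] } {
        log local0. "BLACKLISTED serial: $my_serial_number subject=\"$subj\""
        reject
    } else {
        log local0. "DEBUG - serial: $my_serial_number verified OK"
    }
}
```

Comparing the logged issuer against the CA certificates in the Trusted CAs bundle shows directly which issuer is missing, which is the check Tote was trying to do by hand.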