Forum Discussion
pool member sending Alert (Level: Fatal, Description: Unknown Certificate [46]) for a new SSL Cert of a VS
Thanks for your time and effort in helping me out. The current wildcard is expiring this Sunday, so it's a bit of a crisis.
Disabling Generic Alert in the client SSL profile did not add much detail. In both cases I see only a handshake error message between the pool member and the VS, nothing much besides this error.
I had tail -f /var/log/ltm running:
Jul 23 06:32:49 Ottciof5101 warning tmm1[21959]: 01260013:4: SSL Handshake failed for TCP 10.5.15.120:62226 -> 10.5.29.11:443
Jul 23 06:38:11 Ottciof5101 warning tmm1[21959]: 01260013:4: SSL Handshake failed for TCP 10.5.15.120:62242 -> 10.5.29.11:443
This being a wildcard cert, it was used on multiple client SSL profiles. I created a custom parent SSL profile and pointed the new cert there, and all old SSL profiles were extended from that custom parent instead of the factory default:
(/Common)(tmos)
ltm profile client-ssl clientssl_Wildcard_COMPANY {
app-service none
cert-key-chain {
Wildcard_COMPANY_2020_Entrust_Chain_Bundle_Dec_2030_0 {
cert Wildcard_COMPANY_2020.com
chain Entrust_Chain_Bundle_Dec_2030
key Wildcard_COMPANY_2020.com
}
}
defaults-from clientssl
inherit-ca-certkeychain true
inherit-certkeychain false
}
(cfg-sync In Sync)(Active)(/HR)(tmos)#
ltm profile client-ssl HR-Accero-SNI_cfmws.com-SHA2 {
app-service none
cert-key-chain {
Wildcard_COMPANY_2020_Entrust_Chain_Bundle_Dec_2030_0 {
cert /Common/Wildcard_COMPANY_2020.com
chain /Common/Entrust_Chain_Bundle_Dec_2030
key /Common/Wildcard_COMPANY_2020.com
}
}
defaults-from /Common/clientssl_Wildcard_COMPANY
generic-alert disabled
inherit-ca-certkeychain true
inherit-certkeychain true
server-name *.abc.com
sni-default true
}
ltm profile client-ssl HR-Accero-SNI_cfpsa.com_SHA2 {
app-service none
cert-key-chain {
Wildcard_COMPANY_2020_Entrust_Chain_Bundle_Dec_2030_0 {
cert /Common/Wildcard_COMPANY_2020.com
chain /Common/Entrust_Chain_Bundle_Dec_2030
key /Common/Wildcard_COMPANY_2020.com
}
}
defaults-from /Common/clientssl_Wildcard_COMPANY
generic-alert disabled
inherit-ca-certkeychain true
inherit-certkeychain true
server-name *.xyz.com
}
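As an added check (not part of the original post or of F5's own tooling), the script below reads a tmsh `list` dump and resolves which cert-key-chain each client SSL profile actually presents by following `defaults-from` while `inherit-certkeychain` is true, so you can confirm every SNI child really picks up the new wildcard rather than something left over from a parent. The sample input is a constructed transcription of the profiles shown above; matching parents by object name regardless of partition prefix, and treating a missing `inherit-certkeychain` as "not inheriting", are assumptions.

```python
# Constructed sample transcribed from the tmsh output in the post: the custom parent
# profile and one SNI child, with paths exactly as tmsh printed them per partition.
TMSH_DUMP = """ltm profile client-ssl clientssl_Wildcard_COMPANY {
    cert-key-chain {
        Wildcard_COMPANY_2020_Entrust_Chain_Bundle_Dec_2030_0 {
            cert Wildcard_COMPANY_2020.com
            chain Entrust_Chain_Bundle_Dec_2030
            key Wildcard_COMPANY_2020.com
        }
    }
    defaults-from clientssl
    inherit-certkeychain false
}
ltm profile client-ssl HR-Accero-SNI_cfmws.com-SHA2 {
    cert-key-chain {
        Wildcard_COMPANY_2020_Entrust_Chain_Bundle_Dec_2030_0 {
            cert /Common/Wildcard_COMPANY_2020.com
            chain /Common/Entrust_Chain_Bundle_Dec_2030
            key /Common/Wildcard_COMPANY_2020.com
        }
    }
    defaults-from /Common/clientssl_Wildcard_COMPANY
    inherit-certkeychain true
    server-name *.abc.com
}"""

def parse_tmsh(text: str) -> dict:
    """Parse tmsh brace output into nested dicts ('key value' lines, 'name { ... }' blocks)."""
    stack = [{}]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("{"):
            stack[-1][line[:-1].strip()] = block = {}
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def effective_certkeychain(profiles: dict, name: str, seen=()) -> tuple:
    """Follow defaults-from while inherit-certkeychain is true; return (owning profile, cert-key-chain)."""
    base = name.rsplit("/", 1)[-1]  # assumption: compare by object name so /Common/x and x match
    prof = profiles.get(base)
    if prof is None or base in seen:  # parent not in the dump (e.g. factory clientssl), or a loop
        return base, None
    # Assumption: a profile that omits inherit-certkeychain is treated as not inheriting.
    if prof.get("inherit-certkeychain") == "true" and "defaults-from" in prof:
        return effective_certkeychain(profiles, prof["defaults-from"], seen + (base,))
    return base, prof.get("cert-key-chain", {})

PROFILES = {k.split()[-1]: v for k, v in parse_tmsh(TMSH_DUMP).items() if k.startswith("ltm profile client-ssl ")}
```

Running it over a full `tmsh list ltm profile client-ssl` dump and printing the owner for each profile shows at a glance which profiles still resolve to a parent that is not in the dump (the factory default) instead of the new wildcard bundle.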