Forum Discussion
pool member sending Alert (Level: Fatal, Description: Unknown Certificate [46]) for a new SSL Cert of a VS
The configuration of Client SSL profiles looks good.
Can you provide the result of these commands please?
openssl s_client -connect <virtual_server>:<port>
openssl s_client -connect <backend>:<port>
- masajjad, Jul 23, 2020
Cirrus
Excuse my delay. Pardon me... instead of replying back I was writing an answer. Organized mess :)
@syslog:~$ openssl s_client -connect 10.5.29.11:443
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = X Y Z, XX = *.abc.com
verify return:1
---
Certificate chain
0 s:/C=xxxxx/CN=*.abc.com
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
---
Server certificate
Server public key is 4096 bit
Verify return code: 0 (ok)
syslog:~$ openssl s_client -connect 10.5.15.120:443
CONNECTED(00000003)
depth=0 C = XX, ST = XX, L = XX, O = xxxxxxx, OU = IT, CN = *.abc.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = XX, ST = XX, L =XX, O = xxxxxxxx, OU = IT, CN = *.abc.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=xx/ST=xx/L=xx/O=xxxxxxxx/OU=IT/CN=*.abc.com
i:/DC=com/DC=domain/CN=COLOCAL-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
subject=/C=XXXXXXXX/OU=IT/CN=*.abc.com
issuer=/DC=com/DC=domain/CN=COLOCAL-CA
---
No client certificate CA names sent
Server public key is 4096 bit
Verify return code: 21 (unable to verify the first certificate)
---
closed
I am taking it that the client making the SSL connection request does not have the Local CA cert installed.
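The difference between the two transcripts above is the whole story: the virtual server presents a three-certificate chain up to a public root, while the backend presents only its leaf, issued by a private CA the test client does not trust. The following parser is an added example (not from this thread or from F5) that reads `openssl s_client` text output and summarises the chain depth, the verify error numbers and the leaf's issuer; the two sample transcripts are constructed, abridged to the shape of the output quoted above.

```python
import re

# Constructed samples, abridged to the shape of the s_client output quoted in
# this thread (the "OK" virtual server and the backend signed by a private CA).
OK_OUTPUT = """\
depth=0 CN = *.abc.com
verify return:1
Certificate chain
 0 s:/CN=*.abc.com
   i:/CN=Entrust Certification Authority - L1K
 1 s:/CN=Entrust Certification Authority - L1K
   i:/CN=Entrust Root Certification Authority - G2
 2 s:/CN=Entrust Root Certification Authority - G2
   i:/CN=Entrust Root Certification Authority - G2
Verify return code: 0 (ok)
"""
BACKEND_OUTPUT = """\
depth=0 OU = IT, CN = *.abc.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = IT, CN = *.abc.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/OU=IT/CN=*.abc.com
   i:/DC=com/DC=domain/CN=COLOCAL-CA
Verify return code: 21 (unable to verify the first certificate)
"""

def analyse_s_client(output: str) -> dict:
    """Summarise what openssl s_client reported about the server's chain."""
    errors = [int(n) for n in re.findall(r"verify error:num=(\d+):", output)]
    subjects = re.findall(r"^\s*\d+ s:(.*)$", output, re.M)   # one per chain entry
    issuers = re.findall(r"^\s*i:(.*)$", output, re.M)         # issuer of each entry
    m = re.search(r"Verify return code: (\d+)", output)
    code = int(m.group(1)) if m else None
    leaf_issuer = issuers[0] if issuers else None
    if code == 0:
        diagnosis = "chain verified against the local trust store"
    elif code == 21 and len(subjects) == 1:
        # Only the leaf was sent, so the client has no path to a trusted root.
        diagnosis = (f"server sent only the leaf; its issuer {leaf_issuer} is not "
                     "in the client's trust store and no intermediate was sent")
    elif code in (20, 21):
        diagnosis = "chain sent but its issuer is unknown to the client's trust store"
    else:
        diagnosis = f"verification failed with code {code}"
    return {"verify_code": code, "chain_depth": len(subjects),
            "leaf_issuer": leaf_issuer, "errors": errors, "diagnosis": diagnosis}
```

Run it against a real capture by passing the saved s_client output to `analyse_s_client`; a `verify_code` of 21 with `chain_depth` 1 is the "leaf only, private issuer" case seen on the backend here.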
- Lidev, Jul 23, 2020
Nacreous
If the test was performed from the BIG-IP, you have found the root cause of your issue ;-)
Double check the CA assigned on your SSL Client and Server profiles (you may have forgotten to include the intermediate chain).
If you perform two-way TLS, also check Trusted Certificate Authorities.
- masajjad, Jul 23, 2020
Cirrus
Hi Lidev,
Appreciate your continued feedback.
- Cert of "Local CA" that signed the cert for back-end was imported to F5 (from System > File Management > SSL Certificate List).
- From tcpdump we see the back-end send that newly generated cert signed by the Local CA and F5 does the client exchange. This suggests F5 knows about the Local CA that signed the cert for the back-end.
- The issue arises when F5 sends the (public CA signed) cert to the back-end. We send the public CA chain bundle for both and the new cert from the SSL profile.
Am I missing something from your reply?
Thanks again.
- Lidev, Jul 24, 2020
Nacreous
Hello,
It looks like an SSL configuration problem on the backend server side; enable SSL debug logging on your F5 BIG-IP:
modify /sys db log.ssl.level value Debug
Don't forget to disable SSL debug logging afterwards by typing the following command: modify /sys db log.ssl.level value Warning
Also start an SSL dump to monitor all SSL traffic (https://support.f5.com/csp/article/K10209).
With all this, you will have more information about SSL traffic and you may have more insight into the problem you are facing.