Forum Discussion
pool member sending Alert (Level: Fatal, Description: Unknown Certificate [46]) for a new SSL Cert of a VS
The configuration of Client SSL profiles looks good.
Can you provide the result of these commands please?
openssl s_client -connect <virtual_server>:<port>
openssl s_client -connect <backend>:<port>
Excuse my delay. Pardon me... instead of replying back I was writing answer. Organized mess :)
@syslog:~$ openssl s_client -connect 10.5.29.11:443
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = X Y Z, XX = *.abc.com
verify return:1
---
Certificate chain
0 s:/C=xxxxx/CN=*.abc.com
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
---
Server certificate
Server public key is 4096 bit
Verify return code: 0 (ok)
syslog:~$ openssl s_client -connect 10.5.15.120:443
CONNECTED(00000003)
depth=0 C = XX, ST = XX, L = XX, O = xxxxxxx, OU = IT, CN = *.abc.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = XX, ST = XX, L =XX, O = xxxxxxxx, OU = IT, CN = *.abc.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=xx/ST=xx/L=xx/O=xxxxxxxx/OU=IT/CN=*.abc.com
i:/DC=com/DC=domain/CN=COLOCAL-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
subject=/C=XXXXXXXX/OU=IT/CN=*.abc.com
issuer=/DC=com/DC=domain/CN=COLOCAL-CA
---
No client certificate CA names sent
Server public key is 4096 bit
Verify return code: 21 (unable to verify the first certificate)
---
closed
I am taking it that the client making the SSL connection request does not have the Local CA cert installed.
- Lidev, Jul 23, 2020
MVP
If the test was performed from the BIG-IP, you have found the root cause of your issue ;-)
Double check the CA assigned on your SSL Client and Server profiles (you may have forgotten to include the intermediate chain).
If you perform two-way TLS, also check Trusted Certificate Authorities.
- masajjad, Jul 23, 2020
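The two `openssl s_client` transcripts above show the check Lidev describes: a cleanly served chain (verify code 0) versus a backend that sends only its leaf (errors 20/21). The following is an added example, not code from the thread or from F5, that parses such output and says which side of the chain is missing; the sample transcripts are constructed from the posted output with the poster's placeholder names.

```python
import re

# Constructed samples, trimmed from the two s_client runs quoted in the thread.
GOOD = """\
Certificate chain
 0 s:/C=xxxxx/CN=*.abc.com
   i:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1K
 1 s:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1K
   i:/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority - G2
---
Verify return code: 0 (ok)
"""
BAD = """\
depth=0 C = XX, CN = *.abc.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = XX, CN = *.abc.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=xx/OU=IT/CN=*.abc.com
   i:/DC=com/DC=domain/CN=COLOCAL-CA
---
Verify return code: 21 (unable to verify the first certificate)
"""

def parse_s_client(text):
    """Pull the verify return code, the verify error numbers and the served chain out of s_client output."""
    code = re.search(r"Verify return code:\s*(\d+)", text)
    chain = [{"subject": s.strip(), "issuer": i.strip()}
             for s, i in re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", text, re.M)]
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+)", text)})
    return {"code": int(code.group(1)) if code else None, "chain": chain, "errors": errors}

def diagnose(text):
    """Return (ok, findings); ok is True only when OpenSSL verified the chain cleanly."""
    info = parse_s_client(text)
    if info["code"] == 0:
        return True, []
    chain, findings = info["chain"], []
    # Did the server include the issuer of its leaf among the other certs it sent?
    sent_issuer = bool(chain) and any(c["subject"] == chain[0]["issuer"] for c in chain[1:])
    if 21 in info["errors"] or (chain and not sent_issuer):
        findings.append("server sent only its leaf: add the intermediate chain on the server or server-side profile")
    if 20 in info["errors"]:
        issuer = chain[0]["issuer"] if chain else "<unknown>"
        findings.append("issuer %s is not in the verifying side's trust store: import that CA there" % issuer)
    return False, findings
```

Pipe real output in with `openssl s_client -connect host:port </dev/null | python3 -c '...'` and act on the findings before touching the profiles.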
Cirrus
Hi Lidev,
Appreciate your continued feedback.
- Cert of "Local CA" that signed the cert for back-end was imported to F5 (from System > File Management > SSL Certificate List).
- From tcpdump we see the back-end send that newly generated cert signed by the Local CA, and F5 does the client exchange. This suggests F5 knows about the Local CA that signed the cert for the back-end.
- Issue arises when F5 sends (Public CA signed) cert to back-end. We send public CA chain bundle for both and new cert from SSL profile.
Am I missing something from your reply?
Thanks again.
- Lidev, Jul 24, 2020
MVP
Hello,
It looks like an SSL configuration problem on the backend server side; enable SSL debug logging on your F5 BIG-IP.
modify /sys db log.ssl.level value Debug
Don't forget to disable SSL debug logging afterwards by typing the following command: (modify /sys db log.ssl.level value Warning)
Also start an SSL dump to monitor all SSL traffic (https://support.f5.com/csp/article/K10209)
With all this, you will have more information about SSL traffic and you may have more insight into the problem you are facing.
- masajjad, Jul 24, 2020
Cirrus
Hi Lidev,
Turns out there is some authentication component of the application that requires the frontend cert. We copied the external cert to the backend and the issue was fixed. We were chasing our own tail.
Thanks a lot for your time and effort.
- cpalacio, Aug 21, 2024
Nimbostratus
Hi masajjad,
I'm facing the same issue. In this case I understand you uploaded the same certificate for the client and server side SSL profiles, right?