Forum Discussion
pool member sending Alert (Level: Fatal, Description: Unknown Certificate [46]) for a new SSL Cert of a VS
Excuse my delay. Pardon me... instead of replying back I was writing an answer. Organized mess :)
@syslog:~$ openssl s_client -connect 10.5.29.11:443
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = X Y Z, XX = *.abc.com
verify return:1
---
Certificate chain
0 s:/C=xxxxx/CN=*.abc.com
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
---
Server certificate
Server public key is 4096 bit
Verify return code: 0 (ok)
syslog:~$ openssl s_client -connect 10.5.15.120:443
CONNECTED(00000003)
depth=0 C = XX, ST = XX, L = XX, O = xxxxxxx, OU = IT, CN = *.abc.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = XX, ST = XX, L =XX, O = xxxxxxxx, OU = IT, CN = *.abc.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=xx/ST=xx/L=xx/O=xxxxxxxx/OU=IT/CN=*.abc.com
i:/DC=com/DC=domain/CN=COLOCAL-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
subject=/C=XXXXXXXX/OU=IT/CN=*.abc.com
issuer=/DC=com/DC=domain/CN=COLOCAL-CA
---
No client certificate CA names sent
Server public key is 4096 bit
Verify return code: 21 (unable to verify the first certificate)
---
closed
I take it the client making the SSL connection request does not have the local CA cert installed.
Hi Lidev,
Turns out there is some authentication component of the application that requires the frontend cert. We copied the external cert to the backend and the issue was fixed. We were chasing our own tail.
Thanks a lot for your time and effort.
- cpalacio, Aug 21, 2024
Nimbostratus
Hi masajjad,
I'm facing the same issue, in this case I understand you uploaded the same certificate for client and server side ssl profile, right?
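The two `openssl s_client` outputs earlier in the thread differ in what the server sent: a full chain ending in a self-signed root, versus a leaf alone issued by COLOCAL-CA. The following is an added example, not part of the original thread, that parses that output and reports which issuer the verifying side must already trust; the sample text is constructed from the thread's output (trimmed), and the function names are hypothetical.

```python
import re

# Constructed samples: trimmed `openssl s_client` output in the format shown in the thread.
SAMPLE_FULL = """\
Certificate chain
 0 s:/C=XX/CN=*.abc.com
   i:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1K
 1 s:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1K
   i:/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority - G2
 2 s:/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority - G2
   i:/C=US/O=Entrust, Inc./CN=Entrust Root Certification Authority - G2
---
Verify return code: 0 (ok)
"""
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:/C=xx/OU=IT/CN=*.abc.com
   i:/DC=com/DC=domain/CN=COLOCAL-CA
---
Verify return code: 21 (unable to verify the first certificate)
"""

def parse_chain(text):
    # Return [(subject, issuer), ...] from the "Certificate chain" section.
    section = text.split("Certificate chain", 1)[-1].split("---", 1)[0]
    return re.findall(r"^\s*\d+\s+s:(.*)\n\s*i:(.*)$", section, re.M)

def diagnose(text):
    chain = parse_chain(text)
    m = re.search(r"Verify return code: (\d+)", text)
    # Each certificate's issuer must be the subject of the next certificate sent.
    linked = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    top_subject, top_issuer = chain[-1] if chain else (None, None)
    self_signed = chain != [] and top_subject == top_issuer
    return {
        "verify_code": int(m.group(1)) if m else None,
        "certs_sent": len(chain),
        "linked": linked,
        "ends_at_root": self_signed,
        # Issuer the verifying side must already trust, since the server did not send it.
        "missing_issuer": None if self_signed or not chain else top_issuer,
    }

if __name__ == "__main__":
    for name, sample in (("full chain", SAMPLE_FULL), ("leaf only", SAMPLE_LEAF_ONLY)):
        print(name, diagnose(sample))
```

For the leaf-only sample the reported `missing_issuer` is the COLOCAL-CA name, which is the certificate the connecting side needs in its trust store for verify codes 20 and 21 to clear.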