Forum Discussion

BBIT-Filip
Jan 18, 2018

reCAPTCHA v2 and BIG-IP 13.0

Hi all,

After upgrading from v12 to v13 we've lost reCAPTCHA support for our network access. We have created new CAPTCHA keys at Google and a new CAPTCHA-V2 profile with all settings left at default.

As a test, we have run the network access wizard with all default settings and added the new CAPTCHA to it via the access policy editor; the error still remains the same.

The error that the user receives is:

Data provided for authentication is not valid. Please try again. 

and here's the error we can see in the session access report:

Unexpected result while verifying CAPTCHA (/Common/CAPTCHA-V2): Couldn't perform CAPTCHA validation: Peer certificate cannot be authenticated with given CA certificates, proceeding with policy: 0

  • Hi Filip,

    We have the same issue here after upgrading from v12.1.2 to v13.1.

    It seems that the Google site is sending, in its chain of certificates, a root CA for GeoTrust that was signed by "Equifax Secure Certificate Authority", but it is not sending the CA cert.

    Looking into my box's CA store /config/ssl/ssl.crt/ca-bundle.crt, I can see "Equifax Secure Certificate Authority" was removed from the ca-bundle in v13.1 (it expires in August 2018).

    I have fixed the issue by manually adding this root CA cert to the trusted store. In my lab this is the process

    No reboot is required to fix the issue.

    Hope it helps with your issue too.

    Best Regards, David Martín

  • Hello friends,

    After updating the ca-bundle against F5 through the Bundle Manager List, the missing certificate has been loaded, and it works.

    A greeting

  • Finally, I found the solution for my issue. You can follow the instructions to update the Cert Bundle:

    https://support.f5.com/csp/article/K60612439#:~:text=To%20update%20the%20default%20CA,Select%20Update.
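
The failure diagnosed in the replies above (the server's chain ends in a certificate whose issuer is no longer in the CA bundle, and validation succeeds again once the bundle contains it) can be reproduced offline. This is an added example, not part of the original thread and not F5 code; it assumes bash with the `openssl` CLI, and every certificate, subject name and bundle file name in it is a constructed stand-in for the real ones.

```shell
#!/usr/bin/env bash
# Added example: every certificate here is a constructed throwaway test CA,
# not a real Equifax or GeoTrust certificate. Assumes the openssl CLI is installed.

# new_req DIR NAME CN: EC key plus CSR for subject CN
new_req() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" &&
  openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr"
}

# make_demo_pki DIR: legacy root -> intermediate -> leaf, plus an unrelated root
make_demo_pki() {
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_req "$d" root "Demo Legacy Root" && new_req "$d" other "Demo Other Root" &&
  new_req "$d" inter "Demo Intermediate" && new_req "$d" leaf "captcha.example.test" || return 1
  for n in root other; do   # two self-signed roots
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -extfile "$d/ca.ext" \
      -days 2 -out "$d/$n.pem" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
  cp "$d/other.pem" "$d/bundle-trimmed.crt"                   # legacy root absent
  cat "$d/other.pem" "$d/root.pem" > "$d/bundle-updated.crt"  # legacy root present
}

# chain_trusted BUNDLE SENT_CHAIN LEAF: 0 if LEAF validates to an anchor in BUNDLE
chain_trusted() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# bundle_has_subject BUNDLE TEXT: 0 if a certificate subject in BUNDLE contains TEXT
bundle_has_subject() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    grep -q "^subject=.*$2"
}

# top_issuer CERT: issuer of the highest certificate the server sent
top_issuer() { openssl x509 -noout -issuer -in "$1"; }

d=$(mktemp -d) && make_demo_pki "$d" &&
for b in bundle-trimmed.crt bundle-updated.crt; do
  if chain_trusted "$d/$b" "$d/inter.pem" "$d/leaf.pem"; then r="chain validates"
  else r="validation fails, no anchor for: $(top_issuer "$d/inter.pem")"; fi
  echo "$b: $r"
done
rm -rf "$d"
```

On a real system, `bundle_has_subject` pointed at the bundle path from the thread with the issuer name reported by `top_issuer` answers the same question David checked by hand.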