SSL Alert: Fatal Unknown CA on GTM/LTM with big3d_install and bigip_add
Dear All,
I am getting the above error while running big3d_install or bigip_add from a DNS/GTM device.
Packet captures also show the BIG-IP device sending a reset to the GTM. The reset cause is "SSL Alert: Fatal Unknown CA".
I have already appended the trusted device certificate of the DNS/GTM device to the remote BIG-IP device, and also the trusted server certificate of the remote BIG-IP to the DNS/GTM device. All certificates are self-signed, generated by the BIG-IP devices. I am not sure why it complains of an unknown CA and does not proceed with the script installation.
Any advice from knowledgeable community members would be of great help. I have been struggling to get iQuery working because of this.
[root@XX-GLB-1:Active:In Sync] config # big3d_install 10.17.252.27
Making sure all BIG-IP systems can be reached, and
checking kernel and big3d versions on each BIG-IP.
Gathering big3d info from 10.17.252.27
Attempting via iqsh ... error from SSL_connect
140294618232496:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1498:SSL alert number 48
SSL return code: SSL_ERROR_ZERO_RETURN
---
Certificate chain
0 s:/C=QA/CN=XX-LB-Internal-VIPRION2.XX.xx
i:/C=QA/CN=XX-LB-Internal-VIPRION2.XX.XX
-----BEGIN CERTIFICATE-----
MIIB4zCCAUygAwIBAgICBkYwDQYJKoZIhvcNAQEFBQAwNzELMAkGA1UEBhMCUUEx
KDAmBgNVBAMTH01WMi1MQi1JbnRlcm5hbC1WSVBSSU9OMi5pY3QucWEwHhcNMTQw
NTI2MTAzMjA0WhcNMjQwNTIzMTAzMjA0WjA3MQswCQYDVQQGEwJRQTEoMCYGA1UE
AxMfTVYyLUxCLUludGVybmFsLVZJUFJJTnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAskfnemVQlBNoJBSmlH10I3GkHaz/5oGB7yxuByKRM3Au
VwQKp8s/vWjoWhmGDF6u9eUYYWqGiMphMuyYQNlQfcA6837suGhW0CmVd8typD5P
Ag2DoMbKbF0kWk0hvXTaP8C+mKUfIrT/J2pJenC
vDFe9iyzmw==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=QA/CN=XX-LB-Internal-VIPRION2.xx.xx
issuer=/C=QA/CN=XX-LB-Internal-VIPRION2.xx.xx
---
Acceptable client certificate CA names
/C=--/ST=WA/L=Seattle/O=MyCompany/OU=MyOrg/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
/CN=ad4431c9-e7fd-4e1b-9eb8-aee85d594702
/CN=af46d71b-8b0e-4938-bf5f-e2039d04e997
---
SSL handshake has read 885 bytes and written 1396 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 636EE1341A1E2BC05382A7B218E4ACDBDD1FA642CFDCD64084C54A461FB8DC92DF1E8732EE12E9BC0CC0E7CFF03A5231
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1637822778
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Unable to retrieve version and platform information via iqsh for 10.17.252.27
Attempting via ssh ...
Connection timed out during banner exchange
Unable to retrieve tmsh and/or big3d versions from 10.17.252.27
There is 1 system that could not be reached.
There are multiple reasons that this can occur, including:
- The network connection to the system is down.
- The system is down.
There are no reachable systems to install big3d on.
Exiting
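Added example, not part of the original post: a small Python script that parses the handshake dump big3d_install prints (the same layout as `openssl s_client`) and reports which side refused whom. An alert that surfaces through `ssl3_read_bytes` during `SSL_connect` was received from the peer, so "alert number 48" here was sent by the remote big3d (the server), while "Verify return code: 0" shows the GTM side was happy with the server certificate. The server also advertises the DNs it will accept client certificates from ("Acceptable client certificate CA names"); with self-signed device certificates those are the trusted certificates' own subjects, so the GTM's device certificate subject must appear in that list. The script extracts the alert, the verify result, the server subject/issuer and key size, and checks a given local DN against the advertised list. The sample text is constructed from the post's output with the PEM body omitted; the GTM's own DN (`/C=QA/CN=XX-GLB-1.xx.xx`) is an assumption.

```python
import re

# Constructed sample input: the trust-relevant part of the big3d_install
# output from the post (same layout as `openssl s_client`), PEM body omitted.
SAMPLE_OUTPUT = """\
140294618232496:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1498:SSL alert number 48
---
Server certificate
subject=/C=QA/CN=XX-LB-Internal-VIPRION2.xx.xx
issuer=/C=QA/CN=XX-LB-Internal-VIPRION2.xx.xx
---
Acceptable client certificate CA names
/C=--/ST=WA/L=Seattle/O=MyCompany/OU=MyOrg/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
/CN=ad4431c9-e7fd-4e1b-9eb8-aee85d594702
/CN=af46d71b-8b0e-4938-bf5f-e2039d04e997
---
Server public key is 1024 bit
Verify return code: 0 (ok)
"""

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2.2).
ALERT_NAMES = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
SECTIONS = ("Server certificate", "Acceptable client certificate CA names")


def _int_after(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else None


def parse_handshake(text):
    """Extract the trust-relevant fields from s_client-style output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "---":
            current = None
        elif line in SECTIONS:
            current, sections[line] = line, []
        elif current is not None:
            sections[current].append(line)
    server = dict(l.split("=", 1) for l in sections.get("Server certificate", []) if "=" in l)
    return {
        "alert": _int_after(r"SSL alert number (\d+)", text),
        "verify_code": _int_after(r"Verify return code: (\d+)", text),
        "server_key_bits": _int_after(r"Server public key is (\d+) bit", text),
        "server_subject": server.get("subject"),
        "server_issuer": server.get("issuer"),
        # One DN per CA the server trusts for client auth; with self-signed
        # device certificates these are the trusted certificates' own subjects.
        "acceptable_cas": [l for l in sections.get("Acceptable client certificate CA names", [])
                           if l.startswith("/")],
    }


def diagnose(text, local_cert_subject):
    """Report which side refused the handshake and whether the local (client)
    device certificate is one the server advertises as acceptable."""
    info = parse_handshake(text)
    alert_name = ALERT_NAMES.get(info["alert"], "other") if info["alert"] is not None else None
    self_signed = info["server_subject"] is not None and info["server_subject"] == info["server_issuer"]
    trusted = local_cert_subject in info["acceptable_cas"]
    findings = []
    if alert_name:
        # An alert surfaced through ssl3_read_bytes during SSL_connect was
        # received from the peer: the server refused, not the client.
        findings.append("server sent alert %d (%s) during the client's connect" % (info["alert"], alert_name))
    if info["verify_code"] == 0:
        findings.append("client accepted the server certificate (Verify return code 0)")
    if self_signed:
        findings.append("server certificate is self-signed: %s" % info["server_subject"])
    findings.append("local DN %s %s the server's acceptable CA list (%d names)"
                    % (local_cert_subject, "is in" if trusted else "is NOT in", len(info["acceptable_cas"])))
    if info["server_key_bits"] and info["server_key_bits"] < 2048:
        findings.append("server key is %d bits; regenerate with at least 2048" % info["server_key_bits"])
    return {"alert": info["alert"], "alert_name": alert_name, "server_self_signed": self_signed,
            "client_cert_trusted_by_server": trusted, "findings": findings}


if __name__ == "__main__":
    # Hypothetical subject of the GTM's own self-signed device certificate.
    for f in diagnose(SAMPLE_OUTPUT, "/C=QA/CN=XX-GLB-1.xx.xx")["findings"]:
        print("-", f)
```

Run it against the real output with the subject of the GTM's device certificate (as printed by `openssl x509 -noout -subject` on that certificate). If the DN is reported as not in the list, the remote BIG-IP's trusted device certificates do not contain the GTM's current certificate, which is exactly the condition that makes the server send unknown_ca; a DN that matches only up to letter case still does not match, since the comparison the server performs is exact. The 1024-bit server key the output shows is flagged separately because it is below the 2048-bit floor expected of current RSA deployments.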