
Forum Discussion

AnthicL (Nimbostratus)
Nov 26, 2021

SSL Alert: Fatal Unknown CA on GTM/LTM with big3d_install and bigip_add

Dear All,

I am getting the above error while running big3d_install or bigip_add from a DNS/GTM device.

Packet captures also show the BIG-IP device sending a reset to the GTM. The reset cause is "SSL Alert: Fatal Unknown CA".

I have already appended the trusted device certificate of the DNS/GTM device to the remote BIG-IP device, and also the trusted server certificate of the remote BIG-IP into the DNS/GTM device. All certificates are self-signed, generated by the BIG-IP devices. I am not sure why it complains about an unknown CA and does not proceed with the script installation.

Any advice from the knowledgeable community members would be of great help. I have been struggling to get iQuery working because of this.


[root@XX-GLB-1:Active:In Sync] config # big3d_install 10.17.252.27

Making sure all BIG-IP systems can be reached, and
checking kernel and big3d versions on each BIG-IP.

Gathering big3d info from 10.17.252.27
Attempting via iqsh ... error from SSL_connect
140294618232496:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1498:SSL alert number 48
SSL return code: SSL_ERROR_ZERO_RETURN
---
Certificate chain
 0 s:/C=QA/CN=XX-LB-Internal-VIPRION2.XX.xx
   i:/C=QA/CN=XX-LB-Internal-VIPRION2.XX.XX
-----BEGIN CERTIFICATE-----
MIIB4zCCAUygAwIBAgICBkYwDQYJKoZIhvcNAQEFBQAwNzELMAkGA1UEBhMCUUEx
KDAmBgNVBAMTH01WMi1MQi1JbnRlcm5hbC1WSVBSSU9OMi5pY3QucWEwHhcNMTQw
NTI2MTAzMjA0WhcNMjQwNTIzMTAzMjA0WjA3MQswCQYDVQQGEwJRQTEoMCYGA1UE
AxMfTVYyLUxCLUludGVybmFsLVZJUFJJTnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAskfnemVQlBNoJBSmlH10I3GkHaz/5oGB7yxuByKRM3Au
VwQKp8s/vWjoWhmGDF6u9eUYYWqGiMphMuyYQNlQfcA6837suGhW0CmVd8typD5P
Ag2DoMbKbF0kWk0hvXTaP8C+mKUfIrT/J2pJenC
vDFe9iyzmw==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=QA/CN=XX-LB-Internal-VIPRION2.xx.xx
issuer=/C=QA/CN=XX-LB-Internal-VIPRION2.xx.xx
---
Acceptable client certificate CA names
/C=--/ST=WA/L=Seattle/O=MyCompany/OU=MyOrg/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
/CN=ad4431c9-e7fd-4e1b-9eb8-aee85d594702
/CN=af46d71b-8b0e-4938-bf5f-e2039d04e997
---
SSL handshake has read 885 bytes and written 1396 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 636EE1341A1E2BC05382A7B218E4ACDBDD1FA642CFDCD64084C54A461FB8DC92DF1E8732EE12E9BC0CC0E7CFF03A5231
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1637822778
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Unable to retrieve version and platform information via iqsh for 10.17.252.27
Attempting via ssh ...
Connection timed out during banner exchange
Unable to retrieve tmsh and/or big3d versions from 10.17.252.27

There is 1 system that could not be reached.
There are multiple reasons that this can occur, including:
- The network connection to the system is down.
- The system is down.
There are no reachable systems to install big3d on.
Exiting
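Added example (not part of AnthicL's post and not F5 tooling): the alert in the transcript above is received by SSL_connect on the GTM side, i.e. the remote BIG-IP's big3d sent TLS alert 48 (unknown_ca) because it could not chain the client certificate the GTM presented to anything it trusts. The "Acceptable client certificate CA names" block in the s_client output is the list of issuer DNs the remote will accept, so the quickest check is whether the GTM's own device-certificate subject appears there. The script below parses that transcript (the one quoted in the post, embedded as a constructed sample) and reports whether a given subject DN is on the list. The GTM subject DN used in the demo, and the paths and port mentioned in the comments (/config/httpd/conf/ssl.crt/server.crt as the local device certificate, /config/big3d/client.crt as the remote's trusted device certificate store, iQuery on TCP 4353), are assumptions to verify against the F5 documentation for your version, not facts taken from the post.

```shell
#!/bin/sh
# Added example: check whether a local device-certificate subject is among the
# client-certificate issuers a remote BIG-IP advertises during the TLS handshake.
# Not from the original post or from F5; paths and port below are assumptions.
#
# Live capture (assumed paths/port, run on the GTM):
#   openssl s_client -connect 10.17.252.27:4353 \
#       -cert /config/httpd/conf/ssl.crt/server.crt \
#       -key  /config/httpd/conf/ssl.key/server.key </dev/null 2>&1 > /tmp/sclient.txt
# Then: ca_accepted "$(cat /tmp/sclient.txt)" "$(openssl x509 -noout -subject -in \
#       /config/httpd/conf/ssl.crt/server.crt | sed 's/^subject= *//')"

# Constructed sample: the relevant part of the transcript quoted in the post.
SAMPLE_SCLIENT='---
Server certificate
subject=/C=QA/CN=XX-LB-Internal-VIPRION2.xx.xx
issuer=/C=QA/CN=XX-LB-Internal-VIPRION2.xx.xx
---
Acceptable client certificate CA names
/C=--/ST=WA/L=Seattle/O=MyCompany/OU=MyOrg/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
/CN=ad4431c9-e7fd-4e1b-9eb8-aee85d594702
/CN=af46d71b-8b0e-4938-bf5f-e2039d04e997
---
SSL handshake has read 885 bytes and written 1396 bytes'

# Hypothetical subject DN of the GTM device certificate (not in the post).
GTM_SUBJECT='/C=QA/CN=XX-GLB-1.xx.xx'

# acceptable_cas TRANSCRIPT
# Print the issuer DNs listed between "Acceptable client certificate CA names"
# and the next "---" separator, one per line.
acceptable_cas() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^---/ { exit }
        in_list { print }'
}

# ca_accepted TRANSCRIPT SUBJECT_DN
# Exit 0 if SUBJECT_DN is an exact match for one of the advertised DNs,
# 1 otherwise. -F: literal match, -x: whole line, -q: no output.
ca_accepted() {
    acceptable_cas "$1" | grep -Fxq -- "$2"
}

# diagnose TRANSCRIPT SUBJECT_DN
# Human-readable verdict; a "NOT listed" result with a self-signed device
# certificate means the remote's trusted device certificate store (assumed
# /config/big3d/client.crt) does not contain this certificate.
diagnose() {
    if ca_accepted "$1" "$2"; then
        echo "listed: $2 is an acceptable client CA on the remote"
    else
        echo "NOT listed: $2 is not trusted by the remote; expect alert 48 (unknown_ca)"
    fi
}

echo "Remote advertises these client CA names:"
acceptable_cas "$SAMPLE_SCLIENT" | sed 's/^/  /'
diagnose "$SAMPLE_SCLIENT" "$GTM_SUBJECT"
diagnose "$SAMPLE_SCLIENT" "/CN=ad4431c9-e7fd-4e1b-9eb8-aee85d594702"
```

Two things worth noting from the transcript itself: the remote's advertised list contains the default localhost.localdomain certificate plus two UUID-named entries and nothing resembling the GTM's device certificate, which is consistent with the alert; and the remote's own server certificate is 1024-bit RSA issued in 2014, which is below current key-size recommendations and worth regenerating while the trust stores are being rebuilt.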
