Forum Discussion
SSL chain not presented by BIGIP
hi guys,
It might be a silly question but I am going a bit mad here.
I configured a chain for my SSL VS offload (firstly I tried just with the Intermediate Cert, then also with the Root Cert) and when I test my VS with the "openssl s_client -connect" command BIGIP doesn't present the certificate chain to me.
Why is that? Is this because cert + chain does not create a trust? Same config ( SSL cert + chain ) works on the legacy ACE.
appreciate any response!
6 Replies
- nathe
Cirrocumulus
The cert and chain on the server side will create a trust, but you would still need to trust either the intermediate or the Root CA on the client side too. Adding the chain doesn't necessarily provide trust to the certificate. It really only tells the client which certs to use in the chain to enable trust.
You can use this command on the LTM to check that the cert and chain are working, just in case.
openssl verify -purpose sslserver -CAfile /config/ssl/ssl.crt/test_bundle.crt /config/ssl/ssl.crt/test_server.crt
This is how I understand it anyway.
Rgds
N
- juniorexus_1332
Nimbostratus
Thanks Nathan for coming back.
I am totally with you, but I still can't understand why I can't see F5 presenting the chain to me (which is configured with two certs):

openssl s_client -connect x.x.x.x:443 -key /config/filestore/files_d/www-qa_d/certificate_key_d/:test.key -cert /config/filestore/files_d/www-qa_d/certificate_d/:test.crt
CONNECTED(00000003)
depth=0 /C=US/ST=.....
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=....
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=N....
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/C=US/ST=....
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA

I can see that when I try to connect from F5 itself to the VIP, the cert is not trusted anyway.
After running openssl verify command, I'm getting below error:
"error 20 at 0 depth lookup:unable to get local issuer certificate"
Do you recognize this error?
- nitass
Employee
openssl s_client -connect x.x.x.x:443 -key /config/filestore/files_d/www-qa_d/certificate_key_d/:test.key -cert /config/filestore/files_d/www-qa_d/certificate_d/:test.crt
Are you doing client certificate authentication? If not, shouldn't it be the -CAfile option rather than -cert and -key?
e.g.
config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        myclientssl {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 65
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    cert-key-chain {
        server {
            cert server.crt
            chain chain.crt
            key server.key
        }
    }
    defaults-from clientssl
}

server certificate

[root@ve11a:Active:In Sync] certificate_d perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer"); print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' \:Common\:server.crt_51362_1
---
subject= /C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
issuer= /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com

intermediate certificate

[root@ve11a:Active:In Sync] certificate_d perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer"); print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' \:Common\:chain.crt_33273_1
---
subject= /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
---
subject= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com

test

[root@centos1 ~] perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
> print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' /root/newca/certs/ca.crt
---
subject= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com

[root@centos1 ~] openssl s_client -connect 172.28.24.10:443 -CAfile /root/newca/certs/ca.crt
CONNECTED(00000003)
depth=2 /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
verify return:1
depth=1 /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
verify return:1
depth=0 /C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
   i:/C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
 1 s:/C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
   i:/C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
 2 s:/C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
   i:/C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFmzCCA4OgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCV0ExDTALBgNVBAoTBEFjbWUxEDAOBgNVBAsTB1N1cHBvcnQxGDAW
BgNVBAMTD2NhMjAxMy5hY21lLmNvbTAeFw0xNDA4MjAxMDIzNTBaFw0xNTA4MjAx
MDIzNTBaMFAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTENMAsGA1UEChMEQWNt
ZTELMAkGA1UECxMCSVQxGDAWBgNVBAMTD3NlcnZlci5hY21lLmNvbTCCAiIwDQYJ
KoZIhvcNAQEBBQADggIPADCCAgoCggIBAOPRWmOQTeUW1PEpF1kUhaTBx0s6sT61
BYUhvkvWL751iL7ij1Sp8/SwyxeyWnvOMbLX1c7yeoWFZo1xOtuIyzXYBx8COYOq
xt550NspaAQIpdPZbGJFkpq3eK/q9mDdl+H88yI5L9EeCd5EDW+A3uKl+3yW/XXh
K14rKahFNmMwamMRl0m9uWLii/3ivfjnF7bU+u/3vhBt8IOvUDWVGBdUHHKf9KDx
7IVlw4X+Vx/ApeQraEv819TRvBdExepPvb+Nnn2jMqstmv7EA+VX5gll4xmvb8mV
vk5XmQmNFnaFS8BsHkPiXZsb/7V6a+99g5u04gGq/ydAIztpzxwcsezaOABlURqp
3w7dHUHg7tcSXLCSSltwryrYvcm5WguqIy0Mflw4/C8Y6KFYKetHAemoTSowj5wP
QWRRTOzfgfps4jstHZZssNpDvlbdwdxW3dFIBItrmHo70/47bKF1YeY/PFF3p0x+
3MGRJaiUt6iGGTRNlk4cgr/YDmvBJOeXrm8wjR1ASEHvg+0XuG/qbBtZNyDC5oCJ
Rx02qyvBwo55TZc/BEfb1U4rpnZPScwXnuexjN+fj2glxgF9nCMnZ9ZEL/CkECKI
2LNGvOHevT8rgtXTpRM2PSrzp1k0R3UB0eb/Hsw9nSxNjU6dFhoIXJ7oty8Dnjro
bIcA0LoutMCvAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w
ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQ/8YYZxuAXV79i
y7ux9U6F3xWOujAfBgNVHSMEGDAWgBSCOznFhO68X2r1WREpmuBuEabGcTANBgkq
hkiG9w0BAQUFAAOCAgEA4LrE5RlXF6fNQKx4aVI3oioUXbpp/6FpnIBzT9y2r/Ei
m7zOOCysqdIqwEVjwlpd8/kw5/a/ympJ6Wt8A7CT4fTakYAEyEFhys4XjHdW074I
R+PR4wYPnWCs1ylq+vUX04UlIVmecVx5/7gqPCZ4wQyjwnzoHI+I+gbYc2IeWfRU
nfh4DEeD7PBjZb6zUKnT4PfpHhVwyA9LPOVLQqeTlHtBWZmFYGOTnuJ6kBBHOnDG
07qoxonue9oa1EGzBqDqYQx0PNHaQ3HEzj7UD2tdQ/FqVyu1xWxyGqZ0uVZUdIY0
tfvZA+Yv1rpimaRrMZgEkIouGOxdzNhrc5XleLsAPyLkCEez7YP1d2gKTH6Orl/H
+hCoFVGrxjEpaglo36ijvXpqhMxczX28QA8qUQZNgX+CSfCYEgTnNqcAp94m0DgB
JLAuSBUn0CV8af7dEInpcYMN7FaWYOG9WUmuYGmUNffLLhwLYXzcpo0Od/ATdvWZ
ORam3uhU/zNr3MENHNT+1dfLi7BLRQNjzo3HhMmcVCfKW9YBRU88rOXlPBBAc91r
svO7PkHtidRixb0vHJzOLOg4O44F2PPwMwL1eys2gzjKPHLZcPNQkWokE4Ipn6wS
AEzQqZ83uMOh122h2aJcHU7Y/s57gnBQBdy8yEyeoToxfL6sQkuQWmLCje/J+cY=
-----END CERTIFICATE-----
subject=/C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
issuer=/C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
---
No client certificate CA names sent
---
SSL handshake has read 4703 bytes and written 703 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 457BB7CC171B41B0E605CD1C37DF7B0F4A3530C8F0D9C9B5F190A8740F6865DC
    Session-ID-ctx:
    Master-Key: F15E99AF1F808310F917E9B4A90B46D37EB6D24C6371AD29CB7A3C44684EFFDFE0CC081742E81985F6EE771B18075093
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1408530869
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
- nitass
Employee
In case the CA certificate is not pre-defined in the default openssl CA file.
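Added example, not code from the thread or from F5: the two checks the replies above recommend, nathe's openssl verify of cert plus chain and nitass's s_client -CAfile test, put into one script that runs against a throwaway PKI. It generates its own root, intermediate and leaf (every name, file and port in it is constructed; the BIG-IP filestore paths from the thread are not used), checks that the chain bundle is in issuer order, verifies the leaf with the bundle as untrusted intermediates and the root as the only anchor, then serves the bundle with openssl s_server and probes it with s_client both with and without -CAfile. That last step reproduces the point nitass makes: the chain is presented either way, only the verify result changes. It assumes the openssl command line tool, 1.1.1 or newer, and a free loopback port.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway root -> intermediate ->
# leaf PKI (all names constructed), assemble the bundle a BIG-IP client-ssl profile
# takes as "chain", check its order and verify the leaf, then serve it with
# openssl s_server and probe it with s_client the way the thread does.
# Needs the openssl CLI (1.1.1 or newer).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
# Private config so the script does not depend on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Self-signed root.
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CFG" -extensions ca -days 30 \
  -subj "/C=US/O=Acme/CN=caroot.acme.com" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# issue NAME SUBJECT EXT_SECTION ISSUER: key + CSR, then sign it with the issuer's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" -CAcreateserial \
    -days 30 -extfile "$CFG" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}
issue inter  "/C=US/O=Acme/CN=ca2013.acme.com" ca   root
issue server "/C=US/O=Acme/CN=server.acme.com" leaf inter

# chain_summary BUNDLE: one "subject|issuer" line per certificate, in file order
# (shell equivalent of the perl one-liner in the thread).
chain_summary() {
  rm -f "$WORK"/split*.pem
  awk -v d="$WORK/split" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d n ".pem") }' "$1"
  i=1
  while [ -f "$WORK/split$i.pem" ]; do
    s=$(openssl x509 -in "$WORK/split$i.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$WORK/split$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    echo "$s|$iss"
    i=$((i + 1))
  done
}
# chain_ordered BUNDLE: succeeds only if each certificate's issuer is the subject of
# the next one, i.e. the leaf's issuer comes first and the root last.
chain_ordered() {
  chain_summary "$1" | {
    expect=""
    while IFS='|' read -r subj issuer; do
      [ -z "$expect" ] || [ "$expect" = "$subj" ] || exit 1
      expect=$issuer
    done
  }
}
# verify_leaf LEAF BUNDLE ROOT: like the openssl verify in the thread, but the bundle is
# only -untrusted and the single trust anchor is the root, which is how a client sees it.
verify_leaf() {
  openssl verify -purpose sslserver -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}
# presented_chain HOST:PORT [CAFILE]: prints "<certs presented> <s_client verify code>".
presented_chain() {
  if [ -n "$2" ]; then set -- -connect "$1" -CAfile "$2"; else set -- -connect "$1"; fi
  out=$(openssl s_client "$@" -showcerts </dev/null 2>/dev/null) || true
  n=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
  rc=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
  echo "$n ${rc:-none}"
}

# What goes into the profile: server.crt as cert, server.key as key, chain.crt as chain.
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.crt"   # leaf's issuer first, root last
cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/wrong.crt"   # reversed: a common mistake
chain_summary "$WORK/chain.crt"
chain_ordered "$WORK/chain.crt" && echo "chain.crt: ordered"
chain_ordered "$WORK/wrong.crt" || echo "wrong.crt: out of order"
verify_leaf "$WORK/server.crt" "$WORK/chain.crt" "$WORK/root.crt" && echo "server.crt: verifies"
# Serve the bundle and look at it from the client side, with and without the root trusted.
PORT=$((20000 + $$ % 20000))
openssl s_server -accept "127.0.0.1:$PORT" -cert "$WORK/server.crt" -key "$WORK/server.key" \
  -cert_chain "$WORK/chain.crt" -www >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill $SERVER_PID 2>/dev/null; rm -rf "$WORK"' EXIT
for _ in 1 2 3 4 5; do   # wait until the listener is up
  openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && break
  sleep 1
done
WITH_CA=$(presented_chain "127.0.0.1:$PORT" "$WORK/root.crt")   # "3 0": full chain, trusted
WITHOUT_CA=$(presented_chain "127.0.0.1:$PORT")                 # still 3 certs, verify code != 0
echo "with -CAfile root.crt: $WITH_CA"
echo "without -CAfile:       $WITHOUT_CA"
```

Run it as `sh chain_check.sh`. Against a real BIG-IP, replace the generated files with the cert, key and chain loaded into the client-ssl profile and point presented_chain at the virtual server: a count of 1 means only the server certificate is being sent, while a count of 2 or more with a non-zero verify code means the chain is presented and what is missing is a trust anchor on the client side, which is nathe's point. nathe's form of the verify command, with the whole bundle as -CAfile, also works, but it treats every certificate in the bundle as trusted; with -untrusted only the root is an anchor, so a wrong or missing intermediate shows up as the same "unable to get local issuer certificate" the original poster saw.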