Forum Discussion

F5LearnerLNR's avatar
F5LearnerLNR
Icon for Cirrus rankCirrus
Jun 01, 2024

Unable to add R Series as Provider in BIGIP NEXT CM

Hi All ,

I am fairly new to BIGIP NEXT  so are many of you , I am trying to add my R Series Appliance to bigip NEXT CM as a  provider , but always getting the below error   "   DEVICE-00060: Internal error testing authentication  "

Read this article  DEVICE-00060: Internal error testing authentication (f5.com)   and accordingly  created a SAN name certifcate for  my R series Applicance and tried again , but no luck this article is of really no use . I am searching many articles to see how to add a Provider to Bigip NEXT CM , not able to  find a single one except for the cloud docs article , which is of no use as to really how to add the Provider . Anyone who is expert in BIGIP NEXT can please help me .

 

 

Thank you 

 

bigip next
  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Jun 02, 2024

    Hi F5LearnerLNR,

    the support solution (K000139300: DEVICE-00060: Internal error testing authentication) actually tells you exaclty what to do.
    You must replace the private key and certificate for the webUI on your rSeries with another one, which contains a well formed SAN.
    Beginning from v20.2 the BIG-IP Central Manager requires that the VELOS or rSeries provider has a well formed SAN certificate.

    What does this actually mean? Let's say want to add your rSeries as a provider to the BIG-IP Central Manager with it's FQDN (example: my-rseries01.mydomain.com), then this FQDN must be in the Subject Alternative Name (SAN) extension of the SSL certificate which is installed on your rSeries. The same applies if you want to add it by IP - in that case the IP has to in the Subject Alternative Name (SAN).

    In the K000139300 there is a link to https://my.f5.com/manage/s/article/K11438 which explains you with a step-by-step guide how to create such a certificate with a well formed SAN.

    Good luck
    Daniel

    • F5LearnerLNR's avatar
      F5LearnerLNR
      Icon for Cirrus rankCirrus
      Jun 02, 2024

      Hi Daniel ,

       

      Thanks for this detailed explanation and i read this article , and created SAN based certification for webUI , still i could not get rid of this error message  DEVICE-00060: Internal error testing authentication . And you know what even if i  give incorrect credentials it still gives the same error ,  so even if the credetials are right and the device is with  SAN certificate , i still get this error

      • Daniel_Wolf's avatar
        Daniel_Wolf
        Icon for MVP rankMVP
        Jun 02, 2024

        When you check your cert with the openssl , what does it say?

        ┌──(webserverdude@linux-vm)-[~/Downloads/ssl]
└─$ openssl x509 -in my-rseries.crt -noout -text

        It should look like this:

        Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
           (removed)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Hessen, L = Bad Vilbel, O = domain.com, OU = IT, CN = my-rseries.domain.com
        Validity
            Not Before: Jun  2 14:11:41 2024 GMT
            Not After : Jul  2 14:11:41 2024 GMT
        Subject: C = DE, ST = Hessen, L = Bad Vilbel, O = domain.com, OU = IT, CN = my-rseries.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: (removed)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:my-rseries5000.domain.com, IP Address:10.10.10.10
            X509v3 Subject Key Identifier: 
                (removed)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: (removed)

        This part is important  X509v3 Subject Alternative Name.
        In this part you should find the DNS name of your rSeries, the IP Adress or both. DNS must be as DNS and IP must be as IP Address.