Forum Discussion

F5LearnerLNR's avatar
F5LearnerLNR
Icon for Cirrus rankCirrus
Jun 01, 2024

Unable to add R Series as Provider in BIGIP NEXT CM

Hi All , I am fairly new to BIGIP NEXT  so are many of you , I am trying to add my R Series Appliance to bigip NEXT CM as a  provider , but always getting the below error   "   DEVICE-00060: Interna...
bigip next
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Jun 02, 2024

Hi F5LearnerLNR,

the support solution (K000139300: DEVICE-00060: Internal error testing authentication) actually tells you exaclty what to do.
You must replace the private key and certificate for the webUI on your rSeries with another one, which contains a well formed SAN.
Beginning from v20.2 the BIG-IP Central Manager requires that the VELOS or rSeries provider has a well formed SAN certificate.

What does this actually mean? Let's say want to add your rSeries as a provider to the BIG-IP Central Manager with it's FQDN (example: my-rseries01.mydomain.com), then this FQDN must be in the Subject Alternative Name (SAN) extension of the SSL certificate which is installed on your rSeries. The same applies if you want to add it by IP - in that case the IP has to in the Subject Alternative Name (SAN).

In the K000139300 there is a link to https://my.f5.com/manage/s/article/K11438 which explains you with a step-by-step guide how to create such a certificate with a well formed SAN.

Good luck
Daniel

  • F5LearnerLNR's avatar
    F5LearnerLNR
    Icon for Cirrus rankCirrus
    Jun 02, 2024

    Hi Daniel ,

     

    Thanks for this detailed explanation and i read this article , and created SAN based certification for webUI , still i could not get rid of this error message  DEVICE-00060: Internal error testing authentication . And you know what even if i  give incorrect credentials it still gives the same error ,  so even if the credetials are right and the device is with  SAN certificate , i still get this error

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP
      Jun 02, 2024

      When you check your cert with the openssl , what does it say?

      ┌──(webserverdude@linux-vm)-[~/Downloads/ssl]
└─$ openssl x509 -in my-rseries.crt -noout -text

      It should look like this:

      Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
           (removed)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Hessen, L = Bad Vilbel, O = domain.com, OU = IT, CN = my-rseries.domain.com
        Validity
            Not Before: Jun  2 14:11:41 2024 GMT
            Not After : Jul  2 14:11:41 2024 GMT
        Subject: C = DE, ST = Hessen, L = Bad Vilbel, O = domain.com, OU = IT, CN = my-rseries.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: (removed)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:my-rseries5000.domain.com, IP Address:10.10.10.10
            X509v3 Subject Key Identifier: 
                (removed)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: (removed)

      This part is important  X509v3 Subject Alternative Name.
      In this part you should find the DNS name of your rSeries, the IP Adress or both. DNS must be as DNS and IP must be as IP Address.