Forum Discussion
Unknown CA error for VIP that is doing SSL offloading on LTM
Website configured to go through LTM. SSL offloading handled by LTM. When accessing the site from an iPad, it gets an Unknown CA error. Packet capture from LTM shows the client (iPad) initiates the Client Hello, server (LTM) responds back with Server Hello then sends certificate. iPad says Unknown CA. The certificate is issued by an intermediate cert. I imported the intermediate cert into the Trusted Device Certs list but that didn't make a difference. The root cert shouldn't have to be added to the Trusted list, does it? Both the intermediate and root certs are installed on the iPad. And any other site that uses a cert issued by the SAME intermediate cert works when SSL offloading is done on the server. The ONLY site that is doing the SSL offloading on the LTM is not working, so there has to be something I'm missing on the LTM. Please help!
- dragonflymr
Cirrostratus
Hi,
Is that error specific only to the iPad, or is the result the same when accessing via a browser on a PC?
Piotr
- rgordon_01
Nimbostratus
It's only specific to the iPad. Originally I thought it was an issue on the iPad - something having to do with the certs not loaded correctly in the cert store. But after finding 2 other sites with certs issued by the same issuer that work and show trusted when I click the icon on the iPad, it has to have something to do with the SSL offloading on the LTM.
- dragonflymr
Cirrostratus
I would say that the best way is to do a packet capture when connecting to sites that are working and compare the SSL handshake to a capture when connecting to your VS - of course, if you have a way to capture traffic from the iPad to the Internet.
If other clients/devices are not complaining about Unknown CA, then it has to be somehow related to iPad config or specific requirements.
If possible I would as well try some other Apple devices to see if it's the same. If not, then there is a big chance that the configuration for this specific iPad is somehow messed up/corrupted.
Piotr
- Vijay_E
Cirrus
If it is an issue with SSL offloading on the LTM, you will see the problem when you use a computer/laptop too. Do you see such an issue?
Do you see the same error for any other cert provided by a different CA?
Do you see the error on an iPhone or Mac? I am thinking maybe this CA is not included in the iPad.
- dragonflymr
Cirrostratus
I did some tests. Let's say we have:
* Well-known Root CA
* Intermediate CA1
* Intermediate CA2
* Cert issued by CA2

My setup is:
* Chain file containing certificates: CA2, CA1, Root CA
* Then in clientssl I have:
  * Certificate and key - one issued for the VS FQDN
  * Chain - the one described above

As a result the client is receiving in the Server Hello both the site certificate and the certificates from the chain file - everything is working OK.
Conclusion - check your Chain file, something has to be wrong here.
Check this article for steps to test your chain file: "SSL Profiles Part 3: Certificate Chain Implementation"
Hope it helps
Piotr
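The chain-file check Piotr recommends can be rehearsed offline before touching the clientssl profile. The script below is an added example, not code from this thread or from F5: it builds a throwaway test PKI shaped like his layout (Root CA -> Intermediate CA1 -> Intermediate CA2 -> site cert), assembles a chain file in the order he lists (CA2, CA1, Root CA), and uses openssl to confirm that the chain alone lets a client walk from the site certificate up to the root. It also shows the failure mode from the original post: a chain file that omits the issuing intermediate makes the site cert unverifiable, which is exactly what a client reports as Unknown CA. All names are constructed and "vs.example.test" stands in for the VS FQDN; the only tool assumed is the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the DevCentral thread or F5). Builds a constructed
# PKI: root -> ca1 -> ca2 -> vs.example.test, then checks chain files with openssl.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so "openssl req" does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# new_cert NAME PARENT EXTFILE: create a key and CSR for NAME and sign it with
# PARENT (self-signed when PARENT is empty), applying the v3 extensions in EXTFILE.
new_cert() {
  name=$1 parent=$2 ext=$3
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$name.key" -subj "/CN=$name" \
    -out "$name.csr" 2>/dev/null
  if [ -z "$parent" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile "$ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$parent.crt" -CAkey "$parent.key" \
      -CAcreateserial -days 30 -extfile "$ext" -out "$name.crt" 2>/dev/null
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vs.example.test\n' > leaf.ext

new_cert root ""   ca.ext              # well-known Root CA (trusted on the client)
new_cert ca1  root ca.ext              # Intermediate CA1
new_cert ca2  ca1  ca.ext              # Intermediate CA2
new_cert vs.example.test ca2 leaf.ext  # site certificate issued by CA2

# Chain file as it should be attached to the clientssl profile: CA2, CA1, Root CA
cat ca2.crt ca1.crt root.crt > chain.pem
# Broken chain file: CA1 and the root are present but the issuing CA2 is missing
cat ca1.crt root.crt > incomplete.pem

# verify_chain CHAINFILE: succeed only if the site cert chains to the trusted
# root using nothing but the certificates in CHAINFILE (what a client receives).
verify_chain() {
  openssl verify -CAfile root.crt -untrusted "$1" vs.example.test.crt >/dev/null 2>&1
}

# chain_subjects CHAINFILE: print subject and issuer of each certificate in file
# order, the quickest way to spot a missing or misordered intermediate.
chain_subjects() {
  rm -f part*.pem
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("part" n ".pem")}' "$1"
  for f in part*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
    echo
  done
  rm -f part*.pem
}

echo "chain.pem contents (subject -> issuer, in file order):"
chain_subjects chain.pem
if verify_chain chain.pem; then echo "chain.pem: OK"; else echo "chain.pem: FAILED"; fi
if verify_chain incomplete.pem; then
  echo "incomplete.pem: OK"
else
  echo "incomplete.pem: FAILED (client would report Unknown CA)"
fi
```

Against a live virtual server the same idea applies: capture what the LTM actually sends with `openssl s_client -connect host:443 -showcerts` and feed the served intermediates to `openssl verify -untrusted`, since a client such as the iPad only has the certificates it received plus its own root store to work with.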