Forum Discussion

Herman2024, Jan 06, 2025

Why did device certificate verification fail when the device certificate is not expired?

Hi, we have some GTM/DNS devices. One of them, DNS01, is shown as down, and the error message is shown below.

SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)

The device certificate of DNS01 is still not expired, and I can ping the DNS01 external physical interface IP from the other DNS nodes. On DNS01, the other DNS nodes are shown as online. Can someone please advise what the possible cause is? Would restarting big3d on DNS01 resolve the issue? Thanks in advance!

  • Jeffrey_Granier: Hello Herman2024, GTM iQuery depends upon valid certificates. This reference article, Overview of BIG-IP device certificates (11.x - 16.x), will go into details for Trusted Device Certificates as well as Trusted Server Certificates (DNS).

    Device Cert Location ---> "Configuration Utility: Device Certificates" (System > Certificate Management > Device Certificate Management > Device Certificate | Device Key)

    DNS Server Cert Location ---> (DNS > GSLB > Servers > Trusted Server Certificates)

    Check these stores and ensure there aren't any expired certificates etc.

  • Thanks Jeffrey_Granier. I saw there are multiple certificates in the other DNS nodes' "Device Trust Certificates" with the same serial number. How can I verify and confirm whether a client certificate belongs to DNS01? I saw that the serial number in some certificates is in a format like a MAC address; I don't know what these certificates are. Please advise, thanks in advance!


    • Herman2024

      Hi Jeffrey_Granier, thanks a lot for your kind advice! Our device certificates and trust certificates do not seem to have expired, so the next step I should take is to restart big3d on the local DNS/GTM and gtmd on the remote DNS/GTM, right? Please advise, thanks.

  • Hi Jeffrey_Granier, thanks for your kind advice! Can I ask one last question: should I remove all expired device trust certificates on the local F5? The remote F5 renewed its device certificate recently. Thanks in advance!

    • Jeffrey_Granier

      Hi Herman2024, before you remove anything please ensure you have a backup/archive of each system saved locally and offline. We do have a KB article on cert cleanup on DNS systems: Identify Duplicate and Expired SSL Certificates for BIG-IP DNS/GTM. Before you remove any expired certificates, make sure all of your DNS devices have no sync issues and iQuery is in a good state. This KB article has good advice on maintaining state: Troubleshooting BIG-IP DNS synchronization and iQuery connections (13.x - 17.x).

      From a high level, when working with expired certificates on GTM/DNS systems and iQuery is in a bad state, you would do the following (in a maintenance window):

      Delete expired certs from DNS ›› GSLB : Servers : Trusted Server Certificates
      &
      System ›› Certificate Management : Device Certificate Management : Device Trust Certificates

      Renew self-signed certs

      Run bigip_add <LTMs> and gtm_add <GTMs>