Forum Discussion
Why does the device certificate verification fail when the device certificate is not expired?
Hi, we have some GTM/DNS devices. One of them, DNS01, is shown as down, and the error message is shown below.
SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)
The device certificate of DNS01 is still not expired, and the DNS01 external physical interface IP can be pinged from the other DNS nodes. On DNS01, the other DNS nodes are shown as online. Can someone please advise what the possible cause is? Can restarting big3d on DNS01 resolve the issue? Thanks in advance!
Hello Herman2024, GTM iQuery depends upon valid certificates. This reference article, Overview of BIG-IP device certificates (11.x - 16.x), goes into detail on Trusted Device Certificates as well as Trusted Server Certificates (DNS).
Device Cert Location ---> "Configuration Utility: Device Certificates" (System > Certificate Management > Device Certificate Management > Device Certificate | Device Key)
DNS Server Cert Location ---> (DNS > GSLB > Servers > Trusted Server Certificates)
Check these stores and ensure there aren't any expired certificates etc.
- Herman2024 (Cirrus)
Hi Jeffrey_Granier, thanks for your kind advice! Can I ask one last question: should I remove all expired device trust certificates on the local F5? The remote F5 renewed the device certificate recently. Thanks in advance!
- Jeffrey_Granier (Employee)
Hi Herman2024, before you remove anything, please ensure you have a backup/archive of each system saved locally and offline. We do have a KB article on cert cleanup on DNS systems: Identify Duplicate and Expired SSL Certificates for BIG-IP DNS/GTM. Before you remove any expired certificates, make sure all of your DNS devices have no sync issues and iQuery is in a good state. This KB article has good advice on maintaining state: Troubleshooting BIG-IP DNS synchronization and iQuery connections (13.x - 17.x).
From a high level, when working with expired certificates on GTM/DNS systems and iQuery is in a bad state, you would do the following (in a maintenance window):
Delete expired certs from DNS ›› GSLB : Servers : Trusted Server Certificates
&
System ›› Certificate Management : Device Certificate Management : Device Trust Certificates
Renewed self-signed certs
Run bigip_add <LTMs> and gtm_add <GTMs>
- Herman2024 (Cirrus)
Thanks Jeffrey_Granier. I saw there are multiple certificates in the other DNS nodes' "Device Trust Certificate" store with the same serial number. How do I verify and confirm whether one client certificate belongs to DNS01? I saw the serial number in some certificates is in a format like a MAC address; I don't know what these certificates are. Please advise, thanks in advance!
- Herman2024 (Cirrus)
Hi Jeffrey_Granier, thanks a lot for your kind advice! Our device certificates and trust certificates do not seem to be expired, so the next step I should take is to restart big3d on the local DNS/GTM and gtmd on the remote DNS/GTM, right? Please advise, thanks.
- Jeffrey_Granier (Employee)
Hello, you will have to make sure the certificate trust store is up to date. See:
SSL routines:ssl3_get_server_certificate:certificate verify failed
&
Error Message: SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
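As an added example, not code from this thread or from F5, the stdlib-only Python script below does the two checks the thread keeps circling: it reads serial, validity window, subject CN and SHA-256 fingerprint out of PEM/DER certificates, audits a trust-store bundle for expired entries and for serial numbers shared by more than one entry, and confirms by fingerprint whether the certificate a peer actually presents is in the local store. The certificates it works on are constructed, unsigned stand-ins built inside the script; the node names DNS01 to DNS03, the serial values and the date used as "now" are assumptions. The scenario it encodes is the one described above: the remote device renewed its certificate, every entry in the local trust store is still unexpired, and the handshake still fails because the store holds the old certificate rather than the new one.

```python
"""Audit a BIG-IP style certificate trust store and check a peer's current cert against it.
Constructed example only: the certificates below are unsigned skeletons, not real device certs."""
import base64
import datetime
import hashlib
import re

CN_OID = b"\x55\x04\x03"  # DER encoding of id-at-commonName (2.5.4.3)


def der(tag, payload):
    """Encode one DER TLV using definite-length form."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def children(buf):
    """Split the contents of a constructed DER value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(value.decode(), fmt).replace(tzinfo=datetime.timezone.utc)


def common_name(name_der):
    """Return the CN attribute of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == CN_OID:
                return value[1].decode()
    return None


def parse_certificate(cert_der):
    """Extract the fields that matter for a trust-store audit from one DER certificate."""
    tbs = children(children(cert_der)[0][1])[0][1]  # Certificate -> tbsCertificate contents
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first when present
        fields = fields[1:]
    serial_bytes = fields[0][1]  # then: serial, signature alg, issuer, validity, subject, spki
    not_before, not_after = [parse_time(t, v) for t, v in children(fields[3][1])]
    return {
        # Colon-separated hex is how `openssl x509 -text` prints a serial, so a six-byte
        # serial looks exactly like a MAC address.
        "serial_hex": ":".join(f"{b:02x}" for b in serial_bytes),
        "not_before": not_before,
        "not_after": not_after,
        "subject_cn": common_name(fields[4][1]),
        "fingerprint": hashlib.sha256(cert_der).hexdigest(),
    }


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_bundle_to_ders(text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_trust_store(bundle_pem, now):
    """Flag expired entries and serials shared by more than one entry; returns (certs, findings)."""
    certs = [parse_certificate(d) for d in pem_bundle_to_ders(bundle_pem)]
    findings, by_serial = [], {}
    for c in certs:
        by_serial.setdefault(c["serial_hex"], []).append(c["subject_cn"])
        if c["not_after"] < now:
            findings.append(("expired", c["subject_cn"], c["serial_hex"]))
    findings += [("duplicate_serial", tuple(cns), s) for s, cns in by_serial.items() if len(cns) > 1]
    return certs, findings


def peer_cert_is_trusted(peer_der, bundle_pem):
    """True only if the exact certificate the peer presents (same fingerprint) is in the store.
    A renewed cert has a new fingerprint, so a store that was never refreshed fails this even
    though none of its entries is expired: that is the 'certificate verify failed' case."""
    fp = hashlib.sha256(peer_der).hexdigest()
    return any(c["fingerprint"] == fp for c in map(parse_certificate, pem_bundle_to_ders(bundle_pem)))


def toy_cert(cn, serial, not_before, not_after):
    """Constructed, unsigned certificate skeleton (signature and key are placeholder bytes)."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    utc = lambda dt: der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + serial_der + alg + name
              + der(0x30, utc(not_before) + utc(not_after)) + name
              + der(0x30, alg + der(0x03, b"\x00")))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


# Constructed scenario (assumed names, serials and date, not data from the thread).
NOW = datetime.datetime(2024, 6, 1, tzinfo=datetime.timezone.utc)
Y = lambda y: datetime.datetime(y, 1, 1, tzinfo=datetime.timezone.utc)
BASE = 0x0A1B2C3D4E5F
OLD_DNS01 = toy_cert("DNS01", BASE, Y(2022), Y(2025))      # entry the local store still holds
NEW_DNS01 = toy_cert("DNS01", BASE + 1, Y(2024), Y(2027))  # renewed cert DNS01 now presents
EXPIRED_DNS02 = toy_cert("DNS02", BASE + 2, Y(2020), Y(2023))
DUP_DNS03 = toy_cert("DNS03", BASE, Y(2022), Y(2025))      # same serial as OLD_DNS01
LOCAL_STORE = "".join(to_pem(c) for c in (OLD_DNS01, EXPIRED_DNS02, DUP_DNS03))

if __name__ == "__main__":
    certs, findings = audit_trust_store(LOCAL_STORE, NOW)
    for c in certs:
        print(c["subject_cn"], c["serial_hex"], c["not_after"].date(), c["fingerprint"][:16])
    print(findings)
    print("renewed DNS01 cert present in local store:", peer_cert_is_trusted(NEW_DNS01, LOCAL_STORE))
```

To run this against a real system, replace LOCAL_STORE with the PEM text exported from the Device Trust Certificates location Jeffrey_Granier listed and NEW_DNS01 with the DER of the certificate the remote device currently presents; a serial shared by two entries usually means the same node's certificate was imported twice, while a fingerprint miss with nothing expired points at an out-of-date store rather than at big3d or gtmd.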