I onboarded an application "https://xyz.com:5555" and applied client and server SSL profiles to it. However, when requests are made to the API, it throws an error "http_request_failed" along with "cURL error 60: SSL certificate problem: unable to get local issuer certificate". Once we shift traffic directly to the server, the issue can no longer be seen. Kindly let me know where I could be going wrong.
09-May-2022 07:29 - edited 09-May-2022 07:31
Have you googled what the errors mean for curl, not F5? There is a lot of info on the internet. Maybe the API client system does not have the CA cert that F5 uses, or the intermediate cert is not attached to the F5 SSL profile:
F5 CA chain:
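An added example, not code from the thread or from F5, to make the second possibility concrete: a throwaway three-tier PKI built with the openssl CLI (the names Example Root CA, Example Intermediate CA and the xyz.com subject are constructed for this example) and a verify step that behaves like an OpenSSL-based client such as curl with the root CA installed. It assumes openssl is on PATH. When the server side (the VIP in the thread) presents the leaf certificate without the intermediate that issued it, verification fails with the exact OpenSSL reason curl wraps as error 60; once the intermediate is sent alongside the leaf, the same client with the same trust store succeeds.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the OpenSSL reason behind
# curl "error 60 ... unable to get local issuer certificate" when a server
# (standing in for the F5 VIP) sends its leaf certificate without the
# intermediate CA that issued it, then show the same client succeeding once
# the intermediate is served with the leaf.
# All names (Example Root CA, Example Intermediate CA, xyz.com) are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config so the throwaway PKI does not depend on the
# system openssl.cnf: one CA extension set and one server-leaf extension set.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:xyz.com
EOF

# Root CA: this is the only thing the API client trusts (think curl --cacert).
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 30 -config ca.cnf -extensions v3_ca -subj "/CN=Example Root CA" 2>/dev/null

# Intermediate CA, issued by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -config ca.cnf -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.cnf -extensions v3_ca 2>/dev/null

# Leaf (server) certificate for xyz.com, issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -config ca.cnf -subj "/CN=xyz.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile ca.cnf -extensions v3_leaf 2>/dev/null

# chain_status LEAF [INTERMEDIATES]
# Verifies LEAF the way an OpenSSL-based client does: the trust store holds
# only root.pem, and INTERMEDIATES (if given) play the role of the extra
# chain certificates the server sends in its Certificate message.
# Prints "OK", the OpenSSL reason string behind curl error 60, or (for any
# other failure) the raw output of openssl verify.
chain_status() {
  leaf=$1
  if [ -n "$2" ]; then set -- -untrusted "$2" "$leaf"; else set -- "$leaf"; fi
  if out=$(openssl verify -CAfile root.pem "$@" 2>&1); then
    echo "OK"
  else
    echo "$out" | grep -m1 -o "unable to get local issuer certificate" || echo "$out"
  fi
}

echo "leaf only (intermediate not attached on the server side): $(chain_status leaf.pem)"
echo "leaf + intermediate (chain attached):                       $(chain_status leaf.pem int.pem)"
```

The two runs map onto the two places the post points at: the -CAfile is the client's trust store, and the -untrusted file is the intermediate that has to be attached to the SSL profile on the VIP. Against the real VIP, `openssl s_client -connect xyz.com:5555 -showcerts` lists what the profile actually sends; if only the leaf shows up, the intermediate is missing on the F5 side and the error reproduces no matter which root the client has installed. The example leaves its files in a temporary directory for inspection.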
Thank you for the details Nikoolayy. The certificate is available at the API client end, and we also have the required certificates under the SSL profile attached to the VIP.
The application works fine once we direct the traffic directly to the server. The issue arises when the WAF is in the picture and OTP requests are made.
Thank you once again for your input.
10-May-2022 07:38 - edited 10-May-2022 07:40
If you have other F5 modules like WAF or APM for OTP, in some rare cases they can cause issues, as the F5 APM and ASM can be controlled with layered virtual servers to define how they work with each other and which module comes first, and the F5 ASM needs to be bypassed for F5 APM remote VPN to work if you are using this. Also check the SSL handshake logs on the F5 device and, if needed, enable SSL handshake debug (it should be enabled by default on 13.1 and newer), as F5 in many cases can better tell you why the handshake fails, for example an SSL client certificate authentication failure, etc., and whether features like ask proxy, etc. are enabled on the client SSL profile. Just for info, you are not using machine certificate authentication to the F5 APM on the REST API clients, right? I saw something about that.
Also, we are not using machine certificate authentication.
@Gajji The API is used to get the OTP. Yes, it works fine once the WAF is bypassed; the error screenshot is attached to the initial post.
As of now it is not possible to take a tcpdump, as traffic is bypassed.
1) Client certificate: does it contain the chain certificate (including root), or did you just install the cert?
2) On the client and server side, are both using self-signed certs?
3) WAF bypassed: when the WAF is enabled, do you see any error with a support ID or source IP?