Forum Discussion
Excuse my delay. Pardon me... instead of replying back I was writing answer. Organized mess :)
@syslog:~$ openssl s_client -connect 10.5.29.11:443
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = XX, ST = XX, L = XX, O = X Y Z, XX = *.abc.com
verify return:1
---
Certificate chain
0 s:/C=xxxxx/CN=*.abc.com
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
---
Server certificate
Server public key is 4096 bit
Verify return code: 0 (ok)
syslog:~$ openssl s_client -connect 10.5.15.120:443
CONNECTED(00000003)
depth=0 C = XX, ST = XX, L = XX, O = xxxxxxx, OU = IT, CN = *.abc.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = XX, ST = XX, L =XX, O = xxxxxxxx, OU = IT, CN = *.abc.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=xx/ST=xx/L=xx/O=xxxxxxxx/OU=IT/CN=*.abc.com
i:/DC=com/DC=domain/CN=COLOCAL-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
subject=/C=XXXXXXXX/OU=IT/CN=*.abc.com
issuer=/DC=com/DC=domain/CN=COLOCAL-CA
---
No client certificate CA names sent
Server public key is 4096 bit
Verify return code: 21 (unable to verify the first certificate)
---
closed
I am taking the client doing SSL connection request does not have the Local CA cert installed.
Hello,
It looks like an SSL configuration problem on the backend server side, enable SSL log debug on your F5 BIG-IP .
modify /sys db log.ssl.level value Debug
don't forget to disable SSL debug logging after by typing the following command: (modify /sys db log.ssl.level value Warning)
Also start a SSL Dump to monitor all SSL trafifc (https://support.f5.com/csp/article/K10209)
With all this, you will have more information about SSL traffic and you may have more insight into the problem you are facing.