An invalid or expired certificate was presented by the server
Hi Guys! So we are building a per-app VPN setup using Intune för iOS (iPADOS) units and we pushed out F5 Access app along with Intune F5 Access App which is then configured using F5 Access VPN profile using authentication with certificate which is pushed out to the device from internal CA using connector. Certificates for device is installed fine along side with root and intermediate, the profile in F5 Access app has all the settings correct and the certificate is listed. On server side we also configured everything with access policy for iOS, we have added certificate for root and intermediate for trust and everything looks as it should but we seem to have missed something and are unable to initiate a VPN connection, the device attempts to start a VPN tunnel but failes to do so with error "An invalid or expired certificate was presented by the server" What are we missing? Something with the ceritficates? a setting on device? something on server we missed adding the trust? 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:435, startTunnel(options:completionHandler:), ------------------------------------------------------------ 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:436, startTunnel(options:completionHandler:), Release Version: 3.0.7 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:437, startTunnel(options:completionHandler:), Bundle Version: 3.0.7.402 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:438, startTunnel(options:completionHandler:), Build Date: Mon Sep9 12:13:19 PDT 2019 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:439, startTunnel(options:completionHandler:), Build Type: CM 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:440, startTunnel(options:completionHandler:), Changelist: 3134102 2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:441, startTunnel(options:completionHandler:), Locale: English (Sweden) 2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:442, startTunnel(options:completionHandler:), ------------------------------------------------------------ 2021-05-11,15:36:54:117, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:451, startTunnel(options:completionHandler:), Connection Parameters: Optional("serverAddress: https://ourserver.adress.com, password: , ignorePassword: false, passwordExpirationTimeStamp: -1, passwordReference: not-set, passwordExpired: false, identityReference: set, postLaunchUrl: , webLogon: false, launchedByUriScheme: false, vpnScope: device, startType: manual, deviceIdentity: assignedId: ,instanceId: ,udid: ,macAddress: ,serialNumber: ") 2021-05-11,15:36:54:229, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, AsyncURLRequest.swift:186, urlSession(_:didReceive:completionHandler:), Server certificate can not be trusted. 2021-05-11,15:36:54:233, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, ProfileDownloadOperation.swift:94, main(), Profile download failed: sslInvalidServerCertificate 2021-05-11,15:36:54:236, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, SessionManager.swift:127, logon(connectionParams:completionHandler:), Failed to download Profile Settings...Error:sslInvalidServerCertificate 2021-05-11,15:36:54:237, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:527, startTunnel(options:completionHandler:), Failed to logon Error Domain=f5PacketTunnelProvider Code=0 "An invalid or expired certificate was presented by the server" UserInfo={NSLocalizedFailureReason=Error Domain=PacketTunnel.AsyncURLRequestError Code=5 "An invalid or expired certificate was presented by the server", NSLocalizedDescription=An invalid or expired certificate was presented by the server} 2021-05-11,15:36:54:238, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:383, displayMessageIfUIVisible, An invalid or expired certificate was presented by the server Any thoughts be much appreciated! Thanks in advance Alex
Windows BIG-IP Edge Client cannot verify certificate revocation information
Hi, I have the local Windows firewall on for my test machine ONLY allows access to the IP address of the SSL VPN. This all works fine. However the Windows BIG-IP Edge Client cannot verify certificate revocation information. The funny thing is, Internet Explorer can and doesnt give me any warnings. I've tried making it a trusted site, installing the certificate. I just don't know why IE can check it/trust it, but the Edge Client can't?
Select clientssl profile based on uri pattern
Hello everyone, I need some help with this scenario. I've found similar questions and suggestions from devcentral memebers but I'm stuck and haven't been able to come up with a solution. I have an API Management solution published through a single Virtual Server in my BigIP. There are several API's present on this solution and I would like to enforce client authentication with SSL\TLS certificates, but requiring a specific certificate depending on which API they will be requesting. In other words, if I have a single VS where I if the request is to: myapidomain.com/api-companyA, then I want to request the client certificate of Company A if the request is to: myapidomain.com/api-companyB, , then I want to request the client certificate of Company B if the request is to: myapidomain.com/general-public-api, then I don't want to use client authentication, just present the server certificate I think that it all comes down to choosing a different clientssl profile based on the uri pattern, but: I can only inspect the http request after the TLS negotation has been completed using the default ssl profile of the VS I cannot use the command to change the ssl profile inside the HTTP REQUEST event I have seen some related questions where they suggest to do something like this. But they are changing the current ssl profile to request client authentication, instead of changing the ssl profile. For testing purposes, I have setup two client ssl profiles, each of them requiring client authentication but using different self signed certificates. when HTTP_REQUEST { switch -glob [HTTP::path] { "/api-companyA" { HTTP::collect SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate // Another post suggested using SSL::profile here to change the profile, but it is not allowed inside HTTP REQUEST } "/api-companyB" { HTTP::collect SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate } } } Would it be possible to use a flag variable for this? For example, start with a default value, change it within the HTTP_REQUEST event based on the URI, force an SSL\TLS renegotiation and then in a CLIENT_ACCEPTED event use the value of that variable to set the profile? I tried something like this but it seems that the CLIENT_ACCEPTED method does not fire after the SSL::renegotiate command is issued. when RULE_INIT { set ::count 0 } when CLIENT_ACCEPTED { if{$::count == 1} { SSL::profile profile_with_client_authentication_companyA } } when HTTP_REQUEST { switch -glob [HTTP::path] { "/supervielledev/public-partners/myloopbackapi" { set ::count 1 SSL::renegotiate } "/supervielledev/public-partners/myotherloopbackapi" { set ::count 2 SSL::renegotiate } } } Thanks in advance.Somehow corrupt SSL-files
Hi there, we have some strange behavior with some of our uploaded SSL-files (under System->File Management->SSL Certificate List). They will be correctly displayed on the overview list page, but if you click on it, the Certificate-tab shows "No certificate". And if you then click on the Key-tab, it just displays the error: "An error has occured while trying to process your request." If I check the filestore folder, I can see the corresponding entries in the certificate_d and certificate_key_d subfolder. Deleting these entries is also not possible. Here I get the error: "01020036:3: The requested Certificate File (/<partition-name>/<certificate-name>.crt) was not found." What's the reason for this? Is there any other reference to these configuration objects, other than in the bigip.conf file? How can I fix/delete these files manually? Fyi: this is running on 12.1.5.2 Thank you! Ciao Stefan :)
Does server ssl profile check a web-server certificate validity ?
Hi :) I would like to know if a self created ssl server profile can check if some web-servers pool have valid certificate. I have a full proxy, client side works properly and server side also with default serverssl profile. But now we would like to create our own server ssl profile to validate web-servers certificates (if it's ok or if it's "insecure"). In server ssl profile we configure this options: Server Certificate: Require Untrusted Certificate Response Control: Drop The last option is "Trusted Certificate Authorities" that we have to specify CA of endpoint or a chain/bundle. We tried to add all CA (root+intermediate+server) in a bundle but fails, also try to put (root+intermediate) in the server profile but fails again. Finally try to put only "server" CA in the server profile but fails also. How we can accomplish this goal ? Thanks, Eric
Wildcard Certificates
We are looking at using a wildcard certificate going forward. I see where I can import the certs in Big IP and that it will except a PKCS 12 IIS cert and convert it to PEM for me. My question is when I export the cert from IIS I am also supposed to export the private key. When Importing to the F5 is the cert and key two separate imports or will it get the private key when I import the PKCS cert? I noticed in the import options there is an option just for a key. The only documentation I have found so far on wildcard certs is SOL6823. Thanks,Basic Machine Cert inspection in APM Policy
Hi Guys Just a newbie question here I guess. I need to setup a basic Machine Cert Auth action in my access policy. I've read the documentation but it just describe it, just not naming conventions etc. I've checked my PC and I get a valid machine certificate and its stored in Certificates (Local Computer)\Personal\Certificates. Its a valid machine cert issued to the machine with the correct FQDN and issued by my Subordinate CA. In the Machine Cert Auth action, I'm not sure what to name the Certificate Store. I've tried personal and personal\certificates but I'm not sure if its actually finding the certificate. Certificate Store Location is LocalMachine. CA Profile is /Common/certificateauthority (all default settings - can't seem to select a valid CA cert inside this profile it just keeps resetting to none) OCSP Responder is None Certificate Match Rule SubjectCN Match FQDN It doesnt need to be fancy just yet. All I want it to do is check that it has a valid machine cert issued from our internal CA and that it hasn't expired. THen it passes on to the next auth method. No idea where to start really, the only error I can see if the reports is machinecert_auth_ag.result -2 I can't even tell if the policy is finding the certificate. HELP!? :)
