What Certificates should be where? GSLB Trust Certificates vs Device Trusted Certificates
Hi All, My setup consists of two DC's with Two GTM's (Active/Standby) and Two LTM's (Active/Standby) in each DC. Within the GSLB Trusted Certificate Store, there are certs for each others devices, which I believe is the correct setup. (Each device has 8 certs, of its other devices)… However I am not sure about what should be in the "System - Certificate Management - Device Certificate Management - Device Trust Certificates store. (This is a bit of a mess, some devices have each others, some don't etc. Would like to have this cleaned up. For ease of description will refer to items as the following : - DC1GTMA - DC1 Active GTM DC1GTMS - DC1 Standby GTM DC1LTMA - DC1 Active LTM DC1LTMS - DC1 Standby LTM DC2GTMA - DC2 Active GTM DC2GTMS - DC2 Standby GTM DC2LTMA - DC2 Active LTM DC2LTMS - DC2 Standby LTM The four GTM's are in a device sync group "DNS - Settings - GSLB - General"...so when you make a change on one GTM, its replicated across all of them. Would this come under IQUERY and thus come under the GSLB Trusted Certificate store, or is this under the Device Trust Store? Hope the above makes sense. Thanks
Problem with C3D - Client Certificate Constrained Delegation
Hi all, We have been using C3D in a public facing web app several years now having no issues. Clients use their certificates from many different CAs to login into the app and when somebody has a certificate from a different CA we add that CA to a list of trusted and allowed CAs that users can use certificates to log in form. The internal CA that we use to forge client certificates and pass them to the node uses sha256RSA as sign algorithm and sha256 as hash signature algorithm. We had to add a new allowed CA that client will use certificates to connect from but uses sha512ECDSA as sign algorithm and sha512 as hash signature algorithm and when someone uses a client certificate of this CA to try to connect to our application TLS connection breaks with "Alert (Level: Fatal, Description: Handshake Failure)" ¿Has anyone enncountered a similar issue? Thank you.INFORM: Entrust CA will be untrusted in Chrome after Oct 31, 2024
If you manage certs from Entrust in your environment, this will impact your Google Chrome users, so intermediate certs will likely need to be bundled to handle this in your clientssl profiles OR if you control all the clients you can assure that explicit trust in the clients is enabled for Entrust CAs. Google details on the situation
Unable to login with Certificate Manager local user
I've created a local user account with the Certificate Manager role on All partitions - and have enabled tmsh access. However, when I attempt to login with this account - either GUI or SSH - I am receiving a login failed message. We don't have any password enforcement in place and access restrictions are tied to the RFC1918 address space, so that is not coming into play. We have remote auth (TACACS) enabled with fallback to local and other local accounts are able to login successfully. Thoughts? Version: 17.1.1.2 Username - cert-mgr Role - Certificate Manager Partition: All Terminal Access: tmsh Wed Sep 11 10:51:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 10:51:18 2024" end="Wed Sep 11 10:51:20 2024").: Wed Sep 11 11:00:20 CDT 2024 cert-mgr 0-0 httpd(pam_audit): User=cert-mgr tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Wed Sep 11 11:00:18 2024" end="Wed Sep 11 11:00:20 2024").:
Create a CSR and Key using the BigIP LTM GUI when renewing a certificate
Hi, I use the F5 Bigip LTM to create CSR's and Keys. I submit the CSR to our public CA to obtain the Certificate and then import the generated certificate to the F5. I use the F5 Certificate Management GUI as a database for all of our Public Certificates (as they are all in use in our SSL profiles). All this is good, however after 13 months when it is time to renew the certificate, I use the F5 GUI to renew the CSR. The problem is that the GUI does not allow me to create a new key when using the "Renew" option. I could use other command line tools for this, but it would be easier to manage in the F5 GUI. Does anyone know if there is a way to renew a certificate from the F5 GUI and have it create a new Key? For example click on "System / Certificate Management". Then click on a Public CA Certificate and click "Renew". Fill out the required fields and have it generate a new key. Any advice is appreciated.
BIGIP device certificate - Ansible Error
Hi, I am trying to use bigip Ansible module for managing self-signed device certificates `bigip_device_certificate` Here is the snippet of task: - name: Device HTTPs certificate bigip_device_certificate: cert_name: "server.crt" key_name: "server.key" days_valid: 365 key_size: 4096 force: no new_cert: no issuer: country: "{{ device_cert.issuer_country }}" state: "{{ device_cert.issuer_state }}" organization: "{{ device_cert.issuer_org }}" division: "{{ device_cert.issuer_division }}" email: "{{ device_cert.issuer_email }}" locality: "{{ device_cert.issuer_locality }}" common_name: "{{ device_cert.common_name }}" provider: server: "{{ ansible_host }}" user: "{{ bigip_username }}" password: "{{ bigip_password }}" transport: cli server_port: 22 ssh_keyfile: ~/.ssh/id_rsa delegate_to: localhost So, the certificate on bigip isn't expired. But, for some reason, the above task fails for one of the devices (have two - worked on 1 of them) with below error: "/tmp/ansible_bigip_device_certificate_payload_lazf97h6/ansible_bigip_device_certificate_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_device_certificate.py\", line 452, in expired\nTypeError: '>' not supported between instances of 'int' and 'NoneType'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1 } I tried toggling the values for `force` and `new_cert` without any success. As per the error , seems something fails at `bigip_device_certificate.py` line 452. Below is the snippet of function around it: def expired(self): self.have = self.read_current_certificate() current_epoch = int(datetime.now().timestamp()) if current_epoch > self.have.epoch: return True return False Any ideas?An invalid or expired certificate was presented by the server
Hi Guys! So we are building a per-app VPN setup using Intune för iOS (iPADOS) units and we pushed out F5 Access app along with Intune F5 Access App which is then configured using F5 Access VPN profile using authentication with certificate which is pushed out to the device from internal CA using connector. Certificates for device is installed fine along side with root and intermediate, the profile in F5 Access app has all the settings correct and the certificate is listed. On server side we also configured everything with access policy for iOS, we have added certificate for root and intermediate for trust and everything looks as it should but we seem to have missed something and are unable to initiate a VPN connection, the device attempts to start a VPN tunnel but failes to do so with error " An invalid or expired certificate was presented by the server" What are we missing? Something with the ceritficates? a setting on device? something on server we missed adding the trust? 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:435, startTunnel(options:completionHandler:), ------------------------------------------------------------ 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:436, startTunnel(options:completionHandler:), Release Version: 3.0.7 2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:437, startTunnel(options:completionHandler:), Bundle Version: 3.0.7.402 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:438, startTunnel(options:completionHandler:), Build Date: Mon Sep 9 12:13:19 PDT 2019 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:439, startTunnel(options:completionHandler:), Build Type: CM 2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:440, startTunnel(options:completionHandler:), Changelist: 3134102 2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:441, startTunnel(options:completionHandler:), Locale: English (Sweden) 2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:442, startTunnel(options:completionHandler:), ------------------------------------------------------------ 2021-05-11,15:36:54:117, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:451, startTunnel(options:completionHandler:), Connection Parameters: Optional("serverAddress: https://ourserver.adress.com, password: , ignorePassword: false, passwordExpirationTimeStamp: -1, passwordReference: not-set, passwordExpired: false, identityReference: set, postLaunchUrl: , webLogon: false, launchedByUriScheme: false, vpnScope: device, startType: manual, deviceIdentity: assignedId: ,instanceId: ,udid: ,macAddress: ,serialNumber: ") 2021-05-11,15:36:54:229, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, AsyncURLRequest.swift:186, urlSession(_:didReceive:completionHandler:), Server certificate can not be trusted. 2021-05-11,15:36:54:233, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, ProfileDownloadOperation.swift:94, main(), Profile download failed: sslInvalidServerCertificate 2021-05-11,15:36:54:236, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, SessionManager.swift:127, logon(connectionParams:completionHandler:), Failed to download Profile Settings...Error:sslInvalidServerCertificate 2021-05-11,15:36:54:237, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:527, startTunnel(options:completionHandler:), Failed to logon Error Domain=f5PacketTunnelProvider Code=0 "An invalid or expired certificate was presented by the server" UserInfo={NSLocalizedFailureReason=Error Domain=PacketTunnel.AsyncURLRequestError Code=5 "An invalid or expired certificate was presented by the server", NSLocalizedDescription=An invalid or expired certificate was presented by the server} 2021-05-11,15:36:54:238, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:383, displayMessageIfUIVisible, An invalid or expired certificate was presented by the server Any thoughts be much appreciated! Thanks in advance AlexSomehow corrupt SSL-files
Hi there, we have some strange behavior with some of our uploaded SSL-files (under System->File Management->SSL Certificate List). They will be correctly displayed on the overview list page, but if you click on it, the Certificate-tab shows "No certificate". And if you then click on the Key-tab, it just displays the error: "An error has occured while trying to process your request." If I check the filestore folder, I can see the corresponding entries in the certificate_d and certificate_key_d subfolder. Deleting these entries is also not possible. Here I get the error: "01020036:3: The requested Certificate File (/<partition-name>/<certificate-name>.crt) was not found." What's the reason for this? Is there any other reference to these configuration objects, other than in the bigip.conf file? How can I fix/delete these files manually? Fyi: this is running on 12.1.5.2 Thank you! Ciao Stefan :)
