ssl certificate
5 TopicsFailure creating certificate acme challenge 404 error in BIG-IP F5 WAF
We have more than 600 government websites behind the BIG-IP system. We have done almost 60% of certificates created and offloaded.Suddenly we couldn't create any certificate and got the below error. This error not only for one website. Now we can't renew or create a new certificate. We use fanceg/letsencrypt -in GitHub to integrates Let's Encrypt with BigIP (GitHub - fanceg/letsencrypt-bigip). INFO: Using main config file /etc/dehydrated/configProcessing verugal.ds.gov.lk Signing domains... Generating private key... Generating signing request... Requesting new certificate order from CA... Received 1 authorizations URLs from the CA Handling authorization for verugal.ds.gov.lk 1 pending challenge(s) Deploying challenge tokens... Responding to challenge for verugal.ds.gov.lk authorization... Cleaning challenge tokens... Challenge validation has failed : ( ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01" ["status"] "invalid" ["error","type"] "urn:ietf:params:acme:error:unauthorized" ["error","detail"] "Invalid response fromhttp://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE1[43.224.124.166]: 404" ["error","status"] 403 ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response fromhttp://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE1[43.224.124.166]: 404","status":403} ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12995442889/eoq1dQ" ["token"] "CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE" ["validationRecord",0,"url"] "http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE1" ["validationRecord",0,"hostname"] "verugal.ds.gov.lk" ["validationRecord",0,"port"] "80" ["validationRecord",0,"addressesResolved",0] "43.224.124.166" ["validationRecord",0,"addressesResolved"] ["43.224.124.166"] ["validationRecord",0,"addressUsed"] "43.224.124.166" ["validationRecord",0] {"url":"http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE","hostname":"verugal.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"} ["validationRecord"] [{"url":"http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE","hostname":"verugal.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"}] ["validated"] "2021-05-10T04:46:36Z") Processing vrc.bopepoddala.ds.gov.lk Signing domains... Generating private key... Generating signing request... Requesting new certificate order from CA... Received 1 authorizations URLs from the CA Handling authorization for vrc.bopepoddala.ds.gov.lk 1 pending challenge(s) Deploying challenge tokens... Responding to challenge for vrc.bopepoddala.ds.gov.lk authorization... Cleaning challenge tokens... Challenge validation has failed : ( ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01" ["status"] "invalid" ["error","type"] "urn:ietf:params:acme:error:unauthorized" ["error","detail"] "Invalid response fromhttp://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y[43.224.124.166]: 404" ["error","status"] 403 ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response fromhttp://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y[43.224.124.166]: 404","status":403} ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12995448812/pq_1KA" ["token"] "v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y" ["validationRecord",0,"url"] "http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y" ["validationRecord",0,"hostname"] "vrc.bopepoddala.ds.gov.lk" ["validationRecord",0,"port"] "80" ["validationRecord",0,"addressesResolved",0] "43.224.124.166" ["validationRecord",0,"addressesResolved"] ["43.224.124.166"] ["validationRecord",0,"addressUsed"] "43.224.124.166" ["validationRecord",0] {"url":"http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y","hostname":"vrc.bopepoddala.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"} ["validationRecord"] [{"url":"http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y","hostname":"vrc.bopepoddala.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"}] ["validated"] "2021-05-10T04:46:58Z") Can anyone help me out with this issue? Are there any process changes or updates in letsencrypt site or BIG-IP intigrations? Due to this lots of government websites affected!2.2KViews0likes1CommentSSL Certificate : Can we have CN and SAN name field each with different URL names ?
Hi Mates , I have one doubt related to SAN certificate , Can you please help me understand . If we configure a certificate with CN : tech.support.ca-consumer.ab-cd.xyzand add only tech.support.ca-consumer.local in SAN , will the URL for tech.support.ca-consumer.ab-cd.xyzworks or we get certificate error ? CN : tech.support.ca-consumer.ab-cd.xyz SAN : DNS:tech.support.ca-consumer.localSolved2KViews0likes4CommentsSSL certificate export greyed out !
Hi, I tried to export an SSL certificate from the Traffic Certificate list clicking on the Cert but the export button and all other buttons under the Cert and all other certs are greyed out, I'm using Admin user with full access, anyone encountered this issue before ? Regards, -AbdelSolved999Views0likes2CommentsBig IQ Cert Renewal: Unmanaged LTM and Certs
Hello, We have recently installed/configured Big IQ in our environment and have imported our LTMs but they are still unmanaged. We have a SSL certificate that needs to be renewed and I am not sure the best practice for that. I am new to Big IQ so want to know, should I: 1.renew the cert directly only the LTM and then rediscover/reimport that LTM? a. is the rediscover/reimport needed? 2. import the SSL cert into Big IQ and then deploy down to the LTM (even though the LTM is unmanaged)? b. how is this done if this is the better option? Thanks in advance! Diane422Views0likes0CommentsCA issued device SSL certificate assistance needed
BLUF - CA signed device certificate is required. The built in GUI generated certificate request (.req) is missing info required by the CA. The plain vanilla OpenSSL generated .req is missing info required by the CA. OpenSSL seems to be the way to go. How to add/specify the "Key Usage" and "Extended Key Usage" attributes/parameters to an openSSL generated certificate .req. It will look like: KeyUsage = <hex value> and EnhancedKeyUsageExtension OID=x.x.x.x.x.x.x.x.x Changing CA is not an option. Using a self-signed certificate is not an option. Thanks in advance416Views0likes0Comments