ssl profile
23 Topics

SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side
We have a client reporting a problem connecting to one of our endpoints after they upgraded their appliance that uses SSL 3.0.7. I've read around a little and I believe this is in relation to the recent security issue announced by OpenSSL. Their device, I believe, uses an IBM APIConnect Gateway. The error they are getting with the connection since the upgrade happened is the following (IP and gtid obfuscated for security):

    May 30 14:08:08 npe-dp-sac-node1 [APIConnect_Gateway][0x8120002f][ssl][error] ssl-client(bsc_dev2_tlsp-tls-client-profile-defaultV1.0.0): trans(4705632)[10.10.10.10] gtid(#################): TLS library error: error:141E3152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled

I'm concerned, after digging around, that our F5 might not be ready or set up to accept traffic from devices that have been updated with this new version of SSL 3.0.7. I am the SME for the F5 support at our company and I don't have a lot of experience on this end of the configuration. Is there something we need to do on the F5 to safely allow this traffic?

[Solved]

Machine Cert Auth Error - unable to get local issuer certificate
Hi, I've read through quite a few forum posts related to this error but couldn't find anything specific to my issue. I have several machines I have been testing my APM policy with; however, one is now failing. We use machine certs via our internal PKI. I've tried deleting its machine cert and enrolling it again. I've tried deleting its root/sub and installing them again. The certificate store matches my other working hosts. I've tried rebooting the machine and even the F5. Lastly, I've exported the failing machine's root and sub and created its own SSL profile to compare against on the F5, with no luck. It wasn't initially failing and I have not made any changes to the machine. The error I receive for session data is below:

    06507f43.session.check_machinecert.auth_ag.nonce 28 ZDJQVjBiV3BqY05oWVhqTTdIdU4=
    06507f43.session.check_machinecert.auth_ag.result 1 0
    06507f43.session.check_machinecert.auth_ag.signature_verified 1 1
    06507f43.session.check_machinecert.last.certificate_revoked 1 0
    06507f43.session.check_machinecert.last.certificate_verified 1 0
    06507f43.session.check_machinecert.last.error_message 103 X509_verify_cert failed: error : 20 at depth 0, error message:unable to get local issuer certificate
    06507f43.session.check_machinecert.last.result 1 0
    06507f43.session.check_machinecert.last.signature_verified 1 1

Edit SSL Profile fails with "apiError":26214401
I am trying to edit a server-ssl profile via the REST API to add options. The request fails with HTTP 400:

    {"code":400,"message":"\"{ dont-insert-empty-fragments no-tlsv1.3 }\" unexpected argument","errorStack":[],"apiError":26214401}

The same operation works well with the TMOS shell. The BIG-IP version is 15.1.3. Any suggestions on what could possibly be wrong here?

iRule to choose SSL serverside Profile to use based on HTTP_REQUEST
Hi Folks, I want to think this is possible. I am trying, based on the HTTP_REQUEST and host header, to select the serverside connection's SSL profile. For example, if the host header is abc.example.com I want the serverside SSL profile to be the default serverssl. But if the host header is xyz.example.com then I want the serverside SSL profile to be serverssl-insecure-compatible. The client side connection works fine, and I am also using a wildcard cert for example.com. I've seen a lot of posts on enabling or disabling SSL server profiles, but not about selecting which profile to use. Here is my code thus far:

    when HTTP_REQUEST {
        HTTP::header remove "Accept-Encoding"
        switch [string tolower [HTTP::host]] {
            "abc.example.com" {
                # Server ssl profile select goes here
                pool abc_pool_https
            }
            "xyz.example.com" {
                # Server ssl profile select goes here
                pool xyz_pool
            }
        }
    }

Server-side SSL Failing
Hello everyone. We have a project where we need to provide TLS offload (client-side) and server-side encryption to the back-end web servers. I thought I'd test this out in my lab but seem to be struggling. I have an Apache2 web server configured to serve HTTPS web pages. The certificate presented by the web server is from my lab PKI. Browsing to the server directly from my PC, bypassing the LTM, appears all good. The handshake is successful. Things appear to work. When I introduce the LTM things fail. So far I have created a client-side cert and attached this to a client SSL profile, then to the virtual server. I know this works because if I change the backend web server to plain HTTP, the offload works just fine. I have imported my two PKI certificates (root/sub) and concatenated them as per sol13302, then installed them. I then attach this chain certificate to the server SSL profile under Configuration > Chain. Then attach the SSL profile to the VS. Even after all this, I get the following error: 'Secure Connection Failed'. If I use OpenSSL to test I get the following:

    [root@:Active:Standalone] tmp openssl s_client -connect red-https-server.lab.com:443
    CONNECTED(00000003)
    depth=0 C = UK, ST = London, L = London, O = Lab Inc., OU = IT Dept., CN = blue-https-server.lab.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = UK, ST = London, L = London, O = Lab Inc., OU = IT Dept., CN = blue-https-server.lab.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 C = UK, ST = London, L = London, O = Lab Inc., OU = IT Dept., CN = blue-https-server.lab.com
    verify error:num=21:unable to verify the first certificate
    verify return:1

I understand the error messages; the LTM clearly cannot verify the identity certificate the web server is presenting. If I change the OpenSSL command to use the chain cert, it works:

    [root@:Active:Standalone] tmp openssl s_client -connect red-https-server.lab.com:443 -CAfile /config/filestore/files_d/Common_d/certificate_d/:Common:LAB-CHAIN-CERT.crt_71998_1
    CONNECTED(00000003)
    depth=2 CN = LAB-ROOT-CA
    verify return:1
    depth=1 DC = com, DC = lab, CN = LAB-SUB-CA
    verify return:1
    depth=0 C = UK, ST = London, L = London, O = Lab Inc., OU = IT Dept., CN = blue-https-server.lab.com
    verify return:1
    Verify return code: 0 (ok)

This is really frustrating me as it seems as if, regardless of how I configure the SSL profile, the handshake keeps failing. Anyone have an idea on where I am going wrong? Thank you

SSL Cipher error in ltm logfile "Cipher XX:Y negotiated is not configured in profile <sslprofilename>"
I recently moved an HTTPS Virtual Server from an old LTM (running 9.3.1) to a new pair of load balancers running 11.4.1. This particular Virtual Server is using both a client SSL profile and a server SSL profile, pointing at a pool with a single node. Everything seems to be working with my various browser testing. However, I'm seeing log lines in /var/log/ltm such as the following:

    Nov 7 08:10:33 bigip7 err tmm4[12863]: 01260014:3: Cipher 16:2 negotiated is not configured in profile /Common/MyClientSSLProfile.
    Nov 7 08:21:44 bigip7 err tmm3[12863]: 01260014:3: Cipher 16:2 negotiated is not configured in profile /Common/MyServerSSLProfile.

Both of the above SSL profiles utilize the "DEFAULT" cipher list. So, my assumption is that some clients are hitting this Virtual Server and are presenting a cipher that the DEFAULT cipher list doesn't include. Can anyone decode what the "Cipher 16:2" notation means (there are others: "Cipher 4:3", "Cipher 16:3", "Cipher 4:2", etc.)? Is it specific to the lines you see when you issue "tmm -clientciphers 'DEFAULT'" or "tmm -serverciphers 'DEFAULT'"? I'm not sure that anything is really wrong here, but I am concerned that we might be trashing some SSL connections (doing a tcpdump of the traffic, correlating the times when the above /var/log/ltm errors get logged, then looking up the source IP address and correlating the timestamp to the Apache logfiles shows me most of these hits are to the webserver and doing a "GET /"); clearly not all SSL transactions are throwing the /var/log/ltm errors, just some. Thanks for any insight anyone may have. Joe

[Solved]

...has more than one clientssl/serverssl profiles that is default for SNI
I'm getting this error when applying two ClientSSL profiles to a VS. The first profile (already assigned) has 'Default for SNI' enabled; the second I'm trying to add does not. Any ideas? VE: TMOS v11.3.0 build 3138.0. I've tried removing both profiles and re-adding them, and disabling 'Default for SNI' in both profiles, without success.

Application works externally via F5 but not internally
Hi. One of the applications works fine when accessed externally even though the certificate on the server isn't correct. On the F5, we have added a DigiCert-signed certificate in the client SSL profile and used a server SSL profile, as the server is running an HTTPS service. When accessed internally, the connection is reset and the page doesn't come up. A couple of points to note: when accessed internally, the application is in a different domain than the one it is being tried from, but from the same laptop connected externally, the application works fine. Network-wise, telnet works on 443 from the internal network to the application. I did a packet capture and the SSL handshake seems to be successful between (client and F5) and (F5 and server), and I can see 'application data' sent, but then the client resets the traffic. Not sure why the application access works externally, because the certificate on the server is wrong, and when accessed directly on the server it gives a certificate error.

Does using default clientssl profile disable SSL offload for the VIP?
I have a VIP that is using a client SSL profile with the default (localhost) certificate. My pool members for this VIP have the certificate for this URL. I see the certificate when I access the VIP. I believe that I should receive a certificate error if SSL offloading is enabled on the F5, but I don't see the error. Why is that?

Finding what Certificates are used by what SSL Profiles
Hi, I have a couple of new certificates that will replace existing certificates on the F5. The new certificates will need to have new names and, as a result, the SSL profiles that use the old certificates will need to be updated. My question is, how can I identify what certificates are used by what SSL profiles? The production F5 is managed by a third party so I only have GUI access, no terminal. Thank you in advance.

[Solved]
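For the "Finding what Certificates are used by what SSL Profiles" question above, an added example that is not from the thread and not F5's own tooling: a POSIX shell/awk script that turns saved `tmsh list ltm profile client-ssl` and `tmsh list ltm profile server-ssl` output into a file-to-profile map, so a certificate name can be looked up in reverse to find every profile that references it. It assumes someone with shell access (the third party, in this case) runs the `tmsh list` commands and hands over the text. The listing embedded below is constructed sample data; its profile and file names are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread or from F5.
# Maps certificate, key, chain and CA-bundle files to the client-ssl and
# server-ssl profiles that reference them, from saved tmsh output such as:
#   tmsh list ltm profile client-ssl > clientssl.txt
#   tmsh list ltm profile server-ssl > serverssl.txt
# Someone with shell access produces that text; this script only needs the file.

# Read a tmsh listing on stdin; print "<file><TAB><profile>" pairs, one per line.
# tmsh shows the certificate as top-level cert/key/chain attributes, inside a
# cert-key-chain { ... } block, or both (version dependent), so every occurrence
# is collected and the result is deduplicated. "none" placeholders are skipped.
profile_file_map() {
  awk '
    /^ltm profile (client|server)-ssl / { profile = $4; next }   # header line: name is field 4
    /^}/                                { profile = ""; next }   # closing brace at column 0 ends the profile
    profile != "" && ($1 == "cert" || $1 == "chain" || $1 == "key" || $1 == "ca-file") && $2 != "none" {
      print $2 "\t" profile
    }
  ' | sort -u
}

# Reverse lookup: profiles referencing one file (e.g. /Common/app1.crt), one per line.
profiles_using_file() {
  profile_file_map | awk -v f="$1" '$1 == f { print $2 }'
}

# Constructed sample in the shape of `tmsh list ltm profile client-ssl` /
# `server-ssl` output; names are made up for this example.
SAMPLE_TMSH='ltm profile client-ssl /Common/app1_clientssl {
    app-service none
    cert /Common/app1.crt
    cert-key-chain {
        app1 {
            cert /Common/app1.crt
            chain /Common/digicert-intermediate.crt
            key /Common/app1.key
        }
    }
    chain /Common/digicert-intermediate.crt
    defaults-from /Common/clientssl
    key /Common/app1.key
}
ltm profile client-ssl /Common/app2_clientssl {
    cert /Common/wildcard.example.com.crt
    chain none
    defaults-from /Common/clientssl
    key /Common/wildcard.example.com.key
}
ltm profile server-ssl /Common/backend_serverssl {
    ca-file /Common/lab-chain.crt
    cert none
    chain none
    defaults-from /Common/serverssl
    key none
}'

# Stand-alone run on the sample. With real output, replace the sample with
#   cat clientssl.txt serverssl.txt | profile_file_map
# or, for one certificate,
#   cat clientssl.txt serverssl.txt | profiles_using_file /Common/old-cert.crt
printf '%s\n' "$SAMPLE_TMSH" | profile_file_map
```

When the new certificates are installed under new names, the output is the list of profiles that need their cert-key-chain updated; a profile whose cert, key or chain points at a file that no longer exists will fail to load the configuration, so it is worth checking the whole list before the old files are deleted. With GUI access only, each profile's own page shows its Certificate Key Chain, but there is no certificate-to-profile view, which is the lookup `profiles_using_file` supplies.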