Machine Cert Auth Error - unable to get local issuer certificate
Hi, I've read through quite a few forum post related to this error but couldn't find anything specific to my issue. I have several machines I have been testing my APM policy with however, one is now failing. We use machine certs via our internal PKI. I've tried deleting it's machine cert and enrolling it again. I've tried deleting it's root/stub and installing them again. The certificate store matches my other working hosts. I've tried rebooting the machine and even the F5. Lastly, I've exported the failing machine root and sub and created it's own SSL profile to compare against on the F5 with no luck. It wasn't initially failing and I have not made any changes to the machine. The error I receive for session data is below: 06507f43.session.check_machinecert.auth_ag.nonce 28 ZDJQVjBiV3BqY05oWVhqTTdIdU4= 06507f43.session.check_machinecert.auth_ag.result 1 0 06507f43.session.check_machinecert.auth_ag.signature_verified 1 1 06507f43.session.check_machinecert.last.certificate_revoked 1 0 06507f43.session.check_machinecert.last.certificate_verified 1 0 06507f43.session.check_machinecert.last.error_message 103 X509_verify_cert failed: error : 20 at depth 0, error message:unable to get local issuer certificate 06507f43.session.check_machinecert.last.result 1 0 06507f43.session.check_machinecert.last.signature_verified 1 1
Server-side SSL Failing
Hello everyone We have a project where we need to provide TLS offload (client-side) and server-side encryption to the back-end web servers. I thought I'd test this out in my lab but seem to be struggling. I have an Apache2 web server configured to serve HTTPS web pages. The certificate presented by the web server is from my lab PKI. Browsing to the server directly from my PC, bypassing the LTM appears all good. The handshake is successfull. Things appear to work. When I introduce the LTM things fail. So far I have created a client-side cert and attached this to a client SSL profile then virtual server. I know this works because if I change the backend web server to a plain HTTP, the offload works just fine. I have imported my two PKI certificates (root/sub) and concatinated them as per sol13302, then installed them. I then attach this chain certificate to the server SSL profile under Configuration > Chain. Then attach the SSL profile to the VS. Even after all this, I get the following error: 'Secure Connection Failed'. If I use OpenSSL to test I get the following: [root@:Active:Standalone] tmp openssl s_client -connect red-https-server.lab.com:443 CONNECTED(00000003) depth=0 C = UK, ST = London, L = London, O = Lab Inc., OU = IT Dept., CN = blue-https-server.lab.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = UK, ST = London, L = London, O = Lab Inc., OU = IT Dept., CN = blue-https-server.lab.com verify error:num=27:certificate not trusted verify return:1 depth=0 C = UK, ST = London, L = London, O = Lab Inc., OU = IT Dept., CN = blue-https-server.lab.com verify error:num=21:unable to verify the first certificate verify return:1 I understand the error messages, the LTM clearly cannot verify the identity certificate the web server is presenting. If I change the OpenSSL command to use the chain cert, it works: [root@:Active:Standalone] tmp openssl s_client -connect red-https-server.lab.com:443 -CAfile /config/filestore/files_d/Common_d/certificate_d/:Common:LAB-CHAIN-CERT.crt_71998_1 CONNECTED(00000003) depth=2 CN = LAB-ROOT-CA verify return:1 depth=1 DC = com, DC = lab, CN = LAB-SUB-CA verify return:1 depth=0 C = UK, ST = London, L = London, O = Lab Inc., OU = IT Dept., CN = blue-https-server.lab.com verify return:1 Verify return code: 0 (ok) This is really frustrating me as it seems as if regardless of how I configure the SSL profile the handshake keeps failing. Anyone have an idea on where I am going wrong? Thank you
Edit SSL Profile fails with "apiError":26214401
I am trying to edit a server-ssl profile via REST API to add options. The request fails with HTTP 400 :: {"code":400,"message":"\"{ dont-insert-empty-fragments no-tlsv1.3 }\" unexpected argument","errorStack":[],"apiError":26214401} The same operation works well with TMOS shell. BIGIP version is Version15.1.3 Any suggestions on what could possibly be wrong here?
iRule to choose SSL serverside Profile to use based on HTTP_REQUEST
Hi Folks, I want to think this is possible. I am trying to based on the HTTP_REQUEST and host header, select the serverside connections SSL profile. For example, If host header is abc.example.com I want the serverside SSL profile to be the default serverssl. But if the host header is xyz.example.com then I want the serverside SSL profile to be serverssl-insecure-compatible. Teh client side connection works fine, and I am also using a wildcard cert for example.com I've seen a lot of posts on enabling or disabling ssl serverprofiles, but not about selecting which profile to use. here is my code thus far. when HTTP_REQUEST { HTTP::header remove "Accept-Encoding" switch [string tolower [HTTP::host]] { "abc.example.com" { Server ssl profile select goes here pool abc_pool_https } "xyz.example.com" { Server ssl profile select goes here pool xyz_pool } }
Does using default clientssl profile disable SSL offload for the VIP?
I have a VIP that is using client ssl profile with default (localhost) certificate. my pool members for this VIP have the Certificate for this URL. I see the certificate when i access the VIP. I believe that i should receive a certificate error if SSL offloading is enabled on F5 but i dont see the error. Why is that?
Application works externally via F5 but not internally
Hi One of the application works fine when accessed externally eventhough the certificate on the server isn't correct and on F5, we have added digi cert signed certificate as client ssl profile and used as server ssl profile as the server is running https service.when accessed internally, the connection is reset and page doesn't come up. Couple points to note when accessed internally, the application is in a different domain than the one from where it is being tried but the same laptop when connected to external, the application works fine. Network wise, telnet works on 443 from internal network to application. Did packet capture and ssl handshake seems to be successful between (client and f5) and (f5 and sever) and I can see 'application data' sent but then the client resets the traffic. Not sure why the application access works externally because the certificate on the server is wrong and when access directly to server, it gives cerficate error.Multiple SSL Certs but single VS
Hi, I want to use the same VS for some new webservices. so I will be created some new pools and updating the existing Irule to redirect traffic to the new pools based on the FQDN. However, the current SAN certificate only covers the first few web services and I have a new SSL cert for the new webservices. As I am new to F5 - wondering, if I just need to create a new SSL profile and assign the new profile to the existing VS or I am missing something? btw the new webservices are also hosted on the same servers the hosts the old webservices, look forward to hearing from you soon. thanks.Multiple Client Certificates - Query using single Virtual Server SSL Profile (Client)
I have an interesting one, and just started digging into its creation. I need to perform an OCSP check (easy), collect information off of 1 of 3 certificates a client might have on their token (easy), and pass that information on to the webserver (got that one all day long). Now for the curve ball. At somepoint in the APM policy, I have to query 1 of the other 2 certificates for another piece of information (think an email certificate vs. one used for authentication), but I can't mess with the data (or session) from the original certificate. My first few tries forces the session to reset and I lost the session data collected on the initial query. Thoughts?? open to ideas.. One knowledge nugget, I have to use the same URL, maintain the current session, and pass the data from both certs (that are in the same chain, covered by the same cert bundle) on to the web/app server. I might be able to use different URIs, so not sure if that helps.. Thanks
SSL Profile for the Management Certificate
Can I apply an SSL profile to the management certificate of the F5? I have a Internal CA certificate assigned to the Management address but I currently have no way of enforcing what version of TLS is used and what ciphers it will negotiate with etc. Version 11.6.0
