JBlogs_314812
Sep 26, 2017

iQuery/ Big-IP DNS server certificate trust problem

Unable to establish iQuery between bigip devices. Connectivity is in place but failing with:

SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I take this to be a certificate chain failure. The device certificates have been added to both DNS > GSLB > Servers > Trusted Server Certificates and System > Cert Mgmt > Device Cert Mgmt > Device Trust Certs.

Yet still no joy; running openssl confirms trust issues. Device certs are issued by a 2-tier PKI (intermediary and root). Big IP is 13 HF 2.

Any suggestions? Is it commonplace to be using internal certs here?

  • It was a long time ago when I used intermediaries for setting up iQuery, however I did make some notes.

    How have you added the intermediate? I used the following:

    tmsh modify sys httpd ssl-certchainfile /config/httpd/conf/ssl.crt/your_ca_cert_chain.crt
    (this instructs HTTPS to use the chain cert - so probably not what you need)

    Then you need to add the chain to two places: firstly in the GUI > Trusted Device Certs, secondly in Global Traffic/DNS Servers > Trusted Server Certificates.

    Restart services: bigstart restart httpd gtmd big3d
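
The chain point raised in this thread can be reproduced off-box. The script below is an added example, not part of the original posts and not F5 code: it builds a constructed two-tier lab PKI with the openssl CLI and checks which trust bundles let the device certificate verify. Assumptions: OpenSSL 1.1.0 or later (so that openssl verify returns a non-zero status on failure), made-up file names and common names, and no modelling of how the BIG-IP iQuery processes read their trust stores.

```shell
#!/bin/sh
# Constructed lab PKI (root -> intermediate -> device); every name is made up.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

new_csr() {  # new_csr <basename> <common name>: fresh key plus signing request
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_pki() {
    # Extensions that mark the root and the intermediate as CA certificates
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    new_csr root "Lab Root CA" &&
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile ca.ext -out root.crt 2>/dev/null &&
    new_csr int "Lab Intermediate CA" &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out int.crt 2>/dev/null &&
    new_csr dev "bigip-a.lab.example" &&
    openssl x509 -req -in dev.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 30 -out dev.crt 2>/dev/null &&
    cat int.crt root.crt > chain.crt   # intermediate and root in one bundle
}

# Succeeds only if dev.crt validates against the given trust bundle.
verifies_with() {
    openssl verify -CAfile "$1" dev.crt >/dev/null 2>&1
}

build_pki || { echo "PKI setup failed" >&2; exit 1; }
for bundle in dev.crt int.crt root.crt chain.crt; do
    if verifies_with "$bundle"; then result=OK; else result="verify failed"; fi
    printf '%-10s %s\n' "$bundle" "$result"
done
```

Only chain.crt verifies: trusting the device certificate alone, or either CA certificate alone, leaves openssl unable to build a path to a self-signed root.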