Original Publication Date: 12/11/2008
Updated Date: 06/20/2013
BIG-IP systems use SSL certificates for inter-device communication over the iQuery protocol. If device certificates are missing or expired on an F5 device, iQuery communication fails, and the GTM system that initiates the iQuery connection logs error messages similar to the following in the /var/log/gtm file:
gtmd: 011ae020:5: Connection in progress to <iquery_peer>
gtmd: 011ae01c:5: Connection complete to <iquery_peer>. Starting SSL handshake
iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
For example, trusted device certificates are stored in /config/big3d/client.crt, which the big3d agent of the local BIG-IP GTM or BIG-IP LTM device uses to authenticate a connection from a remote F5 device.
Trusted server certificates are stored in /config/gtm/server.crt, and are used when the local BIG-IP GTM system authenticates itself to a remote F5 device.
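The following added example (not F5 code) scans a gtm log for the messages shown above and counts certificate verification failures per iQuery peer. It assumes each iqmgmt_ssl_connect error belongs to the most recent "Starting SSL handshake" line before it; the function names, timestamps, host name and peer addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: count "certificate verify failed" errors per iQuery peer.
# Assumption: the iqmgmt_ssl_connect line carries no peer name, so it is
# attributed to the most recent "Starting SSL handshake" line before it.

iquery_cert_failures() {
    # $1: log file to scan (/var/log/gtm on the GTM that initiates iQuery)
    awk '
        /Connection complete to .*Starting SSL handshake/ {
            peer = $0
            sub(/.*Connection complete to /, "", peer)
            sub(/\. Starting SSL handshake.*/, "", peer)
            next
        }
        /iqmgmt_ssl_connect: SSL error:.*certificate verify failed/ {
            # No handshake line seen first (for example after log rotation)
            if (peer == "") peer = "unknown"
            count[peer]++
            peer = ""
        }
        END { for (p in count) printf "%s %d\n", p, count[p] }
    ' "$1" | sort
}

# Constructed sample input: the message formats come from the article,
# the prefixes and addresses are made up.
sample_gtm_log() {
    cat <<'EOF'
Jun 20 10:00:00 gtm1 iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jun 20 10:00:10 gtm1 gtmd: 011ae020:5: Connection in progress to 192.0.2.10
Jun 20 10:00:10 gtm1 gtmd: 011ae01c:5: Connection complete to 192.0.2.10. Starting SSL handshake
Jun 20 10:00:10 gtm1 iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jun 20 10:00:20 gtm1 gtmd: 011ae020:5: Connection in progress to 192.0.2.20
Jun 20 10:00:20 gtm1 gtmd: 011ae01c:5: Connection complete to 192.0.2.20. Starting SSL handshake
Jun 20 10:00:30 gtm1 gtmd: 011ae020:5: Connection in progress to 192.0.2.10
Jun 20 10:00:30 gtm1 gtmd: 011ae01c:5: Connection complete to 192.0.2.10. Starting SSL handshake
Jun 20 10:00:30 gtm1 iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
EOF
}

# Demonstration on the constructed sample; point the function at
# /var/log/gtm on a real system instead.
log=$(mktemp) && sample_gtm_log > "$log" && iquery_cert_failures "$log"; rm -f "$log"
```

Peers listed in the output are the ones whose certificates in /config/big3d/client.crt and /config/gtm/server.crt should be checked first.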
If the trusted device or server certificates are missing or expired on one or more of your F5 systems, refer to the following article:
If you are using third-party SSL certificates, refer to the following articles: