Original Publication Date: 12/11/2008
Updated Date: 04/23/2014
BIG-IP systems use SSL certificates for inter-device communication using the iQuery protocol. If device certificates are missing or expired on an F5 device, iQuery communication fails, and the BIG-IP GTM system that initiates the iQuery connection logs error messages similar to the following example to the /var/log/gtm file:
gtmd: 011ae020:5: Connection in progress to <iquery_peer>
gtmd: 011ae01c:5: Connection complete to <iquery_peer>. Starting SSL handshake
iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
For example, trusted device certificates are stored in /config/big3d/client.crt, which the big3d agent of the local BIG-IP GTM or BIG-IP LTM device uses to authenticate a connection from a remote F5 device.
Trusted server certificates are stored in /config/gtm/server.crt, and are used when the local BIG-IP GTM system authenticates itself to a remote F5 device.
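The SSL error line in the log sample above does not name the peer, so one way to find which iQuery peer failed certificate verification is to pair each error with the handshake line that precedes it. This is an added example, not F5 code: the function names, the constructed sample log and its 192.0.2.x addresses are assumptions, as is the premise that the nearest preceding "Connection complete" line belongs to the same handshake.

```shell
#!/bin/sh
# Added example: report which iQuery peers hit "certificate verify failed".
# The error line carries no peer name, so it is attributed to the most recent
# "Connection complete to <peer>. Starting SSL handshake" line before it.
# Assumption: log lines for different peers are not interleaved mid-handshake.

# Constructed sample in the message format shown in the article; the peer
# addresses come from a documentation range, not from a real system.
sample_log() {
cat <<'EOF'
gtmd: 011ae020:5: Connection in progress to 192.0.2.10
gtmd: 011ae01c:5: Connection complete to 192.0.2.10. Starting SSL handshake
iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
gtmd: 011ae020:5: Connection in progress to 192.0.2.20
gtmd: 011ae01c:5: Connection complete to 192.0.2.20. Starting SSL handshake
gtmd: 011ae020:5: Connection in progress to 192.0.2.10
gtmd: 011ae01c:5: Connection complete to 192.0.2.10. Starting SSL handshake
iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
EOF
}

# Reads a gtm log on stdin; prints "<peer> <failure count>" per failing peer.
iquery_cert_failures() {
  awk '
    / 011ae01c:.*Connection complete to / {
      # The peer is the field after "to"; strip the sentence-ending period.
      for (i = 1; i < NF; i++) if ($i == "to") { peer = $(i + 1); break }
      sub(/\.$/, "", peer)
      next
    }
    /iqmgmt_ssl_connect: SSL error:.*certificate verify failed/ {
      if (peer == "") peer = "unknown"   # error seen with no handshake line
      fails[peer]++
      peer = ""                          # one handshake, one verdict
      next
    }
    END { for (p in fails) print p, fails[p] }
  ' | sort
}

# On a BIG-IP GTM system: iquery_cert_failures < /var/log/gtm
sample_log | iquery_cert_failures
```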
If the trusted device or server certificates are missing or expired on one or more of your F5 systems, refer to the following article:
If you are using third-party SSL certificates, refer to the following articles: