iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
You may encounter this message in the following location:
This message occurs when one of the following conditions is met:
- BIG-IP systems use Secure Sockets Layer (SSL) certificates for inter-device communication using the iQuery protocol. If the BIG-IP device certificates are missing or expired on an F5 device, iQuery communication will fail and the BIG-IP GTM system that is initiating the iQuery connection logs the above error message. For example, trusted device certificates are stored in the /config/big3d/client.crt file, which the big3d agent of the local BIG-IP device uses to authenticate a connection from a remote F5 device. Trusted server certificates are stored in the /config/gtm/server.crt file, and are used when the local BIG-IP DNS or GTM system authenticates itself to a remote F5 device. If the trusted device or server certificates are missing or expired on one or more of your F5 systems, refer to the article listed in the Supplemental Information section.
- When creating or renewing BIG-IP device certificates, you should provide meaningful and unique entries for the appropriate certificate fields. For example, if the BIG-IP device certificates contain common name (CN) entries that duplicate those in certificates on other F5 devices, iQuery communication will fail and the BIG-IP system that is initiating the iQuery connection logs the above error message.
SSL and Transport Layer Security (TLS) handshakes fail to complete. This may impact communication between F5 devices using the iQuery protocol.
When creating or renewing BIG-IP device certificates, use the following guidelines:
- Device certificates should have unique and meaningful Subject data. For example, the CN field should match the host name for the BIG-IP system in which the device certificate was created.
- When possible, create device certificates with an extended expiration date.
- Make sure that SSL certificates are not expired.
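The script below is an added example, not F5 code. It checks the two conditions described above (missing or expired certificates, and duplicate CN entries) in a PEM bundle such as /config/big3d/client.crt or /config/gtm/server.crt. It assumes `openssl`, `awk`, `sed` and `mktemp` are available in the shell and that each bundle holds one certificate per peer device; the function name and the output format are illustrative.

```shell
#!/bin/bash
# Added example, not F5 code. Usage on a device (paths from the article):
#   bash audit_iquery_certs.sh /config/big3d/client.crt /config/gtm/server.crt
# Assumption: each bundle holds one certificate per peer, so a CN that
# repeats inside one bundle means two devices present the same CN.

# audit_bundle FILE [WARN_DAYS]
# Returns 0 clean, 1 expired/expiring/duplicate CN, 2 missing or empty file.
audit_bundle() {
    bundle=$1
    warn_days=${2:-30}
    [ -s "$bundle" ] || { echo "MISSING $bundle"; return 2; }
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per PEM block: cert.1, cert.2, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    rc=0
    : > "$tmp/cns"
    for cert in "$tmp"/cert.*; do
        [ -f "$cert" ] || { echo "EMPTY $bundle"; rm -rf "$tmp"; return 2; }
        cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
             sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
        end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            state=EXPIRED; rc=1
        elif ! openssl x509 -in "$cert" -noout \
                 -checkend $((warn_days * 86400)) >/dev/null; then
            state=EXPIRING; rc=1
        else
            state=OK
        fi
        echo "$state CN=$cn notAfter=$end"
        echo "$cn" >> "$tmp/cns"
    done
    # uniq -d prints each CN that occurs more than once.
    dups=$(sort "$tmp/cns" | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | sed 's/^/DUPLICATE CN=/'
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Run only when bundle paths are passed on the command line.
status=0
for f in "$@"; do audit_bundle "$f" 30 || status=1; done
[ "$#" -eq 0 ] || exit "$status"
```

A certificate reported as EXPIRING is still valid but falls inside the warning window (30 days by default), which gives time to renew it before iQuery handshakes start failing.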