
sol9467: Error Message: SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Original Publication Date: 12/11/2008
Updated Date: 06/10/2016

Issue

Error Message

iqmgmt_ssl_connect: SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Message Location

You may encounter this message in the following location:

  • The /var/log/gtm file

Description

This message occurs when one of the following conditions is met:

  • BIG-IP systems use Secure Sockets Layer (SSL) certificates for inter-device communication over the iQuery protocol. If the BIG-IP device certificates are missing or expired on an F5 device, iQuery communication fails and the BIG-IP GTM system that initiates the iQuery connection logs the error message above. For example, trusted device certificates are stored in the /config/big3d/client.crt file, which the big3d agent on the local BIG-IP device uses to authenticate a connection from a remote F5 device. Trusted server certificates are stored in the /config/gtm/server.crt file and are used when the local BIG-IP DNS or GTM system authenticates itself to a remote F5 device. If the trusted device or server certificates are missing or expired on one or more of your F5 systems, refer to the article listed in the Supplemental Information section.
  • When creating or renewing BIG-IP device certificates, you should provide meaningful and unique entries for the appropriate certificate fields. For example, if the common name (CN) entry in a BIG-IP device certificate duplicates the CN in certificates on other F5 devices, iQuery communication fails and the BIG-IP system that initiates the iQuery connection logs the error message above.

Impact

SSL and Transport Layer Security (TLS) handshakes fail to complete. This may impact communication between F5 devices using the iQuery protocol.

Recommended Actions

When creating or renewing BIG-IP device certificates, use the following guidelines:

  • Device certificates should have unique and meaningful Subject data. For example, the CN field should match the host name of the BIG-IP system on which the device certificate was created.
  • When possible, create device certificates with an extended expiration date.
  • Make sure that SSL certificates are not expired.
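
One way to check a trust store for the conditions described above (expired certificates and duplicate CN entries), as an added example that is not part of the original article and is not F5 code. The helper name `audit_bundle`, the 30-day warning window, and the assumption that each trust store is a file of concatenated PEM certificates are all assumptions; a duplicate CN inside one bundle is treated here as the symptom of the second condition.

```shell
#!/bin/bash
# Added example, not F5 code. audit_bundle is a hypothetical helper name.
# Assumption: the bundle is a file of concatenated PEM certificates.
# Usage: audit_bundle FILE [WARN_DAYS]   (WARN_DAYS defaults to 30, an assumed window)
audit_bundle() {
    bundle=$1
    warn_days=${2:-30}
    [ -r "$bundle" ] || { echo "MISSING $bundle"; return 1; }
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$bundle"

    : > "$tmp/cns"
    for c in "$tmp"/cert-*.pem; do
        [ -e "$c" ] || { echo "EMPTY $bundle"; break; }
        id=$(basename "$c" .pem)
        end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        cn=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 |
             sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
        # -checkend N exits non-zero when the certificate expires within N seconds.
        if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
            echo "EXPIRED $id CN=$cn notAfter=$end"
        elif ! openssl x509 -in "$c" -noout -checkend $((warn_days * 86400)) >/dev/null; then
            echo "EXPIRING $id CN=$cn notAfter=$end"
        fi
        [ -z "$cn" ] || echo "$cn" >> "$tmp/cns"
    done

    # A CN carried by more than one certificate in the same bundle.
    sort "$tmp/cns" | uniq -d | sed 's/^/DUPLICATE-CN /'
    rm -rf "$tmp"
}

# Example: bash audit.sh /config/big3d/client.crt /config/gtm/server.crt
for f in "$@"; do audit_bundle "$f"; done
```

No output for a file means none of its certificates is expired, expiring within the window, or sharing a CN with another certificate in that file.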

Supplemental Information
