Forum Discussion

Suresh_Jo_32729
Apr 02, 2018

Getting Verify return code: 21 (unable to verify the first certificate) error message.

All,

I have uploaded the same SSL cert to two different LTMs. On one device it's working fine, but on the other device I am getting the Verify return code: 21 (unable to verify the first certificate) error message.

I created a CSR on one device and then got the cert from the CA for that CSR. Then I uploaded the same SSL cert to two different LTMs. Do I need to raise a CSR from both devices and then upload a cert to each device?

PS: The common name is the same for both LTMs.

 

9 Replies

  • Can you list your setup from both LTMs?

    tmsh list ltm profile client-ssl

    The error is more likely to occur because you may have missed including the intermediate certificate.

  • You can mask your confidential objects and share the output with us. This is to compare the clientssl settings on both LTMs.

     

  • Suresh Jo: are you creating a device SSL cert or an SSL cert for an SSL profile?

     

  • Hello,

    Can you confirm that you imported the chain (intermediate) too?

    In your client SSL profile you have to set your intermediate and check that you have the same settings as the other profile on the working device.

     

    Regards,

     

  • I am creating an SSL cert for an SSL profile.

    I have imported the intermediate chain too. What I did was, in the SSL cert tab, I copied the contents of both certs (SSL and intermediate). After that I got verify code 20 instead of 21.

     

  • Hello,

    Can you please confirm that you copied the SSL cert first and then the chain below it?

     

    Regards,

     

  • Yes, I edited both certs in Notepad++ and then pasted the contents of the SSL cert followed by the intermediate cert.

     

  • Hello Suresh,

    I suspect a problem with your intermediaries or the way you paste them. Do it step by step.

    First, leave just your certificate, without the chain (intermediate), in your cert profile, and check in your SSL certificate list that you can see the correct common name. Already like that, it should work, with an SSL error.

    Then add the intermediate as a dedicated SSL certificate (you do not have to use the one of the certificate) and add it to the SSL client profile...

    Give me feedback...

     

    Regards.
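
The paste order discussed in this thread (SSL cert first, then the chain below it) can be checked offline before a bundle is imported. The following is an added example, not part of any poster's reply: the function names `check_bundle_order` and `make_demo_chain` and the demo subject names are made up for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Usage (after sourcing this file): check_bundle_order bundle.pem
# Walks a PEM bundle in file order and reports whether each certificate's
# issuer equals the subject of the certificate that follows it (leaf first).
# Name comparison only: signatures are not checked here.
check_bundle_order() {
    bundle=$1; prev_iss=""; i=1; rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    while [ -f "$tmp/cert-$i.pem" ]; do
        subj=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -nameopt RFC2253 -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -nameopt RFC2253 -issuer | sed 's/^issuer= *//')
        echo "[$i] subject: $subj"
        echo "[$i] issuer:  $iss"
        if [ -n "$prev_iss" ] && [ "$prev_iss" != "$subj" ]; then
            echo "    out of order: certificate $((i - 1)) was not issued by this subject"
            rc=1
        fi
        prev_iss=$iss
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$i" -gt 1 ] || return 2   # no certificate found in the file
    return "$rc"
}

# Constructed test data: a throwaway root -> intermediate -> leaf chain in $1.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    for pair in "int:root:Demo Intermediate" "leaf:int:www.example.test"; do
        name=${pair%%:*}; rest=${pair#*:}; ca=${rest%%:*}; cn=${rest#*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
            -CAcreateserial -days 1 -out "$d/$name.pem" 2>/dev/null || return 1
    done
}
```

A return status of 0 means the bundle is ordered leaf first with each issuer following its subject, 1 means at least one certificate is out of order, and 2 means no certificate was found in the file.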