sreeharii_35834
Apr 11, 2018

BIG-IP returns 401 error when there is an expired certificate and the renewed certificate of the same CA in the CA bundle

Hi, I'm just wondering if someone could help me understand why BIG-IP was returning a 401 error for incoming requests in the scenario below.

So I had a root certificate in the CA bundle which expired recently. Even before the expiration I added the renewed certificate of the same CA to the CA bundle, but I forgot to remove the old one which was about to expire.

So after the expiry of the first certificate, BIG-IP was returning a 401 error for all the requests which were using that particular certificate authority at the client side. I was using 2-way SSL in this scenario.

I am not really sure how BIG-IP works when it checks the validity of a certificate chain which was sent by the client. In this case, I had an expired one and a renewed one in the CA bundle.

Device: BIG-IP 2000

1 Reply

  • I don't really expect the BIG-IP to return a 401 in general if a client certificate is sent. Or is there some iRule or ASM or such involved?

    In that case it will most likely depend on your configuration. I do believe you can put what you want in a CA bundle. What I could imagine is that the expired cert is also used for advertising CA and that a client cert from that CA is offered, which doesn't happen when it isn't there.

    But again, in general that means connections failing, no 401; something else must be causing that.
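
A check for the situation described in the question (an expired or soon-to-expire CA certificate left in the bundle beside its renewal), as an added example that is not part of the original thread and is not F5 code. It assumes a PEM bundle file and the `openssl` CLI; the function name `stale_ca_duplicates` is hypothetical, and the script only audits the bundle, it does not model how BIG-IP picks an issuer.

```bash
#!/usr/bin/env bash
# Added example. List bundle entries that are expired (or expire within
# WINDOW seconds) while another entry with the same subject is still valid.
# Usage: stale_ca_duplicates BUNDLE.pem [WINDOW_SECONDS]
stale_ca_duplicates() {
    local bundle=$1 window=${2:-0} tmp pem subj
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert%04d.pem", dir, ++n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$bundle"

    # Index every certificate as: state <TAB> subject <TAB> notAfter.
    for pem in "$tmp"/cert*.pem; do
        [ -e "$pem" ] || continue
        subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
        if openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            printf 'valid\t%s\n' "$subj"
        else
            printf 'stale\t%s\t%s\n' "$subj" \
                "$(openssl x509 -in "$pem" -noout -enddate)"
        fi
    done > "$tmp/index"

    # First pass collects subjects that still have a valid entry; second pass
    # prints stale entries whose subject is in that set.
    awk -F'\t' '
        NR == FNR { if ($1 == "valid") ok[$2] = 1; next }
        $1 == "stale" && ($2 in ok) { print $2 " [" $3 "]" }
    ' "$tmp/index" "$tmp/index"
    rm -rf "$tmp"
}

# Run directly: ./script.sh bundle.pem [window_seconds]
if [ "$#" -gt 0 ]; then stale_ca_duplicates "$@"; fi
```

With no window it reports only entries that have already expired; a window such as 2592000 (30 days) catches the overlap before the old certificate lapses.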