Forum Discussion

KimiLi_147173
Nimbostratus
Jul 16, 2018

What's the proper procedure to renew device certificate in my case?

Hi all,

I have both the GTM and LTM modules activated on my Viprion device; LTM is working fine, however GTM synchronization is not working.

I got these GSLB log entries on both devices:

Mon Jul 16 14:01:59 CST 2018 ltm02 iqmgmt_ssl_connect SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 16 14:01:59 CST 2018 err slot1/ltm02 gtmd[22832] 011ae0fa iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)
Mon Jul 16 14:01:59 CST 2018 ltm02 iqmgmt_ssl_connect SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 16 14:01:59 CST 2018 err slot1/ltm02 gtmd[22832] 011ae0fa iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)
Mon Jul 16 14:01:59 CST 2018 ltm02 iqmgmt_ssl_connect SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 16 14:01:59 CST 2018 err slot1/ltm02 gtmd[22832] 011ae0fa iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)

After checking, I found a device certificate issue on device 1, which uses the wrong CN and an invalid RSA key. Since this wrong device certificate was restored from the archive of an old BIG-IP device, I'm planning to renew this device certificate. My concerns are:

1st, what's the proper procedure to renew it in my case? My plan is:

1. Renew device 1's certificate.
2. Run the bigip_add CLI command on both devices, like:
   device1: bigip_add device2 LTM SELFIPs
   device1: bigip_add device1 LTM SELFIPs -- is this necessary?
   device2: bigip_add device1 LTM SELFIPs
   device2: bigip_add device2 LTM SELFIPs -- is this necessary?
3. Check synchronization status by running iqdump, and check whether GSLB can read all VS statuses on LTM.

2nd, since I also have the LTM module running at the same time, I wonder whether this certificate renewal will break the HA status of the LTM module on both devices. Will I need to rebuild HA for the LTM module after renewing the device certificate? In my opinion LTM HA is based on an individual certificate system which is irrelevant to the device certificate, but I'm not sure about this.

Waiting for your advice, many thanks to all.
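A small parser for the gtmd/iQuery log entries quoted above, as an added example for this thread (it is not F5 code and not part of the original post). It splits each entry into timestamp, host, daemon and OpenSSL error fields, confirms that the decimal in parentheses (336134278) is the same packed code as the hex 14090086, and breaks that code into its library/function/reason numbers using the OpenSSL 1.x field layout (ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON). The two line shapes it recognises are inferred from the post; the sample log lines are constructed from the entries shown there.

```python
"""Parse BIG-IP GSLB/gtmd iQuery SSL log entries and decode the OpenSSL error code.

Added example for this thread, not F5 code. It assumes the two line shapes seen
in the post: a short "host message" line and a fuller
"level slot/host daemon[pid] msgid message (decimal)" line.
"""
import re
from collections import Counter

# Constructed sample: entries from the post, one per line.
SAMPLE_LOG = """\
Mon Jul 16 14:01:59 CST 2018 ltm02 iqmgmt_ssl_connect SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 16 14:01:59 CST 2018 err slot1/ltm02 gtmd[22832] 011ae0fa iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)
Mon Jul 16 14:01:59 CST 2018 ltm02 iqmgmt_ssl_connect SSL error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 16 14:01:59 CST 2018 err slot1/ltm02 gtmd[22832] 011ae0fa iqmgmt_ssl_connect: SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (336134278)
"""

# "Mon Jul 16 14:01:59 CST 2018 <rest>"
TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4}) (?P<rest>.*)$")
# "error:<8 hex>:<lib>:<func>:<reason>[ (<decimal>)]"
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^()]+?)"
    r"(?: \((?P<dec>\d+)\))?\s*$"
)
# "err slot1/ltm02 gtmd[22832] 011ae0fa <message>"
DAEMON_RE = re.compile(r"^(?P<level>\w+) (?P<host>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\] (?P<msgid>[0-9a-f]{8}) ")


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.x error code into its lib/func/reason numbers."""
    return {
        "lib": (code >> 24) & 0xFF,     # ERR_GET_LIB
        "func": (code >> 12) & 0xFFF,   # ERR_GET_FUNC
        "reason": code & 0xFFF,         # ERR_GET_REASON
    }


def parse_entry(line):
    """Return a dict for one log line, or None if it does not start with a timestamp."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    entry = {"timestamp": m.group("ts"), "level": None, "host": None,
             "daemon": None, "pid": None, "msgid": None}
    d = DAEMON_RE.match(rest)
    if d:
        entry.update(level=d.group("level"), host=d.group("host"), daemon=d.group("daemon"),
                     pid=int(d.group("pid")), msgid=d.group("msgid"))
    else:
        entry["host"] = rest.split(" ", 1)[0]   # short form: host is the first token
    e = ERR_RE.search(rest)
    if e:
        code = int(e.group("code"), 16)
        entry.update(code=code, lib_name=e.group("lib"), func_name=e.group("func"),
                     reason_text=e.group("reason"))
        entry.update(decode_openssl_error(code))
        # The trailing decimal, when present, is the same packed code printed in base 10.
        entry["decimal_matches"] = (int(e.group("dec")) == code) if e.group("dec") else None
    return entry


def parse_gslb_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def verify_failures(entries):
    """Count certificate-verify failures per (host, SSL function) so a failing peer stands out."""
    return Counter((e["host"], e["func_name"]) for e in entries
                   if e.get("reason_text") == "certificate verify failed")


if __name__ == "__main__":
    entries = parse_gslb_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e['timestamp']} {e['host']:<12} {e['func_name']}: {e['reason_text']} "
              f"(code=0x{e['code']:08x} lib={e['lib']} func={e['func']} reason={e['reason']})")
    print(verify_failures(entries))
```

Run it over `/var/log/gtm` output (or a pasted excerpt) instead of the sample: a steady count of `certificate verify failed` for a single peer, as in the post, points at that peer's device certificate rather than at transport problems, which is what makes the CN/key check on device 1 the right next step.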