Machine Cert Auth Error - unable to get local issuer certificate

Hi Nick,

Here are a few things to try.

• Use the f5wininfo.exe tool (can download it from the BigIP) to remove all components (under "Tools") from the machine that doesn't work.
• In the same tool (f5wininfo.exe) you can enable logging (under "Tools").
• On the windows client navigate to "%temp%" in windows explorer and search for files that start with "f5*". Delete all the files you find.
• Launch IE as administrator.
• Access the VS and approve the install of the components and running the machine check service
• Check the logs in %temp%. The log you need to focus on is f5mcertcheck.txt

Verify that the certificate on the machine is the correct one for the CA profile you created and have configured in the VPE action.

With only one machine failing it seems to be a client side issue. Hopefully the steps above will help you out. If not please let me know.

Seth

Hey Seth,

Always appreciate your help. Unfortunately the above steps did not resolve the issue. I do agree it is probably a client issue. I am just puzzled as these are my isolated machines and I know all changes I've ever made, we're made to the entire section. I was expecting to see failure in the logs, but it appear all came back successful and positive.

2015-03-25,15:49:15:795, 1308,4244,, 48,,,, current log level = 63
2015-03-25,15:49:15:795, 1308,4244,, 48, , 39, ::DllMain, ActiveX control location: "C:\Windows\Downloaded Program Files\f5certchk.dll"
2015-03-25,15:49:16:296, 1308,4244,, 48, , 73, CCertCheckCtrl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:0, RootCertInfo:IS_TRUSTED:0, Nonce: d0RTVXplUDA3cHlzQTZPaDFxRkY=
2015-03-25,15:49:16:296, 1308,4244,, 48, , 96, CCertCheckCtrl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"0", Allow elevation UI:"1", Serial number(HEX):"", Issuer:"", SubjectAltName:""
2015-03-25,15:49:16:297, 1308,4244,, 48, \certinfo.cpp, 1152, CCertInfo::MatchCertificate, fqdn:
2015-03-25,15:49:16:297, 1308,4244,, 48, \certinfo.cpp, 1302, CCertInfo::FindCertificateInStoreExt: , Total certs tested: 1
2015-03-25,15:49:16:297, 1308,4244,, 48, \certinfo.cpp, 1306, CCertInfo::FindCertificateInStoreExt: ,   found matched certificate.

2015-03-25,15:49:16:297, 1308,4244,, 48, \m_uac_helpers.cpp, 77, uGetProcessIntegrityLevel(), Running on high integrity level

2015-03-25,15:49:16:300, 1308,4244,, 48,,,, CCertInfo::IsPrivateKeyPresent: CryptAcquireCertificatePrivateKey succeeded: found private key.
2015-03-25,15:49:16:300, 1308,4244,, 48, , 343, CCertCheckCtrl::CheckPrivateKey, The machine certificate has private key on this machine
2015-03-25,15:49:16:302, 1308,4244,, 48,,,, CCertInfo::SignHash: CryptAcquireCertificatePrivateKey succeeded: found private key.
2015-03-25,15:49:16:305, 1308,4244,, 48, , 369, CCertCheckCtrl::CheckPrivateKey, Signing message succeeded
2015-03-25,15:49:16:305, 1308,4244,, 48, , 266, CCertCheckCtrl::Verify, Succesfully found the certificate and verified the private key

Do you by chance have multiple certificates? From the logs and data you have provided it appears it is finding a certificate but when that certificate was sent back to the APM the APM couldn't verify it against the CA certificate.

If you add the check for issuer or something other than just the defaults does it find the correct cert?

Seth

I did, that worked perfect! Thanks so much!

Great! The logs can be a little bit tricky to read and we have RFE IDs created to clarify the logging on both the client and server side regarding machine certificates. The logging should get better in the next few releases.

Glad you got it working.

Seth