Forum Discussion

chin_15339
Apr 14, 2017
Solved

2 way ssl not working with open ssl generated certificates

Jan 1 19:13:56 bigip1 warning tmm[11040]: 01260006:4: Peer cert verify error: certificate is not yet valid (depth 0; cert /C=IN/ST=KTK/O=Chase/OU=IT/CN=testing141)
Jan 1 19:13:56 bigip1 warning tmm[11040]: 01260009:4: Connection error: ssl_shim_vfycerterr:4530: certificate is not yet valid (45)
Jan 1 19:13:56 bigip1 info tmm[11040]: 01260013:6: SSL Handshake failed for TCP 192.168.166.1:39596 -> 192.168.166.20:443
Jan 1 19:13:57 bigip1 warning tmm[11040]: 01260006:4: Peer cert verify error: certificate is not yet valid (depth 0; cert /C=IN/ST=KTK/O=Chase/OU=IT/CN=testing141)
Jan 1 19:13:57 bigip1 warning tmm[11040]: 01260009:4: Connection error: ssl_shim_vfycerterr:4530: certificate is not yet valid (45)
Jan 1 19:13:57 bigip1 info tmm[11040]: 01260013:6: SSL Handshake failed for TCP 192.168.166.1:39598 -> 192.168.166.20:443


  • The problem is Connection error: ssl_shim_vfycerterr:4530: certificate is not yet valid

    If you are seeing this then it's likely the time on your BIG-IP needs to be synchronised.

    Set a DNS server

    System -> Configuration -> Device -> DNS add 8.8.8.8

    Set an NTP Server

    System -> Configuration -> Device -> NTP add pool.ntp.org

    If the time does not update within a minute check you can reach your DNS server. From the command line

    ping 8.8.8.8
    

    If the system has never been synced before then run the following...

    service ntpd stop
    ntpdate pool.ntp.org
    service ntpd start
    

    This will force time to sync no matter the time difference.
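As an added illustration (not part of the thread or of F5's tooling), a small Python check that parses the tmm "Peer cert verify error" lines quoted in the question and compares the device's clock at the moment of each entry with the certificate's validity window, which is exactly the comparison behind "certificate is not yet valid". The certificate dates, the year behind the syslog timestamp (syslog carries none), the UTC assumption and the synced-clock value are constructed assumptions, since neither the log nor the post gives them.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: three of the tmm lines quoted in the question (verbatim).
SAMPLE_LOG = """\
Jan 1 19:13:56 bigip1 warning tmm[11040]: 01260006:4: Peer cert verify error: certificate is not yet valid (depth 0; cert /C=IN/ST=KTK/O=Chase/OU=IT/CN=testing141)
Jan 1 19:13:56 bigip1 warning tmm[11040]: 01260009:4: Connection error: ssl_shim_vfycerterr:4530: certificate is not yet valid (45)
Jan 1 19:13:57 bigip1 warning tmm[11040]: 01260006:4: Peer cert verify error: certificate is not yet valid (depth 0; cert /C=IN/ST=KTK/O=Chase/OU=IT/CN=testing141)
"""

# Assumed certificate window: issued the day the thread was posted, valid one year (constructed).
CERT_NOT_BEFORE = datetime(2017, 4, 14, 0, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2018, 4, 14, 0, 0, tzinfo=timezone.utc)
# Assumed clock of a BIG-IP after NTP sync (constructed), used to show the healthy case.
SYNCED_CLOCK = datetime(2017, 4, 14, 10, 0, tzinfo=timezone.utc)

# Matches the 01260006:4 verify-error line; captures timestamp, OpenSSL reason and cert subject.
VERIFY_ERR = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ warning tmm\[\d+\]: 01260006:4: "
    r"Peer cert verify error: (?P<reason>[^(]+) \(depth (?P<depth>\d+); cert (?P<subject>.+)\)$"
)

def parse_verify_errors(log_text):
    """Return one dict per 'Peer cert verify error' line; other tmm lines are ignored."""
    return [m.groupdict() for m in map(VERIFY_ERR.match, log_text.splitlines()) if m]

def device_clock_from_log(ts, year):
    """Syslog timestamps have no year, so the caller supplies the year the device believed."""
    return datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def check_validity_window(not_before, not_after, device_clock):
    """Verdict as OpenSSL would phrase it, plus how far the verifier's clock is outside the window."""
    if device_clock < not_before:
        return "certificate is not yet valid", not_before - device_clock
    if device_clock > not_after:
        return "certificate has expired", device_clock - not_after
    return "valid", timedelta(0)

def diagnose(log_text, not_before, not_after, device_year):
    """For each verify-error line, recompute the verdict from the device clock and compare to the log."""
    results = []
    for err in parse_verify_errors(log_text):
        clock = device_clock_from_log(err["ts"], device_year)
        verdict, skew = check_validity_window(not_before, not_after, clock)
        results.append({"subject": err["subject"], "logged": err["reason"].strip(),
                        "computed": verdict, "skew_days": skew.days,
                        "consistent": verdict == err["reason"].strip()})
    return results

if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG, CERT_NOT_BEFORE, CERT_NOT_AFTER, 2017):
        print(f"{r['subject']}: logged '{r['logged']}', clock is {r['skew_days']} days before notBefore")
    print("after sync:", check_validity_window(CERT_NOT_BEFORE, CERT_NOT_AFTER, SYNCED_CLOCK)[0])
```

A device whose clock reads January while the CA issued the certificate in April will reject it at depth 0 regardless of how the chain was built, which is why the fix is NTP rather than reissuing the certificate.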

4 Replies


    • chin_15339

      Thanks Kevin for the update. This is our lab device so we don't have a DNS as such. When you say time sync, does that mean the Certificate Authority issued certificates and the LTM device clock should be in sync, or the end machine which is accessing the URL should be in sync?


    • Kevin_Davies_40

      They all need to be in sync. Real time or your own time, all of them need to have the same time. When they are too far out SSL will not work.


    • chin_15339

      Thanks Kevin, it really works. Sync is required.


      Thanks a ton :-)