GIRISH_BAMMANAW
Oct 25, 2018

iQuery failing : SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1128:

Hi F5 Team,

When we tried to connect to the remote F5 DNS, we got the error below. Can you please help me resolve this?

   iqdump output from MDC-GTM for XDC-GTM's IP address
    [user@DC1-GTM-01:Active:Standalone] ~  iqdump 208.90.73.204
    47880724300784:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1128:
    New, (NONE), Cipher is (NONE)
    SSL-Session:
     Protocol  : TLSv1
     Cipher    : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1533937199
     Timeout   : 7200 (sec)

6 Replies

  • Looks like a trust has not been created between the F5 devices.

    If you just want to set up the trust to allow communication, then you can run the bigip_add command to swap certs and establish a trust.

    If you are trying to add a new F5 DNS/GTM into an existing DNS/GTM device group, then you can use the gtm_add command, which will generate the trust but also pull all the DNS/GTM configuration from the group and overwrite the local configuration.

    WARNING: With gtm_add, make sure you run it the correct way around and are happy to overwrite the local F5 DNS/GTM configuration.

    See: K13312: Overview of the BIG-IP DNS big3d_install, bigip_add, and gtm_add utilities (11.x - 14.x)

    • GIRISH_BAMMANAW

      Yes, it's resolved. We were using a third-party vendor ask certificate to establish the iQuery connection. We replaced the third-party certificate with the device self certificate, and then the issue was fixed.
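
Added example (not part of the thread, and not F5 code): an offline OpenSSL model of the failure and the fix described above. It assumes the trust store holds only the certificates the two devices exchanged, so a CA-issued certificate stored without its issuer fails verification while a self-signed one passes; every subject and file name is constructed.

```shell
#!/usr/bin/env bash
# Added example: offline model of "certificate verify failed" between two peers.
# Subjects, file names and the trust-bundle layout are constructed assumptions,
# not BIG-IP paths or F5's implementation.

# Succeeds only if CERT ($2) verifies against trust bundle ($1).
# The output is parsed because old OpenSSL releases exit 0 even on failure.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# In directory $1 create: a self-signed device cert, a stand-in third-party CA,
# and a device cert issued by that CA.
make_certs() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=dns-a.example" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Vendor CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dns-b.example" \
        -keyout "$d/vendor.key" -out "$d/vendor.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/vendor.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/vendor.crt" 2>/dev/null
}

check() { verify_against_bundle "$1" "$2" && echo ok || echo fail; }

# Prints one result line covering three trust-store layouts.
run_demo() {
    local d
    d=$(mktemp -d) || return 1
    make_certs "$d" || return 1
    cat "$d/vendor.crt" "$d/ca.crt" > "$d/vendor_chain.pem"
    # 1) self-signed cert exchanged: it is its own root, so it verifies
    # 2) CA-issued cert exchanged alone: issuer missing, verification fails
    # 3) CA-issued cert plus its issuing CA in the bundle: verifies
    echo "self_signed=$(check "$d/self.crt" "$d/self.crt")" \
         "ca_issued_leaf_only=$(check "$d/vendor.crt" "$d/vendor.crt")" \
         "ca_issued_with_issuer=$(check "$d/vendor_chain.pem" "$d/vendor.crt")"
    rm -rf "$d"
}

run_demo
```

The same `openssl verify -CAfile` check can be pointed at a real trust bundle and peer certificate to see whether the issuer is what is missing.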