11-09-2010 03:25 AM
Hi all,
here is my conf/version:
Software
loader: Version 12.2[123]
system: Version A2(3.2) [build 3.0(0)A2(3.2)]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_2.bin
installed license: no feature license is installed
crypto chaingroup myurl.chain
cert myurl.chain
ssl-proxy service MYURL
key myurl.key
cert myurl.cert
chaingroup myurl.chain
----
yesterday :
# sh crypto files
Filename       File Size   File Type   Exportable   Key/Cert
-----------------------------------------------------------------------
myurl.cert     16346       PEM         Yes          CERT
myurl.key      1679        PEM         Yes          KEY
myurl.chain    4972        PEM         Yes          CERT
$ curl https://myurl.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
--
today, no problem with curl :
# sh crypto files
Filename       File Size   File Type   Exportable   Key/Cert
-----------------------------------------------------------------------
myurl.cert     16253       PEM         Yes          CERT
myurl.key      1675        PEM         Yes          KEY
myurl.chain    4972        PEM         Yes          CERT
Is there an issue with the cert or key size?
11-09-2010 04:25 AM
Did you reload the box?
Or remove and upload the cert/key again?
They could have been corrupted previously.
Always check with "crypto verify" that the key and cert are ok after being loaded.
Gilles.
11-09-2010 10:06 AM
I can't reload the box as I want :/
I removed and uploaded again and again, but I still had the problem.
crypto verify shows no problem.
I have a new cert every day, so I will see the next day if it depends on size ...
11-10-2010 01:11 AM
Sorry, the question was "how did you fix it the first time?"
Or are you talking about different devices?
Also, be aware that ACE loads your key/cert in memory and stops using the one in flash.
Even if you modify the files in flash, that does not mean ACE updates the info it has in memory.
So if the files got corrupted and you upload new ones using the same name, it is possible that ACE kept using the old ones it has in memory.
I usually recommend using different names and updating the ssl-proxy config with the new names in order to force it to reload the new info.
Or remove the ssl-proxy config completely, upload new files and reconfigure the proxy.
Gilles.
11-15-2010 07:17 AM
The first time, I got another cert from my dealer that fixed the problem.
But since then, I got another one and I got the problem back.
Moreover, now I had to remove the chain, otherwise I got a connection RST when I visited my SSL web site ...
Very, very strange. I had ten other SSL certs with the same conf without any problem at all.
The only difference I see is the cert size.
11-15-2010 08:12 AM
Ok.
You have a problem with the cert.
But the size can't be used to determine if there is a problem or what the problem could be.
Gilles.
11-15-2010 08:28 AM
I will make some tests on another context with the same cert/key/chain with logging debug.
Thanks for your help.
11-15-2010 10:26 AM
I made some mistakes in my test.
I erased my Firefox profile and in fact:
without chain: I got a warning; I have to make an exception.
with chain: the connection is reset by the ACE.
The chain is used on other ssl-proxy services with different cert/key without any problem.
11-15-2010 10:39 AM
Something that can help:
Maximum size of a certificate file => 8192 bytes
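Added example (not from this thread or from Cisco): a preflight check for a PEM file before it is uploaded to the ACE, covering the two points raised above. It flags a file over the 8192-byte limit quoted here (assumed to apply per file), a block whose base64 is corrupted, and non-PEM text around the block (which is what usually inflates a single cert file far beyond its DER size); it also derives a content-tagged filename so a re-upload is not served from the old in-memory copy. The sample certificate bytes are constructed and not a real certificate.

```python
import base64
import hashlib
import re

# Per-file limit quoted in the thread for this ACE release (assumption: applies to each PEM file).
ACE_MAX_CERT_FILE_BYTES = 8192
# One PEM block: BEGIN line, base64 body, matching END line (plus its newline).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----\r?\n?", re.S)


def inspect_pem(data: bytes) -> dict:
    """File size, each PEM block with its decoded DER size, and non-whitespace bytes outside any block."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            der = b""  # body is not valid base64: the block was corrupted in transit
        blocks.append({"label": m.group(1).decode(), "der_bytes": len(der), "valid": bool(der)})
    outside = len(PEM_BLOCK.sub(b"", data).strip())  # e.g. an 'openssl x509 -text' dump
    return {"file_bytes": len(data), "outside_bytes": outside, "blocks": blocks}


def preflight(data: bytes) -> list:
    """Problems to fix before uploading the file to the ACE."""
    info = inspect_pem(data)
    problems = []
    if not info["blocks"]:
        problems.append("no PEM block found")
    if any(not b["valid"] for b in info["blocks"]):
        problems.append("a PEM block does not base64-decode: file corrupted?")
    if info["file_bytes"] > ACE_MAX_CERT_FILE_BYTES:
        problems.append("file exceeds the 8192-byte limit")
    if info["outside_bytes"]:
        problems.append("text outside PEM blocks: strip it before upload")
    return problems


def strip_to_pem(data: bytes) -> bytes:
    """Keep only the PEM blocks; this is usually what shrinks an oversized file."""
    return b"".join(m.group(0) for m in PEM_BLOCK.finditer(data))


def unique_name(filename: str, data: bytes) -> str:
    """Content-derived name: the ACE serves what it loaded in memory, so a new name forces a fresh load."""
    stem, dot, ext = filename.rpartition(".")
    tag = hashlib.sha256(data).hexdigest()[:8]
    return f"{stem}-{tag}.{ext}" if dot else f"{filename}-{tag}"


# Constructed sample (not a real certificate): a text dump followed by a tiny PEM block.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_CERT = (b"Certificate:\n    Data:\n        Version: 3\n-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n")
```

`preflight(SAMPLE_CERT)` reports the stray text, `preflight(strip_to_pem(SAMPLE_CERT))` is clean, and `unique_name("myurl.cert", data)` gives the name to put in the ssl-proxy config.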
11-16-2010 03:03 AM
I made some captures:
10:56:43.888969 x:x:x:x:x:x y:y:y:y:y:y 0800 58: X.X.X.X.443 > Y.Y.Y.Y.40819: S [bad tcp cksum 5f96!] 3053947049:3053947049(0) ack 4213357574 win 32768
10:56:43.892972 y:y:y:y:y:y x:x:x:x:x:x 0800 60: Y.Y.Y.Y.40819 > X.X.X.X.443: . [tcp sum ok] ack 1 win 5840 (DF) (ttl 58, id 264, len 40)
10:56:43.893130 x:x:x:x:x:x y:y:y:y:y:y 0800 54: X.X.X.X.443 > Y.Y.Y.Y.40819: R [bad tcp cksum 774f!] 1:1(0) ack 1 win 32768 (ttl 255, id 41712, len 40, bad cksum 6556!)
Nothing is forwarded to the rserver.
11-17-2010 02:50 AM
Today I got no warning and no RST: cert size = 16245
11-17-2010 04:36 PM
Hey guys, not sure if this is relevant, but we had a VERY similar situation as noted above and what it turned out to be was an incorrect MTU setting on the router. Like I said, not sure if it is relevant, but it does sound similar. I apologize in advance if this isn't pertaining to the same issue. Thanks.