Bug ID 1057501: Expired DST Root CA X3 resulting in http agent request failing.

Last Modified: Dec 13, 2023

Affected Product(s):
BIG-IP AVR, LTM (all modules)

Known Affected Versions:
15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3

Opened: Oct 26, 2021

Severity: 3-Major

Symptoms

When the DST Root CA X3 is expired, any HTTP agent request fails with the error:

    err tmm2[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - <address>, failure :proxyInterstitialPage: FetchError: request to <url> failed, reason: certificate has expired.

Impact

ILX plugins that rely on outbound HTTP client/agent requests to remote servers fail.

Conditions

The DST Root CA X3 certificate is expired; see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.

Workaround

Create /var/tmp/isrgrootx1.pem with the contents of https://letsencrypt.org/certs/isrgrootx1.pem.txt, then pass that file as the ca option of the request. The Node.js script:

    # cat /var/tmp/CustomCA-2.js
    var fs = require('fs');
    var https = require('https');

    var options = {
        hostname: 'letsencrypt.org',
        port: 443,
        path: '/',
        method: 'GET',
        // Incorporated CA, thus bypassing the CA embedded in the EOL version of Node.js
        ca: fs.readFileSync('/var/tmp/isrgrootx1.pem')
    };

    var req = https.request(options, function(res) {
        res.on('data', function(data) {
            console.log("PASS");
        });
    });
    req.end();
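The file named in the workaround becomes the trust anchor for the request, so it is worth checking before it is handed to the ca option. The following is an added example, not F5's code: loadPinnedCa and buildOptions are hypothetical helper names, and the checks assume a POSIX file system.

```javascript
// Added example (not from the original page): validate the CA file used by
// the workaround before passing it to https.request as the `ca` option.
var fs = require('fs');
var https = require('https');

var PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Hypothetical helper: returns { ca: [pem, ...], count: n } or throws.
function loadPinnedCa(pemPath) {
  // lstat so that a symlink planted at the path is rejected, not followed.
  var st = fs.lstatSync(pemPath);
  if (!st.isFile()) {
    throw new Error(pemPath + ': not a regular file (symlinks are rejected)');
  }
  // A trust anchor that group or others can rewrite can be swapped out.
  if ((st.mode & 0o022) !== 0) {
    throw new Error(pemPath + ': writable by group or others');
  }
  var text = fs.readFileSync(pemPath, 'utf8');
  if (/PRIVATE KEY-----/.test(text)) {
    throw new Error(pemPath + ': contains a private key');
  }
  var blocks = text.match(PEM_CERT) || [];
  if (blocks.length === 0) {
    throw new Error(pemPath + ': no PEM certificate found');
  }
  return { ca: blocks, count: blocks.length };
}

// Builds the same options object as the workaround script. Supplying `ca`
// replaces Node's built-in roots for this request; it does not add to them,
// so only servers that chain to a certificate in the file will validate.
function buildOptions(hostname, pemPath) {
  return {
    hostname: hostname,
    port: 443,
    path: '/',
    method: 'GET',
    ca: loadPinnedCa(pemPath).ca
  };
}
```

The object returned by buildOptions('letsencrypt.org', '/var/tmp/isrgrootx1.pem') can be passed to https.request in place of the options literal in the script above.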

Fix Information

None

Behavior Change
