Last Modified: Sep 24, 2024
Affected Product(s):
BIG-IP AVR, LTM
Known Affected Versions:
15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5
Opened: Oct 26, 2021
Severity: 3-Major
Once the DST Root CA X3 certificate has expired, any HTTP agent request fails with the error:

    err tmm2[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - <address>, failure :proxyInterstitialPage: FetchError: request to <url> failed, reason: certificate has expired.
ILX plugins that rely on outbound HTTP client/agent requests to remote servers fail.
The DST Root CA X3 certificate is expired; see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.
Create /var/tmp/isrgrootx1.pem with the contents of https://letsencrypt.org/certs/isrgrootx1.pem.txt, then pass that file as the ca option of the outbound request. The Node.js script:

    # cat /var/tmp/CustomCA-2.js
    var fs = require('fs');
    var https = require('https');

    var options = {
        hostname: 'letsencrypt.org',
        port: 443,
        path: '/',
        method: 'GET',
        // Incorporated CA, thus bypassing the CA embedded in the EOL version of Node.js
        ca: fs.readFileSync('/var/tmp/isrgrootx1.pem')
    };

    // Prints PASS when response data arrives, i.e. the TLS handshake validated against the supplied CA
    var req = https.request(options, function(res) {
        res.on('data', function(data) {
            console.log("PASS");
        });
    });
    req.end();
None