Bug ID 1057501: Expired DST Root CA X3 resulting in http agent request failing.

Last Modified: Jan 10, 2023

Affected Product:
BIG-IP AVR, LTM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1

Opened: Oct 26, 2021
Severity: 3-Major

Symptoms

When the DST Root CA X3 is expired, any HTTP agent request fails with the error:

    err tmm2[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - <address>, failure :proxyInterstitialPage: FetchError: request to <url> failed, reason: certificate has expired
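As an added example (not F5's code), the following Node.js function scans LTM log text for the error shown in Symptoms and groups the failures by iRule and remote host, which shows which plugins and upstream servers are affected. The regular expression is based only on the single error line quoted in this report; the sample lines, addresses and host names are constructed.

```javascript
// Added example: inventory "certificate has expired" failures in LTM log text.
// The pattern follows the one error line quoted in this bug report; any other
// layout of real /var/log/ltm output is an assumption.
const EXPIRED_RE =
  /tmm\d*\[\d+\]: Rule (\S+) <([A-Z_]+)>: .*?request to (\S+) failed, reason: certificate has expired/;

function findExpiredCertFailures(logText) {
  const byTarget = new Map();
  for (const line of logText.split(/\r?\n/)) {
    const m = EXPIRED_RE.exec(line);
    if (!m) continue; // unrelated line or a different failure reason
    const rule = m[1], event = m[2], url = m[3];
    let host;
    try {
      host = new URL(url).host; // group by remote server, not by full URL
    } catch (e) {
      host = url; // keep the raw value if it is not a parseable URL
    }
    const key = rule + ' -> ' + host;
    const entry = byTarget.get(key) || { rule, event, host, count: 0 };
    entry.count += 1;
    byTarget.set(key, entry);
  }
  // Most frequently failing rule/host pairs first.
  return [...byTarget.values()].sort((a, b) => b.count - a.count);
}

// Constructed sample lines (not real log data).
const SAMPLE_LOG = [
  'Oct 26 10:01:02 bigip1 err tmm2[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - 192.0.2.10, failure :proxyInterstitialPage: FetchError: request to https://api.example.test/v1/check failed, reason: certificate has expired',
  'Oct 26 10:01:05 bigip1 err tmm1[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - 192.0.2.11, failure :proxyInterstitialPage: FetchError: request to https://api.example.test/v1/other failed, reason: certificate has expired',
  'Oct 26 10:02:00 bigip1 err tmm[19302]: Rule /Common/other_rule <HTTP_REQUEST>: Client - 192.0.2.12, failure :proxyInterstitialPage: FetchError: request to https://auth.example.test/login failed, reason: certificate has expired',
  'Oct 26 10:03:00 bigip1 err tmm2[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - 192.0.2.13, failure :proxyInterstitialPage: FetchError: request to https://api.example.test/v1/check failed, reason: connect ECONNREFUSED',
  'Oct 26 10:04:00 bigip1 notice mcpd[5000]: unrelated message'
].join('\n');

console.log(JSON.stringify(findExpiredCertFailures(SAMPLE_LOG), null, 2));
```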

Impact

ILX plugins that rely on outbound HTTP client/agent requests to remote servers fail.

Conditions

The DST Root CA X3 certificate is expired; see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.

Workaround

Create /var/tmp/isrgrootx1.pem with the contents of https://letsencrypt.org/certs/isrgrootx1.pem.txt.

The Node.js script:

    # cat /var/tmp/CustomCA-2.js
    var fs = require('fs');
    var https = require('https');

    var options = {
        hostname: 'letsencrypt.org',
        port: 443,
        path: '/',
        method: 'GET',
        // Incorporated CA, thus bypassing the CA embedded in the EOL version of Node.js
        ca: fs.readFileSync('/var/tmp/isrgrootx1.pem')
    };

    var req = https.request(options, function(res) {
        res.on('data', function(data) {
            console.log("PASS");
        });
    });
    req.end();

Fix Information

None

Behavior Change