Bug ID 1057501: Expired DST Root CA X3 resulting in http agent request failing.

Last Modified: Apr 17, 2024

Affected Product(s):
BIG-IP AVR, LTM (all modules)

Known Affected Versions: 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.1.9, 15.1.10

Opened: Oct 26, 2021

Severity: 3-Major


When the DST Root CA X3 is expired, any HTTP agent request fails with the error:

    err tmm2[19302]: Rule /Common/my_rule <HTTP_REQUEST>: Client - <address>, failure :proxyInterstitialPage: FetchError: request to <url> failed, reason: certificate has expired.


ILX plugins that rely on outbound HTTP client/agent requests to remote servers fail.


The DST Root CA X3 certificate is expired; see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.


Create /var/tmp/isrgrootx1.pem with the contents of https://letsencrypt.org/certs/isrgrootx1.pem.txt.

The Node.js script:

    # cat /var/tmp/CustomCA-2.js
    var fs = require('fs');
    var https = require('https');
    var options = {
        hostname: 'letsencrypt.org',
        port: 443,
        path: '/',
        method: 'GET',
        // Incorporated CA, thus bypassing the CA embedded in the EOL version of Node.js
        ca: fs.readFileSync('/var/tmp/isrgrootx1.pem')
    };
    var req = https.request(options, function(res) {
        res.on('data', function(data) {
            console.log("PASS");
        });
    });
    req.end();
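Going one step beyond the single-host script above, the following added example (not F5's code) wraps the same `ca` override in reusable helpers: it validates the PEM file before use, keeps certificate verification enabled, and reports TLS failures through an error handler instead of an unhandled exception. The helper names (`splitPemBundle`, `loadCa`, `buildOptions`, `fetchStatus`) and the sample bundle are assumptions made for illustration.

```javascript
// Added example, not part of the original bug entry.
var fs = require('fs');
var https = require('https');

var PEM_RE = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;

// Split a PEM bundle into one string per certificate. An empty result throws,
// so a missing or truncated file fails here rather than at handshake time.
function splitPemBundle(text) {
  var certs = String(text).match(PEM_RE) || [];
  if (certs.length === 0) {
    throw new Error('no CERTIFICATE blocks found in CA bundle');
  }
  return certs;
}

// Read the CA file from disk, e.g. loadCa('/var/tmp/isrgrootx1.pem').
function loadCa(path) {
  return splitPemBundle(fs.readFileSync(path, 'utf8'));
}

// Build request options. Passing `ca` replaces Node's built-in root list for
// this request, so only the supplied roots are trusted.
function buildOptions(hostname, path, caPem) {
  return {
    hostname: hostname,
    port: 443,
    path: path,
    method: 'GET',
    ca: splitPemBundle(caPem),
    rejectUnauthorized: true // verification stays on; only the trust anchors change
  };
}

// Issue the request; TLS errors such as "certificate has expired" reach the callback.
function fetchStatus(options, callback) {
  var req = https.request(options, function (res) {
    res.resume(); // discard the body
    callback(null, res.statusCode);
  });
  req.on('error', function (err) { callback(err); });
  req.end();
}

// Constructed placeholder bundle (not real certificates), for offline checks only.
var SAMPLE_BUNDLE = [
  '# comment line that some bundles carry',
  '-----BEGIN CERTIFICATE-----', 'QUJDRA==', '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----', 'RUZHSA==', '-----END CERTIFICATE-----'
].join('\n');
```

Because `ca` replaces the default roots, a plugin that calls several remote servers needs every root those servers chain to in the bundle, not only ISRG Root X1.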

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips