What cert do I need for ssl_ca_certs_file? Very confusing...

Have 5 AD domain controllers behind an F5 load balancer...

The current PEM file in the ssl_ca_certs_file is not aligning with any of the certs that I can see using the acert tool.

Currently the PEM file we are using only has one BEGIN/END block, which is suspect because I thought you need the "full chain" CA and ROOT certs.

When I run the acert tool against the F5 I get 4 BEGIN/END sections... I think there are two intermediates, a root and the server cert itself...

If I run it against the Domain Controllers themselves I get one BEGIN/END block and:

I couldn't verify this connection.
I got the error: 'x509: certificate signed by unknown authority'

Not sure where to go from here... I need to update the current ssl_ca_certs_file and I'm not sure where it came from.

thanks
R

5 Replies

charlie-krux
Level 1

Hi,

I think your PEM file is missing the full certificate chain. Try exporting the complete chain (root + intermediates + server cert) from the F5 and replace the current ssl_ca_certs_file with that updated version.

Also, which certificate are you using? Make sure your cert is from a trusted CA (Let's Encrypt, Comodo, Certera).

It is from the trusted source Sectigo... will try that... thanks

Yeah, we don't need the leaf certs at all (the certs actually issued to your domain controllers) in the ssl_ca_certs_file file. We want the full chain of the CA that issued the certs to your DCs to verify the cert presented by your DCs when the proxy tries to make the SSL connection to them.

https://support.sectigo.com/articles/Knowledge/Sectigo-Chain-Hierarchy-and-Intermediate-Roots

You'll know you have the right PEM file contents if you run...

acert -host your.dchostnameorthef5lb.foo -port 636 -roots path/to/your/ssl_ca_certs_file/whatever.pem

https://help.duo.com/s/article/2222 might also help.

ETA: the one exception to not needing the cert actually issued to your DC is when it's self-signed, i.e. the issuer is also the "issued to".

Duo, not DUO.
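The reply above describes the check the proxy (and acert with -roots) performs: the bundle in ssl_ca_certs_file is the only trusted material, the leaf the server presents is what gets verified, and anything else the server sends after the leaf (the F5 sends two intermediates and a root, the DCs send nothing) is only untrusted chain-building material. The Go program below is an added example, not code from the original thread or from Duo's proxy, that reproduces that model offline with Go's crypto/x509, the same library acert's "x509: certificate signed by unknown authority" message comes from. Everything in it is constructed: the root, intermediate, leaf and "stale" certificates, the hostname dc1.corp.example, and the assumption that the proxy treats any cert in the bundle as a trust anchor the way Go's Verify does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed stand-in for the thread's real PKI: a root CA, one
// intermediate, the server (leaf) cert a DC presents, and an unrelated
// self-signed cert playing the part of the mystery single-block PEM.
type DemoPKI struct {
	Root, Inter, Leaf, Stale *x509.Certificate
}

func template(cn string, serial int64, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with parent/parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewDemoPKI builds root -> intermediate -> leaf plus an unrelated CA (constructed data).
func NewDemoPKI() (*DemoPKI, error) {
	root, rootKey, err := issue(template("Demo Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(template("Demo Intermediate CA", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := template("dc1.corp.example", 3, false) // hypothetical DC hostname
	leafTmpl.DNSNames = []string{"dc1.corp.example"}
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _, err := issue(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	stale, _, err := issue(template("Unrelated CA From Old PEM", 4, true), nil, nil)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, Inter: inter, Leaf: leaf, Stale: stale}, nil
}

// VerifyAsProxy models the proxy's check: only the ssl_ca_certs_file bundle is
// trusted; extra certs the server sent after the leaf are untrusted intermediates.
func VerifyAsProxy(leaf *x509.Certificate, bundle, sentByServer []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range bundle {
		roots.AddCert(c)
	}
	for _, c := range sentByServer {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// CABundlePEM renders the bundle as it would go into ssl_ca_certs_file:
// one BEGIN/END CERTIFICATE block per CA cert, no leaf.
func CABundlePEM(cas ...*x509.Certificate) string {
	var out []byte
	for _, c := range cas {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return string(out)
}

func main() {
	p, err := NewDemoPKI()
	if err != nil {
		panic(err)
	}
	host, r, i, s := "dc1.corp.example", p.Root, p.Inter, p.Stale
	fmt.Println("stale single-block PEM, DC sends leaf only:", VerifyAsProxy(p.Leaf, []*x509.Certificate{s}, nil, host))
	fmt.Println("root only, DC sends leaf only:            ", VerifyAsProxy(p.Leaf, []*x509.Certificate{r}, nil, host))
	fmt.Println("root only, F5 sends intermediate too:     ", VerifyAsProxy(p.Leaf, []*x509.Certificate{r}, []*x509.Certificate{i}, host))
	fmt.Println("root + intermediate, DC sends leaf only:  ", VerifyAsProxy(p.Leaf, []*x509.Certificate{r, i}, nil, host))
	fmt.Print("\nssl_ca_certs_file would contain:\n", CABundlePEM(r, i))
}
```

The first two cases both fail with "x509: certificate signed by unknown authority": the stale one-block PEM is the situation in the original post, and "root only against a DC" shows why a bundle that works through the F5 (which sends its intermediates) can still fail against a DC that presents only its leaf. Putting the whole CA chain (root plus intermediates, no leaf) in the bundle passes in both paths, which is what the reply recommends. One caveat on the model: Go accepts any cert in the Roots pool as a trust anchor, so the fourth case passes with the intermediate alone as well; a different TLS stack may insist on a self-signed root being present, which is another reason to ship the full chain rather than a single intermediate.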

We are behind the F5, so the cert would have to be from the F5 and not the DC itself...

Because of Linux incompatibilities I had to run acert off a different box...

I point it to the F5 on port 636 and get back:

Server cert
Interm 1
Interm 2
Root

None of those seem to work as the ssl_ca_certs_file... very bizarre indeed...

I opened up a support ticket with DUO, Case 01705005

OK, they will ask you for the support bundle output (https://duo.com/docs/authproxy-reference#using-the-support-tool) and also should ask you for the output of the acert command I suggested, so you could be proactive and send that in to your case.

Duo, not DUO.