Error "SSL Client CA chain cannot be verified" is seen when CRL is configured on Edge LB
Article ID: 309115
Products
VMware NSX
Issue/Introduction
Symptoms:
Edge LB has been configured to terminate SSL.
Client authentication as required has been configured. Clients are authenticated successfully.
However after CRL is configured, no clients are authenticated anymore.
In the Edge logs, you see SSL failures like the following:
#.#.#.#:# [22/Jun/2018:06:50:50.590] http01/1: SSL client CA chain cannot be verified
Environment
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x
Cause
When a CRL is configured on the Edge LB for client authentication, a CRL is required for every CA in the certificate chain, including the root CA and any intermediate CAs. If a CRL is configured only for the intermediate CA, client authentication fails.
Resolution
CRLs must be configured for all CAs in the certificate chain. If any CA in the chain has no CRL configured, this error appears. Obtain the missing CRLs from the CA administrator. Note that the CRL issued by a root CA is sometimes called an ARL (Authority Revocation List).
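The following shell script is an added example; it is not part of this KB article and is not NSX code. It builds a throwaway two-tier test PKI with the openssl command-line tool and runs the equivalent full-chain revocation check (openssl verify -crl_check_all) twice: once with a CRL bundle that contains only the intermediate CA's CRL, which fails the way the symptom above describes, and once with the root CA's CRL (the ARL) added, which passes. The CA names, file names and the write_cfg and verify_client helpers are constructed for this example; it assumes openssl 1.1.1 or 3.x is on PATH.

```shell
#!/bin/sh
# Added example (not from the KB): show that chain verification with CRL checking
# fails when only the intermediate CA has a CRL and passes once the root CRL (ARL)
# is present too. Everything below is a constructed, throwaway test PKI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config usable by 'openssl req', 'openssl x509 -extfile' and 'openssl ca -gencrl'.
write_cfg() {  # $1 = CA short name (root | inter)
  cat > "$1.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = .
database         = $1.index
serial           = $1.serial
crlnumber        = $1.crlnum
new_certs_dir    = .
certificate      = $1.crt
private_key      = $1.key
default_md       = sha256
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  : > "$1.index"; echo 1000 > "$1.serial"; echo 01 > "$1.crlnum"
}
write_cfg root; write_cfg inter

# Root CA (self-signed) -> intermediate CA -> client certificate
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -x509 -new -key root.key -subj "/CN=Example Root CA" -days 30 \
  -config root.cnf -extensions v3_ca -out root.crt 2>/dev/null
openssl genrsa -out inter.key 2048 2>/dev/null
openssl req -new -key inter.key -subj "/CN=Example Issuing CA" -config inter.cnf -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile inter.cnf -extensions v3_ca -out inter.crt 2>/dev/null
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -subj "/CN=client01" -config inter.cnf -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 \
  -extfile inter.cnf -extensions v3_client -out client.crt 2>/dev/null

# Empty CRLs: one issued by the intermediate CA, one issued by the root CA (the ARL)
openssl ca -gencrl -config inter.cnf -crldays 30 -md sha256 -out inter.crl 2>/dev/null
openssl ca -gencrl -config root.cnf  -crldays 30 -md sha256 -out root.crl  2>/dev/null

# Two candidate CRL bundles, as they would be uploaded to the load balancer
cat inter.crl          > crl-intermediate-only.pem
cat inter.crl root.crl > crl-all-cas.pem

# Full-chain revocation check: with -crl_check_all every CA in the chain needs a CRL.
# Echoes "verified" or "failed" and returns openssl's exit status.
verify_client() {  # $1 = CRL bundle file
  if openssl verify -crl_check_all -CAfile root.crt -untrusted inter.crt \
       -CRLfile "$1" client.crt >/dev/null 2>&1; then
    echo verified; return 0
  else
    echo failed; return 1
  fi
}

echo "intermediate CRL only: $(verify_client crl-intermediate-only.pem || true)"
# Show why: depth 1 (the intermediate) has no CRL issued by the root to check against
openssl verify -crl_check_all -CAfile root.crt -untrusted inter.crt \
  -CRLfile crl-intermediate-only.pem client.crt 2>&1 | grep -i crl || true
echo "CRLs for all CAs:      $(verify_client crl-all-cas.pem)"
```

Before uploading a CRL bundle to the Edge, the same verify_client style of check run against the real client certificate, CA chain and bundle (substituting the real files for the constructed ones) confirms that the bundle covers every CA in the chain, so a missing root CRL is caught before clients start failing authentication.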