Error "SSL Client CA chain cannot be verified" is seen when CRL is configured on Edge LB

Article ID: 309115

Products

VMware NSX

Issue/Introduction

Symptoms:

  • The Edge load balancer (LB) has been configured to terminate SSL.
  • Client authentication has been configured as required (mandatory), and clients authenticate successfully.
  • After a CRL is configured, no client is authenticated any more.
  • The Edge logs show SSL failures like the following:
    #.#.#.#:# [22/Jun/2018:06:50:50.590] http01/1: SSL client CA chain cannot be verified

Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x

Cause

When a CRL is configured on the Edge LB for client authentication, revocation is checked for every certificate in the client's chain, so a CRL is required for every CA in that chain: the root CA as well as each intermediate CA.
If a CRL is present only for the intermediate CA, the chain cannot be verified and client authentication fails for all clients, not only for clients with revoked certificates. This is the standard OpenSSL behaviour for full-chain CRL checking: a missing CRL for any CA in the chain is a verification error ("unable to get certificate CRL"), not a skipped check.

Resolution

Configure CRLs for all the CAs in the certificate chain.
If any CA in the chain has no CRL, this error appears; obtain the missing CRL from the CA administrator.
Note that the CRL of a root CA is sometimes called an ARL (Authority Revocation List). It is required even if the root CA has never revoked anything, in which case it is simply an empty CRL.
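The following script is an added example, not VMware's code or part of this article. It reproduces the condition described above with plain OpenSSL (the Edge's full-chain requirement corresponds to OpenSSL's -crl_check_all) and adds a preflight check, missing_crls, that lists which CAs in a chain have no matching CRL in a bundle before the bundle is uploaded to the Edge. It assumes openssl (1.1.1 or 3.x) is in PATH with its default configuration installed; the CA names, file names and the root/intermediate/client certificates and CRLs are all hypothetical and constructed on the fly.

```shell
#!/bin/sh
# Added example (not VMware's code): show with plain OpenSSL why a CRL bundle
# that covers only the intermediate CA fails full-chain checking, and preflight
# a CRL bundle against the CA chain before uploading it to the Edge.
# Assumes: `openssl` (1.1.1 or 3.x) in PATH with its default config installed.
# All names, certificates, keys and CRLs below are constructed for the example.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the constructed CAs and the client certificate.
cat > ext.cnf <<'EOF'
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# csr <name> <CN>: fresh RSA key plus CSR (hypothetical names).
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }

csr root   "Test Root CA"
csr inter  "Test Intermediate CA"
csr client "client1"
openssl x509 -req -in root.csr -signkey root.key -days 365 \
  -extfile ext.cnf -extensions ca_ext -out root.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 365 \
  -extfile ext.cnf -extensions ca_ext -out inter.pem 2>/dev/null
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 365 \
  -extfile ext.cnf -extensions client_ext -out client.pem 2>/dev/null

# gen_crl <ca-name>: issue an empty CRL signed by that CA (for the root this is
# what the article calls an ARL). `openssl ca -gencrl` needs a minimal CA config.
gen_crl() {
  mkdir -p "$1.db"; : > "$1.db/index.txt"; echo 01 > "$1.db/crlnumber"
  cat > "$1.db/ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
database = $WORK/$1.db/index.txt
crlnumber = $WORK/$1.db/crlnumber
private_key = $WORK/$1.key
certificate = $WORK/$1.pem
default_md = sha256
default_crl_days = 30
EOF
  openssl ca -config "$1.db/ca.cnf" -gencrl -out "$1.crl" 2>/dev/null
}
gen_crl root
gen_crl inter

# The CRL bundles an administrator might upload to the Edge.
cat inter.crl          > crl_inter_only.pem   # the misconfiguration in this article
cat root.crl           > crl_root_only.pem
cat inter.crl root.crl > crl_full.pem         # what the Resolution section asks for

# verify_chain <crl-bundle> [mode]: prints "OK" or "FAIL" for client.pem against
# the chain. -crl_check_all (default) mirrors the Edge's full-chain requirement;
# -crl_check checks only the client certificate and is shown for contrast.
verify_chain() {
  if openssl verify "${2:--crl_check_all}" -CRLfile "$1" -CAfile root.pem \
       -untrusted inter.pem client.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# missing_crls <crl-bundle> <ca-cert>...: print each CA that has no CRL in the
# bundle, matching each CRL's issuer DN against each CA's subject DN (RFC 2253).
missing_crls() {
  bundle=$1; shift
  awk '/-----BEGIN X509 CRL-----/{n++} n>0{print > ("part." n)}' "$bundle"
  issuers=$(for p in part.*; do openssl crl -in "$p" -noout -issuer -nameopt RFC2253; done)
  rm -f part.*
  for ca in "$@"; do
    subj=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253)
    printf '%s\n' "$issuers" | sed 's/^issuer=//' | grep -qxF -- "${subj#subject=}" || echo "$ca"
  done
}

echo "intermediate CRL only, full-chain check: $(verify_chain crl_inter_only.pem)"               # FAIL
echo "root CRL only, full-chain check:         $(verify_chain crl_root_only.pem)"                # FAIL
echo "both CRLs, full-chain check:             $(verify_chain crl_full.pem)"                     # OK
echo "intermediate CRL only, leaf-only check:  $(verify_chain crl_inter_only.pem -crl_check)"    # OK
echo "CAs lacking a CRL in crl_inter_only.pem: $(missing_crls crl_inter_only.pem root.pem inter.pem)"  # root.pem
```

The full-chain check fails whichever CA's CRL is missing, even though every CRL here is empty, which is the behaviour behind the "SSL client CA chain cannot be verified" message. Running missing_crls over the exact CA bundle and CRL bundle you intend to upload tells you which ARL or intermediate CRL still has to be requested from the CA administrator.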