SRX

  • 1.  HTTPS Post request failed. 2002 – unable to get issuer certificate (Wildcard)

    This message was posted by a user wishing to remain anonymous
    Posted 27 days ago

    Hello,

    we are experiencing an issue on an SRX345 when using a wildcard certificate with Juniper Secure Connect for SSL VPN access.

    When users attempt to connect, the client fails during certificate validation and returns the following error:

    "HTTPS Post request failed. 2002 – unable to get issuer certificate"

    The problem occurs only when we use a wildcard certificate (*.domain.com) issued by a trusted public CA. If we replace it with a self-signed certificate generated directly on the SRX345, the VPN connection works correctly.

    The wildcard certificate and private key were successfully imported on the device and correctly associated with the SSL VPN gateway. The certificate is valid and not expired, and the FQDN used by clients matches the certificate CN/SAN. When accessing the same FQDN via a web browser, there are no certificate warnings.

    Do the intermediate CA certificates need to be manually imported and bound, or are there specific requirements for installing the certificate chain for SSL VPN on the SRX345?

    We followed the instructions in the following article to upload the certificate on the SRX345:

    https://supportportal.juniper.net/s/article/SRX-How-to-load-a-PKI-X-509-certificate-using-J-Web-for-secure-web-access

    Thank you in advance.



    -------------------------------------------


  • 2.  RE: HTTPS Post request failed. 2002 – unable to get issuer certificate (Wildcard)

    Posted 26 days ago

    It's been a while since I've had anything web-based enabled on the SRX, but if I recall correctly, for publicly-trusted certs I had the entire chain in the same PEM file. I certainly don't remember the sequence though -- either the root cert is on top, followed by the intermediary and then the device, or the device, then the intermediary and then the root.

    Also, I'm pretty sure I cheated a little bit -- importing only the device certificate to avoid errors, and then editing the PEM in shell manually to make it include the entire chain. After thrashing around with different configuration manuals and recommendations, that's how I was able to get the web server in the SRX to provide the full cert chain to clients. Check out https://www.ssllabs.com/ssltest/ for testing.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: HTTPS Post request failed. 2002 – unable to get issuer certificate (Wildcard)

    Posted 26 days ago

    I'm also seeing this issue for Secure Connect VPN - HTTPS Post request failed. 2002 - if I use a self-signed cert it works fine (for the HTTPS) but not for a third-party-signed cert - any input, as this subject seems to be very light on the Juniper site...

    -------------------------------------------



  • 4.  RE: HTTPS Post request failed. 2002 – unable to get issuer certificate (Wildcard)

    Posted 25 days ago

    Do you use this and the corresponding code as per Juniper?

    pki {
        ca-profile Xfinity-EAP {
            ca-identity c-xx-xx-xx-xx.hsd1.xx.comcast.net;
            revocation-check {
                disable;
            }
        }
        ca-profile MySRX300-x-EAP {
            ca-identity MySRX300-x.hsd1.xx.comcast.net;
            revocation-check {
                disable;
            }
        }
    }



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 5.  RE: HTTPS Post request failed. 2002 – unable to get issuer certificate (Wildcard)

    Posted 19 days ago

    This usually happens when the full certificate chain isn't installed on the SRX. Even though the wildcard cert works fine in a browser, the Juniper Secure Connect client doesn't fetch intermediate certificates automatically like browsers do. If the intermediate CA certs aren't imported and properly linked on the SRX345, you'll get the "unable to get issuer certificate" error. Since the self-signed cert works, your VPN config is probably fine. I'd recheck that the intermediate CA certificate(s) are manually imported and that the SRX is presenting the full chain during the SSL handshake. That's almost always the cause in this scenario.



    ------------------------------
    AL Ahlee
    ------------------------------
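    To illustrate what replies 2 and 5 describe, here is an added example that is not code from any poster in this thread or from Juniper: it builds a constructed root, intermediate and wildcard leaf with openssl, then shows that the leaf alone cannot be verified against the root while a leaf-first bundle that also contains the intermediate can. It assumes openssl is on PATH; every name, domain and file in it is made up.

```shell
#!/bin/sh
# Added example (not from the thread or Juniper): constructed root -> intermediate
# -> wildcard leaf chain, used to show why a leaf-only PEM fails verification
# and a leaf-first bundle containing the intermediate passes. Assumes openssl.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

make_chain() {
  # Extensions that make a certificate usable as a CA (root and intermediate)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  # Root CA: stands in for the public CA the VPN client already trusts
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -out root.pem -days 365 2>/dev/null
  # Intermediate CA signed by the root: the cert the SRX must also present
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out int.pem -days 365 2>/dev/null
  # Wildcard leaf signed by the intermediate (the certificate bound to the gateway)
  printf 'subjectAltName=DNS:*.example.com\n' > leaf.ext
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=*.example.com" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem -days 365 2>/dev/null
  # Bundle in the order a server should send it: leaf first, then intermediate
  cat leaf.pem int.pem > bundle.pem
}

# Exit 0 when leaf.pem chains to root.pem using only the certs in $1 as
# untrusted intermediates; non-zero when openssl cannot find the issuer.
chain_verifies() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}

# Print "<issuer of leaf>|<subject of intermediate>"; equal halves confirm the
# bundle links the leaf to the CA that actually issued it.
link_names() {
  printf '%s|%s\n' \
    "$(openssl x509 -in leaf.pem -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')" \
    "$(openssl x509 -in int.pem -noout -subject -nameopt RFC2253 | sed 's/^subject=//')"
}

make_chain
# Leaf alone: the verifier has no path to the root, the situation in this thread
chain_verifies leaf.pem && echo "leaf-only: OK" || echo "leaf-only: FAILED (issuer missing)"
# Leaf plus intermediate: the verifier can walk up to the trusted root
chain_verifies bundle.pem && echo "bundle: OK" || echo "bundle: FAILED"
```

The same leaf-first ordering is what a server's PEM bundle should carry, so a gateway that only has the leaf loaded reproduces the leaf-only failure above.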