SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 09-01-2024 14:36
    Edited by bkamen 09-01-2024 14:38

    Hey all,

     One of the SRX300s I help someone with renewed its LetsEncrypt cert this weekend, and promptly Juniper Secure Connect stopped working.

    The two errors that the client shows are:
       2002: unable to get issuer certificate
       2104: unable to get ca issuer certificate

    So I completely re-enrolled a new cert from scratch, switched the SRX web management to that cert, restarted the web-management and tried again (didn't help), and then rebooted the SRX300 -- also didn't help. 

    Both certificates (the recently enrolled one and the newly created one) seem to work fine when pointing a browser @ the SRX HTTPS interface -- and upon inspection show the expected information for validity.

    Searching for JSC 2002 error gives me a KB article that doesn't help.  (https://supportportal.juniper.net/s/article/SRX-JSC-client-unable-to-get-issuer-certificate)
    Searching for JSC 2104 error yields no results. (everything points back to the 2002 error, which already didn't help)

    So I'm stuck. Can't tell if this is an SRX issue or JSC issue. 

    (I'd open a JTAC case, but client's JTAC recently renewed but was delayed and I'm in the between space of the renewal.)

    Thanks!

    ------------------------------
    Ben Kamen
    ------------------------------



  • 2.  RE: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 09-06-2024 14:12

    If you're manually copying cert files to the SRX, have you tried including the entire certificate chain (device cert, intermediate cert, root cert) in the file as opposed to just the device cert? I don't remember what order they were supposed to go in though ... maybe root at the bottom ... or was it at the top ... not sure ...



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 09-06-2024 15:08

    This is all being done on the SRX using the JunOS built-in method for handling ACME/LE certs. 

    I have a ticket open with Juniper now... so they can figure out what broke. 

    (I've literally followed the step-by-step out of the knowledgebase that got me here. Gah)

    Anyway - I'll post the fix when we figure it out. 



    ------------------------------
    Ben Kamen
    ------------------------------



  • 4.  RE: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104
    Best Answer

    Posted 09-11-2024 10:05

    It turns out - what you mentioned was a derivative of this. (no thanks to JTAC - they were still scratching their heads when I figured this out)

    So - LetsEncrypt ADDED some sub-CA servers in the path. 

    Those needed to be added to the SRX... but then also to the JSC client. 

    What bothers me is that originally when all set up - 2 of the upstream cert (.DER) files automagically ended up on the JSC Client's ProgramData folder (in 'cacerts').

    I didn't do that. JSC did. 

    I stepped through adding the sub-CAs to the SRX first to see if they propagated to the JSC client -- they don't seem to. 

    JTAC seems to agree - that's a problem. I should be able to do all the work on the SRX and have it propagate. 

    Oh well. 

    It's working now -- but it's also annoying because the SRX LetsEncrypt documentation is fair at best and when running into items like this, the KB info falls far short of properly informing the admin. JTAC is going to fix that. 

    And so that's what it was.... 

    Problem solved.



    ------------------------------
    Ben Kamen
    ------------------------------
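A check for the condition described in this answer, written as an added example (not part of the original post and not Juniper's or Let's Encrypt's code): it walks the DER of each certificate in a set, for instance the SRX device cert plus the .DER files found in the client's cacerts folder, and reports every issuer Name that no certificate in the set (or in an optional trust store) can supply, which is exactly what "unable to get issuer certificate" is complaining about. It uses only the standard library; `sample_cert` builds constructed, unsigned X.509-shaped stand-ins for testing and is an assumption, not real Let's Encrypt data.

```python
def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, pos, vend
        pos = vend

def subject_issuer(der):
    """Return the raw DER Name encodings (subject, issuer) of one X.509 certificate."""
    _, cert_start, _ = _tlv(der, 0)                      # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)        # tbsCertificate SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]               # serial, sigAlg, issuer, validity, subject, ...
    return der[subject[1]:subject[2]], der[issuer[1]:issuer[2]]

def name_values(buf, start, end):
    """Collect the string attribute values inside a DER Name (e.g. ['Example Sub-CA 2'])."""
    out = []
    for tag, tlv_start, _ in _children(buf, start, end):
        _, vs, ve = _tlv(buf, tlv_start)
        if tag & 0x20:                                   # SET / SEQUENCE: recurse
            out += name_values(buf, vs, ve)
        elif tag in (0x0C, 0x13, 0x16):                  # UTF8String, PrintableString, IA5String
            out.append(buf[vs:ve].decode("utf-8", "replace"))
    return out

def missing_issuers(chain_der, trusted_der=()):
    """Issuer names that no cert in the chain or trust store can supply (the cause of error 2002)."""
    # Chain building matches a cert's issuer Name byte-for-byte against a candidate's subject Name.
    chain = [subject_issuer(d) for d in chain_der]
    known = {subj for subj, _ in chain} | {subject_issuer(d)[0] for d in trusted_der}
    return [", ".join(name_values(iss, 0, len(iss)))
            for subj, iss in chain if iss != subj and iss not in known]

def sample_cert(subject_cn, issuer_cn):
    """Constructed, unsigned X.509-shaped certificate with CN-only names (sample input only)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body          # short-form DER TLV
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")      # version, serial, sigAlg
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn) + der(0x30, b""))        # issuer, validity, subject, spki
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

Feed real certificates as `open(path, "rb").read()` for each .DER file; an empty result means every non-root certificate's issuer is present, a non-empty one lists the sub-CA(s) still missing from the set.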



  • 5.  RE: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 09-11-2024 10:17

    Sounds like a nasty surprise, especially if you have many clients... Glad you got it working, and thanks for posting the update.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 6.  RE: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 09-11-2024 10:25

    Sure thing.

    Worth posting for others to see -- because (as I didn't really highlight in my last reply) the additional sub-CA servers were a change from the last time the cert on the SRX was renewed 3mo ago. 

    Like - literally a matter of weeks after the renewal in June, Let's Encrypt added/changed the sub-CAs. 

    Yea - not a lot of clients - maybe a dozen. 

    JTAC still agrees the documentation is lacking, because checking the new cert against, say, Firefox, which has its own store and checks the cert just fine, presents confusion to an admin like me because of those auto-checking mechanisms, which it seems the SRX might have but the KB setup guide doesn't discuss at all. 

    At some point, I need to play with the settings to make it more resilient if possible... but the fact all the caveats aren't in the docs is frustrating.



    ------------------------------
    Ben Kamen
    ------------------------------



  • 7.  RE: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 09-06-2024 14:44

    The client side does not use the machine cert store. You need to add the cert chain to the app, see: https://www.juniper.net/documentation/us/en/software/secure-connect/secure-connect-user-guide/topics/topic-map/overview-juniper-secure-connect-client.html

    Under your client type it will tell you the directory the cert chain needs to be in...



    ------------------------------
    David Divins
    ------------------------------