This is all being done on the SRX using the JunOS built-in method for handling ACME/LE certs.
I have a ticket open with Juniper now... so they can figure out what broke.
(I've literally followed the step-by-step out of the knowledgebase that got me here. Gah)
Anyway - I'll post the fix when we figure it out.
------------------------------
Ben Kamen
------------------------------
Original Message:
Sent: 09-06-2024 14:11
From: Nikolay Semov
Subject: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104
If you're manually copying cert files to the SRX, have you tried including the entire certificate chain (device cert, intermediate cert, root cert) in the file as opposed to just the device cert? I don't remember what order they were supposed to go in though ... maybe root at the bottom ... or was it at the top ... not sure ...
------------------------------
Nikolay Semov
Original Message:
Sent: 09-01-2024 14:35
From: bkamen
Subject: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104
Hey all,
One of the SRX300s I help someone with renewed its LetsEncrypt cert this weekend, and promptly Juniper Secure Connect stopped working.
The two errors that the client shows are:
2002: unable to get issuer certificate
2104: unable to get ca issuer certificate
So I completely re-enrolled a new cert from scratch - switched the SRX web management to that cert. Restarted the web-management and tried again (didn't help), and then rebooted the SRX300 -- also didn't help.
Both certificates (recently enrolled and newly created cert) seem to work fine when pointing a browser at the SRX HTTPS interface -- and upon inspection show expected information for validity.
Searching for JSC 2002 error gives me a KB article that doesn't help. (https://supportportal.juniper.net/s/article/SRX-JSC-client-unable-to-get-issuer-certificate)
Searching for JSC 2104 error yields no results. (anything points back to the 2002 error which already didn't help)
So I'm stuck. Can't tell if this is an SRX issue or JSC issue.
(I'd open a JTAC case, but client's JTAC recently renewed but was delayed and I'm in the between space of the renewal.)
Thanks!
------------------------------
Ben Kamen
------------------------------