SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 7 days ago
    Edited by bkamen 7 days ago

    Hey all,

     One of the SRX300s I help someone with renewed its LetsEncrypt cert this weekend, and promptly Juniper Secure Connect stopped working.

    The two errors that the client shows are:
       2002: unable to get issuer certificate
       2104: unable to get ca issuer certificate

    So I completely re-enrolled a new cert from scratch, switched the SRX web management to that cert, restarted the web-management and tried again (didn't help), and then rebooted the SRX300 -- also didn't help.

    Both certificates (the recently enrolled one and the newly created one) seem to work fine when pointing a browser @ the SRX HTTPS interface -- and upon inspection show the expected information for validity.

    Searching for JSC 2002 error gives me a KB article that doesn't help.  (https://supportportal.juniper.net/s/article/SRX-JSC-client-unable-to-get-issuer-certificate)
    Searching for JSC 2104 error yields no results. (Everything points back to the 2002 error, which already didn't help.)

    So I'm stuck. Can't tell if this is an SRX issue or JSC issue. 

    (I'd open a JTAC case, but client's JTAC recently renewed but was delayed and I'm in the between space of the renewal.)

    Thanks!

    ------------------------------
    Ben Kamen
    ------------------------------



  • 2.  RE: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 2 days ago

    If you're manually copying cert files to the SRX, have you tried including the entire certificate chain (device cert, intermediate cert, root cert) in the file as opposed to just the device cert? I don't remember what order they were supposed to go in though ... maybe root at the bottom ... or was it at the top ... not sure ...



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 2 days ago

    This is all being done on the SRX using the JunOS built-in method for handling ACME/LE certs.

    I have a ticket open with Juniper now... so they can figure out what broke. 

    (I've literally followed the step-by-step out of the knowledgebase that got me here. Gah)

    Anyway - I'll post the fix when we figure it out. 



    ------------------------------
    Ben Kamen
    ------------------------------



  • 4.  RE: SRX LetsEncrypt Renewed Cert causes Juniper Secure Connect failure - Errors 2002 and 2104

    Posted 2 days ago

    The client side does not use the machine cert store.  You need to add the cert chain to the app, see: https://www.juniper.net/documentation/us/en/software/secure-connect/secure-connect-user-guide/topics/topic-map/overview-juniper-secure-connect-client.html

    Under your client type it will tell you the directory the cert chain needs to be in...



    ------------------------------
    David Divins
    ------------------------------
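
Added example, not from this thread or from Juniper: the chain-file advice in replies 2 and 4 can be checked before copying a bundle to the client, since "unable to get issuer certificate" is the standard X.509 verification error for a presented cert whose issuer is not in the bundle. Chain files are conventionally leaf first, then each issuing CA, with the root (when included) last; the script below walks a PEM bundle with only the standard library and flags any cert whose issuer is not the subject of the cert that follows it. The certificates it ships with are constructed, unsigned DER test data and the name vpn.example.net is a placeholder.

```python
"""Check a PEM bundle is leaf-first (each cert's issuer is the next cert's subject) and whether it ends with a self-signed root."""
import base64
import re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):                                    # (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name bytes by walking tbsCertificate."""
    _, cert_start, _ = _tlv(der, 0)                    # Certificate SEQUENCE
    _, pos, end = _tlv(der, cert_start)                # tbsCertificate SEQUENCE
    fields = []
    while pos < end:                                   # collect each top-level TBS field as (tag, raw bytes)
        tag, _, value_end = _tlv(der, pos)
        fields.append((tag, der[pos:value_end]))
        pos = value_end
    if fields[0][0] == 0xA0:                           # optional explicit [0] version comes first
        fields = fields[1:]
    return fields[4][1], fields[2][1]                  # order: serial, sigAlg, issuer, validity, subject, ...

def check_bundle(pem):
    """Return (problems, root_included); an empty problems list means the order is correct."""
    certs = [subject_issuer(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem)]
    if not certs:
        return ["no certificates found in bundle"], False
    problems = [f"cert {i} is not issued by cert {i + 1}: wrong order or missing CA cert"
                for i in range(len(certs) - 1) if certs[i][1] != certs[i + 1][0]]
    return problems, certs[-1][0] == certs[-1][1]      # last cert self-signed => root is included

# --- constructed test data: structurally valid but unsigned X.509, not real certificates ---
def _der(tag, body):                                   # minimal DER TLV encoder (short and long-form length)
    n = len(body); lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return (bytes([tag, n]) if n < 128 else bytes([tag, 0x80 | len(lb)]) + lb) + body
def make_cert(subject_cn, issuer_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))          # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
               + name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00")))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
def to_pem(*ders):
    return b"".join(b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(d) + b"-----END CERTIFICATE-----\n" for d in ders)
LEAF = make_cert("vpn.example.net", "Example Intermediate CA")       # placeholder gateway name
INTERMEDIATE = make_cert("Example Intermediate CA", "Example Root CA")
ROOT = make_cert("Example Root CA", "Example Root CA")
```

Run `check_bundle(open("chain.pem", "rb").read())` against the file you intend to install; a non-empty problem list means the client will be unable to find an issuer for some certificate in it.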