We've just upgraded an IVE from 7.1R1 to 7.1R2, but ever since, none of our iOS devices can do clientless ActiveSync with certificate authentication any more. We keep seeing an error message in the logs that we've never seen before:
Failed to authenticate client certificate, issuer='O=xxxx, OU=xxxx, CN=xxxxx'; subject='[email protected], CN=xxxxx, OU=xxxx, O=xxxxx', on the virtual port with IP address 'y.y.y.y' due to the following reason: Unknown certificate error, error code=24
We've tried re-importing the CA certificate, checking all of the trust settings, checking the clientless ActiveSync config, SSL options, etc., but to no avail. This seems like a bug introduced in 7.1R2, as this setup has been working perfectly for the past few months on 7.1R1.
One error that we've noticed when re-importing the CA certificate that may have something to do with it:
"ERR23036 Invalid certificate purpose on 'O=xxxx OU=xxxx, CN=xxxxx'"
Has anyone else run across this problem with 7.1R2?
It sounds as though you might be missing an intermediate CA cert, just a thought though.
The enforcement of 'purpose check' before importing a certificate has been removed in IVE OS versions 4.2R1 and above.
The 'purpose check' could have been reintroduced in 7.1R2?
If you don't use the virtual port, does it work?
We've done some more testing and it looks like this isn't just affecting ActiveSync - cert auth in Junos Pulse for iOS isn't working either. It's definitely looking like a generic issue with this build verifying and authenticating our certificates.
I'd be interested to know if anyone else has run into this. One possibility is that the CA we're using isn't issuing certificates with the correct purpose flags set. There doesn't appear to be any documentation, configuration or log messages that make this clear, so I'm wondering if anyone else has successfully used certificate auth in 7.1R2? If so, which CA are you using and what purpose are your certificates provisioned for (IPSec, Client Authentication, Smart Card etc.)?
Using an internal CA I am able to have cert auth work without an issue in Pulse.
The purpose is "client authentication" on the certificate.
Are you seeing failure on all ports (internal, external, and virtual on either)?
We currently use 7.0R4 with a self-signed certificate for client auth.
We tried to upgrade to 7.1R2.0 and out of nowhere it is not possible to log in anymore.
We only get "WrongCert" error in the log. We re-imported the TrustedClient-CA and there is no error.
We rolled back to 7.0R4 and instantly login worked again.
Then we tried 7.1R1.0 with the same result. Rolled back.
We tried 7.0R6.0: same result, rolled back.
We tried 7.0R5.1: same result, rolled back.
We checked all settings. Added new auth server and realms, compared all settings. Imported settings+certs from backup.
But nothing. We are really clueless here.
Maybe someone can solve the riddle?
We upgraded to 7.1R2 and now all of our client certs are broken; opening a call with support.
Support tier one = no idea, having me reboot my cluster. Did that, problem still exists. Ahh, the good old days when a "reboot" actually fixed a problem.
Hopefully they can find the problem. Our clients are asking for Firefox 4 support all the time now and we are unable to upgrade to 7.1R2 :-(