
F5 BIG-IP SSL Troubleshooting

Debug common SSL issues on BIG-IP - symptom by symptom.

15 min read · December 2025
F5 SSL Troubleshooting - Debug Common Issues

The 30-Second Version

Quick checks for most SSL issues:

  1. Is the chain configured? (Client SSL Profile → Certificate Key Chain → Chain)
  2. Is the profile assigned to the VS? (Virtual Server → SSL Profile Client)
  3. What does openssl s_client show?

Enable debug logging:

tmsh modify sys db tmm.ssl.log level debug

Disable when done:

tmsh modify sys db tmm.ssl.log level warning

Symptom Index

Jump to your symptom:

Symptom                     | Most Likely Cause                | Jump To
----------------------------|----------------------------------|----------
"Certificate not trusted"   | Missing chain                    | Section 2
SSL handshake failure       | Cipher/TLS mismatch              | Section 3
Wrong certificate showing   | SNI or profile issue             | Section 4
Connection reset/timeout    | Profile not assigned or VS issue | Section 5
"Certificate expired"       | Obvious, but check which cert    | Section 6
Intermittent SSL failures   | HA sync or profile mismatch      | Section 7

"Certificate Not Trusted"

Symptom: Some clients show certificate errors, often mobile apps or API clients, while browsers work fine.

Step 1: Check if Chain is Being Sent

# Count certificates in response (should be 2 or more)
echo | openssl s_client -connect YOUR-VIP:443 -servername YOUR-DOMAIN 2>/dev/null | \
  grep -c "BEGIN CERTIFICATE"

Result | Meaning                    | Action
-------|----------------------------|--------------------------
1      | Only server cert, no chain | Add chain to profile
2+     | Chain is being sent        | Check chain validity
0      | SSL not working at all     | Check profile assignment

Step 2: Verify Chain in Profile

# Check profile configuration
tmsh list ltm profile client-ssl YOUR-PROFILE cert-key-chain

Look for the chain field. If empty or missing, that's your problem.

Step 3: Add or Fix Chain

Path: Local Traffic → Profiles → SSL → Client → [Profile] → Certificate Key Chain

  1. Edit the Certificate Key Chain entry
  2. Set Chain to your intermediate certificate
  3. Click Update

Step 4: Verify Fix

# Should now show 2+ certificates
echo | openssl s_client -connect YOUR-VIP:443 -servername YOUR-DOMAIN 2>/dev/null | \
  grep -c "BEGIN CERTIFICATE"

Still Not Working?

F5 silently drops the chain if it doesn't match your certificate's issuer. Verify:

# Your cert's issuer (echo closes stdin so s_client exits instead of waiting for input)
echo | openssl s_client -connect YOUR-VIP:443 -servername YOUR-DOMAIN 2>/dev/null | \
  openssl x509 -noout -issuer

# Your chain cert's subject (should match above)
tmsh list sys crypto cert YOUR-CHAIN-CERT | grep subject

If they don't match, download the correct intermediate from your CA.
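The issuer/subject comparison above covers one link; the script below, an added example that is not from the original guide, pulls the chain the VIP actually serves and checks every link (each certificate's issuer must be the subject of the next one sent). It assumes openssl on the PATH, YOUR-VIP and YOUR-DOMAIN are placeholders, and the sample subject/issuer lines in it are constructed.

```shell
# Added example: check that the chain a VIP serves is complete and linked.
# Assumes openssl on the PATH; YOUR-VIP / YOUR-DOMAIN are placeholders.

# Emit "subject=..." / "issuer=..." lines for every PEM cert on stdin, in order.
pem_bundle_to_names() {
  awk '/BEGIN CERTIFICATE/ { blk = ""; inside = 1 }
       inside { blk = blk $0 "\n" }
       /END CERTIFICATE/ { inside = 0
                           cmd = "openssl x509 -noout -subject -issuer"
                           printf "%s", blk | cmd; close(cmd) }'
}

# Read those lines and verify the links. Exit 0 when every cert is issued by the
# one that follows it; exit 1 on a break or when only the server cert was sent
# (the "Certificate not trusted" case); exit 2 when nothing came back at all.
check_chain_links() {
  awk -F= 'BEGIN { n = 0 }
    $1 == "subject" { subj[n] = substr($0, 9) }
    $1 == "issuer"  { iss[n]  = substr($0, 8); n++ }
    END {
      if (n == 0) { print "no certificates received"; exit 2 }
      if (n == 1) { print "only the server certificate was sent; chain is missing"; exit 1 }
      for (i = 0; i < n - 1; i++)
        if (iss[i] != subj[i + 1]) {
          printf "chain break after cert %d: issuer \"%s\" != next subject \"%s\"\n", i, iss[i], subj[i + 1]
          exit 1
        }
      printf "chain OK: %d certificates linked\n", n
    }'
}

# Pull the chain the VIP actually sends and run the check over it.
# usage: probe_chain YOUR-VIP:443 YOUR-DOMAIN
probe_chain() {
  echo | openssl s_client -connect "$1" -servername "$2" -showcerts 2>/dev/null |
    pem_bundle_to_names | check_chain_links
}

# Constructed sample: the leaf was issued by intermediate G2, but the profile's
# chain field still carries the old G1 intermediate, so the link is broken.
SAMPLE_BROKEN='subject=CN = www.example.com
issuer=CN = Example Intermediate CA G2
subject=CN = Example Intermediate CA G1
issuer=CN = Example Root CA'

demo_broken() { printf '%s\n' "$SAMPLE_BROKEN" | check_chain_links; }

if [ "$#" -eq 2 ]; then probe_chain "$1" "$2"; fi
```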

SSL Handshake Failures

Symptom: Connection fails before page loads. Errors like "SSL handshake failed," "no common cipher," or "protocol version" errors.

Step 1: Enable Debug Logging

# Enable SSL debug logging
tmsh modify sys db tmm.ssl.log level debug

# Watch the logs
tail -f /var/log/ltm | grep -i ssl

Remember to disable when done:

tmsh modify sys db tmm.ssl.log level warning

Step 2: Test with OpenSSL

# Basic connection test
openssl s_client -connect YOUR-VIP:443 -servername YOUR-DOMAIN

# Test specific TLS version
openssl s_client -connect YOUR-VIP:443 -servername YOUR-DOMAIN -tls1_2
openssl s_client -connect YOUR-VIP:443 -servername YOUR-DOMAIN -tls1_3

# Test specific cipher
openssl s_client -connect YOUR-VIP:443 -servername YOUR-DOMAIN -cipher 'ECDHE-RSA-AES256-GCM-SHA384'

Step 3: Check Cipher Configuration

# See what ciphers your profile allows
tmsh list ltm profile client-ssl YOUR-PROFILE ciphers

# See what that cipher string actually produces
tmm --clientciphers 'YOUR-CIPHER-STRING'

Common Cipher Issues

Error in Log                | Cause                                   | Fix
----------------------------|-----------------------------------------|------------------------------------------------
"no shared cipher"          | Client and F5 have no ciphers in common | Expand cipher list in profile
"wrong version number"      | TLS version mismatch                    | Check Options setting for TLS versions
"certificate verify failed" | Server SSL profile can't verify backend | Set Server Authentication to Ignore, or add CA

Step 4: Check TLS Versions

# See enabled TLS versions
tmsh list ltm profile client-ssl YOUR-PROFILE options

Common Options settings:

  • no-tlsv1 - Disable TLS 1.0
  • no-tlsv1.1 - Disable TLS 1.1
  • no-tlsv1.3 - Disable TLS 1.3 (don't do this usually)
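Steps 2 to 4 are usually repeated by hand per TLS version and cipher; the script below, an added example that is not from the original guide, runs that sweep with openssl s_client and reduces each attempt to one line so the version or cipher the profile refuses stands out. It assumes an OpenSSL build that accepts the -tls1_x flags, YOUR-VIP and YOUR-DOMAIN are placeholders, and the sample s_client output in it is constructed.

```shell
# Added example: sweep TLS versions against a VIP and summarise each s_client run.
# Assumes openssl on the PATH; YOUR-VIP / YOUR-DOMAIN are placeholders.

# Reduce one s_client run (stdout+stderr on stdin) to a single verdict line:
#   OK <protocol> <cipher> verify=<code>  handshake completed (verify=21 usually
#                                         means the chain was not sent, see Section 2)
#   FAIL <reason>                         handshake broke; reason is OpenSSL's error text
summarize_handshake() {
  awk '
    /^ *Protocol *:/ { proto = $NF }
    /^ *Cipher *:/   { cipher = $NF }                 # "0000" = no cipher agreed
    /Verify return code:/ { sub(/.*Verify return code: */, ""); verify = $1 }
    /alert handshake failure|wrong version number|protocol version|unsupported protocol|no protocols available/ {
      if (reason == "") {
        reason = $0
        sub(/.*:SSL routines:[^:]*:/, "", reason)   # drop the OpenSSL error prefix
        sub(/:.*/, "", reason)                      # and the source-file suffix
      }
    }
    END {
      if (cipher != "" && cipher != "0000") printf "OK %s %s verify=%s\n", proto, cipher, verify
      else printf "FAIL %s\n", (reason == "" ? "handshake did not complete" : reason)
    }'
}

# Try each TLS version flag once, optionally pinning a TLS 1.2 cipher (-cipher
# does not affect TLS 1.3). Usage: tls_sweep YOUR-VIP:443 YOUR-DOMAIN [CIPHER]
tls_sweep() {
  host=$1; sni=$2; cipher=${3:-}
  for v in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    verdict=$(echo | openssl s_client -connect "$host" -servername "$sni" "$v" \
                ${cipher:+-cipher "$cipher"} 2>&1 | summarize_handshake)
    printf '%-8s %s\n' "$v" "$verdict"
  done
}

# Constructed sample of what s_client prints when the profile's Options refuse
# the offered protocol version (trimmed to the lines that matter).
SAMPLE_REFUSED='CONNECTED(00000003)
4087A1B2C3:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)'

demo_refused() { printf '%s\n' "$SAMPLE_REFUSED" | summarize_handshake; }
```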

Wrong Certificate Showing

Symptom: Clients receive a certificate for the wrong domain, or receive the F5's default certificate.

Step 1: Check SNI Behavior

# Test with specific SNI
openssl s_client -connect YOUR-VIP:443 -servername www.example.com

# Test without SNI (might get default cert)
openssl s_client -connect YOUR-VIP:443

Step 2: Check Virtual Server Profile Assignment

tmsh list ltm virtual YOUR-VS profiles

Look for:

  • context clientside = Client SSL profile
  • The correct profile name

Step 3: Multiple Profiles on Same VS (SNI)

If you have multiple Client SSL profiles on the same virtual server for SNI:

# List all profiles on the VS
tmsh list ltm virtual YOUR-VS profiles

# Check Default SSL Profile for SNI
tmsh list ltm profile client-ssl YOUR-PROFILE sni-default

One profile should have sni-default true - this is served when SNI doesn't match.

Step 4: Check Certificate Matches Domain

# See what domain the certificate covers
tmsh list sys crypto cert YOUR-CERT subject-alternative-name
tmsh list sys crypto cert YOUR-CERT common-name

Connection Reset/Timeout

Symptom: Connection times out or resets. No SSL handshake even starts.

Step 1: Verify Virtual Server is Listening

# Check VS status
tmsh show ltm virtual YOUR-VS

# Look for:
# - State: enabled
# - Availability: available

Step 2: Check Profile is Assigned

tmsh list ltm virtual YOUR-VS profiles

# Should show a client-ssl profile with "context clientside"

If no SSL profile is assigned, HTTPS won't work.

Step 3: Check Port and IP

# Verify VS is on port 443
tmsh list ltm virtual YOUR-VS destination

# Test connectivity
nc -zv YOUR-VIP 443

Step 4: Check Pool Status

# If pool members are down, VS might not respond
tmsh show ltm pool YOUR-POOL members

Certificate Expired

Symptom: Certificate expiration warnings or errors.

Step 1: Check Certificate Dates

# From outside
echo | openssl s_client -connect YOUR-VIP:443 -servername YOUR-DOMAIN 2>/dev/null | \
  openssl x509 -noout -dates

# From F5
tmsh list sys crypto cert YOUR-CERT expiration-string

Step 2: List All Certificates with Expiration

# tmsh - shows all certs
tmsh list sys crypto cert | grep -E "(sys crypto cert|expiration)"

# Or check specific cert
tmsh run sys crypto check-cert cert name YOUR-CERT

Step 3: Check Which Cert is Actually Expired

Sometimes it's the intermediate, not your certificate:

# See full chain with dates (x509 alone only reads the first cert, so unpack the bundle first)
echo | openssl s_client -connect YOUR-VIP:443 -servername YOUR-DOMAIN -showcerts 2>/dev/null | \
  openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -text -noout | \
  grep -E "Subject:|Not After"

Intermittent SSL Failures

Symptom: SSL works sometimes, fails other times. Inconsistent behavior.

Step 1: Check HA Sync

If you have an HA pair:

# Check sync status
tmsh show cm sync-status

# Force sync if needed
tmsh run cm config-sync to-group YOUR-DEVICE-GROUP

Certificates and profiles might not be synced between units.

Step 2: Check for Multiple Profiles

# List all profiles on the VS
tmsh list ltm virtual YOUR-VS profiles

Multiple Client SSL profiles can cause inconsistent behavior.

Step 3: Check Traffic Distribution

If you have multiple F5 units, verify certificate is installed on ALL units.

Essential Debug Commands

Quick Diagnostics

# Check virtual server status
tmsh show ltm virtual YOUR-VS

# Check profile assignment
tmsh list ltm virtual YOUR-VS profiles

# List certificates
tmsh list sys crypto cert

# Check specific certificate details
tmsh list sys crypto cert YOUR-CERT all-properties

# View profile configuration
tmsh list ltm profile client-ssl YOUR-PROFILE all-properties

SSL Logging

# Enable debug logging
tmsh modify sys db tmm.ssl.log level debug

# Watch SSL events
tail -f /var/log/ltm | grep -i ssl

# IMPORTANT: Disable when done (very verbose!)
tmsh modify sys db tmm.ssl.log level warning

Testing from F5

# Test outbound SSL (for Server SSL issues)
curl -vk https://BACKEND-SERVER:443

# Test certificate validity
tmsh run sys crypto check-cert cert name YOUR-CERT

Packet Capture

# Capture SSL traffic
tcpdump -i 0.0:nnn -nn -Xs0 -vv -w /var/tmp/ssl-capture.pcap host YOUR-VIP and port 443

# Analyze with ssldump
ssldump -nr /var/tmp/ssl-capture.pcap -H -S crypto > /var/tmp/ssl-analysis.txt

Common Error Messages Reference

Error Message                    | Meaning                                     | Fix
---------------------------------|---------------------------------------------|--------------------------------------
"no shared cipher"               | No cipher overlap between client and server | Expand cipher list in profile
"certificate verify failed"      | Chain validation failure                    | Check chain or set Ignore
"unknown ca"                     | Client doesn't trust your CA                | Add chain certificate
"certificate has expired"        | Certificate past validity date              | Renew certificate
"wrong version number"           | TLS version incompatibility                 | Check Options in profile
"handshake failure"              | Generic - enable debug logging              | Check logs for specific cause
"sslv3 alert handshake failure"  | SSL/TLS negotiation failed                  | Usually cipher or protocol issue
"connection reset by peer"       | Server rejected connection                  | Check profile assignment, VS status

Troubleshooting Flowchart

START: SSL Not Working
│
├── Can you connect on port 443?
│   └── NO → Check VS status, IP, port, firewall
│
├── YES → Does SSL handshake start?
│   └── NO → Check Client SSL profile assigned to VS
│
├── YES → Does handshake complete?
│   └── NO → Enable debug logging, check ciphers/TLS versions
│
├── YES → Is certificate trusted?
│   └── NO → Check chain configuration
│
├── YES → Is it the correct certificate?
│   └── NO → Check profile assignment, SNI configuration
│
└── YES → Everything working!

Troubleshooting Checklist

  • Virtual server is enabled and available
  • Client SSL profile is assigned to virtual server
  • Certificate is not expired
  • Certificate key chain includes cert, key, AND chain
  • Chain certificate matches certificate's issuer
  • Cipher string allows common ciphers
  • TLS versions align with client requirements
  • For HA: configuration is synced to both units
  • Debug logging disabled after troubleshooting
