. The only way to see where the SSL negotiation is failing is capturing traffic at various points. I run F5 load balancers which similarly handle SSL offload. In situations like this I've often had to resort to capturing traffic on the load balancers themselves in order to be able to see where it's failing.
It's not unusual to have one particular type of client (browser, platform etc) fail SSL negotiation. Successful negotiation relies on the correct root and chain certs being present on the client, either because the client already has them, or by the client being sent these certs (especially the correct chain cert if needed) by the server (or load balancer).
I've often solved issues like this by forcing my load balancer to furnish the specific root and chain needed for the cert I'm using, rather than serving out whichever certs the load balancer and/or client think are needed from the load balancer's cert bundle (a big bundle of miscellaneous certs usually included by default on load balancers).
Alternately, if you have Cisco TAC support on that CSS it might be time to pick up the phone.
08-02-2022 02:47 AM
Please note: Firefox ships with it's own certificate store, whereas IE and Chrome (IIRC) will use Microsoft's certificate store. If the original issue was discovered using IE, trying firefox will likely result in no errors.
The firefox certificate store can be found by going to Options -> Advanced -> Encryption -> View Certificates. (Trusted root certificates are in the "Authorities" tab).
The microsoft certificate store can be found by launching command prompt. Type "certmgr.msc" will launch the certificate manager, and the trusted root certificates can be found in the "Trusted Root Certificate Authorities" subfolder.
https://blog.hubspot.com/website/fix-ssl-certificate-error /echatrandom
08-09-2022 04:41 AM