HTTPS Post request failed. 2002 – unable to get issuer certificate (Wildcard) (Cross-posted from Juniper Elevate)

  • 1.  HTTPS Post request failed. 2002 – unable to get issuer certificate (Wildcard) (Cross-posted from Juniper Elevate)

    Posted Mar 03, 2026 03:41 PM

    As part of our welcoming Juniper Elevate community members into Airheads Community, we're bringing over some of the latest conversations to continue the discussions here.  

    Hello, 

    We are experiencing an issue on an SRX345 when using a wildcard certificate with Juniper Secure Connect for SSL VPN access. 

    When users attempt to connect, the client fails during certificate validation and returns the following error: "HTTPS Post request failed. 2002 – unable to get issuer certificate" 

    The problem occurs only when we use a wildcard certificate (*.domain.com) issued by a trusted public CA. If we replace it with a self-signed certificate generated directly on the SRX345, the VPN connection works correctly. 

    The wildcard certificate and private key were successfully imported on the device and correctly associated with the SSL VPN gateway. The certificate is valid and not expired, and the FQDN used by clients matches the certificate CN/SAN. When accessing the same FQDN via a web browser, there are no certificate warnings. 

    Do the intermediate CA certificates need to be manually imported and bound, or are there specific requirements for installing the certificate chain for SSL VPN on the SRX345? 

    We followed the instructions in the following article to upload the certificate on the SRX345: CEC Juniper Community

    Thank you in advance. 

    Another member shared this solution: 

    This usually happens when the full certificate chain isn't installed on the SRX. Even though the wildcard cert works fine in a browser, the Juniper Secure Connect client doesn't fetch intermediate certificates automatically like browsers do. If the intermediate CA certs aren't imported and properly linked on the SRX345, you'll get the "unable to get issuer certificate" error. Since the self-signed cert works, your VPN config is probably fine. I'd recheck that the intermediate CA certificate(s) are manually imported and that the SRX is presenting the full chain during the SSL handshake. That's almost always the cause in this scenario. 

    Member data has been omitted from this post. Post content may have been modified to update links, formatting, or relevant details. 
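
The failure mode described in the reply, reproduced offline as an added example (not part of the original thread and not Juniper tooling): a constructed root, intermediate and wildcard leaf, checked with `openssl verify` as a client that trusts only the root and does not fetch intermediates. The lab names, the `LAB` directory and the helper functions are assumptions made up for this illustration.

```shell
#!/bin/sh
# Constructed lab PKI: root CA -> intermediate CA -> wildcard leaf.
# Every name and file below is made up for this example.
LAB=$(mktemp -d)

# new_cert NAME SUBJECT ISSUER EXT_SECTION: key + CSR, then sign with ISSUER's key.
new_cert() {
  openssl req -new -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" -subj "$2" 2>/dev/null &&
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$3.pem" -CAkey "$LAB/$3.key" \
    -CAcreateserial -extfile "$LAB/lab.cnf" -extensions "$4" -days 2 \
    -out "$LAB/$1.pem" 2>/dev/null
}

make_lab_pki() {
  cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test
EOF
  # Self-signed root: the only certificate the simulated client trusts.
  openssl req -x509 -config "$LAB/lab.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$LAB/root.key" -out "$LAB/root.pem" -subj "/CN=Lab Root CA" -days 2 2>/dev/null
  # Intermediate signed by the root, wildcard leaf signed by the intermediate.
  new_cert int  "/CN=Lab Intermediate CA" root ca
  new_cert leaf "/CN=*.example.test"      int  leaf
}

# Client that trusts only the root. The optional argument is the extra chain
# certificate the server sends with the leaf (-untrusted = supplied by the peer).
client_accepts() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$LAB/root.pem" -untrusted "$1" "$LAB/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$LAB/root.pem" "$LAB/leaf.pem" >/dev/null 2>&1
  fi
}

make_lab_pki
if client_accepts; then echo "leaf only: accepted"; else echo "leaf only: rejected, issuer not found"; fi
if client_accepts "$LAB/int.pem"; then echo "leaf + intermediate: accepted"; else echo "leaf + intermediate: rejected"; fi
```

To see what a live gateway actually sends, `openssl s_client -connect <fqdn>:<port> -showcerts` prints the presented chain; a single certificate in that listing means the intermediate is not being served.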