Forum Discussion
2 URLs on the same VIP with a wildcard certificate
Here is the existing setup. VIP and pool members listening on 443. Wildcard certificate on the client SSL. In the server profile, "abc.com" as the server name.
Requirement:
One more URL to be added as "xyx.abc.com" in the same VIP. The certificate would be the same wildcard. What should the client and server SSL profiles be? Please help.
8 Replies
- Hannes_Rapp_162
Nacreous
If all works with abc.com right now, and you already terminate clientssl with the *.abc.com certificate, no changes on BigIP LTM are required to add support for xyx.abc.com. They just create a new DNS A record to point xyx.abc.com to the same VIP as abc.com and voila!
Serverssl profile has no domain-aware significance. It is used to enable BigIP to act as an SSL/TLS client so the traffic to the Pool Member will be encrypted before it's forwarded downstream.
- Sanal_Babu
Altostratus
The VIP works when I attach a server profile with server name abc.com. But not for xyz.abc.com.
- nitass
Employee
If I do not misremember, the serverssl profile does not forward the server name indicated from the clientside to the serverside. So, can you try something like this?
Modifying serverside SSL profile based on hostname for SNI (Kai Wilke's comment) https://devcentral.f5.com/s/feed/0D51T00006i7eN3SAI
- Hannes_Rapp_162
Nacreous
No server name should be specified in the serverssl profile unless your external web address URLs do not match the listener configuration in the web servers. If the web server is configured to listen on abc.com:443, either add xyx.abc.com:443 as a second VirtualHost listener, or make it a wildcard listener that matches both. I see no good justification to use TLS SNI or any other F5 workaround for something as basic as this. Refer to the Apache docs for help and use the serverssl profile with DEFAULT settings; don't customize anything. If you specify abc.com as the server name in the serverssl profile, you are explicitly forcing all xyx.abc.com requests to the abc.com listener, and for obvious reasons this can't work.