For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

wanderingadmin_'s avatar
wanderingadmin_
Icon for Nimbostratus rankNimbostratus
Mar 31, 2017

Certificate error from F5 virtual server

"Certificate error on F5 Load Balancing" Hello, We have a virtual server configured on the F5 with URL easysite.com with 3 load balancing pool members. The 3 members are running IIS7.5 and individual...
application delivery
BIG-IP
Ed_Summers's avatar
Ed_Summers
Icon for Nimbostratus rankNimbostratus
Mar 31, 2017

Sounds like you are passing SSL through to the server, so the server is presenting it's certificate when the client connects. Of course, with only the 'individual' certificates on the servers then that is what the user will see when they try to connect.

 

A few starter options:

 

1) Replace cert/key on all servers with new certificate for 'easysite.com'. Sounds like you want individual certs on each server when you connect directly, though.

 

2) Get a new certificate for 'easysite.com' and use it in a client-ssl profile on the BIGIP. Associate the client-ssl profile with the virtual server, as well as a server-ssl profile to re-encrypt traffic to the servers. In this scenario the BIGIP is terminating client SSL and presenting the easysite.com certificate to the client. By default the server-ssl profile doesn't verify the server certificate, so no changes needed on the pool members.

 

3) Get a new certificate for 'easysite.com', load it (and key) on all of your web servers alongside existing cert/key, and configure them to use SNI to determine which certificate to present to the client.