Nimbostratus
EmployeeSo let's understand what is going on with the server-ssl profile and compare it to the curl command ...
curl --cacert ca-ocp.pem https://app1.openshift.testSend a ClientHello to the SSL server app1.openshift.test.
When the ServerHello returns the certificate, validate it against the Certificate Authority defined in ca-ocp.pem before connecting.
With a server-ssl profile, we validate the returned certificate against the settings set in the Server Authentication section - the servers (pool members) are specifically defined, and may be configured with self-signed or non-public certificates, so we usually just trust them.
This is the equivalent of
curl -k https://app1.openshift.testBut the server-ssl profile also does not know the name of the target server - the pool member is specified by IP.
curl -k https://192.168.1.1Here is where you probably fail - the target server needs a Server Name Indication (SNI) to identify the correct service to respond with. This is specified in the Server Name field of the server-ssl profile.
You also need to use an irule/Local Traffic Policy to select the correct server-ssl profile or pass-through the request SNI to the server-side ssl request: