Forum Discussion
F5 certificate not working for all ports.
Folks, we have a wildcard certificate configured on the F5 and this certificate caters to a VIP which listens on all ports, i.e. http://hostname.externaldomain.com:**.
For some reason the certificate does not work for all ports and the behavior we see is weird. It may work for one port and not for the other.
When we reboot the F5 it may work for another port but not for the port it worked on earlier.
Any suggestion?
Note, this VIP has many nodes behind it and moves requests based on a configured iRule. This iRule works fine for non-https-based requests.
Thanks!!! N.
22 Replies
- Jad_Tabbara__J1
Cirrostratus
Could you share the output of these curl commands:
curl -k https://hostname.noname.com:4545 -v
curl -k https://hostname.noname.com:other_port -v
- N__197982
Nimbostratus
Attached is the output... does this mean some SSL path issue? But that works fine if a static port is used, i.e. if I use 8110 only.
[root@dhcp-172-29-141-96 ~] curl -k https://noname-01.domain.com:8110 -v
* About to connect() to noname-01.domain.com port 8110 (0)
* Trying 1.2.3.10... connected
* Connected to noname-01.domain.com (1.2.3.10) port 8110 (0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unable to initialize NSS database
* Initializing NSS with certpath: none
* Unable to initialize NSS
* NSS error -5925
* Closing connection 0
* Problem with the SSL CA cert (path? access rights?)
curl: (77) Problem with the SSL CA cert (path? access rights?)
[root@dhcp-172-29-141-96 ~] curl -k https://noname-02.domain.com:8200 -v
* About to connect() to noname-02.domain.com port 8200 (0)
* Trying 1.2.3.10... connected
* Connected to noname-02.domain.com (1.2.3.10) port 8200 (0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unable to initialize NSS database
* Initializing NSS with certpath: none
* Unable to initialize NSS
* NSS error -5925
* Closing connection 0
* Problem with the SSL CA cert (path? access rights?)
curl: (77) Problem with the SSL CA cert (path? access rights?)
[root@dhcp-172-29-141-96 ~]
- Jad_Tabbara__J1
Cirrostratus
You mean that it is working fine if you use your browser
- when accessing https://noname-01.domain.com:8110 ?
- and not working when accessing https://noname-01.domain.com:8200 ?
- N__197982
Nimbostratus
not working with both..
- Jad_Tabbara__J1
Cirrostratus
So what do you mean by "But that works fine if a static port is used, i.e. if I use 8110 only."?
Do you have any log in /var/log/ltm when you try to access the following?
- N__197982
Nimbostratus
Hey JTI, I believe we have figured out the challenges here. The URLs are not working because the request comes back from the inside server on http, which breaks the iRules.
Thanks for the all the help from your end.
I am closing this thread and marking a separate one to discuss the other issues.
- N__197982
Nimbostratus
Hey Faruk, I believe we have figured out the challenges here. The URLs are not working because the request comes back from the inside server on http, which breaks the iRules.
Thanks for the all the help from your end.
I am closing this thread and marking a separate one to discuss the other issues.
- N__197982
Nimbostratus
How do I accept the answers from you folks?
- PeteWhite
Employee
I think the SSL error you show is probably client-related. Maybe try a different client and also manually add the Host header as appropriate. You don't have a default pool assigned to your virtual server and there is no else clause in the iRule in which case without the required Host header it will send a reset.
Maybe add more logging to your iRule and possibly other events like LB_FAILED and CLIENT_CONNECTED. You can also use the SSL events. This will show you more information for debugging and probably lead you right to the issue.
- Jad_Tabbara__J1
Cirrostratus
Hey JTI, I believe we have figured out the challenges here. The URLs are not working because the request comes back from the inside server on http, which breaks the iRules.
Thanks for all the help from your end.
I am closing this thread and marking a separate one to discuss the other issues.
If the backend server sends back a URL with http, you will need to rewrite HTTP to HTTPS.
Now you can accept ;)
Regards
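As an added illustration of the rewrite Jad describes (example iRule, not code posted in this thread): the backend answers with an http:// redirect, and the F5 must hand the client an https:// Location that still points at the port the client actually used, since this VIP listens on all ports. The simple case is also covered by the HTTP profile's Redirect Rewrite setting; the iRule below is for when the port must be preserved. It assumes a client SSL profile and an HTTP profile are attached to the virtual server.

```tcl
# Example iRule (not from the thread): rewrite backend "http://" redirects
# to "https://", keeping the hostname and the client-facing port.

when HTTP_REQUEST {
    # Remember which VIP port the client connected to; the backend does
    # not know it and tends to put its own (or no) port in the redirect.
    set client_port [TCP::local_port]
}

when HTTP_RESPONSE {
    # Only redirects carry a Location header worth rewriting.
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header "Location"]
        if { [string tolower [string range $loc 0 6]] eq "http://" } {
            # Strip the scheme, then split host[:port] from the path.
            set rest [string range $loc 7 end]
            set slash [string first "/" $rest]
            if { $slash == -1 } {
                set hostport $rest
                set path ""
            } else {
                set hostport [string range $rest 0 [expr {$slash - 1}]]
                set path [string range $rest $slash end]
            }
            # Drop whatever port the backend used; keep only the hostname.
            set host [lindex [split $hostport ":"] 0]
            # Rebuild as https on the port the client came in on (omit :443).
            if { $client_port == 443 } {
                set newloc "https://${host}${path}"
            } else {
                set newloc "https://${host}:${client_port}${path}"
            }
            HTTP::header replace "Location" $newloc
            # Log the rewrite so /var/log/ltm shows what the client received.
            log local0. "Rewrote redirect $loc -> $newloc"
        }
    }
}
```

A redirect of http://noname-01.domain.com/login from a client that connected on port 8110 becomes https://noname-01.domain.com:8110/login; the log line makes each rewrite visible in /var/log/ltm for debugging.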