Forum Discussion

Russell_77729's avatar
Russell_77729
Icon for Nimbostratus rankNimbostratus
Apr 06, 2012

f5.http iApp needs certificate chain

I am using the f5.http iApp to create a simple web service. I am using SSL, however I got a certificate error because the chain was not specified. I had to turn off strict mode and modify the ssl profile. I am missing someplace in the iApp to specify the certificate chain, or does someone have an http iApp that will let me specify the certificate chain?v
  • Brent_Blood_768's avatar
    Brent_Blood_768
    Historic F5 Account
    Hi Russel,

     

     

    Sorry this didn't get an answer sooner. Not sure how that happened.

     

     

    The current f5.http iApp does not expose a way to configure a chain cert when configuring SSL termination. The steps you took are one way (probably the easiest) to solve the problem. The other would be to "fork" the template by making a copy of it and changing its code to allow for this configuration.

     

     

    An upcoming version of this same iApp will have an enhancement to allow you to specify a clientssl profile created and managed outside of the iApp as a way to allow for using parameters not exposed by the iApp (such as a chain certificate) in the event that the iApp doesn't suffice. It'll actually offer similar options for all of the profiles that a user might want to use with it. This is a compromise between making a concise and focused template and allowing for the use of some of the more rarely used configuration options. However, it's going to be some time until that template is available.

     

     

    I was able to modify the f5.http template in two places to get the functionality that you're after, but the two changes were somewhat ugly. First, I introduced a new "section" in the presentation with a single question in it that had a small bit of TCL to build a list of ssl certificates. That isn't very clean because it's not part of the SSL section with the rest of the related config - but that section is defined in a library of code used by many templates, and so changing it would impact much more than this one template. Secondly, I had to modify the implementation to modify the client-ssl profile after it was created (again, by a chunk of common code which should be left alone). I would normally just post that iApp, but it's ugly and would make your deployment unsupportable by F5 support should you need to call in about it - and it's just not the right way to fix your problem.

     

     

    Sorry I couldn't help you more - we're working on a fix for this issue already, but it's just not quite ready yet and the only quick/easy fixes I can offer aren't really appropriate for running in production. What you did for now is probably the best solution at this time.

     

     

    Cheers,

     

    -Brent
  • Fred_Slater_856's avatar
    Fred_Slater_856
    Historic F5 Account
    Hi again Russel,

     

     

    The upcoming changes that Brent mentions above still apply, but in the meantime, I built a new template based on F5.HTTP that enables the chain certificate field as well as pre-defined client profiles. You can download this template at https://devcentral.f5.com/wiki/iApp.HTTP-with-Arbitrary-Client-SSL-Profile.ashx.

     

     

    Best,

     

    -Fred