For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Russell_77729's avatar
Russell_77729
Icon for Nimbostratus rankNimbostratus
14 years ago

f5.http iApp needs certificate chain

I am using the f5.http iApp to create a simple web service. I am using SSL, however I got a certificate error because the chain was not specified. I had to turn off strict mode and modify the ssl prof...
automation
devops
iApps
management
TMSH
Brent_Blood_768's avatar
Brent_Blood_768
Historic F5 Account
14 years ago
Hi Russel,

 

 

Sorry this didn't get an answer sooner. Not sure how that happened.

 

 

The current f5.http iApp does not expose a way to configure a chain cert when configuring SSL termination. The steps you took are one way (probably the easiest) to solve the problem. The other would be to "fork" the template by making a copy of it and changing its code to allow for this configuration.

 

 

An upcoming version of this same iApp will have an enhancement to allow you to specify a clientssl profile created and managed outside of the iApp as a way to allow for using parameters not exposed by the iApp (such as a chain certificate) in the event that the iApp doesn't suffice. It'll actually offer similar options for all of the profiles that a user might want to use with it. This is a compromise between making a concise and focused template and allowing for the use of some of the more rarely used configuration options. However, it's going to be some time until that template is available.

 

 

I was able to modify the f5.http template in two places to get the functionality that you're after, but the two changes were somewhat ugly. First, I introduced a new "section" in the presentation with a single question in it that had a small bit of TCL to build a list of ssl certificates. That isn't very clean because it's not part of the SSL section with the rest of the related config - but that section is defined in a library of code used by many templates, and so changing it would impact much more than this one template. Secondly, I had to modify the implementation to modify the client-ssl profile after it was created (again, by a chunk of common code which should be left alone). I would normally just post that iApp, but it's ugly and would make your deployment unsupportable by F5 support should you need to call in about it - and it's just not the right way to fix your problem.

 

 

Sorry I couldn't help you more - we're working on a fix for this issue already, but it's just not quite ready yet and the only quick/easy fixes I can offer aren't really appropriate for running in production. What you did for now is probably the best solution at this time.

 

 

Cheers,

 

-Brent