Forum Discussion

shadow82
Aug 02, 2023

F5 redirect

Hi!

I have 2 F5s in an active/standby cluster (BIG-IP 16.1.3 build 0.0.12) and I have a VServer called xyz.acme.com:443.
It's public internet facing, with a public cert imported as a server profile - works fine.
Now I got a request to have this VServer under 2 URLs:

xyz.acme.com
z.acme.com

We did a DNS alias - this works fine, but I have a cert only for the first one.
The business does not want to buy another cert for the 2nd URL if possible (Let's Encrypt and others like it are out of the question).

Is it possible to do a redirect from z.acme.com to xyz.acme.com without buying a new cert?

  • I don't think it will work, as you said you have a cert only for the first domain.

    You probably need a wildcard cert for *.acme.com

    or a SAN certificate.

    • I agree with the other MVPs here, SSL will see an SNI mismatch at handshake time and return a warning.
      You need to import a wildcard certificate (which you might already have bought), or to renew xyz.acme.com with z.acme.com as the SAN, or to request a z.acme.com cert (and in this case, you also need to configure two clientSSL profiles on the BIG-IP).

  • shadow82 If the connection you are attempting to redirect will arrive on HTTPS, then you have no way of redirecting this connection without an SSL error being displayed to the end user for the FQDN mismatch in the SSL certificate that you have installed on the F5.
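
Added example, not part of any post in this thread: the replies turn on whether the certificate's subjectAltName entries cover the hostname the client requested, because the TLS handshake completes before any HTTP redirect can be sent. The sketch applies simplified RFC 6125-style name matching to constructed SAN lists for the three options mentioned (current cert, wildcard cert, SAN cert); all function names and sample data are assumptions.

```python
"""Which hostnames does a certificate cover? (simplified RFC 6125-style matching)"""


def san_dns_names(peercert: dict) -> list:
    """Extract DNS SAN entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*' as the entire leftmost label covering exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans several labels or zero labels
    if p[0] == "*":
        # require at least two fixed labels after the wildcard (rejects '*.com')
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered(peercert: dict, host: str) -> bool:
    return any(name_matches(p, host) for p in san_dns_names(peercert))


def redirect_without_warning(peercert: dict, source: str, target: str) -> bool:
    """The redirect response is only sent after the handshake for `source`
    succeeds, so the certificate must cover `source` as well as `target`."""
    return covered(peercert, source) and covered(peercert, target)


# Constructed sample certificates (only the field this check reads).
CURRENT_CERT = {"subjectAltName": (("DNS", "xyz.acme.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.acme.com"),)}
SAN_CERT = {"subjectAltName": (("DNS", "xyz.acme.com"), ("DNS", "z.acme.com"))}

if __name__ == "__main__":
    for label, cert in (("current", CURRENT_CERT),
                        ("wildcard", WILDCARD_CERT),
                        ("SAN", SAN_CERT)):
        ok = redirect_without_warning(cert, "z.acme.com", "xyz.acme.com")
        print(f"{label:8} cert: z.acme.com -> xyz.acme.com clean redirect = {ok}")
```

The same `covered` check can be run against the SAN list of a certificate before it is bound to a clientSSL profile, to confirm every DNS alias pointing at the virtual server is included.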