Forum Discussion
HTTPS Problem
Up until now using the F5 has been fairly straightforward. Adding HTTPS certificate support for incoming IE connections however has got me stumped. I have watched the online webinar and tried many variations to get it working without success.
What I am trying to do is to take a working HTTP connection through the F5 to a pool consisting of a pair of Tomcat servers and convert the virtual server connection from HTTP to HTTPS. Wireshark traces show the F5 and the Tomcat communicating with each other and all of the status balls are green. How do I go about debugging my problem? Where do I look to find out what is not happening?
Regards,
Mark
34 Replies
- jwham20
Nimbostratus
MarkM,
Quick question, are you talking about putting SSL on the front side of the connection or the back side:
Client ---> Virtual server (front side)
Virtual Server ------> Apache pool members (back side)
Joshm

- MarkM_63051
Nimbostratus
Front side, client to F5. Not F5 to the balanced server in the pool.

- jwham20
Nimbostratus
Sweet! Alright, here's my favorite way to do it, everyone has a flavor of it I'm sure.
1. Create a new virtual server, a clone of the port 80 Virtual server. For this example, I'll call it clone-https
--Key difference: This one listens on port 443.
2. Import the certificate and key into the F5. Local Traffic -> Certificate List -> Import
3. Create a client SSL profile, Local Traffic -> Profiles -> SSL -> Client (http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html?sr=18888170). That is where you are going to define the certificate and key. For the example, I'll call the profile coolssl
4. Assign the client ssl profile to the Virtual server clone-https. Go into the virtual server properties, change it from basic to advanced, and there you should see the client ssl profile option.
Click update... and boom. Try to hit the ssl version of the site.
workie? hopefully.
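Josh's four GUI steps as tmsh commands (LTM 11.x), added here as an editor's example rather than anything posted in the thread. The profile and virtual server names follow Josh's example; the pool name, the name of the existing port-80 virtual server, the file paths and the assumption that Tomcat's pool members listen on a plain HTTP connector are placeholders, and the VIP address is the one Mark's openssl check connects to later in the thread.

```tmsh
# Added example: tmsh version of Josh's four steps, LTM 11.x.
# Placeholders: http-vs (existing port-80 VS), tomcat_pool, coolssl,
# clone-https, and the /var/tmp paths.

# 1. Look at the working port-80 virtual server first: the 443 clone should
#    copy its pool, http/tcp profiles and SNAT setting, changing only the
#    destination port and adding the client-ssl profile.
list ltm virtual http-vs

# 2. Import the certificate and key (files copied to /var/tmp beforehand).
install sys crypto cert coolssl.crt from-local-file /var/tmp/coolssl.crt
install sys crypto key coolssl.key from-local-file /var/tmp/coolssl.key

# 3. Client SSL profile: cert and key are what the F5 presents to browsers.
#    Add "chain <intermediate.crt>" only when the CA actually issued an
#    intermediate; a chain entry that does not match the cert is the
#    failure nathe describes further down the thread.
create ltm profile client-ssl coolssl defaults-from clientssl cert coolssl.crt key coolssl.key

# 4. The port-443 virtual server: same pool as the port-80 one, same
#    tcp/http profiles, plus coolssl on the client side. The F5 decrypts
#    and hands Tomcat plain HTTP, so the members keep their HTTP port.
create ltm virtual clone-https destination 16.124.133.211:443 ip-protocol tcp pool tomcat_pool profiles add { tcp http coolssl }

# Verify, then persist.
list ltm virtual clone-https
save sys config
```

Two things to compare against the port-80 virtual server afterwards: the clone must point at the same pool (only if the Tomcat connector itself speaks TLS would a server-ssl profile be needed as well), and if the port-80 server relies on SNAT the clone needs the same setting, otherwise Tomcat's replies bypass the F5 and the browser sees a dropped connection.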
joshm

- MarkM_63051
Nimbostratus
Hello Josh,
Thank you for the clear instructions. Unfortunately, no workie. I even created a new certificate using openssl. I get the following error "Internet Explorer cannot display the webpage". If I change the service port back to 80 and then remove the ssl client profile, then it works.
I need some advice on how to debug this one. I installed wireshark on my backend tomcat 6 server and it shows tcp connections going between the tomcat server and the F5.
Mark

- jwham20
Nimbostratus
MarkM,
Huh. So when I am troubleshooting ssl, I typically use openssl to see if the certificate is being handed out:
openssl s_client -connect VIPIP:443
If the certificate is being handed out, then the front end connection is most likely good, and there is just an issue with the pool.
For further checking, you can run tcpdump on the F5 unit itself.
tcpdump -s0 -ni 0.0:nnn host VIPIP and port 443 -w /var/tmp/external.pcap
That file can be opened in wireshark.
Does the openssl connection work?
-Josh

- nathe
Cirrocumulus
MarkM,
Not an answer, more of a pointer for you. BTW, I agree with josh m's setup.
The only time I've had this issue when setting up an https VIP was with the client ssl profile itself, so I'd double-check your work here. If I remember correctly, I made a mistake or it didn't like the Chain setting I added, and I got a "Page Cannot Display the Webpage" error too. Sorting the Chain setting sorted the issue.
I'm not too familiar with openssl, so this bit may in effect be repeating what josh has suggested, but I'd run a wireshark on a client and see if you get the tcp / ssl handshakes completed.
Good Luck
N

- MarkM_63051
Nimbostratus
Hello Nathan,
Thank you for responding. I have done my best to follow Josh's setup, but I still get the dreaded "Internet Explorer cannot display the webpage" error. I did set up wireshark on my Tomcat server and there is communication between Tomcat and the F5. The capture did not show anything wrong. What I need is advice on how to debug my problem. I attempted to open a support case, but those seem to take quite a while to get resolved. I sent support the wireshark captures and an F5 dump. If I can't get this going soon, I will have to log it as a bug and move on to other work I have pending.
Mark

- MarkM_63051
Nimbostratus
Josh,
Thank you for the troubleshooting suggestions. Here are the openssl check results:
D:\workspace\F5>openssl s_client -connect 16.124.133.211:443
Loading 'screen' into random state - done
CONNECTED(0000011C)
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1
---
Certificate chain
 0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
   i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgICAukwDQYJKoZIhvcNAQEFBQAwgZgxCzAJBgNVBAYTAlVT
MQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTESMBAGA1UEChMJTXlDb21w
YW55MQswCQYDVQQLEwJJVDEeMBwGA1UEAxMVbG9jYWxob3N0LmxvY2FsZG9tYWlu
MSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0x
MjAxMTYyMzM3MzRaFw0yMjAxMTMyMzM3MzRaMIGYMQswCQYDVQQGEwJVUzELMAkG
A1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNVBAoTCU15Q29tcGFueTEL
MAkGA1UECxMCSVQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcG
CSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcEil+9x9bTq9nz3SskYtAixSQ03hVjrNY
8f0/tf1IudJesxqJdRSbfe3xKW5FcTsGEQhUq+6lNj5CCKU95Iemw4pjud4YPPlO
fZcvbYVdiGg2D4rDiXz5GyPADZQNwAOygox7qHzoq6IELWGOwPcqo14fiL12Owq4
oMtHr4xRpYuGtF7bJunxEG9MqwISuP0XKfDGyHJzLI9XdaHUUG/aQEYu9/I/1w8Y
tCya9g8HX0pJp/GdCiUlprTeP9T37+e875RYF/Xs4EXF+BgSKqeXhj0O1WXQf6iY
P0VTiYSDv8Qf5YBOYfVJN1CG3M4tprvftJwZGwJ/pBIUU84bdK0TAgMBAAEwDQYJ
KoZIhvcNAQEFBQADggEBAE49a8CVK+/lMqqc8d4rBAxbsK7F/D55E8BCqjOqG6DY
qNyHOHWYUNnu7FNEwdH8PI0+mvex8d/lsTaRbS2L65Cq0w7pmO38F6GH059W9ggB
D8ZUCSeg3QLOwLQxQ2xKZWXQg2/peS0eATX/X1kk9DgURltu59kfzqHWRLiyDf01
gpAfZkiBfth5XQ+YCDg5DhkRJag1cU+nZJO3p9m+RoXq+3ZFjUov0RYkfuHZ3FLW
9fmc4PHQvCMRWgpxb5Obx3RHvRmaggNt/iAhgV+LiXzyElDUYicxqBjERljlIzHJ
JavGZBelQ2cGke2LZ53X1PX5uDhlRhWZS/EZa/R9eqY=
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1094 bytes and written 438 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: D9A0D60F9E9CB02B365E80D1FD202CF5B624EE69A6C966F0BD1D64584A5EF0D0
    Session-ID-ctx:
    Master-Key: B1355D7EE08AC2875F4B70B06C932CA7855157A8D6C148BE1D1E90209C9A6DC90CBDE196A3C4E99F318AF92A112B77E0
    Key-Arg   : None
    Start Time: 1327424988
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=0

D:\workspace\F5>
- nitass
Employee
From the openssl s_client output, I think the clientssl profile is okay.
can you post output of the following commands?
b virtual virtual_server_name list
b pool pool_name list
curl -Ik https://16.124.133.211/
curl -I http://pool_member_ip/

- MarkM_63051
Nimbostratus
What are the tmsh equivalent commands? I am using LTM version 11.1 with Hotfix HF1.
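The tmsh equivalents of nitass's bigpipe commands, together with the openssl, curl and tcpdump checks Josh suggested earlier, as an added example for LTM 11.1 (an editor's addition, not a reply from the thread). The virtual server and pool names are placeholders, and pool_member_ip and its port must be replaced with a member from the pool listing.

```tmsh
# Added example: LTM 11.1 tmsh equivalents of "b virtual <name> list" and
# "b pool <name> list", plus the handshake/pool checks from earlier replies.
# Placeholders: clone-https, tomcat_pool, pool_member_ip.

# b virtual clone-https list -> destination, profiles (tcp, http and the
# client-ssl profile should all be present), pool and SNAT setting
list ltm virtual clone-https

# b pool tomcat_pool list -> members and their ports; these must match the
# port the working port-80 virtual server's pool uses
list ltm pool tomcat_pool

# Member availability and monitor state (the "green balls" in the GUI)
show ltm pool tomcat_pool members

# Traffic counters: client-side connections/bytes on the virtual server and
# server-side bytes per member. If the VS counters rise after a browser hit
# but no member counter moves, the request dies between the VS and the pool.
show ltm virtual clone-https
show ltm pool tomcat_pool members

# The remaining checks are bash commands (Advanced Shell); from within tmsh
# they can be run through "run util bash -c".
run util bash -c "echo | openssl s_client -connect 16.124.133.211:443"
run util bash -c "curl -Ik https://16.124.133.211/"
run util bash -c "curl -I http://pool_member_ip/"
run util bash -c "tcpdump -s0 -ni 0.0:nnn host 16.124.133.211 and port 443 -w /var/tmp/external.pcap"
```

Read the three curl/openssl results together: a completed handshake plus a response from the member directly but nothing through https://16.124.133.211/ points at the virtual-server-to-pool leg (wrong member port, missing http profile, or SNAT differing from the port-80 virtual server) rather than at the client-ssl profile.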