Forum Discussion
MarkM_63051
Nimbostratus
Jan 23, 2012
HTTPS Problem
Hello,
Up until now using the F5 has been fairly straightforward. Adding HTTPS certificate support for incoming IE connections however has got me stumped. I have watched the online webinar and tried many variations to get it working without success.
What I am trying to do is to take a working HTTP connection through the F5 to a pool consisting of a pair of Tomcat servers and convert the virtual server connection from HTTP to HTTPS. Wireshark traces show the F5 and the Tomcat communicating with each other and all of the status balls are green. How do I go about debugging my problem? Where do I look to find out what is not happening?
Regards,
Mark
34 Replies
- nitass
Employee
can you try Redirect Rewrite All under http profile?
- MarkM_63051
Nimbostratus
What is your Server Side SSL set to in your VS?
Answer: No SSL Server Profile is selected = NONE
If you are not doing SSL on the Tomcat servers then you need to make sure it is set to None.
Answer: I am not performing an SSL setup to the Tomcat server in the pool.
When you look at your client profile drop down to advanced and what options are you customizing?
Answer: None, I have tried using both my own certificate and the default certificate
To troubleshoot this you need to keep in mind that it is not all one connection. You have an SSL connection coming to the VS on the F5 that is terminating and then the F5 will do its own socket to the server. So you need to troubleshoot each side independently, I would personally start with the client side (client to VS) and rule it out first before looking at the server side (VS to Tomcat server).
Client Side troubleshoot: Take a tcpdump on the F5 like Josh had stated, then run that through ssldump and see if the ssl handshake is completing successfully. ex:
ssldump -r external.pcap
If you want to decrypt the session you will need to do this:
ssldump -d -A -k /config/ssl/ssl.key/(the name of the key for your site) -r external.pcap
You basically want to confirm that the ssl handshake is completing and you see a GET request from the client. Another tool to use to troubleshoot the client side would be Fiddler or HTTPWatch plugins for IE or Firefox, they will show you what the browser sees.
From the server side, you keep saying you are seeing traffic in your wireshark trace, but what kind of traffic? Are you seeing a GET request to the web server? I ask because you should see traffic coming from the F5 in the form of whatever healthcheck you are doing on the pool to the web server, but that does not mean that it is actual client traffic. This should work, as simply doing an SSL VS is not something that is uncommon on an F5 device, I run roughly a dozen of them on some ASM units I manage.
Answer: This will take a little time to do, but I will try it. I did however perform a Wireshark capture on the Tomcat server and it showed TCP connections to the F5.
- MarkM_63051
Nimbostratus
can you try Redirect Rewrite All under http profile?
Answer: I need a little more information on how to perform this.
- MarkM_63051
Nimbostratus
Would you please give me an example of using:
tcpdump -s0 -ni 0.0:nnn host and port 443 -w /var/tmp/external.pcap
- nitass
Employee
can you create custom http profile similar to below and assign it to virtual server?
root@ve1100(Active)(/Common)(tmos) list ltm profile http myhttp
ltm profile http myhttp {
    app-service none
    redirect-rewrite all
}
- MarkM_63051
Nimbostratus
root@f5-loadbalancer2(Active)(/Common)(tmos) list ltm profile http myhttp ltm profile http myhttp { app-service none redirect-rewrite all }
Syntax Error: "none" unknown property
root@f5-loadbalancer2(Active)(/Common)(tmos)
- nitass
Employee
to create, can you try this?
root@ve1100(Active)(/Common)(tmos) create ltm profile http myhttp redirect-rewrite all
- MarkM_63051
Nimbostratus
can you create custom http profile similar to below and assign it to virtual server?
Can you give me F5 GUI instructions? I executed the command "create ltm profile http myhttp redirect-rewrite all" but I have no idea what it did or where the profile got stored.
- nitass
Employee
it is under local traffic > profiles > services > http
- MarkM_63051
Nimbostratus
Wahooooo ...
I found the myhttp profile and assigned it to my virtual server and petclinic is alive!
I've been chasing this one since noon Friday.
Would you please explain what I just did to make it work?
Thank you thank you,
Mark
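An added example, not part of the thread or of F5's code: the setting that fixed the problem, redirect-rewrite all, acts on redirect responses, so this check assumes (the thread never confirms the cause) that the Tomcat pool member was answering with an absolute http:// Location. It classifies a response head captured on the server side of the virtual server; the sample response, host name and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample of a backend reply behind an SSL-terminating virtual
# server. The host name and path are made up for illustration.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Location: http://app.example.test/petclinic/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_head(raw: bytes):
    """Return (status_code, headers) from the head of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_redirect(raw: bytes, client_scheme: str = "https"):
    """Classify a backend response for a client that connected over client_scheme.

    Returns 'not-redirect', 'missing-location', 'ok' (relative or same-scheme
    Location) or 'scheme-downgrade' (absolute http:// Location returned to a
    client that arrived over https, which sends the browser off the HTTPS VS).
    """
    status, headers = parse_head(raw)
    if status not in REDIRECT_CODES:
        return "not-redirect"
    location = headers.get("location")
    if location is None:
        return "missing-location"
    scheme = urlsplit(location).scheme.lower()
    if client_scheme == "https" and scheme == "http":
        return "scheme-downgrade"
    return "ok"
```

A 'scheme-downgrade' result on the server-side capture, alongside a clean SSL handshake on the client side, points at the backend's redirects rather than at the certificate or client SSL profile.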
