Forum Discussion

appmandan_5823's avatar
appmandan_5823
Icon for Nimbostratus rankNimbostratus
Jan 07, 2011

https to https redirect

I've been researching this and have been having a hard time finding a definite answer. I am load balancing to a web server that has https content on it. I own 2 TLDs for my domain, .com and .net. My server's certificate is certified to .com, so when you try to go to .net, you get a certificate warning. In DNS, .net and .com point to the same IP address, so if you go to https://www.xyz.com or https://www.xyz.net, you get the same content from the same physical servers. Anyway, I've used the redirect generator to write the iRule off devcentral, but my question is will this work redirecting one https to another https? How does the F5 manipulate the packet?

 

 

I did read a post that said you would still get a cert warning when redirecting https to https with the cert on the F5. Our certs are on the physical servers if that makes a difference.

 

 

Thanks,

 

Dan

 

application delivery
dev
devops
iRules
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jan 07, 2011
    The best way to think of it is that 1 Cert = 1 IP. While you can use wildcard certs for more flexibility, that doesn't help if you're talking .com and .net.

     

     

    With that said, are you simply using A records in DNS? I wonder how this would go if you were to CNAME www.xyz.com to www.xyz.net and have a www.xyz.net cert on your boxes. Might be worth a shot...

     

     

    Worst case scenario - you'd need to have Virtual Servers with 2 different IPs, 1 for each Domain. I suspect though that redirecting will trigger a cert warning.
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jan 07, 2011
    Just tested out the CNAME option and it also triggers a cert warning. Your only option to avoid cert warnings might be to support both sites with different certs. If I think of something else, I'll post it.
  • Steve_Brown_882's avatar
    Steve_Brown_882
    Historic F5 Account
    Jan 07, 2011
    You could create a certificate with a subject alternate name for the .net domain which would allow both domains to be served by the same vs.
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jan 07, 2011
    Posted By stjbrown on 01/07/2011 07:10 AM

     

    You could create a certificate with a subject alternate name for the .net domain which would allow both domains to be served by the same vs.

     

    Have to make sure all your clients support this.

     

     

    Generally, looks like most support it:

     

     

     

    https://www.digicert.com/subject-al...bility.htm

     

     

     

    I ran into an issue with phones when I last tried.

     

  • Steve_Brown_882's avatar
    Steve_Brown_882
    Historic F5 Account
    Jan 07, 2011
    I agree in the past SANs were a bit hit or miss, but I believe they are more acceptable these days. There is a good article on ask.f5.com about generating a CSR with multiple SANs.

     

     

    http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11438.html?sr=12002221