

LBN_163833
Jul 23, 2014

HTTPS Virtual Server return "This page is unavailable"

Hi,

I created a staging environment for my production environment (they are on different networks, FYI). One of the things I needed to do was create a virtual server for my web machines to work over HTTP and HTTPS. Another thing is that they work with X-Forwarded-For. My HTTP VS is working just fine, but my HTTPS VS won't let me access the web -> "the page is unavailable". I used the same certificate (CA) as in my production environment. I created an SSL client profile and associated it with the Virtual Server; also, on my web machine I set up the HTTPS server in IIS with the certificate.

When I look in my LTM log I get this error: "OpenSSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol." My F5 version is BIG-IP 11.5.1 Build 0.0.110 Final.

Can someone please help with this?

13 Replies

  • nathe

    Have you added a server SSL profile to the vs? Looks like you're re-encrypting on the backend.

    N

  • As I understand from your configuration, you need to configure an SSL server profile and associate it with the virtual server.

    • LBN_163833
      When I try to create a server SSL profile, I choose in the Key and Certificate section the SSL certificate that I created, but when I click Finish I get this error: 01070317:3: profile /Common/mysupermarket.UK-SSL's key and certificate do not match ???
    • nathe
      You should just be able to use the default serverssl profile - see if that works.
  • Hi Nathan,

    For some reason it does not work with the default serverssl either. The thing is, I want this environment to work the same way it works in my production environment. What I don't get is why, when I try to create a serverssl and choose in Key and Certificate the certificate and key that I added, it tells me that my key and certificate don't match, but if I create a clientssl it succeeds.

    • nathe
      Out of interest you could check the certificate and key pair by following this SOL: http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13349.html
  • As the others have stated, the client SSL profile is for the configuration of the client-side SSL session, between the client and the F5. The server SSL profile is for the configuration of the server-side SSL session, between the F5 and the server. To offload client-side SSL, you need a client SSL profile. To re-encrypt to the server, you also need a server SSL profile. In most cases, you don't need to use anything other than the default serverssl profile.

    Consider that in this case the F5 is the client in the SSL handshake to the server. The client says CLIENTHELLO and passes a list of acceptable ciphers. The server says SERVERHELLO and SERVERCERTIFICATE to choose a cipher from that list and send its server certificate to the client, respectively. If this were happening on the client side, the server cert sent to the client by the F5 would need to be validated by the client against its explicit CA trust bundle. If the request host didn't match the cert's subject value, the certificate was expired, or the client had no CAs with which to validate a full chain of trust, the user would see that familiar certificate trust warning message. On the server side, that same thing is happening, but the serverssl profile is designed by default to ignore this error. You can instruct it to do otherwise in the Server Authentication section of the profile, but that's rarely a requirement. Now, if the server is attempting to do mutual authentication by requesting a client certificate, that (client) certificate must come from the serverssl profile, statically embedded in the certificate and key values of the serverssl profile.

    If you have all of the correct settings in place as described above, I would recommend the following actions:

    1. Review the LTM log for additional SSL-related errors.

    2. Are you specifying a different cipher list in either profile?

    3. Does the server require a client certificate in the SSL handshake?

    4. Perform an SSL dump on both the client side SSL session, and on the server side SSL session and look for errors within.

      ssldump -k [path to private key] -AdNn -i 0.0 port 443 [and any additional filters]
      
  • Hi Kevin,

    Thank you for your reply, but the issue here is that I can't even create a server SSL profile with my CA certificate.

    It returns the error: "01070317:3: profile /Common/UK-S's key and certificate do not match"

  • That error would indicate that the certificate and private key you're attempting to apply to the server SSL profile are not a pair. Further, the certificate and key options in the server SSL profile are NOT for a CA certificate, nor would you ever usually have the private key of a CA. Those fields are for a client certificate that you may need to pass to the server in a mutual SSL authentication handshake. I would still contend, that unless your web server is requiring a client certificate, you shouldn't need to add any of these certificates/keys/CAs to the profile.
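The pairing check that nathe's SOL13349 link describes, and that Kevin's last reply says the 01070317 error is reporting, can be reproduced off-box with plain openssl before the files are ever uploaded to BIG-IP. The script below is an added example written for this page; it is not from the thread, from F5, or from any poster. A certificate and a private key are a pair only if the public key embedded in the certificate is identical to the public key derived from the private key, so the script compares SHA-256 digests of the two DER-encoded public keys. The fixture function generates two throwaway self-signed pairs in a temp directory so the check can be exercised offline; those file names and CNs are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): reproduce the SOL13349
# certificate/key pairing check with plain openssl. A certificate and a
# private key belong together only if the public key embedded in the
# certificate equals the public key derived from the private key, so we
# compare SHA-256 digests of the two DER-encoded SubjectPublicKeyInfo blobs.
set -eu

# SHA-256 of the public key carried inside an X.509 certificate (PEM in).
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key (PEM in, RSA or EC).
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the pair matches, 1 otherwise. A mismatch here is the
# same condition BIG-IP rejects with "01070317 ... key and certificate do
# not match" when the pair is assigned to an SSL profile.
cert_key_match() {
    [ "$(cert_pubkey_digest "$1")" = "$(key_pubkey_digest "$2")" ]
}

# Constructed fixtures: two throwaway self-signed pairs so the script runs
# offline. The names and CNs are invented for this example.
make_fixtures() {
    dir=$(mktemp -d)
    for name in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name.example.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
    done
    printf '%s\n' "$dir"
}

# Usage: sh check_pair.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "OK: $1 and $2 are a pair"
    else
        echo "MISMATCH: $1 does not belong to $2" >&2
        exit 1
    fi
fi
```

Run it with the certificate and key you intend to load into the profile; a MISMATCH result means the upload, not the serverssl profile, is the problem. Comparing digests of the public keys rather than the classic RSA-only `openssl rsa -modulus` trick makes the same check work for EC keys too.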