Forum Discussion
Lee_Sutcliffe
Nacreous
NacreousPage not available after replacing SSL certificate
Hi,
I've recently updated an SSL certificate, I've done this many times in the past and not had any issues but I'm seeing some odd behaviour now.
We had 4096 bit SSL certs on our LTMs running 10.2.2, however some clients had issues with the size of the key. These were replaced with 2048 bit certs.
I added the new certificate and key to the SSL profile but now I can't view the site. I've ran TCP dump and can see SSL communication between the VIP and my PC but the page hangs and doesn't show any pages.
I've added the same certificate on to the web server directly and I can get to the page fine.
Interestingly, I have tried putting the old certificate back and I now get the same error.
Any help would be greatly appreciated.
Thanks
nitassEmployee
it might not relate; anyway, have you clicked "update" button in clientssl profile after updating certificate?- Lee_SutcliffeYep, I've clicked update, sync'd the config and failed back and forth the active and standby LTMs
- nitasshave you cleared browser cache? or can you try another browser?
would it be possible to decrypt ssl traffic? so, we will be able to see if content is sent to client or not.
sol10209: Overview of packet tracing with the ssldump utility
http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html - Lee_SutcliffeI've tried various browsers.
Interestingly, I've set up the VIP so it is just http, again I can see the traffic flow between my PC and VIP.. HTTP GET / etc
But nothing seems to be sent back to the web servers.
I can see health monitor traffic from the LTM to the web server and a I can do a curl from the LTM to web server. It's as if the LTM isn't proxying the TCP traffic - nitasscan you post your configuration i.e. virtual server, pool?
- Lee_Sutcliffe
- Lee_Sutcliffe
virtual CT-www.xxx.co.uk-https-vip { pool CT_www.xxx-pool fallback persist www.xxx_source_addr destination 10.128.0.3:any ip protocol tcp rules { ct_xxx_rule soapfault_rule ccred_headerclean_rule } persist www.xxx.co.uk_cookie profiles { SOAPfault_profile {} xxx-wildcard-ssl-profile { clientside } http {} oneconnect {} tcp {} } vlans web_LTM_external enable pool CT_www.xxx.co.uk-pool { lb method member predictive monitor all cc_http_81_mon members { 10.x.x.21:hosts2-ns {} 10.x.x.22:hosts2-ns {} } - Lee_SutcliffeIt looks to be specific to the SSL client profile.
When I configure the VIP for HTTP and remove the ssl profile I get the page.
I'll try re-create the SSL profile - Lee_SutcliffeOk, I've run ssldump and I'm seeing a lot of
Unknown SSL content type 7228 2 0.0020 (0.0008) S>CShort record28 0.0020 (0.0000) S>C TCP FIN28 3 0.0031 (0.0010) C>S Alert level fatal value protocol_version28 0.0038 (0.0006) C>S TCP RST - nitass28 0.0038 (0.0006) C>S TCP RSTwho is client (C)? is it client or bigip?