Forum Discussion
Problem with Let's Encrypt and redirect after update
General: It is not a good idea to add two iRules without explicit priorities and without response guards.
I assume this is your problem: https://my.f5.com/manage/s/article/K000137608
I would merge the two iRules.
    when HTTP_REQUEST {
        # ACME HTTP-01 challenge requests are answered directly from the data group
        if { [HTTP::path] starts_with "/.well-known/acme-challenge/" } {
            # The token is the last path segment
            set token [lindex [split [HTTP::path] "/"] end]
            set response [class match -value -- $token equals acme_responses]
            if { $response eq "" } {
                log local0. "Responding with 404 to ACME challenge $token"
                HTTP::respond 404 content "Challenge-response token not found."
            } else {
                log local0. "Responding to ACME challenge $token with response $response"
                HTTP::respond 200 content "$response" "Content-Type" "text/plain; charset=utf-8"
            }
        } else {
            # Everything else is redirected to HTTPS (port stripped from the Host header)
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        }
    }
- mwi, Nov 26, 2024, Cirrus
I can't merge them together, because not every server needs a redirect, but I made a new redirect rule with if {[HTTP::has_responded]} and this fixed my problem.
I would like to understand why this happens. In my head, the server gets a request and checks if the path starts with "/.well-known/acme-challenge/"; if this is true, it tries to respond with the token. Then it tries to redirect, but fails because a response has already been sent.
But why does the server respond with a connection reset by peer?
- Juergen_Mang, Nov 26, 2024, MVP
If an iRule throws an error, the connections are reset by LTM. This is the default behavior of LTM. The iRule error is logged in /var/log/ltm, and if you enable RST cause logging you should see the RST packet sent from the F5.
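The two-rule layout discussed in this thread, written out as an added example that is not part of any post above: the ACME rule and the redirect rule stay separate, each with an explicit priority, and the redirect rule carries the HTTP::has_responded guard. The rule names in the comments and the priority values 100 and 500 are assumptions; acme_responses is the data group from the first post.

```tcl
# iRule 1 (assumed name: acme_challenge). Attached to every virtual server
# that must answer HTTP-01 challenges. Lower priority numbers run first.
when HTTP_REQUEST priority 100 {
    if { [HTTP::path] starts_with "/.well-known/acme-challenge/" } {
        set token [lindex [split [HTTP::path] "/"] end]
        set response [class match -value -- $token equals acme_responses]
        if { $response eq "" } {
            log local0. "Responding with 404 to ACME challenge $token"
            HTTP::respond 404 content "Challenge-response token not found."
        } else {
            log local0. "Responding to ACME challenge $token"
            HTTP::respond 200 content $response "Content-Type" "text/plain; charset=utf-8"
        }
    }
}

# iRule 2 (assumed name: http_to_https_redirect). Attached only to the
# virtual servers that need the redirect. Runs after iRule 1.
when HTTP_REQUEST priority 500 {
    # Response guard: a second HTTP::respond or HTTP::redirect for the same
    # request raises a Tcl error, and an iRule error resets the connection.
    if { [HTTP::has_responded] } {
        return
    }
    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
```

Without the explicit priorities both rules default to the same priority, so the guard in the redirect rule is only reliable once the ACME rule is pinned to run first.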