Publishing a website with SSL using an internal certificate
Hi all
I'm using F5 BIGIP v13 as a reverse proxy to publish some websites. Publishing with SSL using a 3rd-party certificate works. But now I'm trying to publish an internal site with a certificate signed by my local CA, and there is no way to make it work.
I have created two VSs, one for HTTP and another for HTTPS. Publishing the site as HTTP works: client --http--> F5 --http--> server
Publishing the same site as HTTPS, does not work: client --https--> F5 --https--> server
The server responds correctly to both HTTP and HTTPS.
The certificate with the full chain (the internal CA root cert) is imported. The VS is configured with a client SSL profile with the certificate, key and chain. The VS is configured with the default serverssl profile.
Firefox shows an error: "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."
The openssl command seems to return no errors:
openssl s_client -connect 192.168.206.70:443 -cert /config/filestore/files_d/LAN_d/certificate_d/:LAN:WILDCARD_mydomain.lan.crt_160529_1 -key /config/filestore/files_d/LAN_d/certificate_key_d/:LAN:WILDCARD_mydomain.lan.key_160527_1
CONNECTED(00000003)
depth=1 DC = lan, DC = mydomain, CN = myou
verify error:num=19:self signed certificate in certificate chain
verify return:0
...
No client certificate CA names sent
...
Verify return code: 19 (self signed certificate in certificate chain)
Am I doing something wrong? What would be the correct way to configure this?
Thanks!
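The "Verify return code: 19" in the post comes from an s_client run that was never told to trust the internal root (no -CAfile), so it says nothing about the F5 configuration. The script below is an added example, not code from this thread or from F5: it builds a throwaway internal root CA and a wildcard leaf for the made-up zone mydomain.lan (standing in for the redacted names), reproduces error 19 offline, and then shows the two checks that actually prove an internal chain is good: validation against the root and a host name match against the SAN.

```shell
#!/bin/sh
# Added example, not code from the DevCentral thread. All names are constructed:
# a throwaway root CA and a wildcard leaf for the made-up zone mydomain.lan.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed internal root. This is the "self signed certificate in certificate
# chain" that error 19 refers to: not a defect, openssl just was not told to trust it.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -subj "/DC=lan/DC=mydomain/CN=Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Wildcard leaf signed by that root. Browsers match the host name against the
# SAN, not the CN, so the SAN is what has to cover the published site.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.mydomain.lan" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:*.mydomain.lan\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Run openssl verify on the leaf with the given extra options and print "ok" or
# "error <n>", where <n> is OpenSSL's X509_V_ERR code (19 = untrusted self-signed
# root in the chain, 62 = host name mismatch).
verify_status() {
  if out=$(openssl verify "$@" "$WORK/server.crt" 2>&1); then
    echo ok
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1
  fi
}

make_ca
make_server_cert

# 1. Same situation as the s_client run in the post: root reachable but not trusted.
echo "without trust anchor:    $(verify_status -untrusted "$WORK/ca.crt")"
# 2. What a browser that trusts the CA evaluates, including the SAN check.
echo "with -CAfile + host name: $(verify_status -CAfile "$WORK/ca.crt" -verify_hostname www.mydomain.lan)"
# 3. A SAN that does not cover the published host fails even with a trusted CA.
echo "wrong host name:          $(verify_status -CAfile "$WORK/ca.crt" -verify_hostname www.otherdomain.lan)"

# Against the real virtual server the equivalent check is (not run here; the
# address is the one from the thread, www.mydomain.lan is an assumed host name):
#   openssl s_client -connect 192.168.206.70:443 -servername www.mydomain.lan \
#       -CAfile ca.crt </dev/null | grep 'Verify return code'
# "0 (ok)" there means the certificate and chain served by the client SSL profile
# validate against the internal root; a reset after that is not a trust failure.
```

The -servername option matters on a BIG-IP that selects the client SSL profile or the pool by host name: without SNI the VS may present a different certificate than the browser sees. Passing the internal root with -CAfile is what turns the expected error 19 into a meaningful "ok".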
- eben_259100
Cirrostratus
Hi Javier,
How are you accessing the virtual server? ; or
Make your browser trust your internal CA certificate. Shows that the cert is self-signed.
CN = myou? this should be a fully qualified domain name.
- Javier_Somoza_3
Nimbostratus
Hi eben, thanks for your answer.
I'm accessing using the domain name because the LTM profile (and the backend server configuration) is based on the Host header.
True, my Firefox does not trust the CA cert. Anyway, my Chrome and Explorer do trust it, but it does not work either...
Don't worry about that CN; I changed it when writing the post to show a fake name.
Thanks!
- eben_259100
Cirrostratus
What error do you get from Chrome or IE? Please be more specific.
Also switch the serverssl profile to the one that has secure-incompatible.
Regards
- Javier_Somoza_3
Nimbostratus
The browser simply returns ERR_CONNECTION_RESET
I haven't explained it correctly, but the correct connection flow would be:
Client --> F5 (VS Rev.Proxy) --> F5 (VS Balanced Web Servers) --> Web Server nodes
I think the problem is not at the serverssl profile level because I cannot see any packet destined to the second VS (the balancing one) with tcpdump when triggering the problem in the browser. Anyway, I tried the insecure-compatible serverssl profile, but with no success.
- TechT
Nimbostratus
Hi Javier,
I would also recommend that you check that the certificate is imported on the backend real server, since you are using a serverssl profile to re-encrypt the traffic to the real server.
-Maneesh
- Vicky007_333847
Nimbostratus
I had a similar SSL issue, and contacted a company, mysslonline. They fixed it within a single call. Amazing service for sure.