Forum Discussion

Pregunton's avatar
Pregunton
Icon for Nimbostratus rankNimbostratus
Oct 24, 2024

Redirect https to https virtual server Certificate question

Hi,
i have to redirect a https request to a https virtual server , i have in mind to use an irule as follows:

when HTTP_REQUEST {
    set url [HTTP::uri]
    if {[regexp {"STRING"} $url]} {
        virtual /Common/MyVirtual
    }
}


To do so , i have to set the HTTP profile (client) to http to be able to assing the corresponding Irule to the VS, but requests doesnt work as i have to select the SSL Profile , here the problem.

i created a new SSL client profile and tried to set the Certificate Key chain, but doesnt work ( i think i did it wrong)


The source https request is using a certificate, that i can see already stored at the F5 , inside file ca-bundle.crt , also from the source server i was able to get the certificate and tried to create a new certificate , but doesnt work , i think i'm missing the key or something.

 

When creating the certificate it's mandatory to generate it as Certificate Authority? or it can be self? 

 

Note: i'm not very good at certificates with F5 , i know how to create irules, manage the F5 and so on .. but i'm lost with the certificates part.

 

Thanks in advance.

Certifiacte
devops
f5
security
ssl
  • Mayur_Sutare's avatar
    Mayur_Sutare
    Icon for MVP rankMVP
    Oct 24, 2024

    When you configure Client SSL profile so, you are enabling F5 vServer to handle all the SSL/TLS transactions between the client and the vServer. Besically, you are decrypting the traffic on the vServer. When you configure client SSL profile, you need to have the certificate and its associated private key file which needs to be uploaded on the F5. Once those files are uploaded, you need to map it under the client SSL profile that will be mapped to F5 vServer. 

     

    Ideally for internet facing URLs/applications, you need to have CA signed certificates to be uploaded on the F5. So client will not get any error/warnings related to untrust/expired certificates.

    Now if you are testing the traffic internally, you can use self-signed certificates under client SSL profile. Basically whatever certificate is configured under client SSL profile, that certificate will be presented to the clients.

     

    Basic requirement for the client SSL profile is the certificate and associated private key file. With other default settings, it works well.

    As you go further in depth, you have more options to customize configuration like Custom ciphers suits, mTLS, etc.

     

    If you want to learn more about F5 Client SSL profiles, refer this .

     

    For now, with just certificates and private key, you should be fine.

     

    Can you confirm what error are you getting while accessing vServer or URL configured on F5?

    Are you getting any certificate warnings?

     

  • Pregunton's avatar
    Pregunton
    Icon for Nimbostratus rankNimbostratus
    Oct 24, 2024

    hi,

    i can see the following error:

    PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (root cause SunCertPathBuilderException: unable to find valid certification path to requested target)

    thanks

  • Pregunton's avatar
    Pregunton
    Icon for Nimbostratus rankNimbostratus
    Oct 28, 2024

    Hi,

    I answer myslef , i need to create a Certificate singed by a CA , yes or yes and create a new SSL profile with this signed certificate.

     

    • Aswin_mk's avatar
      Aswin_mk
      Icon for Cumulonimbus rankCumulonimbus
      Oct 28, 2024

      Yes, create a SSL signed certificate and add the key, certificate chain in SSL profile. If you server port is also SSL, please enable SSL bridging in F5(enabled server SSL). if you enable this thing, the SSL will work. we have to use correct bundle because, we need root and intermediate certificate in F5

      BR

      Aswin