Renewed & Overwritten certificate not being used by some clients
Hello. Existing connections continue to use the old SSL certificate until the connections complete or are renegotiated, or until the Traffic Management Microkernel (TMM) is restarted.
I see you also mentioned all "external" clients seem to have this problem. Is there another device that external clients might meet before the F5 that also inspects SSL traffic? Something like a third-party WAF. In that case, what you might be seeing is the third-party certificate, which might not have been updated. This would be pretty easy to confirm with a traffic dump: if you see the F5 presents the correct certificate in the SSL handshake, it means the problem is somewhere else.
- jwckauman, Sep 26, 2022 (Altostratus)
Thank you! Do you happen to know what causes the connections to complete or renegotiate? And what effect does restarting the Traffic Management Microkernel (TMM) have on existing connections?
I don't know for sure if it's all external connections. I know some external connections use the new cert on some of our virtual servers but not others. It's a mixed bag.
- CA_Valli, Sep 26, 2022 (MVP)
Connections complete when they either time out or get TCP FIN packets. This means that when you renew the certificate, there's no impact on existing connections (they don't need to renegotiate), while all new connections should be able to see the new cert already.
Restarting TMM causes traffic disruption and should be done in a maintenance window.
If the problem is on some VSs and not others, you might want to take a look at the clientSSL profile as well, to confirm that they're correctly referencing the new crt/key pair (which they should if you have overwritten them as you said) and the correct intermediate/root certificates in the trust chain.
- jwckauman, Sep 26, 2022 (Altostratus)
Thank you. Is there any way to force a time-out from the client side? I happen to have one of the external clients (my home laptop) which shows the new cert on four of our six sites (i.e. virtual servers) but not the other two. (My internal work laptop shows the new cert on all six sites.)
If there isn't a way to force a time-out from the client side, can we do it from the F5 for a specific client session? Or is there a way to generate/force a TCP FIN packet either at the client or the F5? I would like to confirm that my test client (home laptop) can eventually see the new cert on those two remaining sites, without having to restart the TMM.
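An added client-side check, not part of any post in this thread, that does what CA_Valli suggests: open a fresh connection to each virtual server and record which certificate the F5 actually presents, then compare against the renewed certificate's SHA-256 fingerprint. It uses only the Python standard library; the hostnames and the PEM path are placeholders you replace with your own.

```python
import hashlib
import socket
import ssl
from typing import Dict, Optional

# Constructed placeholder hostnames; replace with the six virtual servers' FQDNs.
SITES = ["vs1.example.com", "vs2.example.com"]


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' (openssl/browser style) or bare hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def fingerprint_of_pem_file(path: str) -> str:
    """Fingerprint of the renewed certificate as installed on the F5 (exported PEM)."""
    with open(path, encoding="ascii") as f:
        return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(f.read()))


def presented_cert_fingerprint(host: str, port: int = 443,
                               server_name: Optional[str] = None,
                               timeout: float = 5.0) -> str:
    """New TCP connection plus full TLS handshake (no keep-alive, no session reuse),
    so the result is what the virtual server presents right now, not a cached view."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # record what is presented even if the chain is bad
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return sha256_fingerprint(tls.getpeercert(binary_form=True))


def classify_sites(observed: Dict[str, str], new_fp: str,
                   old_fp: Optional[str] = None) -> Dict[str, str]:
    """Label each site 'new', 'old' (still serving the pre-renewal cert) or 'unknown'."""
    new_n = normalize_fingerprint(new_fp)
    old_n = normalize_fingerprint(old_fp) if old_fp else None
    result = {}
    for site, fp in observed.items():
        fp_n = normalize_fingerprint(fp)
        if fp_n == new_n:
            result[site] = "new"
        elif old_n is not None and fp_n == old_n:
            result[site] = "old"
        else:
            result[site] = "unknown"  # neither cert: look for a device in front of the F5
    return result


if __name__ == "__main__":
    import sys
    expected = fingerprint_of_pem_file(sys.argv[1])  # path to the renewed cert (PEM)
    seen = {s: presented_cert_fingerprint(s) for s in SITES}
    for site, state in classify_sites(seen, expected).items():
        print(f"{site}: {state} ({seen[site][:16]}...)")
```

Run it from the client that still sees the old certificate; a site labelled "unknown" is presenting something other than either of your certificates, which points at an intermediate device rather than the F5.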