Forum Discussion
SSL Certificate Issue
Hi,
We have a system that is accessed by the public. The system has SSL. We renewed our cert in Dec 2013. After the renewal, public users are having problems when logging in to the system. After a few minutes idle on the system, when the public user clicks a link in the system, it logs out automatically. I have tried to use an SSL cert that is not verified and it works fine. Thus we think something needs to be configured on the F5. We put the SSL cert on the F5 only. We redirect all HTTP requests to HTTPS using an iRule. Do we need to put the SSL cert on the Apache web server? Please advise.
Thanks.
5 Replies
- Kevin_Stewart
Employee
Strictly speaking, to do SSL offloading you only need a client SSL profile applied to the virtual server. You only need a server SSL profile if you're re-encrypting to the (Apache) web server. Your client SSL profile needs, at a minimum, the server certificate AND private key. In most cases you can leave all other values at their defaults.
- Zainal_Abidin_1
Nimbostratus
I already created a client SSL profile and put it on the virtual server. From the cert, I created the CSR key and CRT key.
- Kevin_Stewart
Employee
So did you ONLY renew/replace the certificate used in the client SSL profile? Does the Apache server require SSL, and if so do you have a server SSL profile applied to the VIP?
- Zainal_Abidin_1
Nimbostratus
I only renewed/replaced the old cert with the new cert. Apache does not require SSL because at the backend Apache uses port 80 only. We redirect port 80 to 443 at the F5.
- Kevin_Stewart
Employee
Can I also assume that you renewed the public certificate from the original private key? If so, given that 1) you only replaced the certificate in the client SSL profile, and 2) a generic unverified certificate does work (though the browser likely gets a certificate mismatch error), then I'd start looking at the certificate itself.
From the BIG-IP command line (SSH) view the certificate properties:

    openssl x509 -in [path to certificate] -noout -text

Example:

    openssl x509 -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:iis1.domain.com.crt_180580_1 -noout -text

If that looks good, then review what you're seeing in the browser. Do you get a security warning in the browser? If so, what does it say?

If you don't ever get past the SSL handshake, the next thing I'd look at is the SSL handshake itself. From the BIG-IP command line (ssh) run an SSLDUMP capture:

    ssldump -k [path to private key] -AdNn -i 0.0 port 443 [and any other filters]

where [path to private key] is the physical path to the private key assigned to the client SSL profile that is assigned to the VIP. You need this to be able to decrypt the SSL in the capture. The [and any other filters] part is any other filters that you may need to limit what you see in the capture. SSLDUMP absolutely needs at least one filter, so I added the "port 443", but then you might also want to limit traffic to a particular VIP "and host 10.10.10.1", or perhaps a specific client "and src 10.70.0.1". Ultimately you'll be able to see the full SSL handshake and any SSL-related issues will be visible in this capture.
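The first check the reply above suggests, "look at the certificate itself", can be scripted so the question "was the renewed cert actually issued for the private key still on the client SSL profile?" gets a yes/no answer instead of an eyeball comparison of `openssl x509 -text` output. The script below is an added example, not code from the thread or from F5: it compares the SHA-256 of the SubjectPublicKeyInfo inside the certificate with the one derived from the key file, checks that notAfter is still in the future, and prints the subject, issuer, serial and validity dates for review. Paths are the caller's; the BIG-IP filestore locations mentioned in the comments are assumptions to be confirmed on the unit. When run with no arguments it builds a constructed fixture (a throwaway self-signed cert plus an unrelated second key) to show both the matching and the mismatching case.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread or from F5): offline checks for a
# renewed certificate on a client SSL profile. On BIG-IP the files are assumed to
# live under /config/filestore/files_d/Common_d/certificate_d/ (cert) and
# /config/filestore/files_d/Common_d/key_d/ (key); verify on your own unit.
set -u

# SHA-256 of the DER-encoded SubjectPublicKeyInfo carried in the certificate.
cert_spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key file.
key_spki_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY: exit 0 only if CERT was issued for KEY.
cert_matches_key() {
    local c k
    c=$(cert_spki_fingerprint "$1")
    k=$(key_spki_fingerprint "$2")
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# cert_not_expired CERT: exit 0 if notAfter is still in the future.
# (-checkend only looks at notAfter; read notBefore from the -dates output.)
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# The fields worth reviewing after a renewal, in one line each.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates
}

# check_profile CERT KEY: run every check, report, exit non-zero on any failure.
check_profile() {
    local cert="$1" key="$2" rc=0
    cert_summary "$cert"
    if cert_matches_key "$cert" "$key"; then
        echo "OK   certificate public key matches the private key"
    else
        echo "FAIL certificate was not issued for this private key"; rc=1
    fi
    if cert_not_expired "$cert"; then
        echo "OK   certificate has not expired"
    else
        echo "FAIL certificate is expired"; rc=1
    fi
    return $rc
}

# make_fixture DIR: constructed test data only. server.crt is self-signed for
# server.key; other.key is an unrelated key standing in for a renewal done
# against the wrong private key.
make_fixture() {
    local d="$1"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$d/server.key" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$d/other.key" 2>/dev/null
    openssl req -x509 -new -key "$d/server.key" -out "$d/server.crt" \
        -subj "/CN=www.example.com" -days 1 2>/dev/null
}

# Usage: certcheck.sh CERT KEY
# With no arguments, run the fixture demo: one passing and one failing check.
if [ $# -eq 2 ]; then
    check_profile "$1" "$2"
elif [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    check_profile "$tmp/server.crt" "$tmp/server.key"
    check_profile "$tmp/server.crt" "$tmp/other.key" || true
    rm -rf "$tmp"
fi
```

If `cert_matches_key` fails for the profile's cert and key, the renewed certificate belongs to a different key pair (typically a CSR generated fresh during renewal rather than from the original key), and the fix is to import the matching key alongside the cert rather than to change anything on the Apache side, which in this thread only listens on port 80.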