Forum Discussion
SSL Certificate Testing while servers not configured
- Feb 24, 2016
Yes, it is normal, because the BigIP is a full proxy.
Your client will establish a connection to the bigIP independently, and then the bigip will establish a connection to the backend server. The two are independent, and the client connection will have to complete before bigip establishes a server connection.
Since you have an SSL profile on the VIP, then the client is going the whole length to complete the SSL handshake, and then send the GET request. So you get the ssl certificate warning because you need to trust the certificate in order for the handshake to complete.
- Fabou_139732 (Feb 24, 2016, Nimbostratus): Ok, I see what you mean. The SSL certificate used on the profile is from Entrust (https://www.entrust.com/ssl-certificates/) and they are trusted by all browsers I believe, which is why I am surprised to see that error. So your answer seems to confirm that I should not see that error message. I will try to investigate this. Thanks again.
- BinaryCanary_19 (Feb 24, 2016, Historic F5 Account): You can check the issuer of the certificate you are seeing in the browser; if it matches what you got from Entrust, then it likely means that your browser does not have a complete chain of trust leading up to a root CA which the browser itself trusts. For such cases, you are supposed to also configure an intermediate certificate chain on the SSL profile; you might have received an "intermediate" certificate from Entrust, or they may have provided you with instructions on how to download one, or you can contact them and ask them to give you one. Then you simply add it to your BIG-IP as the Chain certificate and this should help allow more browsers to validate it.
- AJ_01_135899 (Feb 24, 2016, Cirrostratus): Are you sure on your first answer? The SSL connection is made from the browser to the VIP. The subsequent proxy connection is made from the F5 to the web server. If the web server connection is not able to be made, in my experience there's a failure to connect. This can be verified with OpenSSL or Fiddler; you should still see an SSL handshake with the VIP even with an invalid cert installed on the web server. Your intermediate cert answer makes much more sense to me.
- BinaryCanary_19 (Feb 24, 2016, Historic F5 Account): Regarding my first answer, please see: https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html?sr=51758587 The client-side connection of a standard TCP virtual server is independent of the server-side connection. Of course, if the server-side connection fails, the BIG-IP will in turn terminate the client-side connection by default, but the server-side connection is only established after the client-side connection has already been established. Then depending on whether there is a Layer 7 profile, the BIG-IP will either wait for some application data first, or immediately establish the server-side connection; in all cases that are not FastL4, the client side will complete before there is even a SYN sent on the server side. If there is a Layer 7 profile, then this means that the SSL handshake will complete client-side before the server connection is established. You will never see the server certificate on the client side in this kind of setup (unless you are using the same server certificate on your VIP clientssl profile).
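The "incomplete chain" failure described in the answer above can be reproduced offline with openssl. The script below is an added example, not code from the thread or from F5: it builds a throwaway root CA, an intermediate CA and a leaf certificate (all names are constructed), then verifies the leaf against the root once without the intermediate, which fails the way a browser would without a Chain certificate on the clientssl profile, and once with the intermediate supplied as the chain, which succeeds. The function names verify_leaf, missing_chain and with_chain are this example's own.

```shell
#!/bin/sh
# Added example: demonstrate why a missing intermediate breaks validation.
# Requires the openssl CLI; everything is generated in a temp directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (self-signed): stands in for the public root a browser already trusts.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1

# Intermediate CA, signed by the root. basicConstraints CA:TRUE is required
# for openssl verify to accept it as an issuer.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 2 -extfile inter.ext >/dev/null 2>&1

# Leaf (server) certificate for the VIP, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=vip.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out leaf.crt -days 2 >/dev/null 2>&1

# verify_leaf CHAINFILE: exit 0 if the leaf chains up to the trusted root.
# An empty CHAINFILE models a VIP with no Chain certificate configured;
# -untrusted models the intermediate(s) the server sends during the handshake.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

# missing_chain: exit 0 when validation fails without the intermediate
# (openssl reports "unable to get local issuer certificate").
missing_chain() { ! verify_leaf ""; }

# with_chain: exit 0 when validation succeeds with the intermediate supplied.
with_chain() { verify_leaf "$WORK/inter.crt"; }

missing_chain && echo "without intermediate: verification fails (browser warning)"
with_chain && echo "with intermediate as chain: verification succeeds"
```

Against a live virtual server the same check is `openssl s_client -connect HOST:443 -showcerts`: if the output shows only the leaf and "unable to get local issuer certificate", the Chain certificate is missing from the clientssl profile.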