So just to be clear from Philip's last post, you also MUST set the Trusted Certificate Authorities option. This is what the BIG-IP uses to validate the client certificate, and will fail without it. Minimally this is a single self-signed root CA, but in reality should be a text file containing the entire PKI CA chain in PEM format.
-----BEGIN CERTIFICATE-----
...stuff...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...stuff...
-----END CERTIFICATE-----
So is it that [X509::subject [SSL::cert 0]] doesn't work because client cert auth is failing? If you insert a log statement, does the log return the correct value?
log local0. "cert = [X509::subject [SSL::cert 0]]"
It looks like you're getting all the way through a first TLS handshake, then failing on a second, and you're definitely passing a certificate, so an improvement. An ssldump will still be helpful.
And last, what are you trying to do once you've set the variable? And how does Puppet expect to receive the client cert? Can it consume an HTTP header? Or does Puppet strictly require the client cert in a TLS handshake?
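
A structural check for the CA bundle file described in the post, as an added example that is not part of the original reply or of any F5 tooling: it counts the certificates in a PEM bundle and reports boundary lines that are not exact, unclosed blocks, and bodies that do not decode to a DER SEQUENCE. The function name and both sample bundles are constructed for illustration; the sample body is a five-byte placeholder, not a real certificate, and the check does not validate X.509 content or chain order.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Lines that look like a PEM boundary but are not one of the two exact markers.
LOOSE = re.compile(r"^-+\s*(BEGIN|END)\b.*-+$")

def lint_ca_bundle(text):
    """Return (certificate_count, problems) for a PEM bundle held in a string."""
    count, problems, body, inside = 0, [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                problems.append(f"line {n}: BEGIN inside an open certificate")
            inside, body = True, []
        elif line == END:
            if not inside:
                problems.append(f"line {n}: END without BEGIN")
                continue
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append(f"line {n}: body is not valid base64")
                continue
            # A DER-encoded certificate is an ASN.1 SEQUENCE: first byte 0x30.
            if not der or der[0] != 0x30:
                problems.append(f"line {n}: body is not a DER SEQUENCE")
                continue
            count += 1
        elif LOOSE.match(line):
            problems.append(f"line {n}: unexpected or malformed boundary {line!r}")
        elif inside:
            body.append(line)
    if inside:
        problems.append("end of file: certificate not closed")
    return count, problems

# Constructed samples. The body is a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_BODY = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
GOOD = f"{BEGIN}\n{SAMPLE_BODY}\n{END}\n" * 2
BAD = "----- BEGIN CERTIFICATE -----\n" + SAMPLE_BODY + "\n----- END CERTIFICATE -----\n"

if __name__ == "__main__":
    for name, bundle in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_ca_bundle(bundle))
```

Running it against the file before uploading it as the Trusted Certificate Authorities bundle shows whether every certificate in the chain is delimited correctly.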