Forum Discussion

Satriaji's avatar
Satriaji
Icon for Cirrus rankCirrus
Sep 30, 2021

UNTRUST CERTIFICATE DNS https://www.poinplus.bni.co.id

Hii Everyone,

 

I have a case about DNS.

I have 2 DNS: poinplus.bni.co.id & www.poinplus.bni.co.id . they pointing with 1 VS (VS_Poinplus) that using SSL Asterisk (*bni.co.id) and the path is different, 1 via CDN and 1 direct to IP public.

 

When access DNS poinplus.bni.co.id the cert is trusted (normal), but if access DNS www.poinplus.bni.co.id the certificate UNTRUSTED or error certificate because its read *.poinplus.bni.co.id.

 

Can every request using "www" (www.poinplus.bni.co.id) be re-written? So if access https://www.poinplus.bni.co.id TRUSTED like poinplus.bni.co.id (without www).

 

Can using irules like redirect path ?

 

 

Thankyou....

 

  • Mayur_Sutare's avatar
    Mayur_Sutare
    Icon for MVP rankMVP
    Sep 30, 2021

    Hi  ,

     

    Normally this is how wildcard certificates works! Wildcard certs won’t work for second level subdomain and due to same reason it’s not working in your case.

    As for url www.poinplus.bni.co.id , www part becomes second level subdomain when using wildcard certificate of CN - *bni.co.id . This certificate will cover only URLs with first level subdomain i.e. your working URL - poinplus.bni.co.id.

     

    The options like redirect or rewrite will come post successful SSL/TLS handshake with the vServer. So as per my understanding, if you apply these settings, still you will get the SSL warning error and post doing the continue then that irule will be executed.

     

    There are few options for you to fix this issue-

     

    1.     You can modify the affected URL/dns to adjust it according to the wildcard cert CN

    2.      Have new certificate for the affected domain; or use SAN option which allows you to use combinations of domain; subdomains in single cert.

     

     

    Hope it helps!

    • Satriaji's avatar
      Satriaji
      Icon for Cirrus rankCirrus
      Oct 02, 2021

      Thank for your information, Mayur ... So, we cannot using iRules because www.poinplus.bni.co.id is subdomain and not using cert *bni.co.id right ? So if wanna to TRUSTED for access https://www.poinplus.bni.co.id must be buy the certificate right .

  • Mayur_Sutare's avatar
    Mayur_Sutare
    Icon for MVP rankMVP
    Oct 02, 2021

    Exactly! Either you can have separate certificate for the required domain or you can have single certificate with SAN options as said earlier.

    • Satriaji's avatar
      Satriaji
      Icon for Cirrus rankCirrus
      Oct 02, 2021

      Thanks so much Mayurr, its so help. Can I ask one question again mayur .. but its about persistence.

       

      I just wanna know about implementation of persistence type like a cookies , source address affinity, destination affinity, SSL etc. I know if cookies persistence suitable for web application server. But i dont really understand about when we must using that each type of persistence. Are you have experience in your environtment about case, problem, or case study that using each persiistence type ?

       

      Thanks so much ....

  • Mayur_Sutare's avatar
    Mayur_Sutare
    Icon for MVP rankMVP
    Oct 04, 2021

    Hi  , Glad to know that it helped you!

     

    Coming to your second question related to selecting type of persistence. The type of persistence profile depends on how and where you want to store the session/client information. Kindly go through below articles which may give you some clarity on this.

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-5-1/11.html

    https://devcentral.f5.com/s/articles/back-to-basics-the-many-faces-of-load-balancing-persistence