I came across a strange behaviour while performing a SSL certificate renewal for a VIP. My VIP have two service ports 2040 and HTTPS. The HTTPS vip is not accessible via the browser. Both VIPs are configured client and server ssl profiles and both profiles are using the same cert/key pair.
Once I have performed the certificate renewal on the F5 and when I did the test on the qualys ssl labs I was still seeing the old certificate. But on the 2040 VIP when I access it via the browser I can see the new certificate there already. Generally when I perform a certificate renewal on a VIP it will reflect immediately on browser/qualys ssl labs. I have tried all the possibilities in qualys ssl labs such as clearing the cache but the results were same until the backend server team updated the certificate on their end as well.
I still don’t understand how this is possible as in once we have the client ssl profile configured on a VIP the client will always see the certificate on the F5 only.
is there any things I’m missing in F5 configuration to check?
there is a chance you are not doing SSL offloading on the BIG-IP, you say you do, but if what you describe is true then that is an option for sure.
another might be the that the port 443 IP might be directly on the backup server and skip the BIG-IP somehow.
i would not focus on the F5 configuration but determine if you really see the SSL Labs request hit the BIG-IP and if it responds with the old or new certificate.