F5: SSL certificate renewal problem

Hi to F5 DevCentral,

The SSL certificate (configured in our F5 load balancer) of one of our F5-hosted websites will be expiring soon.

After I configured a new SSL certificate in F5 for that website, browsing the website (using Google Chrome) displays the following error message:

This site can't provide a secure connection.

<the website's domain name> uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Does this mean that something is wrong with the new SSL certificate?

Regards,

Michael Feliciano

8 REPLIES

Satoshino
Cirrus

Hi,

This message indicates that the SSL version or the Cipher list supported by the F5 and its peer (the client) doesn't match.

You should do a tcpdump on the client or on the F5 system to check the SSL handshake. You may see that there are no matching ciphers between the browser and the VS.

regards
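
The check suggested in the reply above, as an added example that is not part of any post in this thread: it classifies the first TLS record returned in reply to a ClientHello as either an alert or a ServerHello with the negotiated version and cipher suite. The function name and the sample records are constructed for illustration.

```python
import struct

# Alert descriptions that signal a failed version/cipher negotiation (RFC 5246, RFC 8446).
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def classify_server_reply(data: bytes) -> dict:
    """Classify the first TLS record sent in reply to a ClientHello."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated TLS record body")
    if ctype == 21 and length == 2:  # alert record: level, description
        level, desc = body
        return {"result": "alert", "fatal": level == 2,
                "description": ALERTS.get(desc, f"alert_{desc}")}
    if ctype == 22 and length >= 42 and body[0] == 2:  # handshake: ServerHello
        # Layout: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2) ...
        version = struct.unpack("!H", body[4:6])[0]
        sid_len = body[38]
        cipher_bytes = body[39 + sid_len:41 + sid_len]
        if len(cipher_bytes) < 2:
            raise ValueError("truncated ServerHello")
        # A TLS 1.3 server also reports 0x0303 here; its real version is in the
        # supported_versions extension, which this example does not parse.
        return {"result": "server_hello",
                "version": VERSIONS.get(version, hex(version)),
                "cipher_suite": f"0x{struct.unpack('!H', cipher_bytes)[0]:04X}"}
    return {"result": "other", "content_type": ctype}

# Constructed sample records (not taken from the thread).
ALERT_HANDSHAKE_FAILURE = bytes.fromhex("15030300020228")  # fatal, description 40
ALERT_PROTOCOL_VERSION = bytes.fromhex("15030100020246")   # fatal, description 70
_hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
SERVER_HELLO = (b"\x16\x03\x03" + struct.pack("!H", len(_hello) + 4)
                + b"\x02" + len(_hello).to_bytes(3, "big") + _hello)

if __name__ == "__main__":
    for name, rec in [("handshake_failure", ALERT_HANDSHAKE_FAILURE),
                      ("protocol_version", ALERT_PROTOCOL_VERSION),
                      ("server_hello", SERVER_HELLO)]:
        print(name, classify_server_reply(rec))
```

Feed it the first bytes of the server-side reply extracted from the capture. If that first record is a fatal alert, the handshake was refused before any certificate was sent.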

Thanks for your feedback, Satoshino. 🙂

Daniel_Wolf
Nacreous

If there are any doubts about the procedure for renewing existing SSL certificates and keys, there's a video that has you covered: https://youtu.be/WU3C8W25vvE

Thanks for sharing the SSL certificate renewal guide, Daniel. 🙂

boneyard
MVP

Did you get this solved, Michael Feliciano?

Yes, thanks for following up, boneyard. 🙂

It turned out that the F5-hosted website had some existing configurations in a Palo Alto firewall (i.e. an SSL certificate and a decryption rule).

Browsing the website finally worked, after I used its new SSL certificate to update the relevant configurations in both the Palo Alto firewall and the F5 load balancer.

ronaldgevern
Nimbostratus

This issue usually involves a problem with your web browser or your site’s SSL certificate. The browser’s telling you that because it’s trying to tell you there’s a problem with the certificate the website is using for HTTPS, so “this site can't provide a secure connection”. In all cases the end-to-end encryption is still going to work just because HTTPS can’t function without it. There is no definite guide for managing this error.

Two possible options to get rid of this issue:

  1. Use a self-signed certificate
  2. Remove the domain security policy:

Steps for Chrome:

  • Go to : chrome://net-internals/#hsts
  • Query HSTS/PKP domain for localhost
  • Use Delete domain security policies option to delete configuration for localhost

This error is because of the following problems:

  • Invalid SSL or SSL is untrusted (self-signed)
  • SSL not installed properly
  • Old technology or SSL/TLS version for encryption