Forum Discussion

ALFA_IS_267676's avatar
ALFA_IS_267676
Icon for Nimbostratus rankNimbostratus
Sep 25, 2018

Postman SSL Verification Failing

We've deployed a Windows 2016 Web Server that is hosting a mobile app, and have configured routes through our F5. The F5 iApp is currently configured to use SSL Bridging using a wildcard certificate - which we can verify is good by using any browser to navigate to our application and see a "good" certificate. We're using Postman to check our login process which when working returns a token; however, when we enable SSL Verification in Postman, it returns an error as if the certificate is self-signed (which we know is not true as it was purchased from a trusted CA). When we circumvent the F5, Postman's SSL Verification is successful. What are we missing?

 

  • svs's avatar
    svs
    Icon for Cirrostratus rankCirrostratus

    Hi,

     

    your description is confusing, because you say, that have configured the VS to do SSL Bridging, what means, that the SSL Hanshake is not terminated on the BIG-IP. This would mean, that the BIG-IP is only terminating the connection up to Layer 4 (TCP). In this case the Pool Member/Node (Backend Server) is handling the SSL Handshake and provide the certificate (chain).

     

    I assume that you have configured the BIG-IP to handle the SSL Handshake as well, by assigning SSL Client (and Server) profiles. In this case please check if the certificate chain is fully configured in the SSL client profile. You need to select the intermediate certificate as chain certificate within the certificate selection option. If there are more than one intermediate certificate, you need to create a chain file, containing all the intermediates (use the Bundle Manager).

     

    Now to your issue regarding Postman. I've seen many times, that customers have imported the intermediate certificates into the users certificate store. In this case the configuration on the server is still wrong, but the client wouldn't see any issue, because the chain certificates are in the certificate store and the chain can be fully resolved. I thought that Postman would use the users certificate store as well, so this is confusing. Do you connect using a name or IP address, that is matching the certificates CN or any of the SANs?

     

    Cheers, svs

     

    • ALFA_IS_267676's avatar
      ALFA_IS_267676
      Icon for Nimbostratus rankNimbostratus

      In the iApp, we are using SSL bridging ("Terminate SSL from clients, re-encrypt to servers") which gives us the option for assigning an intermediate certificate (3 drop downs - cert, key, and intermediate). When we posted our question, we were not using the intermediate option (it was set to "Do not use..."). Once we added the CA's intermediate, the issue was resolved.

       

      Hope this helps!