Forum Discussion

Satriaji
Sep 30, 2021

UNTRUSTED CERTIFICATE DNS https://www.poinplus.bni.co.id

Hi Everyone,

I have a case about DNS.

I have 2 DNS names: poinplus.bni.co.id & www.poinplus.bni.co.id. They point to 1 VS (VS_Poinplus) that uses an SSL asterisk cert (*bni.co.id), and the paths are different: 1 via CDN and 1 direct to the public IP.

When accessing DNS poinplus.bni.co.id the cert is trusted (normal), but when accessing DNS www.poinplus.bni.co.id the certificate is UNTRUSTED or gives a certificate error, because it reads *.poinplus.bni.co.id.

Can every request using "www" (www.poinplus.bni.co.id) be re-written? So that accessing https://www.poinplus.bni.co.id is TRUSTED like poinplus.bni.co.id (without www).

Can I use iRules like a redirect path?

Thank you....

 

5 Replies

  • Hi,

    Normally this is how wildcard certificates work! Wildcard certs won't work for a second-level subdomain, and for the same reason it's not working in your case.

    As for the URL www.poinplus.bni.co.id, the www part becomes a second-level subdomain when using a wildcard certificate with CN *bni.co.id. This certificate will cover only URLs with a first-level subdomain, i.e. your working URL, poinplus.bni.co.id.

    Options like redirect or rewrite come after a successful SSL/TLS handshake with the vServer. So as per my understanding, if you apply these settings you will still get the SSL warning error, and only after clicking continue will that iRule be executed.

    There are a few options for you to fix this issue:

    1. You can modify the affected URL/DNS name to adjust it to the wildcard cert CN.

    2. Get a new certificate for the affected domain, or use the SAN option, which allows you to use combinations of domains/subdomains in a single cert.

    Hope it helps!
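Added example (not from the thread and not F5 code): a small name-matching check that applies the one-label wildcard rule browsers enforce, so you can see before deploying a cert which of the two hostnames it would cover. The CN from the thread is read as `*.bni.co.id`; the SAN lists below are constructed for illustration.

```python
"""Check whether a hostname is covered by a certificate's CN/SAN names.

Applies the usual RFC 6125 wildcard rule: a wildcard is only honoured as the
entire leftmost label and matches exactly one label. That is why *.bni.co.id
covers poinplus.bni.co.id but not www.poinplus.bni.co.id.
"""
from typing import Iterable


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single CN/SAN entry covers hostname.

    - comparison is case-insensitive
    - a wildcard is only honoured as the whole leftmost label ("*.")
    - the wildcard matches exactly one label, never zero or several
    - simplification: the wildcard must leave at least two literal labels
      to its right, so names like "*.com" are rejected
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*."):
        return False  # partial wildcards such as "*bni.co.id" are not honoured
    suffix_labels = pattern.split(".")[1:]
    host_labels = hostname.split(".")
    if len(suffix_labels) < 2:
        return False
    return (len(host_labels) == len(suffix_labels) + 1
            and host_labels[1:] == suffix_labels
            and host_labels[0] != "")


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any CN/SAN entry on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed: the wildcard cert currently on the virtual server.
WILDCARD_CERT = ["*.bni.co.id"]
# Constructed: a replacement cert listing both hosts as SAN entries.
SAN_CERT = ["poinplus.bni.co.id", "www.poinplus.bni.co.id"]

if __name__ == "__main__":
    for host in ("poinplus.bni.co.id", "www.poinplus.bni.co.id"):
        print(f"{host:26} wildcard={cert_covers(WILDCARD_CERT, host)} "
              f"san={cert_covers(SAN_CERT, host)}")
```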

    • Satriaji

      Thanks for your information, Mayur... So we cannot use iRules because www.poinplus.bni.co.id is a subdomain and is not covered by cert *bni.co.id, right? So if we want TRUSTED access to https://www.poinplus.bni.co.id we must buy the certificate, right?

  • Exactly! Either you can have a separate certificate for the required domain, or you can have a single certificate with SAN options as said earlier.

    • Satriaji

      Thanks so much Mayur, it's so helpful. Can I ask one more question, Mayur... but it's about persistence.

      I just want to know about the implementation of persistence types like cookie, source address affinity, destination affinity, SSL etc. I know cookie persistence is suitable for web application servers. But I don't really understand when we must use each type of persistence. Do you have experience in your environment with a case, problem, or case study using each persistence type?

      Thanks so much....

  • Hi, glad to know that it helped you!

    Coming to your second question about selecting the type of persistence: the persistence profile type depends on how and where you want to store the session/client information. Kindly go through the articles below, which may give you some clarity on this.

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-5-1/11.html

    https://devcentral.f5.com/s/articles/back-to-basics-the-many-faces-of-load-balancing-persistence