Forum Discussion

Javier_Somoza_3
Sep 18, 2017

Publishing a website with SSL using an internal certificate

Hi all

I'm using F5 BIG-IP v13 as a reverse proxy to publish some websites. When publishing using SSL with a 3rd party certificate it works. But now I'm trying to publish an internal site with a certificate signed by my local CA, and there is no way to make it work.

I have created two VS: one for HTTP and another for HTTPS. Publishing the site as HTTP works: client --http--> F5 --http--> server

Publishing the same site as HTTPS does not work: client --https--> F5 --https--> server

The server responds correctly to both HTTP and HTTPS.

The certificate with the full chain (the internal CA root cert) is imported. The VS is configured with a client SSL profile with the certificate, key and chain. The VS is configured with the default serverssl profile.

Firefox shows an error: "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."

The openssl command seems to return no errors:

openssl s_client -connect 192.168.206.70:443 -cert /config/filestore/files_d/LAN_d/certificate_d/:LAN:WILDCARD_mydomain.lan.crt_160529_1 -key /config/filestore/files_d/LAN_d/certificate_key_d/:LAN:WILDCARD_mydomain.lan.key_160527_1

CONNECTED(00000003)
depth=1 DC = lan, DC = mydomain, CN = myou
verify error:num=19:self signed certificate in certificate chain
verify return:0
...
No client certificate CA names sent
...
Verify return code: 19 (self signed certificate in certificate chain)

Am I doing something wrong? What would be the correct way to configure this?

Thanks!

 
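The verify error 19 in the openssl output above is what s_client (and a browser) reports when the server sends a chain that ends in a self-signed root which is not in the local trust store. The following script is an added example, not code from the thread or from F5: it rebuilds that situation with a throw-away internal CA and constructed names (Internal Root CA, *.mydomain.lan, Other CA), then shows the same chain verifying once the internal CA certificate is supplied as the trust anchor.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce openssl's "verify error 19"
# with a throw-away internal CA, then show the same chain verifying cleanly
# once that CA is a trust anchor. All names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_ca() {  # gen_ca <name> <subject>: self-signed CA key + certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
gen_ca internal "/DC=lan/DC=mydomain/CN=Internal Root CA"  # the local CA
gen_ca other    "/CN=Other CA"  # a trust store that lacks the internal CA

# Wildcard leaf issued by the internal CA, then the chain a server would
# send: leaf followed by the self-signed root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.mydomain.lan" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/internal.crt" \
  -CAkey "$WORK/internal.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
cat "$WORK/leaf.crt" "$WORK/internal.crt" > "$WORK/chain.pem"

# verify_chain <trust-anchor-file>: verify leaf.crt, treating chain.pem as
# the untrusted certificates received from the server. Prints the verdict.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$WORK/chain.pem" \
    "$WORK/leaf.crt" 2>&1 || true
}
# Trust store without the internal CA: the root is present in the chain but
# not trusted, which is "error 19 ... self signed certificate in chain".
untrusted_verdict() { verify_chain "$WORK/other.crt"; }
# Trust store with the internal CA imported (what the browser needs): OK
trusted_verdict()   { verify_chain "$WORK/internal.crt"; }

echo "--- without internal CA in trust store ---"; untrusted_verdict
echo "--- with internal CA in trust store ---";    trusted_verdict
```

The first verdict matches the s_client output in the post; the second is what a client that has imported the internal CA sees.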

18 Replies

  • eben_259100

    Hi Javier,

    How are you accessing the virtual server? ; or

    Make your browser trust your internal CA certificate. Shows that the cert is self-signed.

    CN = myou? this should be a fully qualified domain name.

    • Javier_Somoza_3

      Hi eben, thanks for your answer.

      I'm accessing using the domain name because the LTM profile (and the backend server configuration) is based on the Host header.

      True, my Firefox does not trust the CA cert. Anyway, my Chrome and Explorer do trust it, but it does not work either...

      Don't worry about that CN, I changed it when writing the post to show a fake name.

      Thanks!

    • eben_259100

      What error do you get from Chrome or IE? Please be more specific.

      Also switch the serverssl profile to the one that has secure-incompatible.

      Regards

    • Javier_Somoza_3

      The browser simply returns ERR_CONNECTION_RESET

      I haven't explained it correctly; the actual connection flow is:

      Client --> F5 (VS Rev.Proxy) --> F5 (VS Balanced Web Servers) --> Web Server nodes

      I think the problem is not at the serverssl profile level, because I cannot see any packet with tcpdump destined for the second VS (the balancing one) when causing the problem in the browser. Anyway, I tried the serverssl profile insecure-compatible but with no success.

  • TechT

    Hi Javier,

    I would also recommend you check that the certificate is imported on the backend real server, since you are using a serverssl profile to re-encrypt the traffic to the real server.

    -Maneesh