While configuring an HTTPS probe I observe that if the certificate on the target server is expired, the ACE marks the server as PROBE-FAILED. A Wireshark trace shows that the ACE refuses an expired certificate. Here is the probe configuration:
probe https NCL_PROBE_HTTPS
  description *** Server Health Probe ***
  passdetect interval 5
  passdetect count 2
  ssl version all
  request method get url /monitor/
  expect status 200 200
  header User-Agent header-value "Cisco ACE-4710"
  expect regex "PROBE_OK"
I can disable the expiration date validation check with an ssl parameter-map, but such a map is only applicable to the backend session (on an ssl-proxy service), not to an HTTPS probe...
How do I make sure that my HTTPS probe can bypass the certificate validation check?
Thank you for any help
With ACE 1.x code this probe wouldn't have failed.
With ACE 2.x code, the HTTPS probe checks the validity of the certificate sent by the server.
I don't think there is a way to change this behavior.
Syed Iftekhar Ahmed