SSL cert error on non-WWW URL on ACE 4710

Unanswered Question
Aug 31st, 2010

I have a problem with an https redirect on my ACE.  Users are receiving a certificate error if they browse to the link https://mysite.com; if they accept the error they are redirected to https://www.mysite.com.  The cert is set up for the URL www.mysite.com, which is why the error is generated.  I opened a TAC case and they told me:

"I believe there is no way around it. This is because we decrypt the traffic first, then we do the redirect to https://www.mysite.com. So the user will see the certificate error before hitting the redirect. This has to do with the way or domain that was used to create the certificate."

Below is my config, let me know if you have any suggestions.

Thanks,

Chris

class-map type http loadbalance match-all HOST1
  2 match http header Host header-value "mysite.com"


rserver redirect REDIRECT
  webhost-redirection https://www.mysite.com
  inservice

serverfarm redirect REDIRECT
  rserver REDIRECT
    inservice

Now in the loadbalance policy add the class and serverfarm before the default class:

policy-map type loadbalance first-match CM-MYSITE-COM-VIP-443-l7slb
  class HOST1
    serverfarm REDIRECT
  class class-default
    sticky-serverfarm MYSITE-COM-COOKIE
    action DELETE-CACHE

Pablo Tue, 08/31/2010 - 13:47

Hi Chris,

The quote from the TAC engineer is right; the problem is that when the user goes to https://mysite.com the request is first decrypted and then L7 inspected.

The cert error is expected: when you indicate the FQDN on your CSR, that's the only domain you're buying the SSL certificate for. The workaround you're looking for is called a SAN (Subject Alternative Name) certificate; this kind of certificate would allow you to add different flavors of your domain under the same SSL file with a little extra charge (around 50 bucks I think). You may want to get back to your certificate authority and check if they can re-sign the certificate but make it SAN this time. SAN certificates are compatible with the ACE app/module.

Here is a little info from the OpenSSL website:

http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

Hope this helps.



Pablo
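Pablo's SAN suggestion, as an added example that is not part of this thread: a self-signed test certificate built with OpenSSL whose subjectAltName lists both mysite.com and www.mysite.com, then checked with `openssl x509 -checkhost` to see which host names a client would accept. The CN, host names and temp paths are assumptions; a production certificate would come from the CA via a CSR made with the same config.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a self-signed certificate whose
# SAN covers the bare and the www host, then asks OpenSSL which names match.
# Host names, paths and key size are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# Minimal OpenSSL config: CN stays www.mysite.com (as on the original cert),
# and the SAN extension lists every host name the certificate must serve.
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no
[ dn ]
CN = www.mysite.com
[ v3_san ]
subjectAltName = DNS:www.mysite.com, DNS:mysite.com
EOF

# Self-signed for the demo; for a CA-issued cert use `openssl req -new`
# with the same config to produce the CSR instead of `-x509`.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/key.pem" -out "$CERT" -config "$WORK/san.cnf" >/dev/null 2>&1

# san_matches CERT HOST -> exit 0 if OpenSSL accepts HOST for CERT, else 1
san_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# list_sans CERT -> the DNS names carried in the SAN extension
list_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

echo "SAN: $(list_sans "$CERT")"
for h in mysite.com www.mysite.com other.example; do
  if san_matches "$CERT" "$h"; then
    echo "$h: accepted"
  else
    echo "$h: certificate error"
  fi
done
```

Run it with `sh san-demo.sh`; the bare host and the www host are accepted while the unrelated name is rejected, which is exactly the behaviour the redirect on the ACE needs.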
