SSL cert error on non-WWW URL on ACE 4710

Unanswered Question
Aug 31st, 2010

I have a problem with an https redirect on my ACE.  Users are receiving a Certificate error if they browse to the link; if they accept the error they are redirected to  The cert is set up for the URL, which is why the error is generated.  I opened a TAC case and they told me:

"I believe there is no way around it. This is because we decrypt the traffic first, then we do the redirect to So the user will see the certificate error before hitting the redirect. This has to do with the way or domain that was used to create the certificate."

Below is my config, let me know if you have any suggestions.

class-map type http loadbalance match-all HOST1
  2 match http header Host header-value ""

rserver redirect REDIRECT

serverfarm redirect REDIRECT
  rserver REDIRECT

Now in the loadbalance policy add the class and serverfarm before the default class:

policy-map type loadbalance first-match CM-MYSITE-COM-VIP-443-l7slb
  class HOST1
    serverfarm REDIRECT
  class class-default
    sticky-serverfarm MYSITE-COM-COOKIE
    action DELETE-CACHE

Pablo (Cisco Employee) Tue, 08/31/2010 - 13:47

Hi Chis,

The quote from the TAC engineer is right, the problem is that when the user goes to the request is first decrypted and then L7 inspected.

The cert error is expected, when you indicate the FQDN on your CSR that's the only domain you're buying the SSL certificate for. The workaround you're looking for is called a SAN (Subject Alternative Name) certificate, this kind of certificate would allow you to add different flavors of your domain under the same SSL file with a little extra charge (around 50 bucks I think). You may want to get back to your certificate authority and check if they can re-sign the certificate but make it SAN this time. SAN certificates are compatible with the ACE app/module.

Here is a little info from the OpenSSL website:

Hope this helps.
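To make the name-matching rule behind this answer concrete, here is a small added example (not code from the thread, from Cisco, or from OpenSSL). It implements the hostname check a browser performs against a server certificate in the RFC 6125 / RFC 2818 style: if the certificate carries DNS entries in subjectAltName, only those are consulted; the subject CN is used only as a fallback for certificates with no SAN at all, and a wildcard matches exactly one leftmost label. The two certificate dicts are constructed for the example, in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and `mysite.com` / `www.mysite.com` are placeholder names standing in for the domain elided from the post.

```python
"""Hostname-vs-certificate matching, RFC 6125 style (added example).

Shows why a certificate issued only for www.mysite.com produces a browser
error on https://mysite.com before the ACE L7 redirect ever runs, and why
re-issuing it as a SAN certificate that lists both names removes the error.
"""

# Constructed: the original certificate, CN only, as described in the thread.
CERT_WWW_ONLY = {
    "subject": ((("commonName", "www.mysite.com"),),),
}

# Constructed: the same site re-issued as a SAN certificate covering both names.
CERT_SAN = {
    "subject": ((("commonName", "www.mysite.com"),),),
    "subjectAltName": (("DNS", "www.mysite.com"), ("DNS", "mysite.com")),
}


def _dns_names(cert):
    """Names a client may match against.

    If any dNSName SAN entries exist they are authoritative and the CN is
    ignored; the CN is only a fallback for certificates without a SAN.
    """
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def _label_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    Case-insensitive; a wildcard is allowed only as the entire leftmost label,
    matches exactly one label, and needs at least two fixed labels after it
    (so '*.com' is rejected). '*.mysite.com' therefore does NOT cover the
    bare 'mysite.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate is valid for the hostname the user typed."""
    return any(_label_matches(name, hostname) for name in _dns_names(cert))


def audit(cert, hostnames):
    """Report which of the names users might type are covered by the cert.

    This is the check that decides what the browser shows: the TLS handshake
    (and hence this comparison) completes before any Host-header based
    redirect on the load balancer can run, exactly as the TAC engineer said.
    """
    return {host: hostname_matches(cert, host) for host in hostnames}


if __name__ == "__main__":
    names = ["www.mysite.com", "mysite.com"]
    print("CN-only cert :", audit(CERT_WWW_ONLY, names))
    print("SAN cert     :", audit(CERT_SAN, names))
```

Running it shows the CN-only certificate failing for `mysite.com` while the SAN certificate passes for both. Note that a wildcard certificate (`*.mysite.com`) would not have helped either, since a wildcard never matches the bare domain; listing the apex name explicitly in the SAN, as the answer suggests, is what removes the error.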

