08-31-2010 11:52 AM
I have a problem with an https redirect on my ACE. Users are receiving a certificate error if they browse to the link https://mysite.com. If they accept the error, they are redirected to https://www.mysite.com. The cert is set up for the URL www.mysite.com, which is why the error is generated. I opened a TAC case and they told me:
" I believe there is no way around it. This is because we decrypt the traffic first, then we do the redirect to https://www.mysite.com. So the user will see the certificate error before hitting the redirect. This has to do with the way or domain that was used to create the certificate."
Below is my config, let me know if you have any suggestions.
Thanks,
Chris
class-map type http loadbalance match-all HOST1
  2 match http header Host header-value "mysite.com"
rserver redirect REDIRECT
  webhost-redirection https://www.mysite.com
  inservice
serverfarm redirect REDIRECT
  rserver REDIRECT
  inservice
Now in the loadbalance policy add the class and serverfarm before the default class:
policy-map type loadbalance first-match CM-MYSITE-COM-VIP-443-l7slb
  class HOST1
    serverfarm REDIRECT
  class class-default
    sticky-serverfarm MYSITE-COM-COOKIE
    action DELETE-CACHE
08-31-2010 01:47 PM
Hi Chris,
The quote from the TAC engineer is right, the problem is that when the user goes to https://mysite.com the request is first decrypted and then L7 inspected.
The cert error is expected, when you indicate the FQDN on your CSR that's the only domain you're buying the SSL certificate for. The workaround you're looking for is called a SAN (Subject Alternative Name) certificate, this kind of certificate would allow you to add different flavors of your domain under the same SSL file with a little extra charge (around 50 bucks I think). You may want to get back to your certificate authority and check if they can re-sign the certificate but make it SAN this time. SAN certificates are compatible with the ACE app/module.
Here is a little info from the OpenSSL website:
http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
Hope this helps.
__ __
Pablo
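The following is an added example, not part of either post above, that models why the handshake for https://mysite.com fails before the ACE ever sends the L7 redirect, and why a SAN certificate listing both names fixes it. The certificates are constructed dicts in the shape Python's ssl.getpeercert() returns (no real certificate or CA is involved); the matching rules follow RFC 6125 as browsers apply them, and the example goes one step beyond the thread by also showing that a wildcard cert for *.mysite.com would not cover the bare domain either.

```python
# Added example (not from the thread): hostname checking against a certificate's
# names, as a browser does it during the TLS handshake, i.e. before any HTTP
# redirect from the ACE can be seen.

# Constructed certificate descriptions, in the shape of ssl.getpeercert().
SINGLE_NAME_CERT = {  # cert issued only for www.mysite.com (the thread's situation)
    "subject": ((("commonName", "www.mysite.com"),),),
    "subjectAltName": (("DNS", "www.mysite.com"),),
}
SAN_CERT = {  # re-issued SAN cert covering both flavors of the domain
    "subject": ((("commonName", "www.mysite.com"),),),
    "subjectAltName": (("DNS", "www.mysite.com"), ("DNS", "mysite.com")),
}
WILDCARD_CERT = {  # wildcard cert: covers www.mysite.com but NOT the bare apex
    "subject": ((("commonName", "*.mysite.com"),),),
    "subjectAltName": (("DNS", "*.mysite.com"),),
}


def _dns_names(cert):
    """dNSName entries from subjectAltName, lowercased."""
    return [v.lower() for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def _common_names(cert):
    """commonName values from the subject, lowercased (legacy fallback only)."""
    return [v.lower() for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]


def _matches(pattern, hostname):
    """Exact match, or a single leftmost '*' label matching exactly one label."""
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard must be the whole leftmost label and leave at least two labels
    # after it (e.g. *.mysite.com); it never matches the apex (mysite.com).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate is valid for hostname (RFC 6125 style)."""
    hostname = hostname.lower().rstrip(".")
    sans = _dns_names(cert)
    # When SAN dNSNames are present the CN is ignored entirely; the CN is only
    # consulted for certificates with no SAN at all.
    candidates = sans if sans else _common_names(cert)
    return any(_matches(c, hostname) for c in candidates)


def redirect_check(cert, requested_host, redirect_host="www.mysite.com"):
    """Model the ACE flow: TLS decrypt (with hostname check) happens first,
    the webhost-redirection is only reached if the handshake succeeded."""
    if not hostname_matches(cert, requested_host):
        return "certificate_error_before_redirect"
    return "redirected_to_" + redirect_host


if __name__ == "__main__":
    for name, cert in (("single-name", SINGLE_NAME_CERT),
                       ("SAN", SAN_CERT),
                       ("wildcard", WILDCARD_CERT)):
        print(f"{name:12s} https://mysite.com     -> {redirect_check(cert, 'mysite.com')}")
        print(f"{name:12s} https://www.mysite.com -> {redirect_check(cert, 'www.mysite.com')}")
```

The single-name cert produces the error the users see; only the SAN cert lets https://mysite.com complete the handshake and reach the redirect. When the CA re-issues the certificate, confirm the CSR carries both names in subjectAltName rather than relying on the CN, since the CN is ignored once any SAN is present.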