Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
655
Views
0
Helpful
1
Replies

SSL cert error on non-WWW URL on ACE 4710

cbregeripr
Level 1
Level 1

‎08-31-2010 11:52 AM

I have a problem, with an https redirect on my ACE.  Users are recieving a Certificate error if they browse to the link https://mysite.com, if they accept the error they are redirected to https://www.mysite.com.  The cert is setup for the URL www.mysite.com, which is why the error is generated.  I opened a TAC case they told me;

" I believe there is no way around it. This is because we decrypt the traffic first, then we do the redirect to https://www.mysite.com. So the user will see the certificate error before hitting the redirect. This has to do with the way or domain that was used to create the certificate."

Below is my config, let me know if you have any sugggestions.

Thanks,

Chris

class-map type http loadbalance match-all HOST1
  2 match http header Host header-value "mysite.com"


rserver redirect REDIRECT
  webhost-redirection https://www.mysite.com
  inservice

serverfarm redirect REDIRECT
  rserver REDIRECT
    inservice

Now in the loadbalance policy add the class and serverfarm before the default class:

policy-map type loadbalance first-match CM-MYSITE-COM-VIP-443-l7slb
  class HOST1
    serverfarm REDIRECT
  class class-default
    sticky-serverfarm MYSITE-COM-COOKIE
    action DELETE-CACHE

Labels:
0 Helpful
1 Reply 1

Pablo
Cisco Employee
Cisco Employee

‎08-31-2010 01:47 PM

Hi Chis,

The quote from the TAC engineer is right, the probblem is that when the user goes to https://mysite.com the request is first decrypted and then L7 inspected.

The cert error is expected, when you indicate the FQDN on your CSR that's the only domain you're buying the SSL certificate for. The workaround you're looking for is called SAN (Subject Alternative Name) certificate, this kind of certificate would allow you to add different flavors of your domain under the same SSL file with a little extra charge (around 50 bucks I think). You may want to get back at your certificate authority and check if they can re-sign the certificate but make it SAN this time. SAN certificates are compatible with the ACE app/module.

Here is a little info from the OpenSSL website:

http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

Hope this helps.


__ __

Pablo

0 Helpful
Customers Also Viewed These Support Documents