Cisco Support Community

New Member

SSL cert error on non-WWW URL on ACE 4710

I have a problem with an https redirect on my ACE. Users are receiving a certificate error if they browse to the link; if they accept the error they are redirected to  The cert is set up for the URL, which is why the error is generated. I opened a TAC case and they told me:

" I believe there is no way around it. This is because we decrypt the traffic first, then we do the redirect to So the user will see the certificate error before hitting the redirect. This has to do with the way or domain that was used to create the certificate."

Below is my config; let me know if you have any suggestions.



class-map type http loadbalance match-all HOST1
  2 match http header Host header-value ""

rserver redirect REDIRECT

serverfarm redirect REDIRECT
  rserver REDIRECT

Now in the loadbalance policy add the class and serverfarm before the default class:

policy-map type loadbalance first-match CM-MYSITE-COM-VIP-443-l7slb
  class HOST1
    serverfarm REDIRECT
  class class-default
    sticky-serverfarm MYSITE-COM-COOKIE
    action DELETE-CACHE

Cisco Employee

Re: SSL cert error on non-WWW URL on ACE 4710

Hi Chis,

The quote from the TAC engineer is right; the problem is that when the user goes to the request is first decrypted and then L7 inspected.

The cert error is expected: when you indicate the FQDN on your CSR, that's the only domain you're buying the SSL certificate for. The workaround you're looking for is called a SAN (Subject Alternative Name) certificate; this kind of certificate would allow you to add different flavors of your domain under the same SSL file with a little extra charge (around 50 bucks I think). You may want to get back to your certificate authority and check if they can re-sign the certificate but make it SAN this time. SAN certificates are compatible with the ACE app/module.

Here is a little info from the OpenSSL website:

Hope this helps.
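Added example, not part of the original thread or of any Cisco tooling: a small Python model of the client-side certificate name check, showing why the error appears before the ACE redirect can be seen and why a wildcard certificate alone does not cover the bare domain. The hostnames `example.com` and `www.example.com` are constructed placeholders (the thread's real hostnames are not shown), and the function names are hypothetical.

```python
# Model of the order of events for an HTTPS request to a VIP that
# terminates TLS and then applies an L7 Host-header redirect.
# Hostnames are constructed placeholders, not values from the thread.

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the requested host.

    Case-insensitive exact match, or a wildcard that is the entire
    leftmost label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False            # '*.example.com' never covers 'example.com'
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]   # wildcard replaces one label only
    return p == h


def cert_covers(dns_names, host: str) -> bool:
    """True if any DNS name in the certificate matches the host."""
    return any(name_matches(n, host) for n in dns_names)


def first_visible_event(dns_names, requested_host: str, redirect_hosts) -> str:
    """What the user sees first for https://<requested_host>/.

    The name check happens during the TLS handshake, so it runs before
    the load balancer can send any HTTP response, including a redirect.
    """
    if not cert_covers(dns_names, requested_host):
        return "certificate-error"
    if requested_host.lower() in redirect_hosts:
        return "redirect"
    return "content"


SINGLE_NAME = ["www.example.com"]               # cert issued for one FQDN
WILDCARD = ["*.example.com"]                    # wildcard cert
SAN_CERT = ["www.example.com", "example.com"]   # SAN cert listing both names
REDIRECT_HOSTS = {"example.com"}                # hosts matched by the redirect class

if __name__ == "__main__":
    for label, names in (("single", SINGLE_NAME), ("wildcard", WILDCARD), ("san", SAN_CERT)):
        print(label, first_visible_event(names, "example.com", REDIRECT_HOSTS))
```

Only the certificate that lists both names lets the request to the bare domain reach the redirect without a warning.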
