Forum Discussion

Fabou_139732
Nimbostratus
Feb 24, 2016

SSL Certificate Testing while servers not configured

I have set up an HTTPS VIP and I can see that all the servers are green (connectivity is OK), hence the VIP is showing green as well. The issue is that Apache has not been configured yet, so in theory the server won't return anything.

Is it normal that I get a certificate error from the browser when I try to connect to the SSL VIP? The certificate is installed and is from Entrust, and the VIP is configured to terminate SSL (client) then re-initiate SSL to the server.

I was kind of hoping to get a page not found error since Apache is not configured on the server, but not the certificate error.

Can you please advise?

  • BinaryCanary_19
    Historic F5 Account

    Yes, it is normal, because the BIG-IP is a full proxy.

    Your client will establish a connection to the BIG-IP independently, and then the BIG-IP will establish a connection to the backend server. The two are independent, and the client connection will have to complete before the BIG-IP establishes a server connection.

    Since you have an SSL profile on the VIP, the client is going the whole length to complete the SSL handshake, and then sends the GET request. So you get the SSL certificate warning because you need to trust the certificate in order for the handshake to complete.


    • Fabou_139732
      Nimbostratus
      Ok, I see what you mean. The SSL certificate used on the profile is from Entrust (https://www.entrust.com/ssl-certificates/) and they are trusted by all browsers, I believe, which is why I am surprised to see that error. So your answer seems to confirm that I should not see that error message. I will try to investigate this. Thanks again.
    • BinaryCanary_19
      Historic F5 Account
      You can check the issuer of the certificate you are seeing in the browser; if it matches what you got from Entrust, then it likely means that your browser does not have a complete chain of trust leading up to a root CA which the browser itself trusts. For such cases, you are supposed to also configure an intermediate certificate chain on the SSL profile; you might have received an "intermediate" certificate from Entrust, or they may have provided you with instructions on how to download one, or you can contact them and ask them to give you one. Then you simply add it to your BIG-IP as the Chain certificate and this should help allow more browsers to validate it.
    • AJ_01_135899
      Cirrostratus
      Are you sure on your first answer? The SSL connection is made from the browser to the VIP. The subsequent proxy connection is made from the F5 to the web server. If the web server connection is not able to be made, in my experience there's a failure to connect. This can be verified with OpenSSL or Fiddler; you should still see an SSL handshake with the VIP even with an invalid cert installed on the web server. Your intermediate cert answer makes much more sense to me.
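The missing-intermediate situation described in the replies above can be reproduced offline without a BIG-IP or an Entrust certificate. The script below is an added example, not code from the thread or from F5: it builds a throwaway root, intermediate and leaf with the openssl CLI (assumed to be on PATH, 1.1.1 or 3.x), then verifies the leaf against the root the way a browser would, first with only the leaf available (what a client sees when the SSL profile has no Chain certificate configured) and then with the intermediate supplied as an untrusted chain certificate. All names in it (Example Root CA, vip.example.test) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "incomplete chain" browser
# error with a throwaway PKI. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH;
# all subject names are constructed for the demonstration.
set -eu

# Build root -> intermediate -> leaf in a scratch directory and print its path.
make_pki() {
    dir=$(mktemp -d)

    # Root CA: self-signed. This is what the browser's trust store holds.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/root.ext"
    openssl x509 -req -sha256 -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/root.ext" -out "$dir/root.crt" >/dev/null 2>&1

    # Intermediate CA: issued by the root. Browsers do NOT ship this one; the
    # server side (here the BIG-IP SSL profile) must send it during the handshake.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/int.ext"
    openssl x509 -req -sha256 -days 2 -in "$dir/int.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/int.ext" \
        -out "$dir/int.crt" >/dev/null 2>&1

    # Leaf: the certificate installed on the virtual server, issued by the intermediate.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=vip.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vip.example.test\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -sha256 -days 2 -in "$dir/leaf.csr" -CA "$dir/int.crt" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.crt" >/dev/null 2>&1

    echo "$dir"
}

# Verify the leaf with only the root trusted, exactly as a browser does.
# $2 = "yes" adds the intermediate as an untrusted chain cert (what the SSL
# profile's Chain certificate setting makes the BIG-IP send); "no" omits it.
# Prints "ok" or "fail".
verify_leaf() {
    dir=$1; with_chain=$2
    if [ "$with_chain" = yes ]; then
        openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" \
            "$dir/leaf.crt" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$dir/root.crt" "$dir/leaf.crt" \
            >/dev/null 2>&1 && echo ok || echo fail
    fi
}

demo() {
    dir=$(make_pki)
    # Same check the reply suggests: compare the leaf's issuer with what the CA sent you.
    echo "leaf issuer: $(openssl x509 -in "$dir/leaf.crt" -noout -issuer)"
    echo "trusted root only, no intermediate sent:  $(verify_leaf "$dir" no)"
    echo "trusted root, intermediate sent as chain: $(verify_leaf "$dir" yes)"
    rm -rf "$dir"
}

demo
```

Run it with `sh chain_check.sh`; the first verification fails (OpenSSL reports "unable to get local issuer certificate") and the second succeeds, which is the whole difference between a VIP with and without the intermediate configured as the Chain certificate. Against a live virtual server the equivalent check is `openssl s_client -connect vip:443 -servername vip -showcerts`, which prints every certificate the BIG-IP actually sends; if only the leaf appears, the profile is missing its chain, regardless of how well-known the issuing CA is.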