Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Questions and Answers



f5.http iApp needs certificate chain

I am using the f5.http iApp to create a simple web service. I am using SSL, however I got a certificate error because the chain was not specified. I had to turn off strict mode and modify the ssl profile. I am missing someplace in the iApp to specify the certificate chain, or does someone have an http iApp that will let me specify the certificate chain?v

2 Answer(s):

Hi Russel,

Sorry this didn't get an answer sooner. Not sure how that happened.

The current f5.http iApp does not expose a way to configure a chain cert when configuring SSL termination. The steps you took are one way (probably the easiest) to solve the problem. The other would be to "fork" the template by making a copy of it and changing its code to allow for this configuration.

An upcoming version of this same iApp will have an enhancement to allow you to specify a clientssl profile created and managed outside of the iApp as a way to allow for using parameters not exposed by the iApp (such as a chain certificate) in the event that the iApp doesn't suffice. It'll actually offer similar options for all of the profiles that a user might want to use with it. This is a compromise between making a concise and focused template and allowing for the use of some of the more rarely used configuration options. However, it's going to be some time until that template is available.

I was able to modify the f5.http template in two places to get the functionality that you're after, but the two changes were somewhat ugly. First, I introduced a new "section" in the presentation with a single question in it that had a small bit of TCL to build a list of ssl certificates. That isn't very clean because it's not part of the SSL section with the rest of the related config - but that section is defined in a library of code used by many templates, and so changing it would impact much more than this one template. Secondly, I had to modify the implementation to modify the client-ssl profile after it was created (again, by a chunk of common code which should be left alone). I would normally just post that iApp, but it's ugly and would make your deployment unsupportable by F5 support should you need to call in about it - and it's just not the right way to fix your problem.

Sorry I couldn't help you more - we're working on a fix for this issue already, but it's just not quite ready yet and the only quick/easy fixes I can offer aren't really appropriate for running in production. What you did for now is probably the best solution at this time.

Hi again Russel,

The upcoming changes that Brent mentions above still apply, but in the meantime, I built a new template based on F5.HTTP that enables the chain certificate field as well as pre-defined client profiles. You can download this template at https://devcentral.f5.com/wiki/iApp.HTTP-with-Arbitrary-Client-SSL-Profile.ashx.


Your answer: