SSL Certificate Testing while servers not configured

Question

I have setup an HTTPS VIP and I can see that all the servers are green (connectivity is OK) hence the VIP is showing green as well. The issue is that Apache has not been confgured yet so in theory the server wont return anything.  &nbsp;
Is it normal that I get a certificate error from the browser when I try to connecto the SSL VIP? The certificate is installed and is from Untrust and the VIP is configured to terminate SSL (client) then re-initiate SSL to the server.&nbsp;
I was kind of hoping to get a page not found error since Apache is not configured on the server but not the certificate error.&nbsp;
Can you please advise?&nbsp;

binarycanary_19 · Accepted Answer

Yes, it is normal, because the BigIP is a full proxy.&nbsp;

Your client will establish a connection to the bigIP independently, and then the bigip will establish a connection to the backend server. The two are independent, and the client connection will have to complete before bigip establishes a server connection. &nbsp;

Since you have an SSL profile on the VIP, then the client is going the whole length to complete the SSL handshake, and then send the GET request. So you get the ssl certificate warning because you need to trust the certificate in order for the handshake to complete.&nbsp;

fabou_139732 · Answer

Ok, I see what you mean.

The SSL certificate used on the profile is from Entrust (https://www.entrust.com/ssl-certificates/) and they are trusted by all browsers I beleive which is why I am surprised to see that error.

So you anwer seem to confirm that I should not see that error message. I will try to investigate this. Thanks again.

binarycanary_19 · Answer

YOu can check the issuer of the certificate you are seeing in the browser; it it matches what you got from Entrust, then it likely means that your browser does not have a complete chain of trust leading up to a root CA which the browser itself trusts.

For such cases, you are supposed to also configure an intermediate certificate chain on the ssl profile; you might have received an "intermediate" certificate from Entrust, or they may have provided you with instructions on how to download one, or you can contact them and ask them to give you one.

Then you simply add it to your bigip as the Chain certificate and this should help allow more browsers to validate it.

aj_01_135899 · Answer

Are you sure on your first answer?  The SSL connection is made from the browser to the VIP.  The subsequent proxy connection is made from the F5 to the web server.  If the web server connection is not able to be made, in my experience there's a failure to connect.  This can be verified with OpenSSL or Fiddler, you should still see an SSL handshake with the VIP even with an invalid cert installed on the web server.

Your intermediate cert answer makes much more sense to me.

binarycanary_19 · Answer

Regarding my first answer, please see: https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html?sr=51758587

The client side connection standard TCP virtual server is independent of the server-side connection.

Of course, if the server-side connection fails, the BigIP will in turn terminate the client-side connection by default, but the server side connection is only established after the client-side connection has already been established.

Then depending on whether there is a Layer 7 profile, the bigip will either wait for some application data first, or immediately establish server-side connection; in all cases that are not FastL4, the client side will complete before there is even a SYN sent on server-side.

If there is a layer 7 profile, then this means that the SSL handshake will complete clientside before server connection is established.

You will never see the server-certificate on the clientside on this kind of setup (unless you are using the same server certificate on your VIP clientssl profile).

Forum Discussion

SSL Certificate Testing while servers not configured

5 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

Certificate Expiry Email alert configuration

Khoros article scheduling test

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP

Re: Management Certificate

Automate Let's Encrypt Certificates on BIG-IP