Forum Discussion

wanderingadmin_
Mar 31, 2017

Certificate error from F5 virtual server

"Certificate error on F5 Load Balancing" Hello, We have a virtual server configured on the F5 with URL easysite.com with 3 load balancing pool members. The 3 members are running IIS7.5 and individually have their own easysite1.com, easysite2.com and easysite3.com URL with certificate installed. We would like to make sure that end users will never know that the individual web servers are accessible by their own individual URL. The virtual server is masking the URL correctly and the end user can only see easysite.com, but the problem is the certificate. When you view the certificate installed from the browser, we see the certificate that is installed on the individual load balancing member we are connected to. For example, you go to easysite.com and there is a cert error; when you view the cert we see the easysite1.com cert. Are we missing anything in our configuration? (NOTE: I am the application owner of the web servers but I will try to provide info on the F5 as much as I can)


1 Reply

  • Sounds like you are passing SSL through to the server, so the server is presenting its certificate when the client connects. Of course, with only the 'individual' certificates on the servers then that is what the user will see when they try to connect.


    A few starter options:


    1) Replace cert/key on all servers with new certificate for 'easysite.com'. Sounds like you want individual certs on each server when you connect directly, though.


    2) Get a new certificate for 'easysite.com' and use it in a client-ssl profile on the BIGIP. Associate the client-ssl profile with the virtual server, as well as a server-ssl profile to re-encrypt traffic to the servers. In this scenario the BIGIP is terminating client SSL and presenting the easysite.com certificate to the client. By default the server-ssl profile doesn't verify the server certificate, so no changes needed on the pool members.


    3) Get a new certificate for 'easysite.com', load it (and key) on all of your web servers alongside existing cert/key, and configure them to use SNI to determine which certificate to present to the client.
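Option 2 in the reply, written out as tmsh commands. This is an added example, not part of the original thread and not F5's own documentation: it assumes the easysite.com certificate and key have already been copied to /var/tmp on the BIG-IP, and the object names (easysite_clientssl, easysite_serverssl, vs_easysite_443) and file names are placeholders to replace with your own. Commands are entered at the tmsh prompt.

```tmsh
# Added example (not from the original thread): terminate TLS on the BIG-IP
# for easysite.com and re-encrypt to the pool members, as in option 2 above.
# Object and file names are assumptions; substitute your own.

# 1. Import the easysite.com certificate and private key into the BIG-IP store.
install sys crypto cert easysite.com.crt from-local-file /var/tmp/easysite.com.crt
install sys crypto key easysite.com.key from-local-file /var/tmp/easysite.com.key

# 2. Client-side profile: this certificate is what browsers will now see,
#    instead of the easysite1/2/3.com certificates on the pool members.
create ltm profile client-ssl easysite_clientssl defaults-from clientssl cert easysite.com.crt key easysite.com.key

# 3. Server-side profile: re-encrypts the connection to the IIS members.
#    The serverssl parent does not verify the member's certificate by default,
#    so the existing per-server certs can stay as they are (the reply's point).
#    If you later want the BIG-IP to verify them, add peer-cert-mode require
#    and a ca-file holding the CA that issued the easysite1/2/3.com certs.
create ltm profile server-ssl easysite_serverssl defaults-from serverssl

# 4. Attach both profiles to the existing HTTPS virtual server.
modify ltm virtual vs_easysite_443 profiles add { easysite_clientssl { context clientside } easysite_serverssl { context serverside } }

# 5. Persist the running configuration.
save sys config
```

To confirm the fix from a client, connect to the virtual server with a TLS client that shows the presented certificate (for example `openssl s_client -connect easysite.com:443 -servername easysite.com`) and check that the subject and subject alternative name now read easysite.com rather than one of the member names. Leaving the server-ssl profile at its default of not verifying the member certificate keeps the reply's "no changes needed on the pool members" property, but it also means the BIG-IP does not authenticate the back-end; enabling verification later is the usual hardening step once the member certificates chain to a CA you control.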