Forum Discussion

Sanal_Babu
Jan 01, 2018

2 URLs on same VIP with wildcard certificate

Here is the existing setup. VIP and pool members listening on 443. Wildcard certificate on the client SSL profile. In the server SSL profile, "abc.com" as server name.

Requirement:

One more URL to be added as "xyx.abc.com" on the same VIP. The certificate would be the same wildcard. What should the client and server SSL profiles be? Please help.

 

8 Replies

  • If all works with abc.com right now, and you already terminate clientssl with a *.abc.com certificate, no changes on BigIP LTM are required to add support for xyx.abc.com. They just create a new DNS A record to point xyx.abc.com to the same VIP as abc.com and voila!

    Serverssl profile has no domain-aware significance. It is used to enable BigIP to act as an SSL/TLS client so the traffic to the Pool Member will be encrypted before it's forwarded downstream.

    • Sanal_Babu

      The VIP works when I attach a server profile with server name abc.com. But not for xyz.abc.com.

    • nitass

      If I do not misremember, the serverssl profile does not forward the server name indicated from the clientside to the serverside. So, can you try something like this?

      Modifying serverside SSL profile based on hostname for SNI (Kai Wilke's comment) https://devcentral.f5.com/s/feed/0D51T00006i7eN3SAI

    • Hannes_Rapp_162

      No server name should be specified in the serverssl profile unless your external web address URLs do not match the listener configurations in the web servers. If the web server is configured to listen on abc.com:443, either add xyx.abc.com:443 as a second VirtualHost listener, or make it a wildcard listener that matches both. I see no good justification to use TLS SNI or any other F5 workaround for something as basic as this. Refer to the Apache docs for help and use the serverssl profile with DEFAULT settings; don't customize anything. If you specify abc.com as server name in the serverssl profile, you are explicitly forcing all xyx.abc.com requests to the abc.com listener and for obvious reasons this can't work.
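Two offline checks that go with the replies above, written for this page as an added example (not code from the thread, from F5, or from Apache). The first answers the question the wildcard certificate raises: which of the VIP's hostnames does a `*.abc.com` SAN actually cover under the RFC 6125 wildcard rules (one label only, so the apex `abc.com` needs its own SAN entry). The second models Hannes_Rapp_162's point about the pool member: given an ordered list of Apache name-based VirtualHosts, which one a request for `xyx.abc.com` lands on before and after a wildcard `ServerAlias` is added. The SAN lists, the `default.internal` VirtualHost and the `VHOSTS_BEFORE`/`VHOSTS_AFTER` tables are constructed assumptions for the example.

```python
"""Two offline checks for the setup discussed in this thread.

Constructed data only: the SAN lists and VirtualHost tables below are
assumptions for the example, not taken from a real certificate or a real
pool member.
"""
import fnmatch


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname using RFC 6125 6.4.3 rules.

    A wildcard is honoured only when it is the entire left-most label
    ("*.abc.com") and at least two labels follow it.  It stands for exactly
    one label, so "*.abc.com" covers "xyx.abc.com" but covers neither the
    apex "abc.com" nor the deeper "a.b.abc.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, nothing else may be a wildcard,
    # and "*.com"-style patterns are refused.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    # Exactly one label is substituted, so label counts must line up.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def cert_coverage(san_names, hostnames):
    """Return {hostname: bool} telling whether any SAN entry covers it."""
    return {h: any(cert_name_matches(p, h) for p in san_names) for h in hostnames}


def select_vhost(vhosts, name):
    """Return the ServerName of the Apache name-based VirtualHost that serves `name`.

    `vhosts` is an ordered list of (ServerName, [ServerAlias, ...]) for one
    <address:port>.  Apache checks ServerName, then ServerAlias entries
    (which may use * and ? shell-style wildcards); if nothing matches it
    falls back to the first VirtualHost defined for that address:port.
    """
    name = name.lower().rstrip(".")
    for server_name, aliases in vhosts:
        if name == server_name.lower():
            return server_name
        if any(fnmatch.fnmatchcase(name, alias.lower()) for alias in aliases):
            return server_name
    return vhosts[0][0]  # default VirtualHost for this address:port


# Constructed pool-member configurations (assumptions for the example).
# Before: only abc.com is a listener, so anything else falls to the default vhost.
VHOSTS_BEFORE = [("default.internal", []), ("abc.com", [])]
# After: a wildcard ServerAlias makes the same VirtualHost serve xyx.abc.com too.
VHOSTS_AFTER = [("default.internal", []), ("abc.com", ["*.abc.com"])]

HOSTNAMES = ["abc.com", "xyx.abc.com", "a.b.abc.com"]


def report():
    """Run both checks over the constructed data and return the results."""
    return {
        "wildcard_only": cert_coverage(["*.abc.com"], HOSTNAMES),
        "apex_plus_wildcard": cert_coverage(["abc.com", "*.abc.com"], HOSTNAMES),
        "vhost_before": {h: select_vhost(VHOSTS_BEFORE, h) for h in HOSTNAMES},
        "vhost_after": {h: select_vhost(VHOSTS_AFTER, h) for h in HOSTNAMES},
    }


if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check}: {result}")
```

Two things worth noticing in the output. A certificate whose only SAN is `*.abc.com` does not cover the apex `abc.com`; issuers usually add the apex as a second SAN, and `cert_coverage` tells you whether yours does. And the Apache `ServerAlias` wildcard is a plain shell-style glob, so `*.abc.com` there also catches `a.b.abc.com`, which the certificate wildcard does not; if deeper names are ever pointed at the VIP, the listener will accept them while the clientssl certificate will not match them.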
