LTM VIP FQDN Node CURL issue

Question

Hi all&nbsp;can someone please provide some guidance as i have two VIP's both working but one present incorrect cert when i do curl to VIP and correct cert when i do curl to pool member directly (with setting source and without setting source address SNAT in curl)i also set correct header via --header option in curl but when i point it to VIP on same LTM it present invalid cert and when i point it to FQDN pool member of same VIP works and present correct cert, any idea? thanksregardsf

simon_blakely · Answer

If you connect to the virtual, the certificate presented should be the certificate specified in the client-ssl profile.

Is that the correct certificate?

Do you have multiple client-ssl profiles assigned to the virtual?

any · Answer

Thanks, so client ssl is presenting cert but ssh handshake is failing straight after server hello is done ... the trust store for server has different cert then the one it presenting so its failing and wireshark clearly shows wrong cert presenting so ssh handshake terminates

any · Answer

curl is successful because it ignore incorrect cert but browser connectivity is failing when server side cert check is enable and working when serverside cert check is disabled.....dont have multiple client ssl profile one profile only... somehow when i do curl to vip request lands on correct host but then doesnt get redirected to correct resource and cert presented is wrong ... but when i do same curl to pool member which is fqdn then i see ssl completing when accessed via browser and correct cert is presented too

simon_blakely · Answer

I am struggling to understand the problem.

If curl -k to the vip works but the browser fails the TLS/SSL negotiation on the client-side after the ServerHello, then the issue is probably with the client-ssl profile and the Intermediate certificate chain between the certificate and the Root certificate.

Can you provide the output of

curl -vk https://<vip fqdn>/ --resolve <vip fqdn>:443:<vip IP address>

which shows the certificate and the intermediate certificates?

any · Answer

Thanks and sure i will provide detailsproblem is browser is relevant or depandant on client ssl profile which is working fine as correct cert is presented...curl is intiated from ltm itself to and to vip and fqdn pool member of vip...the url from browser is nlt working so when i did ran tcpdump and analyzed in wireshark reset was being sent by ltm to client because ssl handshake was failing after server hello done....only thing different was cert presented by server was different to the one we had in trust store of server ssl profile..server ssl profille had vendor c cert and cert presented was different

Forum Discussion

LTM VIP FQDN Node CURL issue

6 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Create a fqdn node in CLI

Creating FQDN Nodes via iControl REST

Regex issue

Dynamic FQDN Node DNS Resolution based on URI with Route Domains and Caching iRule

LTM : FQDN based node addition with Route Domain