HTTPS TO HTTPS rewrite error with Wilcard Cert

cbregeripr — Sat, 21 Jan 2012 00:51:45 GMT

I have a wildcard cert installed on my ACE and a HTTP redirect for any http traffic. The redirect works fine for all http traffic and HTTPS traffic. I am recieving an error when users try to connect to https://domain.com. If they connect to Https://www.domain.com, https://mail.domain.com, etc. it works fine. I only get errors when the www or any specific host name is left off and https request. I am receiving the error the domain does not mach the cert. The cert is configured for *.domian.com. Below is my config. Any Ideas?

rserver redirect HTTPS-REDIR

webhost-redirection https://%h%p 301

inservice

rserver redirect HTTPS-REDIR-domain

webhost-redirection https://www.domain.com 301

inservice

rserver host WEBSERVER-01

ip address 10.50.20.132

inservice

rserver host WEBSERVER-02

ip address 10.50.20.133

inservice

action-list type modify http ADD-HTTPS

ssl url rewrite location ".*"

serverfarm host ALGINE-SERVERFARM-80

probe PING

fail-on-all

rserver WEBSERVER-01 80

inservice

rserver WEBSERVER-02 80

inservice

serverfarm redirect HTTP-HTTPS-REDIR

description Redirection from Port 80 to 443

rserver HTTPS-REDIR-domain

inservice

ssl-proxy service domain-domain-COM

key *.domain.com-KEY-2011

cert *-domain-com.cer

chaingroup TEST-CHAIN

ssl advanced-options PARAM-RSA-SSL1

sticky http-cookie ALG-LB ALG-COOKIE-01

cookie insert

timeout 120

replicate sticky

serverfarm DOMAIN-SERVERFARM-80

class-map match-any CM-domain-COM-http

2 match virtual-address 11.11.11.11 tcp eq www

class-map match-any CM-domain-COM-https

2 match virtual-address 11.11.11.11 tcp eq https

class-map match-any CM-TEST-MAP

class-map type management match-any remote_access

2 match protocol xml-https any

3 match protocol icmp any

4 match protocol telnet any

5 match protocol ssh any

6 match protocol http any

7 match protocol https any

8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy

class remote_access

permit

policy-map type loadbalance first-match CM-domain-COM

class class-default

sticky-serverfarm ALG-COOKIE-01

policy-map type loadbalance first-match CM-domain-COM-http

class class-default

serverfarm HTTP-HTTPS-REDIR

policy-map multi-match INT-VLAN229-VIPS

class CM-domain-COM-http

loadbalance vip inservice

loadbalance policy CM-domain-COM-http

loadbalance vip icmp-reply active

appl-parameter http advanced-options HTTP-OPTIONS_1

connection advanced-options TCP-CONN-OPTIONS

class CM-domain-COM-https

loadbalance vip inservice

loadbalance policy CM-domain-COM

loadbalance vip icmp-reply active

appl-parameter http advanced-options HTTP-OPTIONS_1

ssl-proxy server domain-domain-COM

connection advanced-options TCP-CONN-OPTIONS

HTTPS TO HTTPS rewrite error with Wilcard Cert

Borys Berlog — Mon, 23 Jan 2012 09:19:12 GMT

Hi Chris

ACE can't cause such type of problems, as this check is a simple check done on browser side.

The problem seems to be that wilcard certificate for *.domain.net matchs e.g. these domains : a.domain.net, b.domain.net, c.domain.net but doesn't match domain.net

http://wiki.cacert.org/WildcardCertificates

topic HTTPS TO HTTPS rewrite error with Wilcard Cert in Application Networking

HTTPS TO HTTPS rewrite error with Wilcard Cert

HTTPS TO HTTPS rewrite error with Wilcard Cert