01-20-2012 04:51 PM
I have a wildcard cert installed on my ACE and an HTTP redirect for any http traffic. The redirect works fine for all http traffic and HTTPS traffic. I am receiving an error when users try to connect to https://domain.com. If they connect to https://www.domain.com, https://mail.domain.com, etc. it works fine. I only get errors when the www or any specific host name is left off of an https request. I am receiving the error that the domain does not match the cert. The cert is configured for *.domain.com. Below is my config. Any ideas?
rserver redirect HTTPS-REDIR
  webhost-redirection https://%h%p 301
  inservice
rserver redirect HTTPS-REDIR-domain
  webhost-redirection https://www.domain.com 301
  inservice
rserver host WEBSERVER-01
  ip address 10.50.20.132
  inservice
rserver host WEBSERVER-02
  ip address 10.50.20.133
  inservice
action-list type modify http ADD-HTTPS
  ssl url rewrite location ".*"
serverfarm host ALGINE-SERVERFARM-80
  probe PING
  fail-on-all
  rserver WEBSERVER-01 80
    inservice
  rserver WEBSERVER-02 80
    inservice
serverfarm redirect HTTP-HTTPS-REDIR
  description Redirection from Port 80 to 443
  rserver HTTPS-REDIR-domain
    inservice
ssl-proxy service domain-domain-COM
  key *.domain.com-KEY-2011
  cert *-domain-com.cer
  chaingroup TEST-CHAIN
  ssl advanced-options PARAM-RSA-SSL1
sticky http-cookie ALG-LB ALG-COOKIE-01
  cookie insert
  timeout 120
  replicate sticky
  serverfarm DOMAIN-SERVERFARM-80
class-map match-any CM-domain-COM-http
  2 match virtual-address 11.11.11.11 tcp eq www
class-map match-any CM-domain-COM-https
  2 match virtual-address 11.11.11.11 tcp eq https
class-map match-any CM-TEST-MAP
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match CM-domain-COM
  class class-default
    sticky-serverfarm ALG-COOKIE-01
policy-map type loadbalance first-match CM-domain-COM-http
  class class-default
    serverfarm HTTP-HTTPS-REDIR
policy-map multi-match INT-VLAN229-VIPS
  class CM-domain-COM-http
    loadbalance vip inservice
    loadbalance policy CM-domain-COM-http
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options HTTP-OPTIONS_1
    connection advanced-options TCP-CONN-OPTIONS
  class CM-domain-COM-https
    loadbalance vip inservice
    loadbalance policy CM-domain-COM
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options HTTP-OPTIONS_1
    ssl-proxy server domain-domain-COM
    connection advanced-options TCP-CONN-OPTIONS
01-23-2012 01:19 AM
Hi Chris
ACE can't cause this type of problem, as this check is a simple check done on the browser side.
The problem seems to be that a wildcard certificate for *.domain.net matches e.g. these domains: a.domain.net, b.domain.net, c.domain.net but doesn't match domain.net
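The browser-side name check the reply describes, as an added example that is not part of the original thread: a small matcher that applies the wildcard rules browsers use (the `*` must be the whole left-most label, it covers exactly one label, and it never covers the bare domain), plus a helper that checks a certificate's list of names against a host. The function names and the sample name list are constructed for the example.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (e.g. '*.domain.com') covers hostname,
    using the rules browsers apply: the wildcard must be the entire left-most
    label, it matches exactly one label, and it never matches the bare domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' is only accepted as the whole left-most label (no 'w*.domain.com',
    # no wildcard in any other label)
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse overly broad patterns such as '*.com'
    if len(p_labels) < 3:
        return False
    # The wildcard consumes exactly one label, so 'domain.com' (one label
    # short) and 'a.b.domain.com' (one label too many) both fail here
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(cert_names: list[str], hostname: str) -> bool:
    """True if any name on the certificate (CN or SAN entries) covers hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def coverage_report(cert_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate would pass the browser check."""
    return {h: cert_covers(cert_names, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample: the wildcard-only certificate from the question
    wildcard_only = ["*.domain.com"]
    hosts = ["www.domain.com", "mail.domain.com", "domain.com", "a.b.domain.com"]
    for host, ok in coverage_report(wildcard_only, hosts).items():
        print(f"{host:18} {'OK' if ok else 'NAME MISMATCH'}")
    # A certificate that also lists the bare domain covers https://domain.com
    print(cert_covers(["*.domain.com", "domain.com"], "domain.com"))
```

Running it shows the exact pattern from the question: every `<host>.domain.com` passes while the bare `domain.com` is reported as a name mismatch, and a certificate whose names also include `domain.com` passes for it.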