HTTPS TO HTTPS rewrite error with Wildcard Cert

cbregeripr
Level 1

I have a wildcard cert installed on my ACE and an HTTP redirect for any http traffic. The redirect works fine for all http traffic and HTTPS traffic. I am receiving an error when users try to connect to https://domain.com. If they connect to https://www.domain.com, https://mail.domain.com, etc. it works fine. I only get errors when the www or any specific host name is left off of an https request. I am receiving the error that the domain does not match the cert. The cert is configured for *.domain.com. Below is my config. Any ideas?

rserver redirect HTTPS-REDIR
  webhost-redirection https://%h%p 301
  inservice
rserver redirect HTTPS-REDIR-domain
  webhost-redirection https://www.domain.com 301
  inservice
rserver host WEBSERVER-01
  ip address 10.50.20.132
  inservice
rserver host WEBSERVER-02
  ip address 10.50.20.133
  inservice

action-list type modify http ADD-HTTPS
  ssl url rewrite location ".*"

serverfarm host ALGINE-SERVERFARM-80
  probe PING
  fail-on-all
  rserver WEBSERVER-01 80
    inservice
  rserver WEBSERVER-02 80
    inservice
serverfarm redirect HTTP-HTTPS-REDIR
  description Redirection from Port 80 to 443
  rserver HTTPS-REDIR-domain
    inservice

ssl-proxy service domain-domain-COM
  key *.domain.com-KEY-2011
  cert *-domain-com.cer
  chaingroup TEST-CHAIN
  ssl advanced-options PARAM-RSA-SSL1

sticky http-cookie ALG-LB ALG-COOKIE-01
  cookie insert
  timeout 120
  replicate sticky
  serverfarm DOMAIN-SERVERFARM-80

class-map match-any CM-domain-COM-http
  2 match virtual-address 11.11.11.11 tcp eq www
class-map match-any CM-domain-COM-https
  2 match virtual-address 11.11.11.11 tcp eq https
class-map match-any CM-TEST-MAP
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match CM-domain-COM
  class class-default
    sticky-serverfarm ALG-COOKIE-01
policy-map type loadbalance first-match CM-domain-COM-http
  class class-default
    serverfarm HTTP-HTTPS-REDIR

policy-map multi-match INT-VLAN229-VIPS
  class CM-domain-COM-http
    loadbalance vip inservice
    loadbalance policy CM-domain-COM-http
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options HTTP-OPTIONS_1
    connection advanced-options TCP-CONN-OPTIONS
  class CM-domain-COM-https
    loadbalance vip inservice
    loadbalance policy CM-domain-COM
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options HTTP-OPTIONS_1
    ssl-proxy server domain-domain-COM
    connection advanced-options TCP-CONN-OPTIONS

1 Reply

Borys Berlog
Cisco Employee

Hi Chris

ACE can't cause this type of problem, as this check is a simple check done on the browser side.

The problem seems to be that a wildcard certificate for *.domain.net matches e.g. these domains: a.domain.net, b.domain.net, c.domain.net but doesn't match domain.net.

http://wiki.cacert.org/WildcardCertificates
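The matching rule the reply points at, as an added example that is not part of the original thread or of ACE: a Python implementation of the wildcard rule from RFC 6125 section 6.4.3 that browsers apply, run against a wildcard-only name set and one that also lists the apex. The hostnames and both name sets are constructed placeholders, as in the thread.

```python
"""Browser-style hostname matching against certificate names.

Added example (not from the original thread or from Cisco ACE). Shows why
a certificate for only *.domain.com is rejected for https://domain.com
yet accepted for https://www.domain.com.
"""

# Constructed sample name sets (subject / SAN entries) of two certificates.
WILDCARD_ONLY = ["*.domain.com"]
WILDCARD_PLUS_APEX = ["*.domain.com", "domain.com"]


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def name_matches(presented: str, hostname: str) -> bool:
    """True if one certificate name covers the hostname (RFC 6125 rules).

    * a wildcard is honoured only as the complete left-most label
      ("*.domain.com", not "w*.domain.com" or "www.*.com");
    * the wildcard stands for exactly one label, so it covers neither
      the apex "domain.com" nor the deeper "a.b.domain.com";
    * a two-label wildcard such as "*.com" is rejected as too broad.
    """
    p, h = _labels(presented), _labels(hostname)
    if "*" not in presented:
        return p == h                       # plain name: exact match only
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False                        # wildcard must be the whole left-most label
    if len(p) < 3:
        return False                        # "*.com" is not acceptable
    if len(h) != len(p):
        return False                        # apex has one label too few, a.b.* one too many
    return p[1:] == h[1:]


def cert_covers(names: list[str], hostname: str) -> bool:
    """Does any name in the certificate cover the requested hostname?"""
    return any(name_matches(n, hostname) for n in names)


if __name__ == "__main__":
    for host in ("domain.com", "www.domain.com", "mail.domain.com", "a.b.domain.com"):
        print(f"{host:16} wildcard-only={cert_covers(WILDCARD_ONLY, host)!s:5} "
              f"with-apex={cert_covers(WILDCARD_PLUS_APEX, host)}")
```

The certificate check happens during the TLS handshake, before the client ever sees an HTTP 301, so a redirect on the load balancer cannot repair the mismatch; the fix is a certificate whose names include the apex alongside the wildcard (the second name set above), or only ever publishing links to a covered hostname.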
