
Configure Apache and F5 load balancer.

From the Apache layer we generate a CSR and get the trusted cert as:

1) .cer

2) .p7b

Then I convert the .cer and .p7b files to .crt files and configure them in our Apache as key file, certificate and chain.

We are facing an issue while configuring SSL between F5 and Apache. Our flow is:

Client (SSL) -> F5 (SSL dropped) -> (recreate SSL to the Apache layer) -> Apache web server.

1) create a CSR from the Apache web layer, get it signed as trusted by the company (not external)

2) configure it in ssl.conf together with the cipher suite

Now, when I initiate a request using openssl, it throws:

depth = 1 
DC = net 
DC = racb 
CN = XXXXXX 

CA 1 verify error:num=20:unable to get local issuer certificate read from 0x1b9c8d0 [0x1ca04f3] (5 bytes => 5 (0x5))

In order to verify it, I modified the /etc/hosts entry to map xxx.xxx.xxx.net to 127.0.0.1, moved the chain certificate to /etc/pki/ca-trust/source/anchor, ran update-ca-trust extract and ran openssl again, which returned error code=0 and waited in the SSL session.

What mistake we are making in F5, I have no idea.

Can someone throw some light on this?

Andy Jazz
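The procedure in the question (key and CSR on Apache, a .cer for the server plus a .p7b for the chain from the company PKI, conversion to PEM, then an openssl test that ends in "verify error:num=20:unable to get local issuer certificate") can be rebuilt offline and checked piece by piece. The script below is an added example and is not part of the original post or of anything the poster ran: it creates a throwaway root CA and issuing CA that stand in for the company PKI, signs a server certificate, packages the chain as .p7b and converts it, then runs the three checks a practitioner wants before touching F5: does the key match the certificate, how many certificates did the .p7b conversion actually produce, and does verification succeed only once the intermediate is supplied. All names (racb.net, "Issuing CA 1", web.racb.net) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the poster's setup): rebuild a CA -> issuing CA -> server
# chain with throwaway keys, reproduce verify error 20 and show the checks that
# tell which piece is missing. All names below are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the two CA certificates and for the server certificate.
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:false\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:web.racb.net\n' > srv.ext

# Stand-in for the company PKI: a self-signed root and an issuing CA under it.
openssl req -newkey rsa:2048 -nodes -subj "/DC=net/DC=racb/CN=Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/DC=net/DC=racb/CN=Issuing CA 1" \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 -days 30 \
    -extfile ca.ext -out inter.pem 2>/dev/null

# The Apache side: key and CSR, signed by the issuing CA; this is the ".cer".
openssl req -newkey rsa:2048 -nodes -subj "/DC=net/DC=racb/CN=web.racb.net" \
    -keyout apache.key -out apache.csr 2>/dev/null
openssl x509 -req -in apache.csr -CA inter.pem -CAkey inter.key -set_serial 3 -days 30 \
    -extfile srv.ext -out apache.cer 2>/dev/null

# The chain the way a PKI usually hands it out (.p7b), converted to PEM for Apache/F5.
openssl crl2pkcs7 -nocrl -certfile inter.pem -certfile root.pem -out chain.p7b
openssl pkcs7 -in chain.p7b -print_certs -out chain.crt

# Check 1: does the private key belong to the certificate? Comparing public keys
# works for RSA and EC alike (the old "-modulus" comparison is RSA only).
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: verify the leaf against the trust anchor. Prints 0 on success,
# otherwise the X509 verify error number (20 = unable to get local issuer).
verify_error() {  # usage: verify_error LEAF ROOT [INTERMEDIATE-OR-CHAIN]
    if [ -n "$3" ]; then
        out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) && { echo 0; return 0; }
    else
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) && { echo 0; return 0; }
    fi
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
}

# Check 3: how many certificates the converted chain file carries (expect 2 here).
chain_length() { grep -c 'BEGIN CERTIFICATE' "$1"; }

if key_matches_cert apache.key apache.cer; then echo "key/cert: match"; else echo "key/cert: MISMATCH"; fi
echo "chain.crt holds $(chain_length chain.crt) certificate(s)"
echo "leaf only, root trusted:       verify error $(verify_error apache.cer root.pem)"
echo "leaf + converted chain.crt:    verify error $(verify_error apache.cer root.pem chain.crt)"
echo "work dir: $WORK"
```

The first verify call reproduces the error in the question: the leaf is fine and the root is trusted, but nobody supplied the intermediate, so the verifier cannot build the path. The same error from openssl s_client means either that side of the connection (Apache directly, or the F5 virtual server) is sending the leaf without its intermediate, or that the client was not given the chain; running openssl s_client -connect HOST:443 -servername HOST -CAfile chain.crt -showcerts against both the Apache port and the F5 VIP shows exactly which certificates each one presents, and the one that omits the intermediate is the one to fix.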

1 Answer


If you're setting up a bridging config, you need both an SSL Client Profile (typically you use your Apache key/cert/chain) and an SSL Server Profile, and both are selected in the Virtual Server configuration.

For the Client Profile you first need to import the private key and the certificate(s), and of course you have to check on the Certificates screen that the private key matches the certificate.

Usually, for the Server Profile, if we know that we can trust the backend server, instead of setting up something with certificates of your own, we just choose the unsecure-compatible profile and it works in almost all cases.

If there is no need to set up SNI, that's enough to make it work.

Eugène Adell