After upgrade to 6.4.5 or later , LB doesn't give an option to not select Service certificates under Server SSL

Article ID: 317519


Products

VMware NSX Networking

Issue/Introduction

If End to End SSL is configured with no service certificate selected under Server SSL (6.4.5 or later) or Pool-side SSL (6.4.4 or earlier), and the certificate expires on the LB while it is running 6.4.5 or later, then when the replacement certificate is applied in the application profile the Save button stays grayed out until a Server SSL service certificate is selected.

Symptoms:
  • End to End SSL stopped working after the expired certificates on the LB were replaced.
  • The pool monitor status shows Down with an SSL handshake failure.
  • Packet captures show the backend responding with unknown CA / unsupported CA.
  • Switching to SSL passthrough brings the pool up.


Cause

For End to End SSL, the service certificate needs to be selected on both the client side (Client SSL in 6.4.5 or later, Virtual Server Certificate in 6.4.4 or earlier) and the server side (Server SSL in 6.4.5 or later, Pool Certificates in 6.4.4 or earlier).

The UI changed in 6.4.5 and no longer allows leaving Server SSL >> Service Certificates unselected.

Resolution

There are two ways to fix the issue:

1. Ensure that the backend trusts the CA of the LB certificate so the SSL handshake succeeds.
2. Remove the certificate selected for Server SSL using the API.


Steps for option 2:

GET /api/4.0/edges/edge-4/loadbalancer/config/applicationprofiles/applicationProfile-21

<applicationProfile>
    <applicationProfileId>applicationProfile-21</applicationProfileId>
    <name>WebApp-Profile</name>
    <insertXForwardedFor>false</insertXForwardedFor>
    <sslPassthrough>false</sslPassthrough>
    <template>HTTPS</template>
    <serverSslEnabled>true</serverSslEnabled>
    <clientSsl>
      <ciphers>DEFAULT</ciphers>
      <clientAuth>ignore</clientAuth>
      <serviceCertificate>certificate-39</serviceCertificate>
    </clientSsl>
    <serverSsl>
      <ciphers>DEFAULT</ciphers>
      <serviceCertificate>certificate-39</serviceCertificate>
      <serverAuth>false</serverAuth>
    </serverSsl>
</applicationProfile>


Remove the line <serviceCertificate>certificate-39</serviceCertificate> from the <serverSsl> block (leave the <clientSsl> certificate in place) and perform a PUT with the modified profile:

PUT /api/4.0/edges/edge-4/loadbalancer/config/applicationprofiles/applicationProfile-21

<applicationProfile>
    <applicationProfileId>applicationProfile-21</applicationProfileId>
    <name>WebApp-Profile</name>
    <insertXForwardedFor>false</insertXForwardedFor>
    <sslPassthrough>false</sslPassthrough>
    <template>HTTPS</template>
    <serverSslEnabled>true</serverSslEnabled>
    <clientSsl>
      <ciphers>DEFAULT</ciphers>
      <clientAuth>ignore</clientAuth>
      <serviceCertificate>certificate-39</serviceCertificate>
    </clientSsl>
    <serverSsl>
      <ciphers>DEFAULT</ciphers>
      <serverAuth>false</serverAuth>
    </serverSsl>
</applicationProfile>
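The GET / edit / PUT procedure above can be scripted so that only the serverSsl service certificate is removed and everything else in the profile (the clientSsl certificate, serverSslEnabled, ciphers, serverAuth) is carried over unchanged. The following is an added example, not VMware's code: it works on a constructed copy of the profile shown in this article, reports which certificate ids are selected under serverSsl before and after the edit, and builds the PUT request for edge-4 / applicationProfile-21. The NSX Manager hostname and the HTTP Basic Authorization header are placeholders the caller supplies; the request is built but not sent.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample payload modelled on the GET response in the article
# (closing tags included so it parses as a complete document).
SAMPLE_PROFILE_XML = """<applicationProfile>
    <applicationProfileId>applicationProfile-21</applicationProfileId>
    <name>WebApp-Profile</name>
    <insertXForwardedFor>false</insertXForwardedFor>
    <sslPassthrough>false</sslPassthrough>
    <template>HTTPS</template>
    <serverSslEnabled>true</serverSslEnabled>
    <clientSsl>
      <ciphers>DEFAULT</ciphers>
      <clientAuth>ignore</clientAuth>
      <serviceCertificate>certificate-39</serviceCertificate>
    </clientSsl>
    <serverSsl>
      <ciphers>DEFAULT</ciphers>
      <serviceCertificate>certificate-39</serviceCertificate>
      <serverAuth>false</serverAuth>
    </serverSsl>
</applicationProfile>
"""


def profile_path(edge_id: str, profile_id: str) -> str:
    """Path of the application-profile endpoint used by the GET and PUT in the article."""
    return f"/api/4.0/edges/{edge_id}/loadbalancer/config/applicationprofiles/{profile_id}"


def server_ssl_service_certificates(profile_xml: str) -> list[str]:
    """Certificate ids currently selected under serverSsl (empty list if none)."""
    root = ET.fromstring(profile_xml)
    return [el.text or "" for el in root.findall("serverSsl/serviceCertificate")]


def strip_server_ssl_service_certificate(profile_xml: str) -> tuple[str, bool]:
    """Remove serverSsl/serviceCertificate from an applicationProfile document.

    Returns the re-serialised document and whether anything was removed.
    Only the serverSsl certificate is touched; the clientSsl certificate,
    serverSslEnabled, ciphers and serverAuth are passed through as-is.
    """
    root = ET.fromstring(profile_xml)
    if root.tag != "applicationProfile":
        raise ValueError(f"expected <applicationProfile>, got <{root.tag}>")
    server_ssl = root.find("serverSsl")
    removed = False
    if server_ssl is not None:
        for cert in server_ssl.findall("serviceCertificate"):
            server_ssl.remove(cert)
            removed = True
    return ET.tostring(root, encoding="unicode"), removed


def build_put_request(manager: str, edge_id: str, profile_id: str,
                      body_xml: str, authorization: str) -> urllib.request.Request:
    """Build (but do not send) the PUT for the edited profile.

    Assumption: NSX Manager is reached over HTTPS and accepts an HTTP Basic
    Authorization header; the caller supplies that header value.
    """
    url = f"https://{manager}{profile_path(edge_id, profile_id)}"
    req = urllib.request.Request(url, data=body_xml.encode("utf-8"), method="PUT")
    req.add_header("Content-Type", "application/xml")
    req.add_header("Authorization", authorization)
    return req


if __name__ == "__main__":
    print("before:", server_ssl_service_certificates(SAMPLE_PROFILE_XML))
    new_xml, changed = strip_server_ssl_service_certificate(SAMPLE_PROFILE_XML)
    print("removed:", changed)
    print("after:", server_ssl_service_certificates(new_xml))
    # Placeholder manager name and credential; replace before use.
    req = build_put_request("nsx-manager.example.invalid", "edge-4",
                            "applicationProfile-21", new_xml,
                            "Basic <base64 of admin:password placeholder>")
    print(req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would send it; intentionally not executed here.
```

In practice, fetch the live profile with the GET first rather than reusing the sample, so that any other settings the UI has written into the profile are preserved on the PUT; the script never adds elements, so a profile that already has no serverSsl certificate is returned unchanged with `removed == False`.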