05-14-2010 01:55 PM
When load balancing to servers using HTTPS, the client often gets a warning page stating that it is an untrusted connection. In Firefox it is usually a statement such as “Certificate belongs to a different site, which could indicate an identity theft.” I’m assuming that this is due to the fact that the client is engaging the load balancer with a certain IP address or name and the certificate from the real server has a different name – usually the name of the server embedded in the certificate.
So my question is how to accommodate the different names on the servers. In the case of self-signed certificates should we just put the VIP name in all of the certs on all the servers? In the case of purchased certificates, can they be copied once the VIP name is entered?
The application people and server people that I work with don’t seem to have any expertise regarding the use of certs in a load balanced environment.
Keep in mind that this is all being done via SI450’s. There is no SSL manipulation that we can do. We’re just handling this at layer 4 using simple SSL health-checks.
Any help would be appreciated.
05-14-2010 03:23 PM
The normal is to place the certs on the 450's. IP address for cert is the VIP. Server name is the public FQDN of the site.
The 450's then connect to the client by SSL. The 450's connect to the web servers via HTTP. No client connects directly to the web server.
Using this setup you have offloaded the heavy lifting of SSL from the web servers - you should also make sure that the 450's are the only boxes that can connect to the web server for security.
Hope this helps you.
05-18-2010 02:18 PM
Thanks for the response. But again, this is on a non-SSL-terminating SI450. I am just doing simple HTTPS health-checks here. Also, due to PCI compliance, we have to maintain HTTPS back to the servers. Load balancing SSL is not the issue. The issue is that the certs (living on the servers) will have the server name and address, which doesn't match the client request for the VIP name and address. How do we work around this?
05-21-2010 12:26 AM
What is the CN within the certificates?
CN must be the DNS name for the VIP or the VIP IP if you do not use DNS.
Can you check this?
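To make the CN/SAN point concrete, here is an added example (not from this thread or from any load-balancer vendor) that applies browser-style hostname matching to certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns, and lists which backends behind a layer-4 VIP would still trigger the "different site" warning. The VIP name, server names and certificate contents are constructed sample data.

```python
"""Check whether each backend's certificate would be accepted by a client that
connects to the load-balancer VIP name (layer-4 passthrough, no SSL offload)."""


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single '*' as the left-most label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: dict, hostname: str) -> bool:
    """Mimic browser hostname checking: subjectAltName DNS entries win when
    present; only a cert with no DNS SANs falls back to the subject commonName."""
    san_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        return any(_dns_match(n, hostname) for n in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


def mismatched_backends(certs_by_server: dict, vip_name: str) -> list:
    """Return the backends whose cert does not cover the VIP name clients use."""
    return sorted(s for s, c in certs_by_server.items() if not cert_matches(c, vip_name))


# Constructed sample pool: web1/web2 carry per-server certs (the situation in the
# thread); web3 carries a cert issued for the VIP name with its own name as an
# extra SAN, which is the shape that satisfies both clients and health-checks.
VIP_NAME = "www.example.com"
SAMPLE_CERTS = {
    "web1": {"subject": ((("commonName", "web1.example.com"),),),
             "subjectAltName": (("DNS", "web1.example.com"),)},
    "web2": {"subject": ((("commonName", "web2.example.com"),),)},
    "web3": {"subject": ((("commonName", "www.example.com"),),),
             "subjectAltName": (("DNS", "www.example.com"), ("DNS", "web3.example.com"))},
}

if __name__ == "__main__":
    for server in mismatched_backends(SAMPLE_CERTS, VIP_NAME):
        print(f"{server}: certificate does not cover {VIP_NAME}")
```

Because the same certificate and private key can be installed on every backend, one cert whose SAN list covers the VIP name (plus each server name if you want named health-checks) removes the mismatch without terminating SSL on the balancer.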