Skip to main content
techevo
techevo
New Member
April 15, 2015
Solved

virtual server ssl offload after upgrade to 5.2.3

  • April 15, 2015
  • 4 replies
  • 5972 views

I have a virtual server setup from a public ip to an internal server ( owa ) with ssloffload.  The server has the necessary fortigate certificate and the fortigate is presenting the original server certificate to the clients coming from the web.  It used to work well in 5.0.9 but since I upgraded to 5.2.3 it's no longer working.  Web browser give bad certificate error.   I cannot open the page at all.  Where there any change in the way ssl or certificate are processed in 5.2.x that need to be manually adjusted ?

 

The certificate is not expired.

 

Any idea what could have happened?

 

Thanks

    Best answer by Christopher_McMullan

    If you replace the previous certificate configuration with an SSL/SSH inspection profile set to 'protect server' instead of perform deep inspection, you could likely add the proper certificate back in successfully.

    4 replies

    Christopher_McMullan
    Staff
    Christopher_McMullanAnswer
    Staff
    April 15, 2015

    If you replace the previous certificate configuration with an SSL/SSH inspection profile set to 'protect server' instead of perform deep inspection, you could likely add the proper certificate back in successfully.

    techevo
    techevoAuthor
    New Member
    April 15, 2015

    Thanks it does work!

     

    Still not quite sure why the virtual server that was working in 5.0.x is not in 5.2.3 ?  Your solution is more simple as long as we still have only one OWA server!

     

    Thanks.

    Christopher_McMullan
    Staff
    Christopher_McMullan
    Staff
    April 16, 2015

    Well, you can define different SSL/SSH inspection profiles, one per policy, in order to serve different certificates.

     

    I'm not sure how the 5.0 configuration would have been modified when upgrading between there and 5.2, in terms of what was stripped out. It may be that the VIP was retained, but the certificate was not moved to its own inspection profile automatically.

    Christopher_McMullan
    Staff
    Christopher_McMullan
    Staff
    April 24, 2015

    I may have been fed the wrong information earlier. It seemed that 'protect server' profiles replaced SSL offloading, but that may not be the case.

     

    Could you check the defined certificate you had entered in 5.0 now that you're running 5.2, and see if it's the value you expected?

     

    config firewall vip

    edit <vip_name>

    get | grep ssl-certificate

    end

    Terms & ConditionsAccessibility statement