ACE–why certificate names matter!!

I learned a lesson last night helping a co-worker with an ACE problem. The lesson was the importance of certificate names on ACE load balancers–specifically in an active/passive configuration.

Lets say you define your proxy service like this:

ssl-proxy service MyProxy
  key MyKey-2048
  cert My_Fun_cert.crt
  chaingroup MyChain
  ssl advanced-options MyCipher

In this configuration the certificate is called My_Fun_cert.crt. This exists on the ACE where it was defined and everything is happy. However, it may not on the passive ACE (our passive ACE the cert was a different name). This is easier to overlook when upgrading certs. If you upgrade and forget to upgrade the passive as well, big trouble is on the way…

In the scenario that I witnessed; the active ACE had its certificate upgraded, the passive did also, but it was named differently.

The primary ACE that was running happily for months decided to crash, causing a failover to the passive node. When this happened the certificate defined in the shared configuration did not exist in the passive ACE. Uh oh!! If you opened a browser connection to the VIP, specifically Firefox, you got the following error:

ssl_error_rx_record_too_long

Kind of cryptic, but it told me there was a problem with SSL proxying.

We realized that the certificate was in-fact updated, but it did not match what was on the primary ACE (sh crypto files, show crypto certificates file). Once that was straightened out:

crypto export WrongNameCert.crt
--Copy to notepad and paste to:
crypto import RightNameCert.crt
crypto delete WrongNameCert.crt

When the passive became the primary and things were not working, we moved again to the primary. Still no luck… After some time of analyzing the config, we realized that the proxy service definition was removed from all policy-maps!

So when the passive became the active without the right certificate names, the running-configuration was changed by the ACE.

The end-solution was to

  1. Fix the problem with the certificate names
  2. Add the correct certificate name to the proxy-service
  3. Re-add the proxy-service definitions to the policy-maps that need SSL encryption.
Advertisements
ACE–why certificate names matter!!