Jump to content
Welcome to our new Citrix community!

Has someone done a SSL Forward proxy transparent setup, with complicated rules for entreprise users, where netscaler is inline? (its default route for my client)


Go to solution Solved by Morten Kallesøe,

Recommended Posts

After enabling alot of logs in various places, i have something which is not undocumented error codes. (2570752 and 2523392)

Jan 4 15:06:57 <local0.info> 192.168.30.9 01/04/2024:15:06:57 GMT 0-PPE-0 : default SSLI DROPPED_LOG 8884 0 : Source 172.16.1.149:49869 - Destination 95.100.155.17:443 User: - Domain: www.dr.dk - Category: 0 Action: Connection dropped - Reason: Origin server certificate verification failed - server certificate has expired

But when looking in trace with wireshark, the cert thats been sent, is valid.

Link to comment
Share on other sites

Hi Hemang, thanks for the test.

Is it possible to add more debugging on to the logs?

i mean, it would be great with a print out of the origin server certificate that was used for the validation, and also, why is that certificate deemed "expired" (when in wireshark it looks vaild, and time is correct on NetScaler)

There could easily be a proxy on the other end, that handles my request differently for some reason.

Link to comment
Share on other sites

There is no role of certificate on NetScaler in Transparent proxy mode. You can even run it without binding any certificate.

Also forward proxy on NS leverages existing LB/SSL infra.

There is a possibility that it is issue on client. Is behaviour tested with multiple clients?

Link to comment
Share on other sites

  • 3 weeks later...
  • 4 weeks later...
  • Solution

Just for anyone else out there, this was a problem related to the CA bundle that NetScaler ships with. They have not updated the LetsEncrypt CA Certificates.

So, the error message is in understandable terms "your CA has expired, and the certificate sent by the server is sing this CA, therefor its rejected" and what it should say is "please update your CA certs"

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...