Morten Kallesøe Posted January 4
I am just playing around with this in my lab, and there seem to be some caveats that you need to know of. For example, the website www.dr.dk is not allowing me to run through a proxy, but www.tv2.dk is just fine. I get a weird reset for dr.dk.
Morten Kallesøe (Author) Posted January 4
Maybe someone with a lot of knowledge knows if the following is supported in forward proxy.
Morten Kallesøe (Author) Posted January 4
After enabling a lot of logs in various places, I have something which is not undocumented error codes (2570752 and 2523392):

Jan 4 15:06:57 <local0.info> 192.168.30.9 01/04/2024:15:06:57 GMT 0-PPE-0 : default SSLI DROPPED_LOG 8884 0 : Source 172.16.1.149:49869 - Destination 95.100.155.17:443 User: - Domain: www.dr.dk - Category: 0 Action: Connection dropped - Reason: Origin server certificate verification failed - server certificate has expired

But when looking at the trace in Wireshark, the cert that's been sent is valid.
Hemang Raval Posted January 8
Hello Morten,
I just validated it in my lab and both websites are working fine via transparent proxy. Please raise an issue with support to troubleshoot further.
Thanks and regards,
Hemang
Morten Kallesøe (Author) Posted January 8
Hi Hemang, thanks for the test.
Is it possible to add more debugging to the logs? I mean, it would be great with a printout of the origin server certificate that was used for the validation, and also why that certificate is deemed "expired" (when in Wireshark it looks valid, and the time is correct on NetScaler). There could easily be a proxy on the other end that handles my request differently for some reason.
Hemang Raval Posted January 8
There is no role for a certificate on NetScaler in transparent proxy mode. You can even run it without binding any certificate. Also, forward proxy on NS leverages the existing LB/SSL infra. There is a possibility that it is an issue on the client. Is the behaviour tested with multiple clients?
Morten Kallesøe (Author) Posted January 8
When I connect directly to www.dr.dk from the client there is no problem, and it's only with that specific website; others work just fine via the proxy. I don't have a certificate bound to the forward proxy. I have a support session later today.
Morten Kallesøe (Author) Posted January 8
Could the failure of the Root CA also trigger this alert?
Morten Kallesøe (Author) Posted January 29
Hi Hemang, I am just testing with 1 client at the moment, but it's still a problem. I also saw a similar error in a production setup, and I suspect the integrated RootCA list is not quite up-to-date with the Let's Encrypt CAs. Can you confirm this?
Solution: Morten Kallesøe (Author) Posted February 27
Just for anyone else out there, this was a problem related to the CA bundle that NetScaler ships with. They have not updated the Let's Encrypt CA certificates. So, in understandable terms, the error message is "your CA has expired, and the certificate sent by the server is using this CA, therefore it's rejected", and what it should say is "please update your CA certs".
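The failure mode the solution describes, as an added example in Go (not code from the thread, and not NetScaler's own logic): a constructed test PKI in which the origin's leaf is valid today but chains to a root that expired 30 days ago. A standards-following verifier, like the proxy here, then reports the chain as "expired" even though the leaf in the capture is fine; ExpiredCAs is the audit to run on the appliance's own trust bundle before blaming the origin. The host name www.example.test, the CA names and all dates are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// cert issues a constructed test certificate (not a real PKI); parent == nil yields a self-signed root CA.
func cert(cn string, ca bool, nb, na time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: nb, NotAfter: na, IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // self-signed: the template signs itself
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// PEM renders one certificate the way it appears in a trust-bundle file; concatenate for several.
func PEM(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
// ExpiredCAs audits a PEM bundle and returns the CA subjects that are no longer valid at now.
func ExpiredCAs(bundle []byte, now time.Time) (out []string) {
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(b.Bytes); err == nil && c.IsCA && now.After(c.NotAfter) {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}
// VerifyOrigin is the check a forward proxy makes on the origin's certificate: chain it to the proxy's own bundle.
func VerifyOrigin(leaf *x509.Certificate, bundle []byte, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundle)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}
// Scenario reproduces the thread: a leaf valid at now, issued under a root that expired 30 days earlier,
// checked against a bundle that still carries only that stale root. Returns the audit result and the error.
func Scenario(now time.Time) ([]string, error) {
	oldRoot, oldKey := cert("Stale Root CA", true, now.Add(-3650*24*time.Hour), now.Add(-30*24*time.Hour), nil, nil)
	leaf, _ := cert("www.example.test", false, now.Add(-60*24*time.Hour), now.Add(30*24*time.Hour), oldRoot, oldKey)
	return ExpiredCAs(PEM(oldRoot), now), VerifyOrigin(leaf, PEM(oldRoot), "www.example.test", now)
}
```

Once the bundle also carries the renewed root that the origin's current leaf chains to, VerifyOrigin returns nil for the same host, which is the "update your CA certs" fix in code.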