I am having issues with the reverse proxy functionality.
Model: SRX5400 Junos: 18.3R2.7
The SSL certificate was requested via a CSR generated on the DigiCert tool; this was exported, with the key, and imported onto the SRX. This certificate imported fine:
We have a load balancer on the back end, but regardless of whether the NAT is to the LB VIP (pass through) or to one of the back end servers directly (servers have a local domain certificate installed) we get the same issues.
Initially we received the error "certificate error: authority and issuer serial number mismatch":
But after removing the certificate / re-adding, removing config etc., the only error we seem to be getting is "non ssl session ignored":
And then we are served the internal domain certificate in the browser from the server directly when testing externally.
The configuration is:
As above, the certificate looks fine and the key checks out; parity of the SSL cert/key/CSR is proven in OpenSSL and by other methods.
And as I understand it, this should be working in this manner:
"Terminates client SSL on the SRX Series device and initiates a new SSL connection with a server. Decrypts SSL traffic from the client/server and encrypts again (after inspection) before sending to the server/client."
I have done the following in order to try and make this work:
- Added the internal CA root certificate to a ca-profile.
- Tried configuring an SSL initiation profile using the internal CA profile, in case the issue is the SRX not trusting the certificate on the back end servers.
- Tried adding the DigiCert Root CA as a separate profile to the existing one (Jweb_40).
- Removed and re-added the certificate and key (local-certificate certificate id), proxy profile and all config, re-adding numerous times.
It just seems the proxy profile is completely ignored and the traffic is just NAT'd to the back end, and the back end serves the internal certificate, which is not ideal.
Any help on this matter would be much appreciated. Am I missing something fundamental here? Am I missing a pre-requisite that isn't documented anywhere? Are there firewall functions that we may be using that cannot work in conjunction with SSL reverse proxy, and if so what are they?
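Added example, not part of the original post: the two OpenSSL checks worth scripting before blaming the ssl-proxy configuration. `check_parity` confirms the certificate, private key and CSR all carry the same public key (the "parity" the poster mentions), and `check_chain` confirms the certificate chains to the CA loaded into the ca-profile, which is the relationship behind an "authority and issuer serial number mismatch". File names and the self-signed material are assumptions constructed locally.

```shell
#!/bin/sh
# Added example: cert/key/CSR parity and chain checks with the OpenSSL CLI.
# Nothing here is the SRX configuration; all material is constructed locally.

pubkey_digest() {            # SHA-256 of the PEM SubjectPublicKeyInfo on stdin
    openssl dgst -sha256 | awk '{print $NF}'
}

# Usage: check_parity cert.pem key.pem request.csr  -> prints match|mismatch
check_parity() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | pubkey_digest)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | pubkey_digest)
    r=$(openssl req  -in "$3" -noout -pubkey 2>/dev/null | pubkey_digest)
    if [ -n "$c" ] && [ "$c" = "$k" ] && [ "$k" = "$r" ]; then
        echo match
    else
        echo mismatch; return 1
    fi
}

# Usage: check_chain ca.pem cert.pem -> prints trusted|untrusted
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted; return 1
    fi
}

# Constructed test material: a key, the CSR generated from it, a self-signed
# cert issued from that CSR, plus an unrelated key with its own self-signed cert.
make_constructed_material() {
    d="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/key.pem" 2>/dev/null
    openssl req -new -key "$d/key.pem" -subj "/CN=constructed.example" -out "$d/req.csr" 2>/dev/null
    openssl x509 -req -in "$d/req.csr" -signkey "$d/key.pem" -days 1 -out "$d/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.pem" 2>/dev/null
    openssl req -x509 -new -key "$d/other.pem" -subj "/CN=other.example" -days 1 -out "$d/other-cert.pem" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_constructed_material "$d"
    check_parity "$d/cert.pem" "$d/key.pem"   "$d/req.csr"    # match
    check_parity "$d/cert.pem" "$d/other.pem" "$d/req.csr"    # mismatch
    check_chain  "$d/cert.pem"       "$d/cert.pem"            # trusted (self-signed root)
    check_chain  "$d/other-cert.pem" "$d/cert.pem"            # untrusted
    rm -rf "$d"
fi
```

Run it with `--demo` to see all four outcomes; in practice point `check_chain` at the CA bundle the ca-profile was loaded from, since a passing parity check with a failing chain check points at the CA profile rather than the local certificate.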
We need to first make sure the session that's established in the firewall is identified as an SSL session, for which the application-identification service has to be up and running. If possible please provide the output of the following:
show services application-identification status
show services application-identification application-system-cache (match with the source-ip address from where the connection is initiated and make sure it is identified as SSL session)