I am trying to set up an SSL reverse proxy using a wildcard certificate (issued by GoDaddy) which was previously loaded using:
request security pki local-certificate load certificate-id FIREWALL key certificate.key filename certificate.pem
SSL Proxy configuration:
enable-flow-tracing;
protocol-version all;
preferred-ciphers strong;
server-certificate FIREWALL;
actions {
    log {
        all;
        errors;
    }
    renegotiation allow;
}
which is applied to a policy:
from-zone untrust to-zone trust {
    policy LDAP {
        match {
            source-address LDAP-SOURCE;
            destination-address [ DC01 DC02 ];
            application [ LDAP-636 junos-ldap LDAP-3269 ];
        }
        then {
            permit {
                application-services {
                    ssl-proxy {
                        profile-name PUBLIC-SSL-PROXY;
                    }
                }
            }
            log {
                session-init;
                session-close;
            }
        }
    }
}
Basically I am trying to proxy incoming LDAPS requests (terminating them on the firewall) and hit the local LDAP server.
The issue that I am running into is that the wildcard certificate is never presented:
openssl s_client -connect ldap.domain.com:3269
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 99 bytes and written 679 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Traceoptions from the SSL service:
Sep 27 13:58:31 13:58:31.167154:CID-0:RT:junos-ssl-term jssl_config_tbl_init_ssl_ctx[1694]: Setting up proxy mode for the profile PUBLIC-SSL-PROXY_65537_proxy_t
Sep 27 13:58:37 13:58:37.083571:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 10966]: Handshake started.SSL state 0x2e, flags 0x20c0400010a4444, reneg count 0
Sep 27 13:58:37 13:58:37.083571:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 11005]: Out of handshake. Return -1, error code 1, state 0x2e, flags 0x20c0400010a4544, log cat
Sep 27 13:58:37 13:58:37.162308:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 11005]: Out of handshake. Return -50, error code 11, state 0x33, flags 0x20c0400010a4544, log ca
Sep 27 13:58:37 13:58:37.211725:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_serv_pkey_table_lookup: 463]: failed to retrive server cert info ~
Sep 27 13:58:37 13:58:37.211725:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_get_server_priv_key: 504]: failed to retrive server cert info from hash table
Sep 27 13:58:37 13:58:37.211725:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_proxy_recv_srvr_auth_info_evt: 5913]: Could not find server private key
Sep 27 13:58:37 13:58:37.212199:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 11005]: Out of handshake. Return -51, error code 12, state 0x33, flags 0x1c0400011a4544, log cat
Sep 27 13:58:37 13:58:37.212199:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 11195]: Handshake aborted. result=12
Sep 27 13:58:37 13:58:37.212199:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
Sep 27 13:58:37 13:58:37.212199:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_shutdown: 12117]: Calling SSL_shutdown for sessionid 32, dir 25989
Sep 27 13:58:37 13:58:37.281600:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
Sep 27 13:58:37 13:58:37.281600:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12193]: In jssl_black_hole, ctrl buf session 32
Sep 27 13:58:37 13:58:37.281600:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
Sep 27 13:58:37 13:58:37.285616:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
Sep 27 13:58:37 13:58:37.285616:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12193]: In jssl_black_hole, ctrl buf session 32
Sep 27 13:58:37 13:58:37.285689:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
Sep 27 13:58:40 13:58:40.815557:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_handle_session_destroy: 13332]: Session destroy: SSL state 0x74999738, ref count 1 sessionid 32
The certificate is clearly loaded in the system:
show security pki local-certificate certificate-id FIREWALL
LSYS: root-logical-system
Certificate identifier: FIREWALL
Issued to: *.domain.com, Issued by: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Validity:
Not before: 04-24-2023 20:23 UTC
Not after: 05-25-2024 20:23 UTC
Public key algorithm: rsaEncryption(2048 bits)
Keypair Location: Keypair generated locally
GoDaddy's CA and CRL are also loaded:
show security pki ca-certificate ca-profile GoDaddy
LSYS: root-logical-system
CA profile: GoDaddy
Certificate identifier: GoDaddy
Issued to: Go Daddy Secure Certificate Authority - G2, Issued by: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
Validity:
Not before: 05- 3-2011 07:00 UTC
Not after: 05- 3-2031 07:00 UTC
Public key algorithm: rsaEncryption(2048 bits)
Keypair Location: Keypair generated locally
CA profile: GoDaddy
CRL version: V2 (0x1)
CRL issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Effective date: 09-25-2023 20:46 UTC
Next update: 10- 2-2023 20:46 UTC
Last-Download: 09-27-2023 17:00:07 UTC
- Why is the SSL service reporting that it cannot find the server key?
- Is there a limitation on using a wildcard cert in this situation?
- NAT is in order, i.e. it has already been tested with tcp/389 and works fine, so I can pinpoint the issue to the SSL reverse proxy.
thanks!
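A stand-alone check for the two things the questions above turn on, added here as an example rather than anything from the post or from Junos: whether the private key really is the private half of the certificate loaded under the certificate-id, and whether a *.domain.com wildcard covers ldap.domain.com. The certificate is constructed and self-signed in place of the GoDaddy-issued one; everything else is Go's standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeWildcardCert builds a constructed, self-signed "*.domain.com" certificate (a stand-in for the GoDaddy one) and its key.
func makeWildcardCert() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "*.domain.com"},
		DNSNames:     []string{"*.domain.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// keyMatchesCert reports whether key is the private half of cert's public key, the pairing the firewall must hold for the certificate-id it serves.
func keyMatchesCert(cert *x509.Certificate, key *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// covers reports whether cert's names cover host; a "*.domain.com" wildcard matches exactly one label.
func covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cert, key, err := makeWildcardCert()
	if err != nil {
		panic(err)
	}
	fmt.Println(keyMatchesCert(cert, key), covers(cert, "ldap.domain.com"), covers(cert, "domain.com"))
}
```

The same two checks can be run against the real certificate.pem and certificate.key by parsing them with encoding/pem and x509 before they are loaded onto the firewall.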