Error: Reverse proxy key XXXX.YYY doesn't match certificate issued to <> in System Logs
Symptom
Resolution
To verify this behavior:
- Take a packet capture on the client or on the firewall covering the entire transaction (see: How to Run a Packet Capture).
- Find the packet that contains the SSL handshake message "Certificate" (sent from the server to the client).
- Expand the packet, locate the certificate(s) and note the serialNumber of the server certificate.
- Alternatively, right-click the certificate you want, select "Export selected packet bytes" and save it under a file name of your choice.
- Compare the serial number and validity period of this certificate with the serial number and validity period of the certificate loaded on the firewall and used in the decryption policy.
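The comparison in the last step can be scripted so it is not done by eye. The following stdlib-only Python is an added example, not part of the original article: it reads the certificate exported from the capture (DER) or from the firewall (PEM), walks just enough of the DER structure to reach the serialNumber and validity fields, and reports every field that differs. The two embedded certificates are constructed, unsigned test data built by the `_fake_cert` helper; the hex serial formatting assumes you are matching against the hex value Wireshark displays.

```python
"""Compare serialNumber and validity of the certificate seen on the wire
with the certificate loaded on the firewall (stdlib only)."""
import base64
import datetime

# ---- minimal DER reader: only what is needed to reach serialNumber and validity ----
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the tag-length-value element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a constructed element into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)

def load_cert_bytes(data):
    """Accept raw DER (as exported from Wireshark) or PEM (as exported from the firewall)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def cert_identity(cert_bytes):
    """Return serialNumber (upper-case hex, as Wireshark shows it) and the validity window."""
    tag, cert, _ = _read_tlv(load_cert_bytes(cert_bytes), 0)   # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = _children(_children(cert)[0][1])                 # tbsCertificate fields
    if fields[0][0] == 0xA0:                                  # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big")              # serialNumber INTEGER
    not_before, not_after = _children(fields[3][1])           # validity follows signature + issuer
    return {"serial": f"{serial:X}",
            "not_before": _parse_time(*not_before),
            "not_after": _parse_time(*not_after)}

def compare_certs(server_cert, firewall_cert):
    """List every field where the certificate on the wire differs from the loaded one."""
    seen, loaded = cert_identity(server_cert), cert_identity(firewall_cert)
    return [f"{k}: server presented {seen[k]}, firewall has {loaded[k]}"
            for k in ("serial", "not_before", "not_after") if seen[k] != loaded[k]]

# ---- constructed test data: structurally valid but unsigned certificates ----
def _tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])    # enough for these small blobs
    return bytes([tag]) + length + content

def _fake_cert(serial, not_before, not_after):
    """Build a throw-away DER certificate with the given serial/validity (test data only)."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                 # v3
    ser = _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    empty_name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
    tbs = _tlv(0x30, version + ser + alg + empty_name + validity + empty_name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))       # signature left as an empty BIT STRING

SERVER_CERT = _fake_cert(0x1234, "240101000000Z", "250101000000Z")    # what the server sent (constructed)
FIREWALL_CERT = _fake_cert(0x5678, "240101000000Z", "260101000000Z")  # what is loaded on the firewall (constructed)

if __name__ == "__main__":
    # Real use: compare_certs(open("server.der", "rb").read(), open("firewall.pem", "rb").read())
    for problem in compare_certs(SERVER_CERT, FIREWALL_CERT) or ["serial and validity match"]:
        print(problem)
```

An empty result from `compare_certs` means the server really is presenting the certificate the firewall holds, and the log message must have another cause (for example the policy-ordering problem described in the note below).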
NOTE:
If you are hosting multiple servers on the same machine 1.2.3.4 (same IP), make sure that the SSL decryption policies do not use the IP address as their only match condition.
For example:
SSL Decryption Policy 1
Source : Any
Destination : 1.2.3.4
Service : service-https
Action : Decrypt with certificate example.com
SSL Decryption Policy 2
Source : Any
Destination : 1.2.3.4
Service : service-https
Action : Decrypt with certificate example1.com
In this case, when traffic arrives for example1.com, the SSL decryption policy lookup will always match the first policy, even though that policy is bound to the certificate issued to example.com. The certificate is not a valid match condition for the firewall's policy lookup.
Consequently, when example1.com presents its certificate, it will not match the loaded certificate, which is the one for example.com.
Resolution
To avoid this situation, create custom URL categories for each URL and use them in the match conditions.
SSL Decryption Policy 1
Source : Any
Destination : 1.2.3.4
Service : service-https
URL Category: Category_Example (contains example.com)
Action : Decrypt with certificate example.com
SSL Decryption Policy 2
Source : Any
Destination : 1.2.3.4
Service : service-https
URL Category: Category_Example1 (contains example1.com)
Action : Decrypt with certificate example1.com
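To make the lookup behaviour concrete, here is an added Python simulation (not part of the original article, and not the firewall's own code) of first-match policy evaluation over the two rule sets above. It models the match conditions the article uses (destination, service and an optional custom URL category) and treats the certificate purely as the action, never as a condition; the assumption is that the URL category is matched against the hostname the client requested.

```python
"""Simulate first-match decryption policy lookup for the two rule sets in the article."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class DecryptionPolicy:
    name: str
    destination: str                 # IP address or "any"
    service: str
    certificate: str                 # hostname the decrypt certificate was issued to (the ACTION)
    url_category: Optional[frozenset] = None   # hostnames in the custom URL category; None = unused

    def matches(self, dst_ip, service, hostname):
        """True when every configured match condition is satisfied.
        self.certificate is deliberately never consulted: it is not a match condition."""
        if self.destination not in ("any", dst_ip):
            return False
        if self.service != service:
            return False
        if self.url_category is not None and hostname not in self.url_category:
            return False
        return True

def lookup(policies, dst_ip, service, hostname):
    """First matching policy wins, in order; None if nothing matches."""
    for policy in policies:
        if policy.matches(dst_ip, service, hostname):
            return policy
    return None

def decrypt_cert_for(policies, dst_ip, service, hostname):
    """Name of the certificate the firewall would decrypt this session with, or None."""
    policy = lookup(policies, dst_ip, service, hostname)
    return policy.certificate if policy else None

# The two rule sets from the article: IP-only conditions, then the same rules with URL categories.
IP_ONLY = [
    DecryptionPolicy("SSL Decryption Policy 1", "1.2.3.4", "service-https", "example.com"),
    DecryptionPolicy("SSL Decryption Policy 2", "1.2.3.4", "service-https", "example1.com"),
]
WITH_URL_CATEGORY = [
    DecryptionPolicy("SSL Decryption Policy 1", "1.2.3.4", "service-https", "example.com",
                     frozenset({"example.com"})),       # Category_Example
    DecryptionPolicy("SSL Decryption Policy 2", "1.2.3.4", "service-https", "example1.com",
                     frozenset({"example1.com"})),      # Category_Example1
]

def audit(policies):
    """Return {requested hostname: certificate used}; a value that differs from its key
    is exactly the situation that produces the reverse proxy key mismatch in the logs."""
    return {host: decrypt_cert_for(policies, "1.2.3.4", "service-https", host)
            for host in ("example.com", "example1.com")}

if __name__ == "__main__":
    print("IP-only rules:      ", audit(IP_ONLY))             # example1.com gets example.com's cert
    print("URL-category rules: ", audit(WITH_URL_CATEGORY))   # each host gets its own cert
```

Running `audit` against a copy of your own rule base before committing a change is a cheap way to confirm that every hosted hostname resolves to the policy carrying its own certificate.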