What do you have in your Crypto Validation Credential? Should be just the Root Certificate(s) from just the Certificate Authority(s) that you choose to trust for this connection. Certificate Validation Mode should be PKIX. The parent SSL Client Profile would then have "Validate server host name" set to Yes. Now the SSL Server can renew their cert every day if they want, with new Intermediates if they want, with no action required on the SSL Client's (DataPower) side.
------------------------------
Peter Potkay
------------------------------
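Peter's recommendation is easy to see in action. The script below is an added example, not from the thread or from IBM, that builds a throwaway lab PKI with the openssl CLI and then plays the client side the way the recommended DataPower setup does: the only trusted material is the root CA (the Validation Credential), the chain is built PKIX-style from the leaf plus whatever intermediate the server sends, and the host name is checked. Every name in it (Lab Root CA, Lab Intermediate 1/2, api.example.test) is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: a throwaway PKI built with the openssl CLI
# to show why a Validation Credential that holds only the root CA, checked in
# PKIX mode with host name validation, survives a Let's Encrypt style renewal
# of the leaf and even of the intermediate without any change on the client.
# Every name here (Lab Root CA, Lab Intermediate, api.example.test) is constructed.
set -euo pipefail

WORK="$(mktemp -d)"
cd "$WORK"

# issue NAME SUBJECT_CN SIGNER ROLE [HOST]
#   SIGNER is the basename of the signing CA's key/cert pair, or "self" for a root.
#   ROLE is "ca" or "leaf"; a leaf gets a subjectAltName for HOST.
issue() {
  local name="$1" cn="$2" signer="$3" role="$4" host="${5:-}"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$name.key" -out "$name.csr" -subj "/CN=$cn" 2>/dev/null
  if [ "$role" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$name.ext"
  else
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$name.ext"
  fi
  if [ "$signer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 3650 \
      -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$signer.pem" -CAkey "$signer.key" -CAcreateserial \
      -days 90 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  fi
}

# The server side over time: one root, an intermediate, then the kind of churn
# Thomas describes (leaf renewed, later the intermediate rotated as well).
setup_pki() {
  issue root  "Lab Root CA"        self ca
  issue int1  "Lab Intermediate 1" root ca
  issue leaf1 "api.example.test"   int1 leaf api.example.test   # day one
  issue leaf2 "api.example.test"   int1 leaf api.example.test   # routine renewal: new key, new leaf
  issue int2  "Lab Intermediate 2" root ca                      # CA rotates its intermediate
  issue leaf3 "api.example.test"   int2 leaf api.example.test   # renewal under the new intermediate
}

# The client side with the recommended setup: the Validation Credential holds
# only root.pem, the chain is built PKIX-style from the leaf plus whatever
# intermediate the server sends, and the host name must match.
# Returns 0 when the connection would be accepted.
client_accepts() {
  local leaf="$1" sent_intermediate="$2" host="$3"
  openssl verify -CAfile root.pem -no-CApath -untrusted "$sent_intermediate" \
    -verify_hostname "$host" "$leaf" >/dev/null 2>&1
}

# The brittle alternative: a Validation Credential that contains the server's
# leaf is effectively a pin on this fingerprint, which changes on every renewal.
leaf_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

setup_pki

report() {
  if client_accepts "$1" "$2" "$3"; then echo "ACCEPT $1 (sent with $2) for $3"
  else echo "REJECT $1 (sent with $2) for $3"; fi
}
report leaf1.pem int1.pem api.example.test    # day one
report leaf2.pem int1.pem api.example.test    # leaf renewed: no client change needed
report leaf3.pem int2.pem api.example.test    # intermediate rotated too: still no client change
report leaf1.pem int1.pem other.example.test  # host name validation still rejects the wrong name
report leaf3.pem int1.pem api.example.test    # a stale intermediate cannot complete the chain
echo "leaf fingerprint before renewal: $(leaf_fingerprint leaf1.pem)"
echo "leaf fingerprint after renewal:  $(leaf_fingerprint leaf2.pem)"
```

The first three cases are accepted with nothing but root.pem on the client, which is exactly why the renewal cadence stops mattering; the last two show that PKIX mode is not "trust anything": a wrong host name or a chain that cannot be completed is still rejected. The two differing fingerprints are the reason a Validation Credential built from the server's leaf breaks on every renewal.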
Original Message:
Sent: Wed August 25, 2021 04:11 AM
From: Thomas Berg
Subject: Dealing with Letsencrypt
Thanks, Stephanie. I was hoping that there was another way of doing this -:) Will look into the redpaper and see how to automate this.
Regards
Thomas
------------------------------
Thomas Berg
Original Message:
Sent: Wed August 18, 2021 01:46 PM
From: Stephanie Wilkerson
Subject: Dealing with Letsencrypt
Hi Thomas,
Have you checked out this redbook? It was recommended by one of our experts with this answer. https://www.redbooks.ibm.com/redpapers/pdfs/redp4446.pdf
Usually customers build their own solution to automate certificate changes as DataPower doesn't support the letsencrypt feature to automatically update its certificates.
For example, SOMA could submit config updates to DP to reflect new certs/keys.
Hope this helps!
------------------------------
Stephanie Wilkerson
IBM
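Stephanie's SOMA suggestion can be made concrete. The three requests below are an added illustration, not from the thread or from IBM documentation, of the shape an automation job could send to the XML management interface (by default port 5550, path /service/mgmt/current) once a renewed certificate has been obtained: upload the PEM into the cert: directory, repoint the existing Crypto Certificate object at it, and save the domain configuration. The element names (set-file, modify-config, CryptoCertificate, Filename, do-action/SaveConfig) are written from memory of the DataPower management schema and should be checked against the xml-mgmt schema shipped with the firmware in use; the domain, object and file names and the base64 body are placeholders.

```xml
<!-- Added example, not from the thread. All names and values are placeholders;
     element names follow the DataPower XML management schema as remembered and
     must be verified against the firmware's xml-mgmt schema. -->

<!-- Request 1: upload the renewed certificate file into the cert: directory. -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:dp="http://www.datapower.com/schemas/management">
  <soapenv:Body>
    <dp:request domain="APP_DOMAIN_PLACEHOLDER">
      <dp:set-file name="cert:///api-backend-2021-08.pem">BASE64_OF_PEM_PLACEHOLDER</dp:set-file>
    </dp:request>
  </soapenv:Body>
</soapenv:Envelope>

<!-- Request 2: point the existing Crypto Certificate object at the new file.
     Only the changed property is sent; the object keeps its other settings. -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:dp="http://www.datapower.com/schemas/management">
  <soapenv:Body>
    <dp:request domain="APP_DOMAIN_PLACEHOLDER">
      <dp:modify-config>
        <CryptoCertificate name="api-backend-cert">
          <Filename>cert:///api-backend-2021-08.pem</Filename>
        </CryptoCertificate>
      </dp:modify-config>
    </dp:request>
  </soapenv:Body>
</soapenv:Envelope>

<!-- Request 3: persist the running configuration of the domain. -->
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:dp="http://www.datapower.com/schemas/management">
  <soapenv:Body>
    <dp:request domain="APP_DOMAIN_PLACEHOLDER">
      <dp:do-action>
        <SaveConfig/>
      </dp:do-action>
    </dp:request>
  </soapenv:Body>
</soapenv:Envelope>
```

Each request needs a response check before the next one is sent, since a failed upload followed by a successful modify-config leaves the object pointing at a file that does not exist. Note also that this kind of automation is only needed where DataPower has to hold a frequently renewed certificate itself; for the validation side of an SSL Client Profile, Peter's approach in the later reply (root CA only, PKIX mode, host name validation) removes the churn altogether.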
Original Message:
Sent: Mon August 02, 2021 06:44 AM
From: Thomas Berg
Subject: Dealing with Letsencrypt
Hi.
At a couple of customer sites I have some issues communicating with services that are using Letsencrypt for renewing certificates for TLS transport.
Problem is that these Letsencrypt secured services automatically renew their host certificate and even sometimes the intermediate certificate. This makes my Validation Credential break.
Any suggestions on how to deal with this?
Regards
Thomas Berg
------------------------------
Thomas Berg
------------------------------