SSL/TLS Configuration
F5 XC staging environments and organizations with custom certificate authorities may require SSL/TLS configuration adjustments.
Staging Environment Certificate Issue
F5 XC staging environments use URLs like
tenant.staging.console.ves.volterra.io, but the SSL certificate only
covers *.console.ves.volterra.io. Wildcards only match a single
subdomain level, so tenant.staging fails validation.
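The single-label wildcard rule can be checked offline. This is an added example, not part of the original page or of any F5 XC tooling: it assumes the client runs on Node.js (the error text in this section matches Node's `tls` hostname check) and passes the SAN list from that error to `tls.checkServerIdentity`. The helper names `preflight` and `labelsUnderWildcard`, the stub certificate's CN and the `/api` path are constructed for illustration.

```javascript
const tls = require('node:tls');

// Constructed certificate stub: only the fields tls.checkServerIdentity reads.
// The SAN list is the one quoted in this section's error; the CN is assumed.
const CONSOLE_CERT = {
  subject: { CN: 'console.ves.volterra.io' },
  subjectaltname: 'DNS:*.console.ves.volterra.io, DNS:console.ves.volterra.io',
};

// Number of labels the host puts where a wildcard SAN allows exactly one,
// or null when the host is not under any wildcard SAN of the certificate.
function labelsUnderWildcard(host, cert) {
  for (const entry of cert.subjectaltname.split(', ')) {
    if (!entry.startsWith('DNS:*.')) continue;
    const suffix = entry.slice('DNS:*'.length); // ".console.ves.volterra.io"
    if (host.endsWith(suffix) && host.length > suffix.length) {
      return host.slice(0, -suffix.length).split('.').length;
    }
  }
  return null;
}

// Hypothetical helper: run Node's own hostname check against the stub.
function preflight(apiUrl, cert = CONSOLE_CERT) {
  const host = new URL(apiUrl).hostname;
  const err = tls.checkServerIdentity(host, cert); // undefined on a match
  return {
    host,
    ok: err === undefined,
    code: err ? err.code : null,
    labels: labelsUnderWildcard(host, cert),
  };
}

// Constructed sample URLs (the /api path is illustrative).
for (const url of [
  'https://tenant.console.ves.volterra.io/api',
  'https://tenant.staging.console.ves.volterra.io/api',
]) {
  console.log(preflight(url));
}
```

A result with `labels: 2` and a non-null `code` is the staging case: the hostname check fails on the name alone, whatever the state of the certificate chain.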
```
Hostname/IP does not match certificate's altnames:
Host: tenant.staging.console.ves.volterra.io
Cert covers: DNS:*.console.ves.volterra.io, DNS:console.ves.volterra.io
```

Option 1: Custom CA Bundle (Recommended)
If your organization uses a custom CA:

```bash
export F5XC_CA_BUNDLE=/path/to/your/ca-bundle.crt
```

Option 2: Disable Verification (Development Only)

```bash
export F5XC_TLS_INSECURE=true
```

SSL Error Reference
| Error | Cause | Solution |
|---|---|---|
| `Hostname/IP does not match certificate's altnames` | Staging URL mismatch | Use `F5XC_TLS_INSECURE=true` or custom CA |
| `self signed certificate` | Custom CA not trusted | Set `F5XC_CA_BUNDLE` |
| `certificate has expired` | Expired certificate | Contact F5 XC admin |
| `unable to verify the first certificate` | Missing intermediate CA | Add intermediates to CA bundle |
Best Practices
- Prefer `F5XC_CA_BUNDLE` over `F5XC_TLS_INSECURE`: it maintains validation while trusting your organization's certificates
- Contact F5 Support for staging environments to request the official staging CA certificate
- Never use `F5XC_TLS_INSECURE=true` in production
- Rotate credentials regularly according to your organization's security policies