Forum Discussion
BIGIP device certificate - Ansible Error
Hi,
I am trying to use bigip Ansible module for managing self-signed device certificates `bigip_device_certificate`
Here is the snippet of the task:

```yaml
- name: Device HTTPs certificate
  bigip_device_certificate:
    cert_name: "server.crt"
    key_name: "server.key"
    days_valid: 365
    key_size: 4096
    force: no
    new_cert: no
    issuer:
      country: "{{ device_cert.issuer_country }}"
      state: "{{ device_cert.issuer_state }}"
      organization: "{{ device_cert.issuer_org }}"
      division: "{{ device_cert.issuer_division }}"
      email: "{{ device_cert.issuer_email }}"
      locality: "{{ device_cert.issuer_locality }}"
      common_name: "{{ device_cert.common_name }}"
    provider:
      server: "{{ ansible_host }}"
      user: "{{ bigip_username }}"
      password: "{{ bigip_password }}"
      transport: cli
      server_port: 22
      ssh_keyfile: ~/.ssh/id_rsa
  delegate_to: localhost
```
So the certificate on the BIG-IP isn't expired, but for some reason the above task fails for one of the two devices (it worked on the other one) with the error below:

```
"/tmp/ansible_bigip_device_certificate_payload_lazf97h6/ansible_bigip_device_certificate_payload.zip/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_device_certificate.py\", line 452, in expired\nTypeError: '>' not supported between instances of 'int' and 'NoneType'\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
```
I tried toggling the values for `force` and `new_cert` without any success.
As per the error, it seems something fails at `bigip_device_certificate.py` line 452. Below is the snippet of the function around it:

```python
def expired(self):
    self.have = self.read_current_certificate()
    current_epoch = int(datetime.now().timestamp())
    # line 452: raises TypeError when self.have.epoch is None
    if current_epoch > self.have.epoch:
        return True
    return False
```
Any ideas?
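The traceback shows `self.have.epoch` being `None`, i.e. the module could not derive an expiry from the device certificate, and the bare `>` comparison turns that into an opaque `TypeError`. As an added example (not the f5_modules code), here is a defensive version of the check that names the missing-expiry condition explicitly; the OpenSSL-style `notAfter=` line format, the function names and the exception class are assumptions for illustration:

```python
# Added example, not part of the f5_modules collection.
from datetime import datetime, timezone
from typing import Optional


class CertificateInfoError(Exception):
    """Raised when the device certificate's expiry cannot be determined."""


def parse_not_after(not_after: str) -> Optional[int]:
    """Parse an OpenSSL-style 'notAfter=Jan  1 00:00:00 2030 GMT' line
    (assumed input format) into a UNIX epoch. Returns None when the line
    does not parse, which is the condition that makes the module's bare
    comparison fail with a TypeError."""
    value = not_after.split("=", 1)[-1].strip()
    try:
        dt = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    except ValueError:
        return None
    # %Z does not attach tzinfo; the value is GMT, so mark it as UTC.
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def expired(epoch: Optional[int], now: Optional[int] = None) -> bool:
    """Return True if the certificate expiry lies in the past.
    A missing expiry (None) is reported as a clear error instead of
    "'>' not supported between instances of 'int' and 'NoneType'"."""
    if epoch is None:
        raise CertificateInfoError(
            "certificate expiry could not be read from the device; "
            "check that the device certificate exists and is parseable"
        )
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    return now > epoch


if __name__ == "__main__":
    # Constructed sample: one valid expiry line and one unparseable one.
    good = parse_not_after("notAfter=Jan  1 00:00:00 2030 GMT")
    print("expired:", expired(good))
    try:
        expired(parse_not_after("notAfter=not-a-date"))
    except CertificateInfoError as exc:
        print("error:", exc)
```

Run against the two devices, the error branch is the one the failing device would take, which points the investigation at why its certificate's expiry is not readable rather than at the comparison itself.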