F5's approach to this problem is poor. This problem must be widespread,
but it is never adequately addressed, either here in the forum or on the
support site or in the documentation.
Once again, the need for CRL updates has come up for us. In addition to downloading the CRL, we also had the following issues:
* The IP address of the CRL server cannot be known in advance (it apparently changes from time to time). We need to use DNS to locate it.
* We cannot download the file using the DNS name because the internet is not accessible through the default route domain.
* The CRL as downloaded is in DER format, so we need to convert it to PEM per the LTM's requirement
* Even when a new CRL is in place, the tmm does not read it, so we have to "touch" the config to force it to reload it.
We are currently using the following shell script, run once a day from
cron, to achieve this. Note that this uses the bigpipe utility, which
will not work in v11. It also needs a bit more error checking.
------------------------------------------------------------------------
#!/bin/sh
cd /var/tmp
# delete the old temporary files
rm -f demo.crl demo.pem
# get the current IP address of the CRL server
CRLIP4=`dig demo.example.com A | grep '^demo.*[0-9]$' | awk '{print $5}'`
# convert it to the IPv6 route domain 5 address
CRLIP6=`rdip $CRLIP4\%5`
if [ $? -eq 0 ]; then
    # download the CRL, faking the Host header because we're using an IP address in the request
    curl -v -O -H 'Host: demo.example.com' -g http://[$CRLIP6]/crl/demo.crl
    if [ -f demo.crl ]; then
        # convert the CRL from DER to PEM
        openssl crl -inform der -in demo.crl -out demo.pem
        rm demo.crl
        mv demo.pem /config/ssl/ssl.crl/
        # set the administrative partition to update the config
        bigpipe shell write partition mypartition
        # 'touch' the clientssl profile so tmm re-reads the crl
        bigpipe profile clientssl demo-clientssl crl file demo.pem
    fi
fi
------------------------------------------------------------------------
The above script calls a script "rdip", which we pinched from
elsewhere on the forums. It converts an IPv4 address, with the route
domain number appended, into the special IPv6 address.
This is shown below:
------------------------------------------------------------------------
#!/bin/bash
# usage: rdip <ipv4-address>%<route-domain>
# prints the route-domain-specific IPv6 form of the address
# F5_RD_HEADER="2620:0:c10:f501:0:"   # alternative prefix from the post; the assignment below is the one in effect
F5_RD_HEADER="2610:0:c10:f501:0:"
HOST_ADDRESS=${1/\%*}     # everything before the %
ROUTE_DOMAIN=${1/*\%}     # everything after the % (unchanged if there is no %)
if [ -n "$ROUTE_DOMAIN" ] && [ "$ROUTE_DOMAIN" != "$1" ]; then
    # split the IPv4 address into its four octets
    host_parts=($(echo "$HOST_ADDRESS" | grep -Po "\d+"))
    # pack the octets into two 16-bit groups after the prefix and the route domain
    printf "%s%x:%x:%x\n" $F5_RD_HEADER $ROUTE_DOMAIN \
        $(((${host_parts[0]} << 8) + ${host_parts[1]})) \
        $(((${host_parts[2]} << 8) + ${host_parts[3]}))
    exit 0
fi
exit 1   # no route domain was given
------------------------------------------------------------------------
I hope this helps.
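As an added example (not part of the original post), a pre-install check the daily cron job could run before moving demo.pem into /config/ssl/ssl.crl/: because the CRL is fetched over plain HTTP from an address learned via DNS, it confirms the file was signed by the expected issuer, is still inside its validity window, and carries a higher CRL number than the copy already installed. It assumes openssl and GNU date on the box; make_fixture builds a constructed throwaway issuer and two CRLs so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: checks a freshly downloaded DER CRL
# before it replaces the installed one. Assumes openssl and GNU date are available.

# crl_number FILE [INFORM]: the CRL number as hex, or 0 if the extension is absent.
crl_number() {
    n=$(openssl crl -inform "${2:-PEM}" -in "$1" -noout -crlnumber | sed 's/^crlNumber=//')
    case $n in ''|*[!0-9A-Fa-f]*) n=0 ;; esac
    echo "$n"
}

# verify_crl NEW.crl ISSUER_CA.pem [INSTALLED.pem]
# 0 = safe to install, 1 = not signed by the issuer, 2 = already expired, 3 = not newer
verify_crl() {
    new=$1; ca=$2; installed=$3
    # 1. Signature: openssl exits non-zero unless the CRL verifies against the CA,
    #    so a CRL altered or substituted on the plain-HTTP download path is rejected.
    openssl crl -inform DER -in "$new" -CAfile "$ca" -noout >/dev/null 2>&1 || return 1
    # 2. Validity window: never replace a good CRL with one whose nextUpdate has passed.
    next=$(openssl crl -inform DER -in "$new" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -u -d "$next" +%s)" -gt "$(date -u +%s)" ] || return 2
    # 3. Monotonic CRL number: a replayed older (still valid) CRL must not roll us back.
    if [ -n "$installed" ] && [ -f "$installed" ]; then
        [ $((0x$(crl_number "$new" DER))) -gt $((0x$(crl_number "$installed"))) ] || return 3
    fi
    return 0
}

# make_fixture DIR: constructed throwaway issuer plus CRL #1 (PEM, standing in for the
# installed /config/ssl/ssl.crl/demo.pem) and CRL #2 (DER, standing in for demo.crl).
make_fixture() {
    dir=$1
    mkdir -p "$dir" && : > "$dir/index.txt" && echo 01 > "$dir/crlnumber"
    printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=%s/index.txt\ncrlnumber=%s/crlnumber\ndefault_md=sha256\n' \
        "$dir" "$dir" > "$dir/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj /CN=Demo-CRL-Issuer -days 2 >/dev/null 2>&1
    for name in installed new; do   # issued in order, so crlNumber 01 then 02
        openssl ca -config "$dir/ca.cnf" -gencrl -keyfile "$dir/ca.key" -cert "$dir/ca.pem" \
            -crldays 1 -out "$dir/$name.pem" >/dev/null 2>&1
    done
    openssl crl -in "$dir/new.pem" -outform DER -out "$dir/new.crl"
    # An unrelated CA, to show that a CRL from another issuer is refused.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" -out "$dir/other.pem" \
        -subj /CN=Other -days 2 >/dev/null 2>&1
}
```

In the cron job, source this file and gate the install on it, e.g. `verify_crl demo.crl issuer.pem /config/ssl/ssl.crl/demo.pem && mv demo.pem /config/ssl/ssl.crl/`, where issuer.pem is a locally kept copy of the CRL issuer's certificate.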