Forum Discussion
Cert and Key files are not in /config/ssl/ssl.* subdirectories after 11.x to 11.x upgrade
I've searched around Dev Central and the KB and can't find any info on this. Maybe I haven't used the right search parameters, but there it is.
After doing an upgrade from any 11.x version to another 11.x version, the ssl certificate store (/config/ssl/ssl.crt) and key store (/config/ssl/ssl.key) don't contain ANY of the certificates/keys that I've imported. They only contain the system certs/keys.
The certs and keys can be found in the file store, of course, but haven't been populated in the traditional stores.
This has caused me some major issues when rebuilding boxes, not to mention that tmsh lists a file object that doesn't actually exist at the specified path.
Why aren't the files put in the proper place during the upgrade? Is this intentional? If so, why?
Thanks in advance for any insight.
Lucky
9 Replies
- What_Lies_Bene1
Cirrostratus
It is intentional but I'm afraid I don't know the reason why. Just out of interest, what point release did you upgrade to?
- Faintly_Lucky
Nimbostratus
This has happened when upgrading to every major revision and hotfix level.
11.0.0 to 11.0.0 HF*
11.1 to 11.1 HF*
11.0 to 11.1 HF*
11.1 to 11.2.0
11.1 to 11.2.0 HF*
11.2.0 to 11.2.0 HF*
I have no idea why this would be intentional. I don't mind the certificates and keys being put in the file store, but those of us (in my company) who know how to manage things via CLI and depend on it for the speed it provides aren't very happy about it, not to mention that it has caused a few problems when restoring configurations. I've got over 60 pairs of F5s that I'm responsible for, and doing every single CSR request or renewal import through the GUI just won't work. That's why I've written tools to automate the process of CSR generation and cert/key installation via CLI.
- What_Lies_Bene1
Cirrostratus
Lucky, apologies but perhaps I've misunderstood. Are you saying that when you import certs/keys (via CLI or GUI) they are placed in the old location and then when you do an upgrade they get moved?
- Faintly_Lucky
Nimbostratus
Steve,
The process is:
Certificate and key are SCPed to the ssl.crt and ssl.key dirs.
I import certificate and key through CLI (create file objects) and create the SSL profiles.
I do an upgrade and those files are no longer present in those directories post-upgrade. They are only in the file store in the config directory.
The only way that I get them back in there is re-uploading them to each box individually. Those directories also no longer sync.
Thinking that this might have something to do with the UCS inclusion files, but I want to know why this is happening before I start messing around with anything.
Thanks for your quick replies thus far.
Lucky
- Faintly_Lucky
Nimbostratus
Just to clarify, when I say post-upgrade I mean after rebooting into the newly installed volume.
- What_Lies_Bene1
Cirrostratus
Actually, I think I now remember that the directories changed due to Device Service Clustering and Device Groups, hence why the original folders don't sync.
Is there a reason you can't use the new directories and change your scripts as appropriate? I'd assume the upgrade is moving the files to the new directory automatically as that's where they should now go.
- hoolio
Cirrostratus
Here's a thread on this:
http://devcentral.f5.com/community/groupdetails/tabid/1082223/aff/2221/default.aspx
I think Steve is right that only local certs are in the old pre-v11 directories. The rest are imported into the filestore. You'll need to modify your steps to copy the certs to a temp directory and then import them and reference them in SSL profiles via tmsh.
Aaron
- Faintly_Lucky
Nimbostratus
Aaron and Steve:
Thank you for your replies on this.
It's not that I can't modify the scripts; it's more the lack of time needed to do so. I was really hoping that there was a simple way to get around this.
- Kevin_Stewart
Employee
The new locations are part of the CMI configuration in v11 (both for clustering and partitioning). As such, you need to use TMSH to move the files into the proper filesystem objects.
Here's a little shell script I wrote to copy/replace certs and keys in the filesystems. SCP the .p12 files up to a working directory and run this script from there.

    #!/bin/bash
    if [ "$1" != "" ]; then
        passwd=$1
        # process .p12 files
        for g in *.p12
        do
            # extract the name from the .p12 file
            pname=`echo $g | awk -F.p12 '{ print $1 }'`
            # export the private key
            openssl pkcs12 -in $g -out $pname.key -nodes -clcerts -nocerts -passin pass:$passwd
            # export the public key
            openssl pkcs12 -in $g -out $pname.crt -nodes -clcerts -nokeys -passin pass:$passwd
        done
        # process exported certificates
        for f in *.crt
        do
            # extract the name from the cert file
            fname=`echo $f | awk -F.crt '{ print $1 }'`
            # delete the old ones first
            tmsh delete sys crypto cert $fname
            tmsh delete sys crypto key $fname
            # import the cert and key
            tmsh install sys crypto cert $fname from-local-file $fname.crt
            tmsh install sys crypto key $fname from-local-file $fname.key
        done
        echo "Done"
    else
        echo ""
        echo "Usage: certpush.sh <.p12 export password>"
        echo ""
    fi
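As an added example (not Kevin's script and not F5's code), here is a hardened version of the .p12 export step that the script above runs before `tmsh install`: the export password is read from a file instead of being passed as `-passin pass:`, which is visible in `ps` output, the extracted key is written under a restrictive umask, and the key/cert pair is checked for a matching public key before anything is handed to tmsh. The `make_test_bundle` helper only builds a constructed self-signed bundle so the functions can be exercised offline; it assumes `openssl` is on the path.

```bash
#!/bin/bash
set -euo pipefail

# Extract the private key and client cert from a .p12 file ($1), reading the
# export password from the file $2 (never from argv), into $3.key and $3.crt.
# The subshell keeps umask 077 local, so the key is created mode 0600.
extract_p12() {
  local p12="$1" passfile="$2" name="$3"
  (
    umask 077
    openssl pkcs12 -in "$p12" -nodes -nocerts -passin "file:$passfile" -out "$name.key"
    openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "file:$passfile" -out "$name.crt"
  )
}

# Return 0 only if the private key ($1) and certificate ($2) carry the same
# public key; installing a mismatched pair leaves an SSL profile that cannot
# complete a handshake.
pair_matches() {
  local key="$1" crt="$2" kpub cpub
  kpub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  cpub=$(openssl x509 -in "$crt" -pubkey -noout \
         | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$kpub" = "$cpub" ]
}

# Constructed test data: a throwaway self-signed cert/key packed into a .p12
# with the password stored in pass.txt (hypothetical names, demo only).
make_test_bundle() {
  local dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/t.key" -out "$dir/t.crt" \
      -subj "/CN=example.test" -days 1 >/dev/null 2>&1
  printf 'demo-export-pass' > "$dir/pass.txt"
  openssl pkcs12 -export -in "$dir/t.crt" -inkey "$dir/t.key" \
      -passout "file:$dir/pass.txt" -out "$dir/t.p12"
}

# Usage (mirrors the loop in the script above, minus the tmsh calls):
#   extract_p12 mysite.p12 /root/.p12pass mysite && pair_matches mysite.key mysite.crt
```

Only after `pair_matches` succeeds would the `tmsh install sys crypto cert/key ... from-local-file` steps from the script above run.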