F5 BIGIP & XC certbot plugin
Hi!
As I maintain the certbot-f5bigip plugin to enable certbot as ACME client to validate and install certificates, I have now published the certbot-f5xc plugin! Currently only DNS validation with the DNS01 challenge is supported, so if you use F5 XC for DNS, you can use this plugin to verify domains for your certificates and then use the certificate for other infrastructure besides XC HTTP LBs (which can do auto-cert provisioning already).
I will add an installer next, so certificates can be uploaded / installed to XC and re-used with HTTP LBs, so stay tuned!
Here are the links to the repositories on gitlab.com:
https://gitlab.com/emalzer/certbot-f5bigip
https://gitlab.com/emalzer/certbot-f5xc
https://gitlab.com/emalzer/certbot-ansible
- emalzer
Cirrus
The certbot-f5xc plugin can now also be used as an installer!
emalzer, is there a way to make the plugin only upload to the active unit in a cluster?
If not, then it would be a great feature addition to the plugin 😄
- emalzer
Cirrus
hey! the plugin checks all bigips in the cluster and identifies which one is active for the provided VS. so, that should be already the case. did you observe otherwise?
Hey :-)
I just need to read your documentation where you write that you handle HA just nicely 😆
I'm waiting for a server to be set up for me, so I haven't tried it out just yet.
But can you help me understand two flags you have in your example:
"-a f5-bigip-auth" and "-i f5-bigip-inst"
what do they mean?
- emalzer
Cirrus
sure! the ACME process is split into two parts: authentication and installation. so you can define how you want to do the authentication / validation part and how to do the installation. you can do both on the bigip and then you need to define the f5-bigip-auth-* and the f5-bigip-inst-* parameters. you can also for example do the validation / authentication via a public DNS provider (google, ...) and do the installation to the bigip. so you would need to apply the google-dns parameters and only the f5-bigip-inst-* parameters.
is it more clear to you now?
if you want, take a look into the https://gitlab.com/emalzer/certbot-ansible repo, there you can manage the required parameters for certbot via a yaml file and let ansible render a shell script that then executes the certbot commands with all the parameters.
Just to get to all the slow minds on board 😅
So, if I just want to install the certificate on the BIG-IP I only need f5-bigip-inst? And if I want to have the BIG-IP be part of the certificate validation process I use f5-bigip-auth?
- emalzer
Cirrus
yes, true. if your certbot already has a certificate, you can just use the f5-bigip-inst parameters to install this existing, certbot-managed certificate to the bigip.
Hi again emalzer
Is it correct that you are using basic auth when you upload the certificates?
I believe that if you change that to the token based auth instead you don't need to use an administrator for the task. JRahm can you confirm?
I have a customer which uses a certificate vendor and they only need a certificate manager role to do the updating.
- emalzer
Cirrus
Hi!
No, the plugin does not use Basic auth, it uses token based auth.
And if you use the plugin to install the cert/key/chain and create the ClientSSL profile, you need the administrator role.
You can use the `--f5-bigip-inst-disable-clientssl-profile true` and `--f5-bigip-inst-add-chain-to-certificate true` options to only create / update the certificates.
I just did a quick test on my lab cluster and the certificate manager role is still not enough, as the plugin uploads the cert/key via the "/mgmt/shared/file-transfer/uploads/" API and this role does not have the right to use this endpoint.
So currently I'm not aware of how to update / upload cert & key via the API with only the certificate manager role.
- emalzer
Cirrus
I also found this article (https://my.f5.com/manage/s/article/K000152667) which mentions that the 'certificate-manager' role cannot perform certificate management tasks via the API.
You are right, I must have been dreaming 😆
We will have to wait for a release addressing this shortcoming.