Is anyone using Certbot for F5 certificate automation? If not, what tool do you use?
- Sep 11, 2024
We're not yet in production with this. Testing certbot with patches from here:
https://github.com/timriker/certbot
and the bigip module to deploy from here:
https://github.com/open-networks/certbot-bigip
I'm looking for a system that will request certs using DNS RFC 2136
https://datatracker.ietf.org/doc/html/rfc2136
and then push to multiple F5s to get region redundancy.
Unfortunately there are issues. certbot does NOT handle CNAME entries in its RFC 2136 support. We want this setup:
- _acme-challenge.example.net CNAME example.net._tls.example.com
- _acme-challenge.example.net CNAME example.net._tls.example.com
- _acme-challenge.example.org CNAME example.net._tls.example.com
zone _tls.example.com only has NS records pointing to locally hosted NS servers and is NOT replicated to DNS secondaries. TTL is set very low (300 seconds).
certbot out of the box documents this type of CNAME setup, but does NOT implement it in the rfc2136 module. My fork has this updated from hpa's original patch.
The existing certbot-bigip creates multiple certs on the F5s for SAN certs. This means a "wildcard" cert creates both of these:
- example_org_Letsencrypt
- wildcard_example_org_Letsencrypt
where BOTH of these certs are the same cert supporting both names. This is a Bad Thing. The first would be enough. Also, we strongly prefer lowercase names, so "L"etsencrypt is a Bad Name. Also, RFC 2136 can be used for multiple providers, not just Let's Encrypt. I'd prefer an uploaded cert with this naming:
auto_example.org
Let's Encrypt should support multiple wildcards in the same cert. So potentially I could have one cert covering:
- example.com
- *.example.com
- example.net
- *.example.net
- example.org
- *.example.org
which would all be contained in a cert called auto_example.com
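Putting the CNAME delegation and the naming convention from the post into code, as an added example (not certbot's, certbot-bigip's or the poster's code): it follows the `_acme-challenge` CNAME chain to the owner name the TXT record must actually be written to, emits the `nsupdate` input for that RFC 2136 update, and derives one lowercase cert name per SAN list. The CNAME table, the name server and the zone are constructed for the example; a real client would query DNS instead of a dict.

```python
# Added example (not certbot's or certbot-bigip's code): resolve where the
# DNS-01 TXT record has to be written when _acme-challenge names are CNAMEs
# delegated into a separate zone, emit the matching RFC 2136 update as an
# nsupdate script, and derive one lowercase F5 object name per SAN cert.
# CNAME_TABLE is constructed for the example; a real client would query DNS.
CNAME_TABLE = {
    "_acme-challenge.example.com": "example.com._tls.example.com",
    "_acme-challenge.example.net": "example.net._tls.example.com",
    "_acme-challenge.example.org": "example.org._tls.example.com",
}


def challenge_target(name, cnames, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<name> to the owner that must hold the TXT.

    Both 'example.net' and '*.example.net' validate at _acme-challenge.example.net.
    Returns (final_owner, hops); raises on a loop or an over-long chain, which
    would otherwise send the update to the wrong name or never terminate.
    """
    if name.startswith("*."):
        name = name[2:]
    current = f"_acme-challenge.{name.lower()}"
    seen = []
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long from {seen[0]}")
        seen.append(current)
        current = cnames[current].lower()
    return current, len(seen)


def nsupdate_script(owner, txt_value, server, zone, ttl=300):
    """Input for `nsupdate` (the usual RFC 2136 client) adding the challenge TXT."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f'update add {owner}. {ttl} TXT "{txt_value}"',
        "send",
    ]) + "\n"


def cert_name(sans, prefix="auto"):
    """One object name per cert: prefix, lowercase, wildcard dropped, first SAN."""
    base = sans[0].lower()
    if base.startswith("*."):
        base = base[2:]
    return f"{prefix}_{base}"
```

The update goes to the `_tls.example.com` zone on the locally hosted name servers, so with the 300 second TTL from the post the record can be added, validated and removed without touching the primary zones or their secondaries.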