Is anyone using Certbot for F5 certificate automation? If not, what tool do you use?
Currently, I'm having to manually update certs on our F5 and I'm wondering what other people are using to automate this. We use Sectigo which supports the Certbot F5 plugin, but a fellow tech that tested it said it doesn't work when a vserver has more than one SSL profile assigned.
Is anyone using the Certbot tool? If not, what tool are you using? I like to be able to automate this (and be confident it "just works").
Thanks!
We're not yet in production with this. Testing certbot with patches from here:
https://github.com/timriker/certbot
and the bigip module to deploy from here:
https://github.com/open-networks/certbot-bigip
I'm looking for a system that will request certs using dns rfc 2136
https://datatracker.ietf.org/doc/html/rfc2136 and then push to multiple f5s to get region redundancy.
Unfortunately there are issues. certbot does NOT handle CNAME entries in its rfc-2136 support. We want this setup:
- _acme-challenge.example.net CNAME example.net._tls.example.com
- _acme-challenge.example.net CNAME example.net._tls.example.com
- _acme-challenge.example.org CNAME example.net._tls.example.com
zone _tls.example.com only has NS records pointing to locally hosted NS servers and is NOT replicated to DNS secondaries. TTL is set very low (300 seconds).
certbot out of the box documents this type of CNAME setup, but does NOT implement it in the rfc2136 module. My fork has this updated from hpa's original patch.
The existing certbot-bigip creates multiple certs on the f5s for SAN certs. This means a "wildcard" cert creates both of these:
- example_org_Letsencrypt
- wildcard_example_org_Letsencrypt
where BOTH of these certs are the same cert supporting both names. This is a Bad Thing. The first would be enough. Also, we strongly prefer lowercase names, so "L"etsencrypt is a Bad Name. Also, rfc2136 can be used for multiple providers, not just letsencrypt. I'd prefer an uploaded cert with this naming:
auto_example.org
Let's Encrypt should support multiple wildcards in the same cert. So potentially I could have one cert covering:
- example.com
- *.example.com
- example.net
- *.example.net
- example.org
- *.example.org
which would all be contained in a cert called auto_example.com
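To make the CNAME problem described in the reply above concrete, here is an added example (my own illustration, not certbot's rfc2136 plugin and not the poster's fork): it follows the `_acme-challenge` CNAME into the delegated `_tls.example.com` zone, finds the zone apex by walking up to the SOA, and emits the `nsupdate` batch that would be sent over RFC 2136. The record table is a constructed in-memory stand-in for real DNS, so it runs offline.

```python
# Added illustration: CNAME-following for DNS-01 over RFC 2136.
# RECORDS is constructed sample data mirroring the post's layout: public zones
# hold only the _acme-challenge CNAMEs; the delegated _tls.example.com zone
# (locally hosted, TTL 300) is the only place TXT records actually get written.
from typing import Dict, List, Tuple

RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "_acme-challenge.example.net.": [("CNAME", "example.net._tls.example.com.")],
    "_acme-challenge.example.org.": [("CNAME", "example.org._tls.example.com.")],
    "_tls.example.com.": [("SOA", "ns1.example.com."), ("NS", "ns1.example.com.")],
    "example.com.": [("SOA", "ns1.example.com.")],
    "example.net.": [("SOA", "ns1.example.net.")],
    "example.org.": [("SOA", "ns1.example.org.")],
}


def canonical(name: str) -> str:
    """Lower-case, fully qualified owner name with a single trailing dot."""
    return name.rstrip(".").lower() + "."


def follow_cnames(name: str, records=RECORDS, max_hops: int = 8) -> str:
    """Return the final non-CNAME owner; refuse loops and overlong chains."""
    seen = set()
    cur = canonical(name)
    while True:
        targets = [t for rtype, t in records.get(cur, []) if rtype == "CNAME"]
        if not targets:
            return cur
        seen.add(cur)
        cur = canonical(targets[0])
        if cur in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain over {max_hops} hops from {name}")


def find_zone(name: str, records=RECORDS) -> str:
    """Walk up the labels until an owner carrying an SOA is found (zone apex)."""
    labels = canonical(name).split(".")
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if any(rtype == "SOA" for rtype, _ in records.get(cand, [])):
            return cand
    raise LookupError(f"no zone found for {name}")


def build_update(domain: str, token_digest: str, records=RECORDS) -> Tuple[str, str]:
    """Build the nsupdate batch for one validation; returns (zone, script).
    Without follow_cnames(), the update would be aimed at the public zone."""
    owner = follow_cnames(f"_acme-challenge.{domain}", records)
    zone = find_zone(owner, records)
    script = "\n".join([f"zone {zone}", f"update delete {owner} TXT",
                        f'update add {owner} 300 TXT "{token_digest}"', "send"])
    return zone, script
```

The point of the contrast: `find_zone("_acme-challenge.example.net")` returns the public zone `example.net.`, which is where an rfc2136 client that ignores CNAMEs would try to write, while `build_update` lands in `_tls.example.com.`.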