Forum Discussion
Is custom BIG-IP device certificates renewal via cli or ansible-modules possible?
Hello fellow F5ers,
this article (https://my.f5.com/manage/s/article/K47052252) explains how to manually reset the Device Trust Certificates on a BIG-IP system using the web configuration utility.
I use ansible to bootstrap new vcmp guests, configure them with our standards and build a ha cluster in the end (takes about 8 minutes 😉).
Now I would like to renew the device trust certificates after creating a guest, so the certificate contains the proper device name for convenience reasons (i.e. better management in F5-DNS).
I can't find any information about how to renew those certificates other than via the web GUI.
Is there any way to achieve my goal via CLI, or ansible modules?
Cheers
You can use the TMSH command to run a bash command. In this case, openssl to generate the device self certificate (K9114 article). May be best however to create a file to feed into openssl with your required inputs such as CN, locality, etc and run the openssl command against this. Ansible supports running TMSH commands and running commands on the linux command line. I use that for setting master keys across devices 🙂
- IchnafiCirrostratus
Thank you for your input. I do use tmsh to set master keys as well (I also wrote an article about that here https://community.f5.com/t5/codeshare/ansible-running-bash-commands-with-bigip-command-module-how-it-s/ta-p/311593).
I hoped there was a more elegant way of achieving my goal by following the ansible way of life. - IchnafiCirrostratus
Hello again,
I'd like to supply some information and strange issues I ran into.
1. I followed article K9114 and found a way to provide all the inputs like CN in a bash one-liner:
openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -sha256 -keyout /config/httpd/conf/ssl.key/server.key -out /config/httpd/conf/ssl.crt/server.crt -subj '/emailAddress=mymail@example.com/C=XX/ST=MyState/L=MyTown/O=MyOrganisation/OU=MyDivision/CN=MyDevice.example.com'
2. I then wrote an Ansible task that executes the above command on the LTM:
# Ref https://my.f5.com/manage/s/article/K9114
- name: Renew Device Certificate
  f5networks.f5_modules.bigip_command:
    commands:
      - run /util bash -c "openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -sha256 -keyout /config/httpd/conf/ssl.key/server.key -out /config/httpd/conf/ssl.crt/server.crt -subj '/emailAddress=mymail@example.com/C=XX/ST=MyState/L=MyTown/O=MyOrganisation/OU=MyDivision/CN=MyDevice.example.com'"
    provider: "{{ bigip_provider }}"
  delegate_to: localhost

- name: Update Device-Trust
  f5networks.f5_modules.bigip_command:
    commands:
      - run /util bash -c "cat /config/httpd/conf/ssl.crt/server.crt > /config/big3d/client.crt"
    provider: "{{ bigip_provider }}"
  delegate_to: localhost
(sorry about the format. I tried to break the lines with "\", but Ansible didn't like that)
3. After running the Task, one has to restart HTTPD.
- Unfortunately this can't be achieved via iControl REST (see https://my.f5.com/manage/s/article/K13292945).
- Fortunately some legend created a Python script that builds a shell script on the LTM to restart the httpd process (https://community.f5.com/t5/codeshare/creating-a-tmsh-script-with-icontrol-rest-and-using-it-to/ta-p/290984).
- Unfortunately there is a typo (or outdated code) in line 34, so the script did not run (at least for me). Being a complete and utter Python noob, I was able to fix it (at least for me) and store it in my Ansible file structure under assets/restart_httpd.py:
# Troublesome line 34:
values = json.dumps(values)
# Change it to (urllib needs a bytes body in Python 3):
values = json.dumps(values).encode('utf-8')
4. So the complete task sequence to renew the device certificate and restart the HTTPD process looks like this:
# Ref https://my.f5.com/manage/s/article/K9114
- name: Renew Device Certificate
  f5networks.f5_modules.bigip_command:
    commands:
      - run /util bash -c "openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -sha256 -keyout /config/httpd/conf/ssl.key/server.key -out /config/httpd/conf/ssl.crt/server.crt -subj '/emailAddress=mymail@example.com/C=XX/ST=MyState/L=MyTown/O=MyOrganisation/OU=MyDivision/CN=MyDevice.example.com'"
    provider: "{{ bigip_provider }}"
  delegate_to: localhost

- name: Update Device-Trust
  f5networks.f5_modules.bigip_command:
    commands:
      - run /util bash -c "cat /config/httpd/conf/ssl.crt/server.crt > /config/big3d/client.crt"
    provider: "{{ bigip_provider }}"
  delegate_to: localhost

# HTTPD restart via iControl REST not possible: https://my.f5.com/manage/s/article/K13292945
# Solution: https://community.f5.com/t5/codeshare/creating-a-tmsh-script-with-icontrol-rest-and-using-it-to/ta-p/290984
- name: Restart HTTPD Process
  no_log: true
  ansible.builtin.script:
    cmd: assets/restart_httpd.py {{ ansible_host }} {{ admin_user }} {{ admin_password }}
    executable: python3
  delegate_to: localhost

- name: Wait for HTTPD
  f5networks.f5_modules.bigip_wait:
    delay: 10
    provider: "{{ bigip_provider }}"
  delegate_to: localhost
5. Unfortunately my test devices now behave strangely. At first glimpse everything is fine. But after randomly navigating to "System -> Certificate Management -> SSL Certificate List" the web frontend froze, and after some time my browser lost connection. BIG-IQ also lost connection... it took quite some time, but they came back eventually.
I did not find any related log messages that would explain what was going on. The fact that both test devices had the same behaviour after navigating to the certificate section leaves me thinking something in the guts is now kind of broken. I have intermittent timeouts when navigating toward the Certificate Management section.
I don't feel confident to release this in production.
EDIT
Captain's Log, supplemental:
I found some entries in httpd_error log that match this article: https://my.f5.com/manage/s/article/K14310611
I'm not quite sure if this is really the issue, since the recommended action is exactly what I was doing in the first place. After restarting restjavad, tomcat and restnoded as well, it seems better now. The thing is, restjavad cannot be restarted using iControl REST either, so one has to use a slightly modified Python script... hello rabbit hole, I'm coming.
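Steps 1 and 2 of the post above, as an added shell example that is not code from the thread: it runs the same openssl renewal into a scratch directory and verifies the CN, the key/cert pairing, the remaining validity and the copied trust certificate before anything would be written to the real /config paths. WORK, KEY, CRT and CLIENT_CRT are assumed names standing in for server.key, server.crt and /config/big3d/client.crt.

```shell
# Added example, not from the thread: renew into a scratch dir and verify.
# WORK/KEY/CRT/CLIENT_CRT are assumptions; on a BIG-IP they would be
# /config/httpd/conf/ssl.key/server.key, /config/httpd/conf/ssl.crt/server.crt
# and /config/big3d/client.crt.
set -u

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/server.key"
CRT="$WORK/server.crt"
CLIENT_CRT="$WORK/client.crt"

# Step 1: self-signed key + cert with the subject fields from the post; only the CN varies.
renew_device_cert() {
  openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -sha256 \
    -keyout "$KEY" -out "$CRT" \
    -subj "/emailAddress=mymail@example.com/C=XX/ST=MyState/L=MyTown/O=MyOrganisation/OU=MyDivision/CN=$1" \
    >/dev/null 2>&1
}

# The CN actually embedded in the new certificate (what device trust / F5-DNS will show).
cert_cn() {
  openssl x509 -in "$CRT" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Guard against a half-written pair: the key on disk must belong to the cert on disk.
key_matches_cert() {
  [ "$(openssl x509 -in "$CRT" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ]
}

# Step 2 from the post (cat server.crt > client.crt), then confirm both copies are the same cert.
update_device_trust_copy() {
  cat "$CRT" > "$CLIENT_CRT" &&
  [ "$(openssl x509 -in "$CRT" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$CLIENT_CRT" -noout -fingerprint -sha256)" ]
}

# Succeeds when the cert stays valid for at least $1 more days; a playbook can use this
# to skip the renewal (and the disruptive httpd restart) when nothing needs doing.
cert_valid_for_days() {
  openssl x509 -in "$CRT" -noout -checkend $(( $1 * 86400 ))
}
```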