For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ichnafi's avatar
Ichnafi
Icon for Cirrostratus rankCirrostratus
Nov 23, 2023

Is custom BIG-IP device certificates renewal via cli or ansible-modules possible?

Hello fellow F5ers, this article (https://my.f5.com/manage/s/article/K47052252) explanes how to manually reset the Device Trust Certificates on BIG-IP system using the web configuration utility. I ...
application delivery
devops
Ichnafi's avatar
Ichnafi
Icon for Cirrostratus rankCirrostratus
Nov 27, 2023

Hello again,

I'd like to supply some information and strange issues I run into.

1. I followed article K9114 and found a way to provide all the inputs like CN in a bash oneliner:

 

 

 

openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -sha256 -keyout /config/httpd/conf/ssl.key/server.key -out /config/httpd/conf/ssl.crt/server.crt -subj '/emailAddress=mymail@example.com/C=XX/ST=MyState/L=MyTown/O=MyOrganisation/OU=MyDivision/CN=MyDevice.example.com'

 

 

 

2. I then wrote an ansible Task that executes the obove command on the LTM

 

 

 

# Ref https://my.f5.com/manage/s/article/K9114
- name: Renew Device Certificate
  f5networks.f5_modules.bigip_command:
    commands: run /util bash -c "openssl req -x509 -nodes -days 3652 -newkey rsa:248 -sha256 -keyout /config/httpd/conf/ssl.key/server.key -out /config/httpd/conf/ssl.crt/server.crt -subj '/emailAddress=mymail@example.com/C=XX/ST=MyState/L=MyTown/O=MyOrganisation/OU=MyDivision/CN=MyDevice.example.com'"
    provider: "{{ bigip_provider }}"
  delegate_to: localhost

- name: Update Device-Trust
  f5networks.f5_modules.bigip_command:
    commands: run /util bash -c "cat /config/httpd/conf/ssl.crt/server.crt > /config/big3d/client.crt"
    provider: "{{ bigip_provider }}"
  delegate_to: localhost

 

 

 

(sorry about the format. I tried to break the lines wir "\", but ansible didn't like that)

3. After running the Task, one has to restart HTTPD.
- Unfortunately this can't be achieved via iControl Rest (see https://my.f5.com/manage/s/article/K13292945).

- Fortunately some legend created a Python script that builds a shell script on the LTM tun restart the httpd process (https://community.f5.com/t5/codeshare/creating-a-tmsh-script-with-icontrol-rest-and-using-it-to/ta-p/290984)

- Unfortunately there is a typo (or outdated code) in line 34, so the script did not run (at least for me). Beeing a complete and utter python noob,  I was able to fix (at least for me) and store it in my ansible file-structure under assets/restart_httpd.py:

 

 

 

#Troublesome Line 34
values = json.dumps(values)

#Change it to
values = json.dumps(values).encode('utf-8')

 

 

 

4. So the complete task sequence to renew the device-certificate and restart the http process loos like this:

 

 

 

# Ref https://my.f5.com/manage/s/article/K9114
- name: Renew Device Certificate
  f5networks.f5_modules.bigip_command:
    commands: run /util bash -c "openssl req -x509 -nodes -days 3652 -newkey rsa:248 -sha256 -keyout /config/httpd/conf/ssl.key/server.key -out /config/httpd/conf/ssl.crt/server.crt -subj '/emailAddress=mymail@example.com/C=XX/ST=MyState/L=MyTown/O=MyOrganisation/OU=MyDivision/CN=MyDevice.example.com'"
    provider: "{{ bigip_provider }}"
  delegate_to: localhost

- name: Update Device-Trust
  f5networks.f5_modules.bigip_command:
    commands: run /util bash -c "cat /config/httpd/conf/ssl.crt/server.crt > /config/big3d/client.crt"
    provider: "{{ bigip_provider }}"
  delegate_to: localhost
  
# HTTPD restart via iControl Rest not possible: https://my.f5.com/manage/s/article/K13292945
# Solution: https://community.f5.com/t5/codeshare/creating-a-tmsh-script-with-icontrol-rest-and-using-it-to/ta-p/290984
- name: Restart HTTPD Process
  no_log: true
  ansible.builtin.script:
    cmd: assets/restart_httpd.py {{ ansible_host }} {{ admin_user }} {{ admin_password }}
  args:
    executable: python3
  delegate_to: localhost

- name: Wait for HTTPD
  f5networks.f5_modules.bigip_wait:
    delay: 10
    provider: "{{ bigip_provider }}"
  delegate_to: localhost

 

 

 

5. Unfortunately my test devices now behave strangely. On first climpse everything is fine. But, after randomly navigating to "System -> Certificate Management -> SSL Certificate List" the web-frontend froze, and after some time my browser lost connection. BigIQ also lost connection...took quite some time but they came back eventually.

I did not find any related log messages that would explain what was going on. The fact that both test-devices had the same behaviour after navigating to the certificate section, leaves me thinking, something in the guts is now kind of broken. I have intermitten timeouts when navigating toward the Certificate Management section.

I don't feel confident, to release this in production.

EDIT

Captain's Log, supplemental:

I found some entries in httpd_error log that match this article: https://my.f5.com/manage/s/article/K14310611
I'm not quite sure if this is really the issue, since the recommended action is excactly what I was doing in the first place.

After restarting restjavad, tomcat and restnoded as well, it seems better now. The thing is, restjavad cannot be restarted using iControl Rest as well, so one had to use a slightly modified python script...hello rabbit hole, I'm coming.