Modifying SSL Profile via REST API
Hello everyone,
I am currently testing the REST API and having trouble with some simple changes on an SSL profile. I am using local authentication, trying to modify a certificate used in a test profile; however, I am getting an error. I do not find any documentation regarding the issue, hence I hope someone here could point me in the right direction.
My code looks as follows (by the way, I am using Ruby). Basically it is just pushing the data. I got the format via a GET request to be sure to have the right format. The values I changed in this request are: "certKeyChain" => "name", "cert" and "key".
require 'rest-client'
require 'json'
# open session
@session = RestClient::Resource.new('https://10.70.235.105/mgmt/tm', :verify_ssl => false, :user => "admin", :password => "admin")
# build data
c = {"kind"=>"tm:ltm:profile:client-ssl:client-sslstate",
"name"=>"test_bastian",
"partition"=>"Common",
"fullPath"=>"/Common/test_bastian",
"generation"=>1702,
"selfLink"=>
"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~test_bastian?ver=12.1.2",
"alertTimeout"=>"indefinite",
"allowDynamicRecordSizing"=>"disabled",
"allowExpiredCrl"=>"disabled",
"allowNonSsl"=>"disabled",
"authenticate"=>"once",
"authenticateDepth"=>9,
"cacheSize"=>262144,
"cacheTimeout"=>3600,
"cert"=>"/Common/new_test.crt",
"certReference"=>
{"link"=>
"https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
"certExtensionIncludes"=>["basic-constraints", "subject-alternative-name"],
"certLifespan"=>30,
"certLookupByIpaddrPort"=>"disabled",
"chain"=>"/Common/new_test.crt",
"chainReference"=>
{"link"=>
"https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
"ciphers"=>"DEFAULT",
"defaultsFrom"=>"/Common/clientssl",
"defaultsFromReference"=>
{"link"=>
"https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~clientssl?ver=12.1.2"},
"forwardProxyBypassDefaultAction"=>"intercept",
"genericAlert"=>"enabled",
"handshakeTimeout"=>"10",
"inheritCertkeychain"=>"false",
"key"=>"/Common/new_test.key",
"keyReference"=>
{"link"=>
"https://localhost/mgmt/tm/sys/file/ssl-key/~Common~new_test.key?ver=12.1.2"},
"maxActiveHandshakes"=>"indefinite",
"maxAggregateRenegotiationPerMinute"=>"indefinite",
"maxRenegotiationsPerMinute"=>5,
"maximumRecordSize"=>16384,
"modSslMethods"=>"disabled",
"mode"=>"enabled",
"tmOptions"=>["dont-insert-empty-fragments"],
"peerCertMode"=>"ignore",
"peerNoRenegotiateTimeout"=>"10",
"proxySsl"=>"disabled",
"proxySslPassthrough"=>"disabled",
"renegotiateMaxRecordDelay"=>"indefinite",
"renegotiatePeriod"=>"indefinite",
"renegotiateSize"=>"indefinite",
"renegotiation"=>"enabled",
"retainCertificate"=>"true",
"secureRenegotiation"=>"require",
"sessionMirroring"=>"disabled",
"sessionTicket"=>"disabled",
"sessionTicketTimeout"=>0,
"sniDefault"=>"false",
"sniRequire"=>"false",
"sslForwardProxy"=>"disabled",
"sslForwardProxyBypass"=>"disabled",
"sslSignHash"=>"any",
"strictResume"=>"disabled",
"uncleanShutdown"=>"enabled",
"certKeyChain"=>
[{"name"=>"default",
"cert"=>"/Common/default.crt",
"certReference"=>
{"link"=>
"https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
"chain"=>"",
"chainReference"=>
{"link"=>
"https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
"key"=>"/Common/default.key",
"keyReference"=>
{"link"=>
"https://localhost/mgmt/tm/sys/file/ssl-key/~Common~new_test.key?ver=12.1.2"}}]}
c = c.to_json
# push data
profile = "test_bastian"
push_profile = @session["ltm/profile/client-ssl/~Common~" + profile].put(c, :content_type => :json)
When running the script, I get the following errors:
RestClient.put "https://10.70.235.105/mgmt/tm/ltm/profile/client-ssl/~Common~test_bastian", 2467 byte(s) length, "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"2467", "Content-Type"=>"application/json", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
=> 400 BadRequest | application/json 145 bytes
{"code":400,"message":"010717e7:3: cert-key-chain and profile cert, key or chain options cannot be input together.","errorStack":[],"apiError":3}
Would be nice to get some feedback 🙂
Thanks for your feedback PK, but I found the issue:
- First of all, I pulled the whole profile, changed the settings and pushed it again. This does not work. You have to push only the values you want to change, in this case "cert", "key", and "chain".
- Second: I tried to change the mentioned values in "certKeyChain", however there are other key/value pairs within the hash I needed to change. It is a bit confusing, since they have the same name, and from my point of view, it makes more sense that the ones in the certKeyChain are the correct ones, but this is not the case.
So all I had to push is:
{"cert"=>"/Common/new_test.crt", "key"=>"/Common/new_test.key", "chain"=>"/Common/new_test.crt"}
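The fix described in the last post, generalised as an added example (not code from the thread or from F5): reduce an edited profile hash to only the changed keys and refuse to send certKeyChain together with cert, key or chain, which is the condition behind error 010717e7. The method names and sample hashes are hypothetical; session is assumed to be a RestClient::Resource like the one in the question, created with certificate verification enabled.

```ruby
require 'json'

# Top-level options the device rejects when certKeyChain is in the same body
# (error 010717e7 quoted in the post).
PROFILE_CERT_OPTIONS = %w[cert key chain].freeze

# Reduce `desired` to the keys whose value differs from `current`, the parsed
# GET response, so unchanged fields (kind, generation, ...) are not sent back.
def minimal_payload(current, desired)
  payload = desired.reject { |key, value| current[key] == value }
  mixed = payload.key?('certKeyChain') &&
          PROFILE_CERT_OPTIONS.any? { |key| payload.key?(key) }
  raise ArgumentError, 'certKeyChain and cert/key/chain in one request' if mixed
  payload
end

# Same rest-client call as in the post, but with the reduced body.
# Returns nil without sending anything when there is nothing to change.
def push_profile_changes(session, profile, current, desired)
  payload = minimal_payload(current, desired)
  return nil if payload.empty?
  session["ltm/profile/client-ssl/~Common~#{profile}"]
    .put(payload.to_json, content_type: :json)
end

# Constructed sample data (trimmed; not a real device response).
SAMPLE_CURRENT = {
  'name' => 'test_bastian',
  'generation' => 1702,
  'ciphers' => 'DEFAULT',
  'cert' => '/Common/default.crt',
  'key' => '/Common/default.key',
  'chain' => 'none',
  'certKeyChain' => [{ 'name' => 'default', 'cert' => '/Common/default.crt',
                       'key' => '/Common/default.key' }]
}.freeze

# Constructed edit: ciphers is unchanged and is dropped from the request body.
SAMPLE_DESIRED = {
  'ciphers' => 'DEFAULT',
  'cert' => '/Common/new_test.crt',
  'key' => '/Common/new_test.key',
  'chain' => '/Common/new_test.crt'
}.freeze
```

Passing a full edited copy of the GET response as desired reproduces the situation in the question: if both the top-level options and certKeyChain were modified, the ArgumentError is raised locally before any request is made.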