Forum Discussion

Gary_Galehouse's avatar
Gary_Galehouse
Icon for Nimbostratus rankNimbostratus
Jun 03, 2020

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Hi,

I am trying to overwrite an existing cert and key within the LTM SSL Traffic cert and key using iControlREST. Here is the basic process, and result of each step.

  1. Upload key and cert PEM files to the uploads directory. I have tried this step both inside and outside of a transaction with the same result. This works fine.
  2. Create a transaction using the transaction REST endpoint. This works fine.
  3. Add a command to install the key over the desired SSL Traffic key referencing the local path from step 1 with the transaction id in the header. The command is set to install and from-local-file. Successfully added to the transaction commands.
  4. Add a command to install the key over the desired SSL Traffic cert referencing the local path from step 1 with the transaction id in the header.  The command is set to install and from-local-file.  Successfully added to the transaction commands.
  5. Get the transaction commands just to observe the contents. The commands are present, and the paths are correct per steps 3 & 4 above.
  6. Attempt to commit the transaction, and receive the failure with a message like the one below.

message=transaction failed:01070712:3: file (/var/system/tmp/tmsh/GexeqO/IIS-F5v13.key) expected to exist.

As you can see, F5 is looking in a different directory than specified in steps 3 & 4. I've closely examined all requests and responses using Fiddler, and there's no way to determine the randomly generated sub directory name ('GexeqO' in this particular case). It is different each transaction. Also note, this happens even when not overwriting existing entries. But I am using a transaction so that I don't get the 'key and certificate do not match' message. Any insights would be tremendously helpful.

Best,

Gary

  • Gary_GalehousejakauppilaHave you found the fix for the error? I have the same issue

    • Product     BIG-IP
    • Version     13.1.1
    • Build       0.0.4

    I would be very grateful if you could give me suggestions on how to resolve it.

    • jakauppila's avatar
      jakauppila
      Icon for Altostratus rankAltostratus

      mpelekhUnfortunately no solution for explicitly uploading the cert/key as they changed the behavior from v13 to v14+ via https://cdn.f5.com/product/bugtracker/ID535122.html.

      That being said, we kept with our previous existing logic of simply uploading the .pfx instead of the cert/key seperately.

      # Export the the x509CeritificateColllection with the passphrase; we will use this to upload it to the F5 appliance
      $x509Certificate2CollectionByteArray = $x509Certificate2Collection.Export('Pkcs12', $securePassword)
      
      $contentRange = "0-{0}/{1}" -f ($x509Certificate2CollectionByteArray.Length - 1), $x509Certificate2CollectionByteArray.Length
      
      $f5CertHeaders = @{ 'Authorization' = "Basic $f5Base64Auth"
        'Content-Length'                  = $x509Certificate2CollectionByteArray.Length
        'Content-Range'                   = $contentRange
      }
      
      # Upload the certificate as a PFX to the appliance, this drops it in /var/config/rest/downloads/
      Write-Verbose "Uploading '$F5CertificateName.pfx'"
      $uploadResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/shared/file-transfer/uploads/$F5CertificateName.pfx" -Method POST -Body $x509Certificate2CollectionByteArray -Headers $f5CertHeaders -ContentType "application/octet-stream" -ErrorAction Stop
            
      $certBody = [ordered]@{"command" = "install"
        "from-local-file"              = $uploadResponse.localFilePath
        "passphrase"                   = $securePassword
      } | ConvertTo-Json
      
      # Install the certificate by loading it from the file we just uploaded
      Write-Verbose "Importing certificate '$F5CertificateName.pfx'"
      $importResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/tm/sys/crypto/pkcs12/$F5CertificateName" -Method POST -Body $certBody -Headers $f5AuthHeader -ContentType 'application/json' -ErrorAction Stop
      
      $importResponse | Select-Object -Property * -ExcludeProperty 'passphrase' | Write-Verbose
      
      Write-Verbose "Successfully certificate '$F5CertificateName.pfx'"
      
      # Delete the file we uploaded above since it's no longer needed on the appliance
      $deleteBody = [ordered]@{"command" = "run"
        "utilCmdArgs"                    = " -c `"rm -f $($uploadResponse.localFilePath)`""
      } | ConvertTo-Json -Compress
      
      Write-Verbose "Deleting .pfx from appliance with $($deleteBody)"
      $deleteResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/tm/util/bash" -Method POST -Body $deleteBody -Headers $f5AuthHeader -ContentType 'application/json' -ErrorAction Stop
      $deleteResponse | Select-Object -Property * | Write-Verbose

       

      • mpelekh's avatar
        mpelekh
        Icon for Altostratus rankAltostratus

        Thank you, jakauppila , for your feedback. It's great that you have a workaround for this problem.
        I am observing a bit of a different issue than the one listed in the bug.
        I am using tmsh. When the certificate is going to be installed in the scope of the transaction, the following error occurs:

        # (echo create cli transaction; echo install sys crypto cert test-cert.crt from-local-file /tmp/test-crt.crt; echo submit cli transaction) | tmsh
        
        transaction failed: 01070712:3: file (/var/system/tmp/tmsh/X0rwba/test-crt.crt) expected to exist.

        I set the `from-local-file` option to `/tmp/test-cert.crt, but the error reads that file (/var/system/tmp/tmsh/X0rwba/test-cert.crt) expected to exist.

        The certificate is installed successfully when the command is launched outside of the transaction.

        # tmsh install sys crypto cert test-cert.crt from-local-file /tmp/test-cert.crt;
        # tmsh list /sys crypto cert test-cert2crt
        sys crypto cert test-cert.crt {
        ...
        }