Forum Discussion
Overwriting or adding LTM SSL Traffic cert and key using iControlREST
Gary_Galehouse jakauppila Have you found the fix for the error? I have the same issue.
- Product BIG-IP
- Version 13.1.1
- Build 0.0.4
I would be very grateful if you could give me suggestions on how to resolve it.
- jakauppila, Apr 18, 2024 (Altostratus)
mpelekh Unfortunately no solution for explicitly uploading the cert/key as they changed the behavior from v13 to v14+ via https://cdn.f5.com/product/bugtracker/ID535122.html.
That being said, we kept with our previous existing logic of simply uploading the .pfx instead of the cert/key separately.
```powershell
# Assumed to be defined earlier in the script:
#   $x509Certificate2Collection  - the X509Certificate2Collection holding the cert chain and private key
#   $securePassword              - the PFX passphrase (a plain string, used both for Export() and in the JSON body)
#   $f5Base64Auth / $f5AuthHeader - Basic auth credentials for the appliance
#   $F5Appliance / $F5CertificateName - appliance hostname and the name to install the cert under

# Export the X509Certificate2Collection with the passphrase; we will use this to upload it to the F5 appliance
$x509Certificate2CollectionByteArray = $x509Certificate2Collection.Export('Pkcs12', $securePassword)
# Single-request upload: Content-Range covers the whole file ("0-<len-1>/<len>")
$contentRange = "0-{0}/{1}" -f ($x509Certificate2CollectionByteArray.Length - 1), $x509Certificate2CollectionByteArray.Length
$f5CertHeaders = @{
    'Authorization'  = "Basic $f5Base64Auth"
    'Content-Length' = $x509Certificate2CollectionByteArray.Length
    'Content-Range'  = $contentRange
}

# Upload the certificate as a PFX to the appliance, this drops it in /var/config/rest/downloads/
Write-Verbose "Uploading '$F5CertificateName.pfx'"
$uploadResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/shared/file-transfer/uploads/$F5CertificateName.pfx" -Method POST -Body $x509Certificate2CollectionByteArray -Headers $f5CertHeaders -ContentType "application/octet-stream" -ErrorAction Stop

$certBody = [ordered]@{
    "command"         = "install"
    "from-local-file" = $uploadResponse.localFilePath
    "passphrase"      = $securePassword
} | ConvertTo-Json

# Install the certificate by loading it from the file we just uploaded
Write-Verbose "Importing certificate '$F5CertificateName.pfx'"
$importResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/tm/sys/crypto/pkcs12/$F5CertificateName" -Method POST -Body $certBody -Headers $f5AuthHeader -ContentType 'application/json' -ErrorAction Stop
# The install response echoes the passphrase back; keep it out of the verbose log
$importResponse | Select-Object -Property * -ExcludeProperty 'passphrase' | Write-Verbose
Write-Verbose "Successfully imported certificate '$F5CertificateName.pfx'"

# Delete the file we uploaded above since it's no longer needed on the appliance
$deleteBody = [ordered]@{
    "command"     = "run"
    "utilCmdArgs" = " -c `"rm -f $($uploadResponse.localFilePath)`""
} | ConvertTo-Json -Compress
Write-Verbose "Deleting .pfx from appliance with $($deleteBody)"
$deleteResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/tm/util/bash" -Method POST -Body $deleteBody -Headers $f5AuthHeader -ContentType 'application/json' -ErrorAction Stop
$deleteResponse | Select-Object -Property * | Write-Verbose
```
- mpelekh, Apr 19, 2024 (Altostratus)
Thank you, jakauppila, for your feedback. It's great that you have a workaround for this problem.
I am observing a bit of a different issue than the one listed in the bug.
I am using tmsh. When the certificate is going to be installed in the scope of the transaction, the following error occurs:
```
# (echo create cli transaction; echo install sys crypto cert test-cert.crt from-local-file /tmp/test-crt.crt; echo submit cli transaction) | tmsh
transaction failed: 01070712:3: file (/var/system/tmp/tmsh/X0rwba/test-crt.crt) expected to exist.
```
I set the `from-local-file` option to `/tmp/test-cert.crt`, but the error reads that file (/var/system/tmp/tmsh/X0rwba/test-cert.crt) expected to exist.
The certificate is installed successfully when the command is launched outside of the transaction.
```
# tmsh install sys crypto cert test-cert.crt from-local-file /tmp/test-cert.crt
# tmsh list /sys crypto cert test-cert2crt
sys crypto cert test-cert.crt { ... }
```
- jakauppila, Apr 19, 2024 (Altostratus)
mpelekh Got it, looking back through my support requests, that was where I had started too. Supposedly that was fixed in 14.0.0, https://cdn.f5.com/product/bugtracker/ID468505.html
We were trying to find a solution that worked for both v13 and v15+ as we were transitioning to new appliances which is why we needed something that worked on both versions.
Since the pfx route is really just, upload, import, delete, there wasn't really a need to use a transaction. We push the cert to the appliance and then use Terraform for the actual tenant configurations.