Forum Discussion
Overwriting or adding LTM SSL Traffic cert and key using iControlREST
Gary_Galehouse, jakauppila: Have you found the fix for the error? I have the same issue.
- Product BIG-IP
- Version 13.1.1
- Build 0.0.4
I would be very grateful if you could give me suggestions on how to resolve it.
- jakauppila, Apr 18, 2024 (Altostratus)
mpelekh: Unfortunately no solution for explicitly uploading the cert/key as they changed the behavior from v13 to v14+ via https://cdn.f5.com/product/bugtracker/ID535122.html.
That being said, we kept with our previous existing logic of simply uploading the .pfx instead of the cert/key separately.
```powershell
# Assumed to be defined earlier in the script: $F5Appliance, $F5CertificateName,
# $f5Base64Auth (base64 of "user:password"), $x509Certificate2Collection and
# $securePassword (assumed to hold the passphrase as a plain string, since both
# X509Certificate2Collection.Export() and the JSON install body need one).
$f5AuthHeader = @{ 'Authorization' = "Basic $f5Base64Auth" }

# Export the X509Certificate2Collection as PKCS#12 with the passphrase; this is what we upload to the F5 appliance
$x509Certificate2CollectionByteArray = $x509Certificate2Collection.Export('Pkcs12', $securePassword)
$contentRange = "0-{0}/{1}" -f ($x509Certificate2CollectionByteArray.Length - 1), $x509Certificate2CollectionByteArray.Length
$f5CertHeaders = @{
    'Authorization'  = "Basic $f5Base64Auth"
    'Content-Length' = $x509Certificate2CollectionByteArray.Length
    'Content-Range'  = $contentRange
}

# Upload the certificate as a PFX to the appliance; this drops it in /var/config/rest/downloads/
Write-Verbose "Uploading '$F5CertificateName.pfx'"
$uploadResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/shared/file-transfer/uploads/$F5CertificateName.pfx" `
    -Method POST -Body $x509Certificate2CollectionByteArray -Headers $f5CertHeaders `
    -ContentType 'application/octet-stream' -ErrorAction Stop

$certBody = [ordered]@{
    'command'         = 'install'
    'from-local-file' = $uploadResponse.localFilePath
    'passphrase'      = $securePassword
} | ConvertTo-Json

# Install the certificate and key by loading them from the file we just uploaded
Write-Verbose "Importing certificate '$F5CertificateName.pfx'"
$importResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/tm/sys/crypto/pkcs12/$F5CertificateName" `
    -Method POST -Body $certBody -Headers $f5AuthHeader -ContentType 'application/json' -ErrorAction Stop
# Keep the passphrase out of the verbose log
$importResponse | Select-Object -Property * -ExcludeProperty 'passphrase' | Out-String | Write-Verbose
Write-Verbose "Successfully imported certificate '$F5CertificateName.pfx'"

# Delete the file we uploaded above since it's no longer needed on the appliance
$deleteBody = [ordered]@{
    'command'     = 'run'
    'utilCmdArgs' = " -c `"rm -f $($uploadResponse.localFilePath)`""
} | ConvertTo-Json -Compress
Write-Verbose "Deleting .pfx from appliance with $($deleteBody)"
$deleteResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/tm/util/bash" `
    -Method POST -Body $deleteBody -Headers $f5AuthHeader -ContentType 'application/json' -ErrorAction Stop
$deleteResponse | Select-Object -Property * | Out-String | Write-Verbose
```

- mpelekh, Apr 19, 2024 (Altostratus)
Thank you, jakauppila , for your feedback. It's great that you have a workaround for this problem.
I am observing a bit of a different issue than the one listed in the bug.
I am using tmsh. When the certificate is going to be installed in the scope of a transaction, the following error occurs:

```
# (echo create cli transaction; echo install sys crypto cert test-cert.crt from-local-file /tmp/test-crt.crt; echo submit cli transaction) | tmsh
transaction failed: 01070712:3: file (/var/system/tmp/tmsh/X0rwba/test-crt.crt) expected to exist.
```

I set the `from-local-file` option to `/tmp/test-cert.crt`, but the error reads that file (/var/system/tmp/tmsh/X0rwba/test-cert.crt) expected to exist.
The certificate is installed successfully when the command is launched outside of the transaction.

```
# tmsh install sys crypto cert test-cert.crt from-local-file /tmp/test-cert.crt;
# tmsh list /sys crypto cert test-cert2crt
sys crypto cert test-cert.crt { ... }
```

- jakauppila, Apr 19, 2024 (Altostratus)
mpelekh: Got it, looking back through my support requests, that was where I had started too. Supposedly that was fixed in 14.0.0, https://cdn.f5.com/product/bugtracker/ID468505.html
We were trying to find a solution that worked for both v13 and v15+ as we were transitioning to new appliances, which is why we needed something that worked on both versions.
Since the pfx route is really just upload, import, delete, there wasn't really a need to use a transaction. We push the cert to the appliance and then use Terraform for the actual tenant configurations.