Forum Discussion
Overwriting or adding LTM SSL Traffic cert and key using iControlREST
Hi,
I am trying to overwrite an existing cert and key within the LTM SSL Traffic cert and key using iControlREST. Here is the basic process, and result of each step.
- Upload key and cert PEM files to the uploads directory. I have tried this step both inside and outside of a transaction with the same result. This works fine.
- Create a transaction using the transaction REST endpoint. This works fine.
- Add a command to install the key over the desired SSL Traffic key referencing the local path from step 1 with the transaction id in the header. The command is set to install and from-local-file. Successfully added to the transaction commands.
- Add a command to install the key over the desired SSL Traffic cert referencing the local path from step 1 with the transaction id in the header. The command is set to install and from-local-file. Successfully added to the transaction commands.
- Get the transaction commands just to observe the contents. The commands are present, and the paths are correct per steps 3 & 4 above.
- Attempt to commit the transaction, and receive the failure with a message like the one below.
message=transaction failed:01070712:3: file (/var/system/tmp/tmsh/GexeqO/IIS-F5v13.key) expected to exist.
As you can see, F5 is looking in a different directory than specified in steps 3 & 4. I've closely examined all requests and responses using Fiddler, and there's no way to determine the randomly generated sub directory name ('GexeqO' in this particular case). It is different each transaction. Also note, this happens even when not overwriting existing entries. But I am using a transaction so that I don't get the 'key and certificate do not match' message. Any insights would be tremendously helpful.
Best,
Gary
- mpelekh (Altostratus)
Gary_Galehouse, jakauppila, have you found the fix for the error? I have the same issue.
- Product BIG-IP
- Version 13.1.1
- Build 0.0.4
I would be very grateful if you could give me suggestions on how to resolve it.
- jakauppila (Altostratus)
mpelekh, unfortunately no solution for explicitly uploading the cert/key, as they changed the behavior from v13 to v14+ via https://cdn.f5.com/product/bugtracker/ID535122.html.
That being said, we kept with our previous existing logic of simply uploading the .pfx instead of the cert/key separately.
```powershell
# Export the X509Certificate2Collection with the passphrase; we will use this to upload it to the F5 appliance
$x509Certificate2CollectionByteArray = $x509Certificate2Collection.Export('Pkcs12', $securePassword)
# Content-Range is mandatory on the file-transfer endpoint: "first-last/total" in bytes
$contentRange = "0-{0}/{1}" -f ($x509Certificate2CollectionByteArray.Length - 1), $x509Certificate2CollectionByteArray.Length
$f5CertHeaders = @{
    'Authorization'  = "Basic $f5Base64Auth"
    'Content-Length' = $x509Certificate2CollectionByteArray.Length
    'Content-Range'  = $contentRange
}

# Upload the certificate as a PFX to the appliance; this drops it in /var/config/rest/downloads/
Write-Verbose "Uploading '$F5CertificateName.pfx'"
$uploadResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/shared/file-transfer/uploads/$F5CertificateName.pfx" -Method POST -Body $x509Certificate2CollectionByteArray -Headers $f5CertHeaders -ContentType "application/octet-stream" -ErrorAction Stop

# Install command referencing the path the upload endpoint reported back
$certBody = [ordered]@{
    "command"         = "install"
    "from-local-file" = $uploadResponse.localFilePath
    "passphrase"      = $securePassword
} | ConvertTo-Json

# Install the certificate by loading it from the file we just uploaded
Write-Verbose "Importing certificate '$F5CertificateName.pfx'"
$importResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/tm/sys/crypto/pkcs12/$F5CertificateName" -Method POST -Body $certBody -Headers $f5AuthHeader -ContentType 'application/json' -ErrorAction Stop
# Keep the passphrase out of verbose logs
$importResponse | Select-Object -Property * -ExcludeProperty 'passphrase' | Write-Verbose
Write-Verbose "Successfully imported certificate '$F5CertificateName.pfx'"

# Delete the file we uploaded above since it's no longer needed on the appliance
$deleteBody = [ordered]@{
    "command"     = "run"
    "utilCmdArgs" = " -c `"rm -f $($uploadResponse.localFilePath)`""
} | ConvertTo-Json -Compress
Write-Verbose "Deleting .pfx from appliance with $($deleteBody)"
$deleteResponse = Invoke-RestMethod -Uri "https://$F5Appliance/mgmt/tm/util/bash" -Method POST -Body $deleteBody -Headers $f5AuthHeader -ContentType 'application/json' -ErrorAction Stop
$deleteResponse | Select-Object -Property * | Write-Verbose
```
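An added example (Python, written for this edit; not code from the thread, from jakauppila or from F5) that covers both the original post's flow and the PKCS#12 workaround above: a chunked upload with Content-Range headers, then either a pkcs12 install or a cert plus key install under one X-F5-REST-Coordination-Id that is committed at the end. The host, credentials, chunk size and a trusted management certificate are assumptions.

```python
"""Added example, not code from the thread. Uploads a file to a BIG-IP over
iControl REST and installs it as PKCS#12 or as cert+key inside one transaction.
Assumes the BIG-IP management TLS certificate is trusted by this host."""
import base64
import json
import urllib.request

CHUNK = 512 * 1024  # assumed chunk size; the upload endpoint limits body size

def content_ranges(total, chunk=CHUNK):
    """(start, end, 'start-end/total') for each chunk of a body of `total` bytes."""
    ranges = []
    for start in range(0, total, chunk):
        end = min(start + chunk, total) - 1
        ranges.append((start, end, f"{start}-{end}/{total}"))
    return ranges

def install_body(local_path, name=None, passphrase=None):
    """Body for the iControl 'install' command; unset fields are omitted."""
    extra = {"name": name, "passphrase": passphrase}
    return {"command": "install", "from-local-file": local_path,
            **{k: v for k, v in extra.items() if v}}

def _call(url, method, body, auth, extra=None, ctype="application/json"):
    hdrs = {"Authorization": "Basic " + base64.b64encode(auth.encode()).decode(),
            "Content-Type": ctype, **(extra or {})}
    req = urllib.request.Request(url, data=body, method=method, headers=hdrs)
    with urllib.request.urlopen(req) as resp:  # default context verifies the server cert
        return json.load(resp)

def upload(host, auth, name, data):
    """Chunked POST to /mgmt/shared/file-transfer/uploads; returns localFilePath."""
    url = f"https://{host}/mgmt/shared/file-transfer/uploads/{name}"
    for start, end, rng in content_ranges(len(data)):
        resp = _call(url, "POST", data[start:end + 1], auth,
                     {"Content-Range": rng}, "application/octet-stream")
    return resp["localFilePath"]

def install_pkcs12(host, auth, name, local_path, passphrase):
    body = json.dumps(install_body(local_path, passphrase=passphrase)).encode()
    return _call(f"https://{host}/mgmt/tm/sys/crypto/pkcs12/{name}", "POST", body, auth)

def install_pair_in_transaction(host, auth, name, cert_path, key_path):
    """Cert and key installed under one X-F5-REST-Coordination-Id, then committed."""
    base = f"https://{host}/mgmt/tm"
    tx = _call(f"{base}/transaction", "POST", b"{}", auth)["transId"]
    txh = {"X-F5-REST-Coordination-Id": str(tx)}
    for kind, path in (("cert", cert_path), ("key", key_path)):
        body = json.dumps(install_body(path, name=name)).encode()
        _call(f"{base}/sys/crypto/{kind}", "POST", body, auth, txh)
    return _call(f"{base}/transaction/{tx}", "PATCH", b'{"state": "VALIDATING"}', auth)
```

On the versions discussed in this thread the transaction variant is the one that produces the "expected to exist" failure, while the pkcs12 route is the one jakauppila reports working.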
- mpelekh (Altostratus)
Thank you, jakauppila , for your feedback. It's great that you have a workaround for this problem.
I am observing a bit of a different issue than the one listed in the bug.
I am using tmsh. When the certificate is going to be installed in the scope of the transaction, the following error occurs:

```
# (echo create cli transaction; echo install sys crypto cert test-cert.crt from-local-file /tmp/test-crt.crt; echo submit cli transaction) | tmsh
transaction failed: 01070712:3: file (/var/system/tmp/tmsh/X0rwba/test-crt.crt) expected to exist.
```

I set the `from-local-file` option to `/tmp/test-cert.crt`, but the error reads that file (/var/system/tmp/tmsh/X0rwba/test-cert.crt) expected to exist.
The certificate is installed successfully when the command is launched outside of the transaction.

```
# tmsh install sys crypto cert test-cert.crt from-local-file /tmp/test-cert.crt
# tmsh list /sys crypto cert test-cert2crt
sys crypto cert test-cert.crt {
    ...
}
```
- jakauppilaAltostratus
Gary_Galehouse Did you ever find a solution for this? I'm encountering the exact same issue.