Forum Discussion

andy_12_5042's avatar
andy_12_5042
Icon for Nimbostratus rankNimbostratus
Dec 29, 2010

pycontrol to set certificate/key for ssl profile

Sorry for the triple post last question...... My browser appeared to timeout so I thought submission was failing..

 

 

I have noticed that it is not possible to create a new profile and set the key,certificate, and passphrase via icontrol. these calls are seperate and would need to be in parallel to be able to work. I have gotten around this in 2 ways.

 

 

1) I create a new profile that has the private key, passphrase that I will be using on all ssl profiles. When I use icontrol to create any new profile, I set the default parent profile to the one that I created above and am able to set the cert to whatever I want and avoid the PEM mismatch errors.

 

 

2) I can use python and make calls to run bigpipe commands on the f5 as these calls are in parallel and dont have the issue with PEM errors. I use ssh keys for security but I still am not a fan of doing stuff like this.

 

 

 

Does anyone know of a better way to do this? Is there some magic with newer version that dont have this issue in icontrol? I have looked everywhere and found an old cached thread where someone had same issue and F5 stated it wold be fixed in later version, but it is still an issue. Am I stuck with doing it as I am above or is there something better?

 

 

 

Thanks

 

Andy

 

8 Replies

  • Andy: I'll take a quick look at this and get back.

     

     

    PS - thanks for the useful info on the cipher list!

     

     

    -Matt
  • I have a feeling I'm missing what you're trying to do Andy. Anyhow - here's an example of create() with set_passphrase():

    
    In [78]:  cert_ob =  ssl.typefactory.create('LocalLB.ProfileString')
    In [79]: key_ob =  ssl.typefactory.create('LocalLB.ProfileString')
    
    In [80]:  cert_ob.value = 'default.crt'
    In [81]: key_ob.value = 'default.key'
    In [82]: cert_ob.default_flag,key_ob.default_flag = True,True
    In [83]: ssl.create(profile_names = ['via-pycontrol'], keys = [key_ob], certs=[cert_ob])
    
     Now set the passphrase on our new profile.
    In [84]: phrase = ssl.typefactory.create('LocalLB.ProfileString')
    In [85]: phrase.default_flag = False
    In [86]: phrase.value = 'L4L7'
    In [87]: ssl.set_passphrase(['via-pycontrol'],passphrases=[phrase])
    
    Confirm we have a profile, and a passphrase:
    In [88]: ssl.get_passphrase(['via-pycontrol'])
    Out[88]:
    [(LocalLB.ProfileString){
       value = "$M$61$5qbNv9PnBOcvfUIwFnkyWQ=="
       default_flag = False
     }]
    

    Is this what you are after? For me, the key piece to set the passphrase was to set the default_flag to False. Using True wouldn't allow me to set the value.

    -Matt

  • the problem is that I would want to specify a customer certificate and private key which is not the default on the F5. So you have created a profile and set the pass-phrase in a similar way that I do initially, however, now setting a certificate and a private key are 2 separate methods that have to be called together to work, which they cant be and you will get PEM errors due to that fact.

     

     

    So to do what I am looking for there would need to be a new function that could both set the certificate and the private key in parallel.. So far I can only make it work by creating the profile by letting it inherit the default and then changing the default pool on the new profile to be the one that holds my private key and pass-phrase settings already with a certificate that has been created with that same key as a placeholder. (this works because I am using the same private key and pass-phrase for most profiles) Then I can change the certificate with no headache as the key is already set.

     

     

    Hope that makes some sense. Picture a customer environment where I have many profiles and certificates for different domains.......

     

     

  • Isn't the PEM error indicative of an error, like a key/cert mismatch?

     

    -Matt
  • yes exactly. And since you cant set these 2 values at the same time, there is no way around it. It is only a mismatch because in the call you are trying to set one of those values without setting the other. No matter what a profile you create will have these values inherited or set from somewhere. I think a better solution would be to have a create_profile method that could set the cert,key, and pass-phrase at same time. It is not possible to create a profile and let it inherit the defaults and then go back and change the cert/key pair as they are separate calls. This is not an issue with pycontrol but an issue with icontrol itself.

     

     

    I have even created a ticket with F5 on this as I have support on many of my F5's. I did not read the fine print though as icontrol is not supported as I am told... That is frustrating and hence why I use the workarounds that I stated in the beginning.
  • I found a thread with someone having same type of issue here in this forum. I believe you have already responded to this and it looks like this is a known bug or issue in icontrol.. Sorry if I was not more clear in my descriptions above. So based on this other thread, is it correct to assume there is no way around this?

     

     

     

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/51/afv/topic/aft/790662/aff/1/showtab/groupforums/Default.aspx

     

  • what would be nice is the ability to do the same thing as I can via bigpipe with icontrol:

     

     

    b profile clientssl test {key "keyfile" cert "ssl-certificate" passphrase "passphrase"}

     

     

     

    It is actually cleaner to use pyhthon with ssh keys and call bigpipe to do this one piece of the automation. Otherwise I have to go through all of this headache with default parent profiles and multiple calls. This way is one single call and I can use this to create a new profile or renew the certificate of an existing profile without all the hassles. The only thing is it would be nice to build a little web app that is all web service via CGI and not have to hack with system calls directly on the F5 via os.system....

     

     

     

    Something like this (seems to work good but is kind of hacky. Again I am using ssh PKI to keep secure and only allow from internal)

     

     

    remotehost='icontrol@' + host

     

    command= " b profile clientssl " + profname + " {defaults from userl key " + "\" " + key + "\" " + " cert " + "\" " + cert + "\" " + "}"

     

    os.system(' ssh "%s" "%s"' % (remotehost, command) )

     

     

     

    Anyway, hopefully there will be some fix in icontrol soon. I still enjoy using pycontrol and appreciate all your help...
  • Andy: yep, looks like you've tracked it down, thanks for the link. Can you do us a favor? Open up a case with support and request that you be attached to CR70232. This will help move it along (the more customers we hang off of these the better).

     

     

    The work around isn't ideal, for sure. BUT, good work working around it anyhow! It's good to know that at the very least it won't be a show stopper for you. For future work, and for whenever this gets fixed (currently targeted for our next feature release), I'd suggest wrapping this up in a def so you can change it later without any heavy rework of the stuff you're writing now.

     

     

    Thanks again for your activity, sleuth work, and using pyControl. I've got a new version ready to finish off and ship, but I've got no ETA as of now because of my dayjob...either way, the big 'add' is support for our ARX systems so it won't affect what you're doing now.

     

     

    -Matt