Forum Discussion
andy_12_5042
Nimbostratus
Dec 29, 2010
pycontrol to set certificate/key for ssl profile
Sorry for the triple post last question...... My browser appeared to timeout so I thought submission was failing..
I have noticed that it is not possible to create a new profile and set the key, certificate, and passphrase via icontrol. These calls are separate and would need to be in parallel to be able to work. I have gotten around this in 2 ways.
1) I create a new profile that has the private key, passphrase that I will be using on all ssl profiles. When I use icontrol to create any new profile, I set the default parent profile to the one that I created above and am able to set the cert to whatever I want and avoid the PEM mismatch errors.
2) I can use python and make calls to run bigpipe commands on the f5 as these calls are in parallel and don't have the issue with PEM errors. I use ssh keys for security but I still am not a fan of doing stuff like this.
Does anyone know of a better way to do this? Is there some magic with newer versions that don't have this issue in icontrol? I have looked everywhere and found an old cached thread where someone had the same issue and F5 stated it would be fixed in a later version, but it is still an issue. Am I stuck with doing it as I am above or is there something better?
Thanks
Andy
- L4L7_53191
Nimbostratus
Andy: I'll take a quick look at this and get back.
- L4L7_53191
Nimbostratus
I have a feeling I'm missing what you're trying to do Andy. Anyhow - here's an example of create() with set_passphrase():

    In [78]: cert_ob = ssl.typefactory.create('LocalLB.ProfileString')
    In [79]: key_ob = ssl.typefactory.create('LocalLB.ProfileString')
    In [80]: cert_ob.value = 'default.crt'
    In [81]: key_ob.value = 'default.key'
    In [82]: cert_ob.default_flag,key_ob.default_flag = True,True
    In [83]: ssl.create(profile_names = ['via-pycontrol'], keys = [key_ob], certs=[cert_ob])

Now set the passphrase on our new profile.

    In [84]: phrase = ssl.typefactory.create('LocalLB.ProfileString')
    In [85]: phrase.default_flag = False
    In [86]: phrase.value = 'L4L7'
    In [87]: ssl.set_passphrase(['via-pycontrol'],passphrases=[phrase])

Confirm we have a profile, and a passphrase:

    In [88]: ssl.get_passphrase(['via-pycontrol'])
    Out[88]:
    [(LocalLB.ProfileString){
       value = "$M$61$5qbNv9PnBOcvfUIwFnkyWQ=="
       default_flag = False
     }]
- andy_12_5042
Nimbostratus
The problem is that I would want to specify a customer certificate and private key which is not the default on the F5. So you have created a profile and set the pass-phrase in a similar way that I do initially, however, now setting a certificate and a private key are 2 separate methods that have to be called together to work, which they can't be and you will get PEM errors due to that fact.
- L4L7_53191
Nimbostratus
Isn't the PEM error indicative of an error, like a key/cert mismatch?
- andy_12_5042
Nimbostratus
Yes exactly. And since you can't set these 2 values at the same time, there is no way around it. It is only a mismatch because in the call you are trying to set one of those values without setting the other. No matter what, a profile you create will have these values inherited or set from somewhere. I think a better solution would be to have a create_profile method that could set the cert, key, and pass-phrase at the same time. It is not possible to create a profile and let it inherit the defaults and then go back and change the cert/key pair as they are separate calls. This is not an issue with pycontrol but an issue with icontrol itself.
- andy_12_5042
Nimbostratus
I found a thread with someone having the same type of issue here in this forum. I believe you have already responded to this and it looks like this is a known bug or issue in icontrol. Sorry if I was not more clear in my descriptions above. So based on this other thread, is it correct to assume there is no way around this?
- andy_12_5042
Nimbostratus
What would be nice is the ability to do the same thing as I can via bigpipe with icontrol:
- L4L7_53191
Nimbostratus
Andy: yep, looks like you've tracked it down, thanks for the link. Can you do us a favor? Open up a case with support and request that you be attached to CR70232. This will help move it along (the more customers we hang off of these the better).
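For the key/cert mismatch question raised in the thread, a local pre-flight check can confirm that a certificate, private key and passphrase agree before they are pushed to the device. This is an added example, not code from any poster or from F5; it uses Python's standard `ssl` module, assumes the `openssl` CLI is on the PATH to build constructed sample files, and the helper names `make_pair` and `check_triple` are hypothetical.

```python
import os
import ssl
import subprocess
import tempfile


def make_pair(directory, name, passphrase=None):
    """Create a constructed self-signed cert and RSA key with the openssl CLI."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-days", "1",
           "-subj", "/CN=" + name, "-keyout", key, "-out", crt]
    # -nodes leaves the key unencrypted; -passout encrypts it with the passphrase.
    cmd += ["-passout", "pass:" + passphrase] if passphrase else ["-nodes"]
    subprocess.run(cmd, check=True, capture_output=True)
    return crt, key


def check_triple(cert_path, key_path, passphrase=None):
    """Return (ok, reason) for a certificate, private key and passphrase."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # A callable is always passed so OpenSSL never prompts on the terminal
    # when the key is encrypted and no passphrase was supplied.
    try:
        ctx.load_cert_chain(cert_path, key_path, password=lambda: passphrase or "")
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    return True, "certificate, key and passphrase agree"


def demo():
    """Run the check over constructed sample pairs (not real site material)."""
    with tempfile.TemporaryDirectory() as d:
        crt_a, key_a = make_pair(d, "site-a", passphrase="L4L7")
        crt_b, key_b = make_pair(d, "site-b")
        return {
            "matching": check_triple(crt_a, key_a, "L4L7")[0],
            "wrong_passphrase": check_triple(crt_a, key_a, "not-it")[0],
            "mismatched": check_triple(crt_a, key_b)[0],
        }


if __name__ == "__main__":
    print(demo())
```

If the triple passes locally and the device still reports a PEM error, the pair itself is not the cause.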