Forum Discussion
Replacing key/certs via iControl
I'm using key_import_from_pem() and certificate_import_from_pem() to update cert/key stored in a partition folder. I set the overwrite flag when making the call and both API calls succeed without exception.
Debug logs from F5:
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::certificate_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Cert: wildcard.xyzzy.com
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:+++++++++++++++++++++++++++++++++++++
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::key_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Key: wildcard.xyzzy.com
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------
Everything looks good in the logs and no exception is thrown via the API.
However, the new certificate/key IS NOT what we see in the certificate_d folder for the partition.
If I turn off the overwrite function, it DOES throw an exception that it would be replacing a file. So I _know_ it should be replacing the file in that location.
Something is amiss...
What is the appropriate way for replacing cert/keys via iControl? i.e. we've got expiring certs that need replacement, or the cert has been modified to include an additional item in its subject alternative name, etc.
Thanks!
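An added check, not code from the thread or from F5: compare the fingerprint of the PEM you intended to install with what the device exports afterwards, so a silent no-op import like the one logged above is caught rather than trusted. The bigsuds client object, the certificate_export_to_pem call and the MANAGEMENT_MODE_DEFAULT mode string are assumptions; the two PEM bodies are constructed and are not real certificates.

```python
"""Added example (not from the thread): verify that an iControl cert/key
import actually changed what the BIG-IP holds, instead of trusting the
API's silent success.  Fingerprints are computed locally; the device
calls are assumed bigsuds Management.KeyCertificate methods."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def fingerprint(pem_text):
    """SHA-256 fingerprint of the DER body, colon separated like openssl."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def import_was_applied(intended_pem, exported_pem):
    """True only if the device now holds the PEM we meant to install.
    A mismatch after a successful overwrite call is the symptom in the
    thread: API returns OK, revision bumps, file content unchanged."""
    return fingerprint(intended_pem) == fingerprint(exported_pem)


def replace_and_verify(client, cert_name, cert_pem, key_pem):
    """Assumed bigsuds usage (hypothetical client, not run offline):
    import with overwrite=True, then export and compare fingerprints."""
    kc = client.Management.KeyCertificate
    mode = "MANAGEMENT_MODE_DEFAULT"  # assumed enum value, matches "Mode: Default"
    kc.certificate_import_from_pem(mode, [cert_name], [cert_pem], True)
    kc.key_import_from_pem(mode, [cert_name], [key_pem], True)
    on_device = kc.certificate_export_to_pem(mode, [cert_name])[0]  # assumed call
    if not import_was_applied(cert_pem, on_device):
        raise RuntimeError("import reported success but %s is unchanged on device" % cert_name)
    return fingerprint(on_device)


# Constructed sample "certificates": short byte strings, not real X.509 data.
OLD_PEM = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
NEW_PEM = "-----BEGIN CERTIFICATE-----\nCgsMDQ4PEBESEw==\n-----END CERTIFICATE-----\n"
```

Run replace_and_verify after every import and alert on the RuntimeError; a bumped revision number alone says nothing about the file contents.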
11 Replies
- mhite_60883
Cirrocumulus
Also, we notice in the actual config stanza the revision number increments each time I upload the new cert/key via iControl but the contents of the file remain unchanged.
(i.e. "revision 6")
- mbyerly_59620
Nimbostratus
Anyone have any ideas here?
We can consistently reproduce the issue against v11 and have opened a ticket with F5 Support. In the past we've been asked to query the folks over in DevCentral for such issues from support.
Appreciate any kind of input.
Thanks,
Matt
- hoolio
Cirrostratus
Matt(s),
Are you saving the config from memory to disk after importing the cert and key? If not, the filesystem wouldn't get updated even though the config running in memory has been updated.
Aaron
- mhite_60883
Cirrocumulus
At the risk of sounding naive, I've never had to explicitly issue a save command after an iControl operation. And I've written a boatload of API control code for managing VIPs, data groups, pools, nodes, health checks, certificates/keys, etc. (I know if you want to force a sync operation between HA nodes, you can issue a command to do so. In general, we run with device-group sync across active/active cluster members.) So I'm not really following you -- what API call should I be looking at?
- mbyerly_59620
Nimbostratus
Hoolio,
We've attempted 'tmsh save sys config partitions all' after the API has run and the cert/key are still referencing the old PEM data inside the files. So that doesn't appear to be it...
Matt
- mhite_60883
Cirrocumulus
Ok, Hoolio, just digging through the API and found this:
https://devcentral.f5.com/wiki/iControl.System__ConfigSync__SaveMode.ashx
Implemented code to do a high_level save, still no luck. (In addition to the tmsh stuff Matt B. mentioned above.)
- mhite_60883
Cirrocumulus
Sorry, wrong link:
https://devcentral.f5.com/wiki/iControl.System__ConfigSync__save_configuration.ashx
- mbyerly_59620
Nimbostratus
We received word back from F5 that this is a recently discovered bug being tracked under ID 388590.
I haven't asked about an ETA for a fix, but there you have it...
Thanks,
Matt
- hoolio
Cirrostratus
Thanks for the info. That's an odd bug...
Aaron
- mhite_60883
Cirrocumulus
F5 folks, any ideas on workarounds?