Forum Discussion
Replacing key/certs via iControl
I'm using key_import_from_pem() and certificate_import_from_pem() to update cert/key stored in a partition folder. I set the overwrite flag when making the call and both API calls succeed without exception.
Debug logs from F5:
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::certificate_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Cert: wildcard.xyzzy.com
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:+++++++++++++++++++++++++++++++++++++
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::key_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Key: wildcard.xyzzy.com
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------
Everything looks good in the logs and no exception is thrown via the API.
However, the new certificate/key IS NOT what we see in the certificate_d folder for the partition.
If I turn off the overwrite function, it DOES throw an exception that it would be replacing a file. So I _know_ it should be replacing the file in that location.
Something is amiss...
What is the appropriate way for replacing cert/keys via iControl? i.e., we've got expiring certs that need replacement, or the cert has been modified to include an additional item in its subject alternative name, etc.
Thanks!
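The situation described above (both import calls return without an exception, yet the object on the device is unchanged) is exactly the case where a script should not trust the return value alone. The following is an added example, not code from the thread or from F5: it wraps the two import calls and then reads the certificate back and compares SHA-256 fingerprints of the DER bytes, so a silent non-overwrite is caught. It assumes a bigsuds-style client object exposing `Management.KeyCertificate` with the `key_import_from_pem` / `certificate_import_from_pem` methods named in the thread; the `certificate_export_to_pem` read-back method is an assumption, and the in-memory client and PEM payloads are constructed for the example (the PEM bodies are not real certificates or keys).

```python
import base64
import hashlib
import re
from types import SimpleNamespace

# Matches one PEM block of any label ("CERTIFICATE", "RSA PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first PEM block in `pem`."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding; this is what we compare."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def replace_cert_and_key(client, name, cert_pem, key_pem):
    """Import key and cert with overwrite=True, then verify what the device holds.

    `client` is assumed to look like a bigsuds BIGIP object. The export call used
    for the read-back (certificate_export_to_pem) is an assumption of this example.
    """
    kc = client.Management.KeyCertificate
    mode = "MANAGEMENT_MODE_DEFAULT"
    kc.key_import_from_pem(mode=mode, key_ids=[name], pem_data=[key_pem], overwrite=True)
    kc.certificate_import_from_pem(mode=mode, cert_ids=[name], pem_data=[cert_pem], overwrite=True)
    installed = kc.certificate_export_to_pem(mode=mode, cert_ids=[name])[0]
    expected, actual = fingerprint(cert_pem), fingerprint(installed)
    # "verified" is the value a rollout script should gate on, not the absence of an exception.
    return {"expected": expected, "installed": actual, "verified": expected == actual}


class FakeKeyCertificate:
    """In-memory stand-in for Management.KeyCertificate (constructed for this example).

    With silent_overwrite_failure=True it reproduces the symptom from the thread:
    the call returns normally but the stored object is left unchanged.
    """

    def __init__(self, silent_overwrite_failure=False):
        self.certs, self.keys = {}, {}
        self.silent = silent_overwrite_failure

    def _store(self, table, ids, pems, overwrite):
        for obj_id, pem in zip(ids, pems):
            if obj_id in table:
                if not overwrite:
                    raise RuntimeError(f"{obj_id} already exists")
                if self.silent:
                    continue  # "success" reported, file untouched
            table[obj_id] = pem

    def key_import_from_pem(self, mode, key_ids, pem_data, overwrite):
        self._store(self.keys, key_ids, pem_data, overwrite)

    def certificate_import_from_pem(self, mode, cert_ids, pem_data, overwrite):
        self._store(self.certs, cert_ids, pem_data, overwrite)

    def certificate_export_to_pem(self, mode, cert_ids):
        return [self.certs[c] for c in cert_ids]


def fake_client(silent_overwrite_failure=False):
    """Build an object with the attribute layout a bigsuds client exposes."""
    return SimpleNamespace(
        Management=SimpleNamespace(KeyCertificate=FakeKeyCertificate(silent_overwrite_failure))
    )


def make_pem(label: str, payload: bytes) -> str:
    """Wrap constructed bytes as a PEM block (not a real certificate or key)."""
    body = base64.b64encode(payload).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed sample material: distinct byte strings so the fingerprints differ.
OLD_CERT = make_pem("CERTIFICATE", b"old cert bytes (constructed)")
NEW_CERT = make_pem("CERTIFICATE", b"new cert bytes with extra SAN (constructed)")
OLD_KEY = make_pem("RSA PRIVATE KEY", b"old key bytes (constructed)")
NEW_KEY = make_pem("RSA PRIVATE KEY", b"new key bytes (constructed)")


def demo(silent_overwrite_failure=False):
    """Install the old pair, then replace it; return the verification result."""
    client = fake_client(silent_overwrite_failure)
    replace_cert_and_key(client, "wildcard.example.com", OLD_CERT, OLD_KEY)
    return replace_cert_and_key(client, "wildcard.example.com", NEW_CERT, NEW_KEY)


if __name__ == "__main__":
    print(demo(False)["verified"])  # True: device holds the new cert
    print(demo(True)["verified"])   # False: device silently kept the old cert
```

Against a real device, replace `fake_client()` with a connected client; the fingerprint comparison is the same. Comparing the cert's DER fingerprint rather than checking file timestamps or the config revision number is deliberate, since the thread notes the revision increments even though the file contents do not change.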
- mhite_60883 (Cirrocumulus): Also, we notice in the actual config stanza the revision number increments each time I upload the new cert/key via iControl, but the contents of the file remain unchanged.
- mbyerly_59620 (Nimbostratus): Anyone have any ideas here?
- hoolio (Cirrostratus): Matt(s),
- mhite_60883 (Cirrocumulus): At the risk of sounding naive, I've never had to explicitly issue a save command after an iControl operation. And I've written a boatload of API control code for managing VIPs, data groups, pools, nodes, health checks, certificates/keys, etc. (I know if you want to force a sync operation between HA nodes, you can issue a command to do so. In general, we run with device-group sync across active/active cluster members.) So I'm not really following you -- what API call should I be looking at?
- mbyerly_59620 (Nimbostratus): Hoolio,
- mhite_60883 (Cirrocumulus): Ok, Hoolio, just digging through the API and found this:
- mhite_60883 (Cirrocumulus): Sorry, wrong link:
- mbyerly_59620 (Nimbostratus): We received word back from F5 that this is a recently discovered bug being tracked under ID 388590.
- hoolio (Cirrostratus): Thanks for the info. That's an odd bug...
- mhite_60883 (Cirrocumulus): F5 folks, any ideas on workarounds?