Unable to update device cert
Working on a hobby project to manage F5 certificates using Kubernetes and cert-manager (Ref: https://community.f5.com/t5/technical-forum/kubernetes-cert-manager-letsencrypt-f5/td-p/299218). However, I have been running into problems when configuring httpd to use the new certificate+key.
Pretty much trying to follow https://support.f5.com/csp/article/K12522815
- Copied new cert
- Copied the new key
- Set the certificate + key via a REST call to /mgmt/tm/sys/httpd (like the article suggests)
- Next step is to restart httpd using a rest call to /mgmt/tm/sys/service but by then httpd is broken
Trying to restart httpd via ssh:
# bigstart restart httpd
Stopping httpd: [ OK ]
Broadcast message from systemd-journald@bigip.xip.se (Tue 2022-08-02 13:13:51 PDT):
httpd[4453]: [ssl:emerg] [pid 4453] (13)Permission denied: AH02201: Init: Can't open server certificate file /config/httpd/conf/ssl.crt/management.crt
Starting httpd: [FAILED]
The certificate is there:
ls -la /config/httpd/conf/ssl.crt
total 28
drwx------. 2 root root 4096 Aug 2 13:12 .
drwxr-xr-x. 7 root root 4096 Aug 1 14:52 ..
-rw-r-----. 1 root apache 5582 Aug 2 13:12 management.crt
-rw-------. 1 root root 5582 Aug 2 12:28 server.crt
-rw-------. 1 root root 1521 Aug 2 12:27 server.crt.old
So is the key:
ls -la /config/httpd/conf/ssl.key
total 20
drw-------. 2 root root 4096 Aug 2 12:58 .
drwxr-xr-x. 7 root root 4096 Aug 1 14:52 ..
-rw-------. 1 root root 1674 Aug 2 12:58 management.key
-rw-------. 1 root root 1674 Aug 2 12:27 server.key
-rw-------. 1 root root 1675 Aug 2 12:27 server.key.old
The certificate and key match:
# openssl x509 -noout -modulus -in /config/httpd/conf/ssl.crt/management.crt
# openssl rsa -noout -modulus -in /config/httpd/conf/ssl.key/management.key
If I run a "bigstart restart" AND "bigstart restart httpd" it suddenly works fine:
# bigstart restart
# bigstart status httpd
httpd (pid 20978) is running...
# bigstart restart httpd
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
I am guessing additional services need to be restarted before httpd? What am I missing?
Kind regards,
Final solution:
import logging
import os
import time

logger = logging.getLogger(__name__)

# Method of the poster's device helper class; it relies on self.run_bash_command(),
# self.session (an authenticated requests.Session), self.device and self.get_httpd_config().
    def set_management_cert(self, cert_name, key_name):
        # Restore the SELinux labels on the copied files. Without this, httpd fails with
        # "(13)Permission denied" even though the Unix permissions are correct.
        self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.crt/{cert_name}')
        self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.key/{key_name}')
        # Point httpd at the new certificate and key (the paths are built from the
        # same names that are verified below, so the check cannot pass by accident).
        self.session.put(
            f'https://{self.device}/mgmt/tm/sys/httpd',
            json={
                'sslCertfile': f'/config/httpd/conf/ssl.crt/{cert_name}',
                'sslCertkeyfile': f'/config/httpd/conf/ssl.key/{key_name}',
            },
        )
        try:
            logger.info('Restarting httpd')
            self.run_bash_command('bigstart restart httpd; killall -9 httpd; bigstart restart httpd;')
        except Exception:
            # Restarting httpd drops the management connection, so the command
            # itself raises; give the interface a moment to come back.
            logger.info('Waiting for management interface to restart')
            time.sleep(3)
        httpd_config = self.get_httpd_config()
        if os.path.basename(httpd_config['sslCertfile']) == cert_name \
                and os.path.basename(httpd_config['sslCertkeyfile']) == key_name:
            print('Certificate has been updated and the httpd interface is responding')
        else:
            raise Exception('Failed to update the certificate')
Thank you for the suggestions and tips Dario_Garrido . Definitely helped me find the solution!
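An added example (not from the original post or from F5): a polling replacement for the fixed three-second wait in the solution above, which keeps asking /mgmt/tm/sys/httpd until it answers and reports the expected certificate and key, or gives up at a deadline. It assumes get_httpd_config is a callable that raises while httpd is restarting and returns the JSON body of /mgmt/tm/sys/httpd once it is up; the clock and sleep arguments are hypothetical injection points so the behaviour can be simulated offline.

```python
import os
import time
from typing import Callable, Dict, Optional


def wait_for_httpd_cert(get_httpd_config: Callable[[], Dict[str, str]],
                        cert_name: str,
                        key_name: str,
                        timeout: float = 60.0,
                        interval: float = 2.0,
                        sleep: Callable[[float], None] = time.sleep,
                        clock: Callable[[], float] = time.monotonic) -> Dict[str, str]:
    """Poll the management interface after 'bigstart restart httpd'.

    get_httpd_config (assumed) raises, e.g. a connection error, while httpd is
    down and returns the /mgmt/tm/sys/httpd body once it is back. Returns that
    body when sslCertfile/sslCertkeyfile name the expected files; raises
    TimeoutError if httpd never comes back or keeps serving another pair.
    """
    deadline = clock() + timeout
    last_error: Optional[BaseException] = None
    while True:
        try:
            cfg = get_httpd_config()
        except Exception as exc:  # management interface not reachable yet
            last_error = exc
        else:
            cert_ok = os.path.basename(cfg.get('sslCertfile', '')) == cert_name
            key_ok = os.path.basename(cfg.get('sslCertkeyfile', '')) == key_name
            if cert_ok and key_ok:
                return cfg
            # httpd answered, but with a stale configuration (e.g. the PUT was
            # rejected or the old config was restored on restart).
            last_error = RuntimeError(
                f"httpd is up but serves {cfg.get('sslCertfile')} / "
                f"{cfg.get('sslCertkeyfile')}")
        if clock() >= deadline:
            raise TimeoutError(
                f"httpd did not come back with {cert_name}/{key_name}: {last_error}")
        sleep(interval)
```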