Forum Discussion
Unable to update device cert
Hi!
Working on a hobby project to manage F5 certificates using Kubernetes and cert-manager (Ref: https://community.f5.com/t5/technical-forum/kubernetes-cert-manager-letsencrypt-f5/td-p/299218). How...
Final solution:
def set_management_cert(self, cert_name, key_name): self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.crt/{cert_name}') self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.key/{key_name}') self.session.put( f'https://{self.device}/mgmt/tm/sys/httpd', json={ 'sslCertfile': '/config/httpd/conf/ssl.crt/management.crt', 'sslCertkeyfile': '/config/httpd/conf/ssl.key/management.key'} ) try: logger.info('Restarting httpd') self.run_bash_command('bigstart restart httpd; killall -9 httpd;bigstart restart httpd;') except: logger.info('Waiting for management interface to restart') time.sleep(3) httpd_config = self.get_httpd_config() if os.path.basename(httpd_config['sslCertfile']) == cert_name \ and os.path.basename(httpd_config['sslCertkeyfile']) == key_name: print('Certificate has been updated and the httpd interface is responding') else: raise Exception('Failed to update the certificate')Thank you for the suggestions and tips Dario_Garrido . Definitely helped me find the solution!
Same thing happens if I update the cert via REST, pause the script and run:
tmsh modify sys httpd ssl-certfile /config/httpd/conf/ssl.crt/management.crt ssl-certkeyfile /config/httpd/conf/ssl.key/management.key
httpd[4571]: [ssl:emerg] [pid 4571] (13)Permission denied: AH02201: Init: Can't open server certificate file /config/httpd/conf/ssl.crt/management.crt
Came a bit further just now. Looks like SELinux might be making my life harder:
restorecon -RvF /var/config/rest/downloads/management.crt /config/httpd/conf/ssl.crt/
restorecon -RvF /var/config/rest/downloads/management.key /config/httpd/conf/ssl.key/
Then the permission error goes away but restarting the service does not work. Then the article Dario_Garrido gave came in handy:
bigstart restart httpd
killall -9 httpd
bigstart restart httpd;
Will see if I can solve this further tomorrow. Good input with https://support.f5.com/csp/article/K13292945 Dario_Garrido . Saved me quite some time!
Kind regards,
Patrik
Final solution:
def set_management_cert(self, cert_name, key_name): self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.crt/{cert_name}') self.run_bash_command(f'restorecon -RvF /config/httpd/conf/ssl.key/{key_name}') self.session.put( f'https://{self.device}/mgmt/tm/sys/httpd', json={ 'sslCertfile': '/config/httpd/conf/ssl.crt/management.crt', 'sslCertkeyfile': '/config/httpd/conf/ssl.key/management.key'} ) try: logger.info('Restarting httpd') self.run_bash_command('bigstart restart httpd; killall -9 httpd;bigstart restart httpd;') except: logger.info('Waiting for management interface to restart') time.sleep(3) httpd_config = self.get_httpd_config() if os.path.basename(httpd_config['sslCertfile']) == cert_name \ and os.path.basename(httpd_config['sslCertkeyfile']) == key_name: print('Certificate has been updated and the httpd interface is responding') else: raise Exception('Failed to update the certificate')Thank you for the suggestions and tips Dario_Garrido . Definitely helped me find the solution!
Great solution! Thanks mate 👏
- JRahm
Admin
Nice Patrik_Jonsson!! Curious what your helper functions look like (get_management_cert, run_bash_command)...
