Identify and cleanse expired and soon to expire certs from BIG-IP
Problem this snippet solves:
- Identify expired and soon-to-expire certs, including where each is used (client-ssl profiles and the virtual servers those profiles are attached to)
- If desired, the script can delete the client-ssl profile and the cert/key for expired certs
- The script can be run with a --days argument to set how many days before expiration counts as soon to expire
- The --reportonly argument means the script never prompts to delete configuration objects
How to use this snippet:
usage: f5_old_cert_key_profile_cleanup.py [-h] --bigip BIGIP --user USER [--days DAYS] [--reportonly]
A tool to identify expiring and soon to expire certs and related config detritus and assist user with pruning it from configuration
optional arguments:
  -h, --help     show this help message and exit
  --bigip BIGIP  IP or hostname of BIG-IP Management or Self IP
  --user USER    username to use for authentication
  --days DAYS    number of days before expiration to consider cert as expiring soon
  --reportonly   produce report only; do not prompt for configuration object deletion
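As an added example (not code from the linked script), this is the core check the tool performs, written as pure functions over the JSON shapes iControl REST returns for ssl-cert files, client-ssl profiles and virtual servers, with constructed sample data inline so it runs offline. The field names (expirationDate in epoch seconds, certKeyChain, profilesReference) and the ~Common~name URL encoding are assumed from iControl REST output; every cert, profile, virtual and date is invented. The deletion plan encodes the point made later in the thread: a profile still attached to a virtual has to be repointed or detached before anything under it is removed, so such certs are reported but not planned for deletion.

```python
# Added example, not the script's own code. Field names are assumed from
# iControl REST JSON; every cert, profile, virtual and date below is made up.
DAY = 86400
NOW = 1_700_000_000  # fixed "current time" so the output is reproducible

# Sample of GET /mgmt/tm/sys/file/ssl-cert (expirationDate is epoch seconds)
SAMPLE_CERTS = {"items": [
    {"fullPath": "/Common/default.crt", "expirationDate": NOW + 400 * DAY},
    {"fullPath": "/Common/old-app.crt", "expirationDate": NOW - 10 * DAY},
    {"fullPath": "/Common/renewed.crt", "expirationDate": NOW + 20 * DAY},
    {"fullPath": "/Common/stale.crt", "expirationDate": NOW - 50 * DAY},
    {"fullPath": "/Common/orphan.crt", "expirationDate": NOW - 200 * DAY},
]}

# Sample of GET /mgmt/tm/ltm/profile/client-ssl, in both schemas seen on
# BIG-IP: a certKeyChain list, and the older flat cert/key attributes
SAMPLE_CLIENTSSL = {"items": [
    {"fullPath": "/Common/clientssl",
     "certKeyChain": [{"cert": "/Common/default.crt", "key": "/Common/default.key"}]},
    {"fullPath": "/Common/old-app-ssl",
     "cert": "/Common/old-app.crt", "key": "/Common/old-app.key"},
    {"fullPath": "/Common/renewed-ssl",
     "certKeyChain": [{"cert": "/Common/renewed.crt", "key": "/Common/renewed.key"}]},
    {"fullPath": "/Common/stale-ssl",  # expired cert, but attached to no virtual
     "cert": "/Common/stale.crt", "key": "/Common/stale.key"},
]}

# Sample of GET /mgmt/tm/ltm/virtual?expandSubcollections=true (profiles only)
SAMPLE_VIRTUALS = {"items": [
    {"fullPath": "/Common/vs_app",
     "profilesReference": {"items": [{"fullPath": "/Common/old-app-ssl"},
                                     {"fullPath": "/Common/http"}]}},
    {"fullPath": "/Common/vs_renewed",
     "profilesReference": {"items": [{"fullPath": "/Common/renewed-ssl"}]}},
]}


def cert_status(cert, now=NOW, days=30):
    """Return ('expired'|'expiring'|'ok', days_left) for one ssl-cert item."""
    days_left = (cert["expirationDate"] - now) // DAY
    if days_left < 0:
        return "expired", days_left
    if days_left <= days:
        return "expiring", days_left
    return "ok", days_left


def profile_certs(profile):
    """(cert, key) pairs a client-ssl profile references, in either schema."""
    pairs = [(c.get("cert"), c.get("key")) for c in profile.get("certKeyChain", [])]
    if profile.get("cert"):
        pairs.append((profile["cert"], profile.get("key")))
    return [p for p in pairs if p[0]]


def build_report(certs=SAMPLE_CERTS, profiles=SAMPLE_CLIENTSSL,
                 virtuals=SAMPLE_VIRTUALS, now=NOW, days=30):
    """One row per expired/expiring cert with the profiles and virtuals using it."""
    cert_to_profiles, cert_to_key = {}, {}
    for prof in profiles["items"]:
        for cert, key in profile_certs(prof):
            cert_to_profiles.setdefault(cert, []).append(prof["fullPath"])
            if key:
                cert_to_key.setdefault(cert, key)
    prof_to_vs = {}
    for vs in virtuals["items"]:
        for p in vs.get("profilesReference", {}).get("items", []):
            prof_to_vs.setdefault(p["fullPath"], []).append(vs["fullPath"])
    rows = []
    for cert in certs["items"]:
        status, left = cert_status(cert, now, days)
        if status == "ok":
            continue
        profs = cert_to_profiles.get(cert["fullPath"], [])
        rows.append({"cert": cert["fullPath"], "key": cert_to_key.get(cert["fullPath"]),
                     "status": status, "days_left": left, "profiles": profs,
                     "virtuals": sorted({v for p in profs for v in prof_to_vs.get(p, [])})})
    return rows


def rest_path(full_path):
    """iControl REST writes '/Common/x' in a URL as '~Common~x'."""
    return full_path.replace("/", "~")


def deletion_plan(row):
    """Ordered REST DELETE targets for an expired cert; empty while still in use.

    A profile cannot be deleted while a virtual references it, so a cert that
    is reachable from a virtual is only reported. Otherwise: profiles first,
    then the cert, then its key.
    """
    if row["status"] != "expired" or row["virtuals"]:
        return []
    plan = ["/mgmt/tm/ltm/profile/client-ssl/" + rest_path(p) for p in row["profiles"]]
    plan.append("/mgmt/tm/sys/file/ssl-cert/" + rest_path(row["cert"]))
    if row["key"]:
        plan.append("/mgmt/tm/sys/file/ssl-key/" + rest_path(row["key"]))
    return plan


if __name__ == "__main__":
    for row in build_report(days=30):
        print(row["status"], row["cert"], "days_left=%d" % row["days_left"],
              "virtuals=%s" % (row["virtuals"] or "none"))
        for target in deletion_plan(row):
            print("  DELETE", target)
```

Run as-is it reports four certs: old-app.crt is expired but reachable from vs_app, so nothing is planned for it; stale-ssl and stale.crt/stale.key get a three-step plan; orphan.crt has no profile and is deleted alone. Against a real unit the three SAMPLE_ dicts would come from the three GET collections named in the comments, and the plan would be issued as DELETEs only after the user confirms and a UCS backup has been taken.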
Code :
https://github.com/cjenison/f5_old_cert_key_profile_cleanup
Tested this on version:
11.5
- Naumin_Dave_144Nimbostratus
I am unable to find a specific explanation of the execution procedure. Can you please guide me? This will help me as well as many other users who want to try this.
- Chad_JenisonNimbostratus
Could you clarify what you mean by execution procedure? Are you asking how to get the script to execute at a basic level? If so, either make it executable (chmod +x ...) and then run it (./f5_old_cert_key_profile_cleanup.py -h) or run it as an argument to python (e.g. "python f5_old_cert_key_profile_cleanup.py -h").
- Naumin_Dave_144Nimbostratus
Can I run it from BIG-IQ on my LB inventory?
- Chad_JenisonNimbostratus
It doesn't leverage the BIG-IQ inventory. Theoretically you could run it from the BIG-IQ system command line, but it has no BIG-IQ interaction.
- Naumin_Dave_144Nimbostratus
Hi Chad,
I figured out how to run this script. It's working. However, can you add one condition here: if a clientssl profile is attached to a VS and has an expired cert/key, can we get an option to detach the SSL profile from the VS and then delete?
Thanks a lot for the script !
- Naumin_Dave_144Nimbostratus
OR is there any way to change the cert & key to one of the default cert/key pairs in the clientssl profile (the one that has the old cert/key)? Sorry, but this has really been a roadblock at the last 2 companies where I worked when pruning the SSL cert/key configuration.
- Chad_JenisonNimbostratus
Naumin, it seems based on your request that you have a large number of virtual servers that have a client-ssl profile attached to them that points to an expired SSL certificate. This seems highly unexpected as clients accessing the virtual servers would see problems because of the expired certificates. Do you have a large number of virtual servers in this state? I'd think resolving them manually by altering the virtual server to point to a client ssl profile that has a valid (unexpired) cert would be an urgent configuration change you should make.
It certainly is possible to enhance the script to do what you are requesting, but I wouldn't expect many F5 users to have active virtual servers that have an expired certificate attached (via a client-ssl profile).
- Naumin_Dave_144Nimbostratus
Thanks Chad. Yeah, I will do it manually. However, I just observed that the backup is not working if we say Yes to delete the SSL profile/cert/key. I know the mybackup() function was called, but it's not working. I will debug the script and keep you posted with my results. Thanks for the script! It's really helpful.
- Naumin_Dave_144Nimbostratus
Hi Chad,
Looks like iControl REST API calls are not working in TMOS 11.x, as we are getting the below error while trying to run on 11.5.1 & 11.6.0 devices.
1. We are using correct credentials, and the same credentials work on a higher version.
2. We have also tried admin (local user), but it is still not working and we get the same error msg.
As per the script's print msg, it states we are getting an HTTP 401 code.
Please help or advise if any workaround is available.
py f5_old_cert_key_profile_cleanup.py --user xxx --bigip --reportonly
Password for xxx:
attempt to obtain authentication token failed due to invalid credentials
Traceback (most recent call last):
  File "f5_old_cert_key_profile_cleanup.py", line 104, in
    for cert in retrievedcerts['items']:
KeyError: 'items'
- Chad_JenisonNimbostratus
Are you certain the credentials are correct? Additionally, is the user account you are attempting to use local to the BIG-IP, or contained in a directory (e.g. LDAP) that the BIG-IP is pointed to? If the latter, there are known challenges with the use of iControl REST by remote users in old versions of TMOS (e.g. 11.x). The workaround is to either use a local user account or upgrade to a newer TMOS.
https://cdn.f5.com/product/bugtracker/ID471136.html
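The traceback above shows the failure mode: the token request came back 401, the script printed a message but carried on, and the next GET returned a body without an "items" key, so it died on a KeyError instead of the real cause. As an added example (not the script's own code), this is a login path that fails closed on 401, falls back to HTTP Basic (which iControl REST accepts for local accounts) only when token login is refused, and checks the collection response before indexing it. The transport is injectable so the sample runs offline against a constructed fake; the urllib transport is what would be used against a real unit. The endpoint, request body (loginProviderName "tmos") and X-F5-Auth-Token header are from iControl REST; the hostnames, credentials and token value are made up.

```python
# Added example, not the linked script. Transport is injected so the fake
# BIG-IP below stands in for a real unit; hostnames and tokens are invented.
import base64
import json
import urllib.error
import urllib.request

LOGIN_PATH = "/mgmt/shared/authn/login"
CERTS_PATH = "/mgmt/tm/sys/file/ssl-cert"


class AuthError(Exception):
    """Raised when BIG-IP refuses the credentials; never swallowed into a KeyError."""


def urllib_transport(url, method="GET", headers=None, body=None):
    """Real transport: returns (status, parsed JSON or None) for one request."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, method=method, headers=headers or {}, data=data)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def get_token(base, user, password, transport):
    """POST credentials to the authn endpoint and return the token string.

    A 401 here is the symptom in the thread: bad credentials, or a remote-auth
    user on a TMOS version where token login fails. Stop rather than continue.
    """
    status, body = transport(base + LOGIN_PATH, "POST",
                             {"Content-Type": "application/json"},
                             {"username": user, "password": password,
                              "loginProviderName": "tmos"})
    if status == 401:
        raise AuthError("401 from %s: credentials rejected or remote-auth user; "
                        "retry with a local account" % LOGIN_PATH)
    token = ((body or {}).get("token") or {}).get("token")
    if status != 200 or not token:
        raise AuthError("unexpected %s response from %s" % (status, LOGIN_PATH))
    return token


def auth_headers(base, user, password, transport):
    """Prefer a token; if the token login is refused, fall back to HTTP Basic,
    which iControl REST accepts for local accounts."""
    try:
        return {"X-F5-Auth-Token": get_token(base, user, password, transport)}
    except AuthError:
        cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        return {"Authorization": "Basic " + cred}


def list_certs(base, headers, transport):
    """GET the ssl-cert collection, validating the response before indexing it."""
    status, body = transport(base + CERTS_PATH, "GET", headers)
    if status == 401:
        raise AuthError("401 listing %s: credentials not accepted" % CERTS_PATH)
    if status != 200 or not isinstance(body, dict):
        raise RuntimeError("unexpected %s response from %s" % (status, CERTS_PATH))
    return body.get("items", [])  # an empty collection carries no 'items' key


class FakeBigip:
    """Constructed stand-in for a unit: token_ok/basic_ok model which auth paths
    the account can use (a remote-auth user on old TMOS has neither)."""

    def __init__(self, token_ok, basic_ok):
        self.token_ok, self.basic_ok = token_ok, basic_ok

    def __call__(self, url, method="GET", headers=None, body=None):
        headers = headers or {}
        if url.endswith(LOGIN_PATH):
            return (200, {"token": {"token": "FAKE-TOKEN"}}) if self.token_ok else (401, None)
        by_token = headers.get("X-F5-Auth-Token") == "FAKE-TOKEN"
        by_basic = self.basic_ok and headers.get("Authorization", "").startswith("Basic ")
        if not (by_token or by_basic):
            return 401, None
        return 200, {"items": [{"fullPath": "/Common/default.crt"}]}


if __name__ == "__main__":
    base = "https://bigip.example.invalid"
    for label, unit in [("token login works", FakeBigip(True, True)),
                        ("token refused, local user", FakeBigip(False, True)),
                        ("remote user on old TMOS", FakeBigip(False, False))]:
        try:
            certs = list_certs(base, auth_headers(base, "admin", "pw", unit), unit)
            print(label + ":", len(certs), "cert(s)")
        except AuthError as err:
            print(label + ": stopped,", err)
```

The third case is the one in the thread: both auth paths return 401, so the run stops with an AuthError naming the endpoint instead of reaching the collection loop. Whether an account is local or remote is visible in the unit's user list; the fallback here does not change that, it only makes the failure explicit.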