Identify and cleanse expired and soon to expire certs from BIG-IP
Problem this snippet solves:
- Identify Expired and Soon to Expire Certs (including their use on a virtual, client-ssl profile)
- If desired, script can delete client-ssl profile, cert/key for expired certs
- Script can be run with argument of --days to indicate how many days prior to expiration you consider soon to expire
- --reportonly argument will never prompt to delete configuration objects
How to use this snippet:
usage: f5_old_cert_key_profile_cleanup.py [-h] --bigip BIGIP --user USER [--days DAYS] [--reportonly]
A tool to identify expiring and soon to expire certs and related config detritus and assist user with pruning it from configuration
optional arguments:
  -h, --help     show this help message and exit
  --bigip BIGIP  IP or hostname of BIG-IP Management or Self IP
  --user USER    username to use for authentication
  --days DAYS    number of days before expiration to consider cert as expiring soon
  --reportonly   produce report only; do not prompt for configuration object deletion
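To make the classification and reporting logic concrete, here is a small added example (not the script from the repository above, and not F5 code) that works over a constructed inventory of certs, client-ssl profiles and virtual servers. The cert names, profile names, virtual names and expiry dates are all made up; the shape of the data is an assumption modelled loosely on what a BIG-IP inventory looks like, not on any particular API response. It shows the --days threshold semantics (a cert is "expiring" only when it falls due within that many days, so --days 1 must not flag anything with a month left), maps each problem cert to the profiles and virtuals that still reference it, and flags virtuals that also carry a server-ssl profile, since removing only the client-ssl side of an SSL-bridging virtual changes its behaviour. Only an expired cert that nothing references is treated as a deletion candidate; everything else is report-only.

```python
"""Classify SSL certs by expiry and map them to the client-ssl profiles and
virtual servers that reference them (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

# "Now" is fixed so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed inventory: cert name -> notAfter. None of this is real.
CERTS = {
    "/Common/default.crt": datetime(2030, 1, 1, tzinfo=timezone.utc),
    "/Common/legacy-app.crt": datetime(2023, 11, 30, tzinfo=timezone.utc),  # expired
    "/Common/old-test.crt": datetime(2022, 3, 1, tzinfo=timezone.utc),      # expired, unreferenced
    "/Common/payroll.crt": datetime(2024, 6, 20, tzinfo=timezone.utc),      # 19 days left
    "/Common/intranet.crt": datetime(2024, 7, 15, tzinfo=timezone.utc),     # 44 days left
}

# client-ssl profile -> cert it presents (assumed field, constructed values)
CLIENTSSL_PROFILES = {
    "/Common/clientssl": "/Common/default.crt",
    "/Common/legacy-app-clientssl": "/Common/legacy-app.crt",
    "/Common/payroll-clientssl": "/Common/payroll.crt",
    "/Common/intranet-clientssl": "/Common/intranet.crt",
}

SERVERSSL_PROFILES = {"/Common/serverssl", "/Common/legacy-app-serverssl"}

# virtual server -> profiles attached to it (constructed)
VIRTUALS = {
    "/Common/vs_legacy_app": ["/Common/legacy-app-clientssl",
                              "/Common/legacy-app-serverssl", "/Common/http"],
    "/Common/vs_payroll": ["/Common/payroll-clientssl", "/Common/http"],
    "/Common/vs_intranet": ["/Common/intranet-clientssl", "/Common/serverssl"],
    "/Common/vs_plain": ["/Common/http"],
}


def classify_cert(not_after, now, days):
    """Return 'expired', 'expiring' or 'ok'.

    'expiring' means notAfter lies within `days` days of `now` (inclusive),
    so --days 1 never flags a cert that still has weeks left."""
    if not_after <= now:
        return "expired"
    if not_after - now <= timedelta(days=days):
        return "expiring"
    return "ok"


def build_report(certs, clientssl, serverssl, virtuals, now, days):
    """For each expired/expiring cert, list the client-ssl profiles using it
    and the virtuals using those profiles. A server-ssl profile on the same
    virtual marks SSL bridging, where detaching only the client-ssl profile
    would not restore the pre-offload behaviour."""
    report = []
    for cert_name, not_after in sorted(certs.items()):
        status = classify_cert(not_after, now, days)
        if status == "ok":
            continue
        profiles = sorted(p for p, c in clientssl.items() if c == cert_name)
        usage = []
        for vs, vs_profiles in sorted(virtuals.items()):
            used = [p for p in vs_profiles if p in profiles]
            if not used:
                continue
            bridging = sorted(p for p in vs_profiles if p in serverssl)
            usage.append({"virtual": vs, "clientssl": used, "serverssl": bridging})
        report.append({
            "cert": cert_name,
            "status": status,
            "days_left": (not_after - now).days,
            "clientssl_profiles": profiles,
            "virtuals": usage,
        })
    return report


def safe_to_delete(entry):
    """Only an expired cert whose profiles sit on no virtual is a deletion
    candidate; anything still referenced is reported and left alone."""
    return entry["status"] == "expired" and not entry["virtuals"]


def main(days=30):
    for e in build_report(CERTS, CLIENTSSL_PROFILES, SERVERSSL_PROFILES,
                          VIRTUALS, NOW, days):
        print(f"{e['status']:8} {e['days_left']:>5}d  {e['cert']}")
        for u in e["virtuals"]:
            flag = "  (SSL bridging: serverssl present)" if u["serverssl"] else ""
            print(f"    used by {u['virtual']} via {', '.join(u['clientssl'])}{flag}")
        if safe_to_delete(e):
            print("    -> unreferenced; deletion candidate")


if __name__ == "__main__":
    main()
```

Running it with the default 30-day window lists the two expired certs and the payroll cert; the legacy-app virtual is marked as SSL bridging because a server-ssl profile sits beside the client-ssl profile, and only the unreferenced old-test cert is a deletion candidate. Dropping the window to 1 day removes the payroll cert from the report, which is the behaviour a --days threshold should have.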
Code :
https://github.com/cjenison/f5_old_cert_key_profile_cleanup
Tested this on version:
11.5
- Naumin_Dave_144Nimbostratus
Hi Chad,
What a perfect catch! Yes, this is the cause. My credentials were correct, but it uses remote authentication via RADIUS, and, as you suggested as a workaround, using a local admin account resolves this issue. Thanks for sharing the bug ID. Just to update, there is one issue with using this script: we have to disassociate the serverssl profile from VIPs manually. VIPs used for SSL bridging (containing both clientssl and serverssl) will be impacted if we disassociate only the clientssl profile.
So I am working on an addition to your code (maybe you can help) to disassociate the respective serverssl profile (if any) for the VIPs that have a clientssl profile with expired certs, but I'm stuck on the data formatting part; the way you did it is just perfect.
Thanks for your swift response!
- Chad_JenisonNimbostratus
The reason I didn’t tackle dissociating clientssl profile with an expired cert from a virtual is that in my opinion that’s something that needs fixing outside of the script and then once fixed you would then run the cleanup script.
- Naumin_Dave_144Nimbostratus
Understood, but at least we can add a function in the reportonly "for loops" to pull the serverssl profile for those VIPs that are using an expired/expiring-soon clientssl profile?
- Chad_JenisonNimbostratus
So what you are proposing is that when the script encounters a profile that is associated with an expired cert AND the virtual server has a server SSL profile, it would remove both the clientssl and serverssl profile, and the hope would be that clients who connect would accept whatever cert the back-end server is offering?
I'm curious; how did your BIG-IP get to a state where there are numerous clientssl profiles that point to expired certs? Seems to me that not long after the cert expires, you'd get user reports complaining about expired cert and then you'd fix it, such that few BIG-IPs that are actively used will have expired certs attached to clientssl profiles attached to active virtual servers.
- Naumin_Dave_144Nimbostratus
"so what you are proposing is that when the script encounters a profile that is associated with an expired cert AND the virtual server has a server SSL profile, it would remove both the clientssl and serverssl profile and the hope would be that clients who connect would accept whatever cert the back-end server is offering?"
Yes, we want this; however, it is OK to not remove/untag them from the VS config via the script, but at least we can get those names when using "--reportonly".
"I'm curious; how did your BIG-IP get to a state where there are numerous clientssl profiles that point to expired certs?"
I know it sounds weird, but sadly the answer is yes: we have many VSs that are UP and using expired cert profiles. It seems those are not used by app teams. Ideally those VSs should be decommissioned, but instead of following up with individuals to decommission those VIPs, we want to silently remove SSL offloading from the LB side so that their applications will work as they were working before this activity.
- Daniel_Edgar_11Nimbostratus
Nice job, Chad! Using this today!
Hi Chad,
Thanks for sharing the script. However, I am facing some issues while running the script. Snippets are attached; can you help me with this?
- Vladimir_ShishkAltocumulus
This script marks certs with an expiration date more than one month away as soon-to-expire as well.
I ran it with the days arg equal to 1 (and 0) and received the result in the picture.
Can you fix it? Thank you.
VE/BIG-IP 15.1.7 Build 0.0.6 Final