Let's Encrypt on a Big-IP
Problem this snippet solves:
This snippet lets a BIG-IP issue its own Let's Encrypt certificates and keep them renewed: the ACME client runs on the BIG-IP, talks to Let's Encrypt, and a hook script installs each new key/cert pair and points the client-ssl profile at it via tmsh. The BIG-IP therefore needs outbound access to Let's Encrypt's servers and a CA bundle that trusts them.
Code:
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
- Matt_58992 (Nimbostratus)
Having some issues deploying this on a 12.1 VE. Does anyone have a more thorough walk-through of the deployment process to get this working?
- thoang_295780 (Nimbostratus)
Just tried this and am having a strange problem. On my dev F5 it works without any issues. However, on my prod F5 I get an error.
During the deploy_cert stage, when it tries to install the key/cert, it gives the error
01070712:3: file (/opt/letsencrypt/certs/somedomain/privkey.pem) expected to exist.
privkey.pem is a symlink to privkey-{timestamp}.key. Testing the install command in the CLI with the real file works. Using the symlink gives the above error. Are there permissions settings somewhere I'm missing which would result in the above error?
dev V11.6.0
prod V11.6.1
- Jonathan_Gaikwa (Nimbostratus)
Works perfectly, thanks!
- uzi_260320 (Nimbostratus)
Thanks a lot for putting this together. Does anyone know if there needs to be a tweak made to get this working for v11.2.1? When the script reaches the following tmsh modify command: ** tmsh modify ltm profile client-ssl ${profile} cert-key-chain replace-all-with { default { key $key cert $cert } } ** it gives me the error: ** Syntax Error: "default" unknown property **
- Christopher_Ba1 (Nimbostratus)
Excellent scripts. Works really well :) Thanks heaps for putting this together!
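Two of the problems raised in this thread, the tmsh install failing on the privkey.pem symlink and the cert-key-chain profile update, come together in the deploy_cert hook. The script below is an added example, not the lnxgeek script linked above: it is written in the shape of the letsencrypt.sh/dehydrated hook convention (deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP), resolves the symlinks to the real files before handing them to tmsh, installs the key and chain under a timestamped object name, and then runs the cert-key-chain replace-all-with command quoted in the comment above. The hook argument order, the PROFILE default of ${domain}_clientssl, the TMSH variable (set it to echo for a dry run) and the object naming are assumptions; the 11.2.1 syntax error reported above is not worked around here.

```shell
#!/bin/bash
# Added example deploy_cert hook for BIG-IP; not the original wiki script.
# Assumptions: dehydrated-style hook arguments, tmsh on PATH, and a
# client-ssl profile named "<domain>_clientssl" unless PROFILE is set.
set -eu

TMSH="${TMSH:-tmsh}"   # set TMSH=echo to print the commands instead of running them

# Resolve a (possibly symlinked) path to the real file. tmsh's
# from-local-file must be given a regular file that exists.
real_path() {
  readlink -f -- "$1"
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE [CHAINFILE] [TIMESTAMP]
# Installs the key and full chain, then points the client-ssl profile at them.
deploy_cert() {
  local domain="$1" keyfile="$2" certfile="$3" fullchainfile="$4"
  local profile="${PROFILE:-${domain}_clientssl}"
  local key cert stamp name

  key=$(real_path "$keyfile")
  cert=$(real_path "$fullchainfile")
  [ -f "$key" ]  || { echo "deploy_cert: key not found: $keyfile ($key)" >&2; return 1; }
  [ -f "$cert" ] || { echo "deploy_cert: chain not found: $fullchainfile ($cert)" >&2; return 1; }

  # Unique object name per renewal so re-installs never collide (assumption:
  # you prune old "<domain>_<stamp>" objects yourself).
  stamp=$(date +%Y%m%d%H%M%S)
  name="${domain}_${stamp}"

  # $TMSH is deliberately unquoted so TMSH="echo" or TMSH="ssh bigip tmsh" works.
  $TMSH install sys crypto key  "$name" from-local-file "$key"
  $TMSH install sys crypto cert "$name" from-local-file "$cert"
  $TMSH modify ltm profile client-ssl "$profile" \
        cert-key-chain replace-all-with { default { key "$name" cert "$name" } }
  $TMSH save sys config
}

# Hook dispatcher: dehydrated calls the hook as "<hook> <stage> <args...>".
# Other stages (deploy_challenge etc.) are ignored in this example.
hook_main() {
  local stage="${1:-}"
  shift || true
  case "$stage" in
    deploy_cert) deploy_cert "$@" ;;
    *)           return 0 ;;
  esac
}

# Only dispatch when executed directly, so the functions can be sourced/tested.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ] && [ "${1:-}" = "deploy_cert" ]; then
  hook_main "$@"
fi
```

Run it with TMSH=echo first and check that the from-local-file arguments are the real privkey-{timestamp}.key and fullchain-{timestamp}.pem paths rather than the privkey.pem and fullchain.pem symlinks; the client-ssl profile is only changed after both installs succeed, so a failed install leaves the old chain in place.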
- I've just updated the scripts to support the latest version of the letsencrypt script from GitHub.
- Mark_Curole (Nimbostratus)
I'm on 11.5.1. I had to update the ca-bundle.crt in /etc/pki/tls/certs to get the curl command to validate the trust.
- The F5 must have access to the Internet (or just Lets Encrypt's servers), as it communicates with the CA.
- Delta_Force_270 (Nimbostratus)
I get ERROR: Problem connecting to server (curl returned with 60)
- Nicolas_Ross (Nimbostratus)
Great, it's working! I was already using this shell script extensively on autonomous servers. I was even able to scp and ssh into a remote unit to update its certificate by modifying the hook script.