Let's Encrypt on a Big-IP

Does all the parameters points to the correct paths/files?

Updated my BIGIP to 11.6.1. That seems to have resolved the SSL issue. I ran the script again and now it alerted me that the LICENSE pdf was outdated so I updated it to the lates version and tried to run the script again.

  ./letsencrypt.sh -c
: No such file or directory

Running ls lets me know the file is there.

     letsencrypt  ls -a -l
total 59
drwxr-xr-x  3 root root  1024 Feb 14 11:33 .
drwxr-xr-x 28 root root  1024 Feb 14 11:18 ..
drwxr-xr-x  2 root root  1024 Feb 14 11:24 .acme-challenges
-rwxr-xr-x  1 root root  3529 Feb 10 14:14 config
-rwxr-xr-x  1 root root    32 Feb 14 11:21 domains.txt
-rwxr-xr-x  1 root root  3429 Jan 11 16:10 hook.sh
-rwxr-xr-x  1 root root 37807 Feb 14 11:29 letsencrypt.sh
-rwxr-xr-x  1 root root   390 May 29  2016 wrapper.sh

What is wrong here?

Could it be that you're being SSL intercepted going out onto the Internet?

This is my output from the BIGIP

curl -v https://acme-v01.api.letsencrypt.org
* About to connect() to acme-v01.api.letsencrypt.org port 443 (0)
*   Trying 104.123.211.71... connected
* Connected to acme-v01.api.letsencrypt.org (104.123.211.71) port 443 (0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS alert, Server hello (2):
} [data not shown]
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection 0

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Googling the error gives:

CURLE_SSL_CACERT (60) Peer certificate cannot be authenticated with known CA certificates.

How does it look if you run: curl -v https://acme-v01.api.letsencrypt.org

from the Bigip?

I'm having the same problem as Delta Force

 ./letsencrypt.sh -c
 INFO: Using main config file /letsencrypt/config
ERROR: Problem connecting to server (curl returned with 60)

I can ping acme-v01.api.letsencrypt.org from the the same shell. I'm running 11.6.0 Any ideas?

Good point James, thanks.

Also in hook.sh, those not in the US may want to change the date format in the certificate name as it appears in the GUI, from

now=$(date +%Y-%d-%m)

to

now=$(date +%Y-%m-%d)

The hook.sh in the zip file I downloaded from wiki.lnxgeek.org includes the following lines:

scp ${BASEDIR}/certs/$domain/privkey.pem root@9.0.0.4:/etc/ssl/letsencrypt/${domain}.key
scp ${BASEDIR}/certs/$domain/fullchain.pem  root@9.0.0.4:/etc/ssl/letsencrypt/${domain}.crt

You may want to comment these out

Matt what is your problem, does it report any errors? I'm running it without problems on 12.1.1.