Let's Encrypt on a Big-IP
Problem this snippet solves:
It is now possible to make use of Let's Encrypt certificates and maintain them on the Big-IP.
Code:
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
- Brad_BakerCirrus
I noticed this runs from a cron job. During firmware upgrades do cron jobs get retained? Or if we implemented this would we need to take care when upgrading our firmware to re-create the cron jobs? Anyone know?
I have just updated the solution with OCSP stapling.
After too many hours digging around getting OCSP to work properly on the BigIP, I've made a small change to the hook script that makes it possible to get OCSP stapling working. For now it is only v.13 compatible, but it should be a minor hack to get it working on other versions.
@SpaceLong most welcome :-)
I hope you get it going.
- SpaceLong_28149Nimbostratus
Dear lnxgeek116, Thanks very much for your response! I will give it a try and see how it works. Thanks!
This is what you need to do to get it running:
- Create datagroup
- Create iRule (just copy from blog)
- Create clientssl profile matching your domains (see blog)
- Populate domain.txt with your domains
- Make appropriate changes to the config file
- Assign iRule to the VS which is assigned to your domains (basically this is where the challenge-response traffic is handled and where your DNS is pointed)
The certificates live on the F5; this is the point of this script implementation. So there is no distribution of the certificates unless you put it into the hook script. The best way of using SSL/TLS is to have it handled in front of the web servers by the F5 and run cleartext against the servers. The script is completely independent of any device, server or service type you put the F5 in front of. The dependency is tied to the F5.
Hope this helps.
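The steps above (data group for the challenge, iRule on the VS, certificate installed into the clientssl profile) as an added hook.sh sketch for dehydrated; this is example code, not lnxgeek's script or dehydrated's own hook.sh. It assumes a data group named acme_challenges that the iRule looks up for /.well-known/acme-challenge/<token>, a client-ssl profile named clientssl_letsencrypt, and v13-era tmsh syntax; all three names are constructed for the example.

```shell
#!/bin/sh
# Added example hook for dehydrated on a BIG-IP (not the original hook.sh).
# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
#                   hook.sh clean_challenge  DOMAIN TOKEN_FILENAME TOKEN_VALUE
#                   hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAIN CHAIN TIMESTAMP
# Assumed names (constructed): data group "acme_challenges" read by the iRule,
# client-ssl profile "clientssl_letsencrypt". TMSH is overridable for dry runs.
TMSH="${TMSH:-tmsh}"
DATAGROUP="${DATAGROUP:-acme_challenges}"
SSL_PROFILE="${SSL_PROFILE:-clientssl_letsencrypt}"

# Publish token -> key authorization so the iRule on the VS answers
# GET /.well-known/acme-challenge/<token> with the expected body.
deploy_challenge() {
    "$TMSH" modify ltm data-group internal "$DATAGROUP" \
        records add { "$2" { data "$3" } }
}

# Remove the record once validation is done; otherwise stale tokens stay served.
clean_challenge() {
    "$TMSH" modify ltm data-group internal "$DATAGROUP" records delete { "$2" }
}

# Install key, cert and chain as tmsh objects, then swap them into the
# client-ssl profile; a failed install leaves the previous pair active.
deploy_cert() {
    domain=$1; keyfile=$2; certfile=$3; chainfile=$5; stamp=$6
    name="le_${domain}_${stamp}"
    "$TMSH" install sys crypto key "$name" from-local-file "$keyfile" &&
    "$TMSH" install sys crypto cert "$name" from-local-file "$certfile" &&
    "$TMSH" install sys crypto cert "${name}_chain" from-local-file "$chainfile" &&
    "$TMSH" modify ltm profile client-ssl "$SSL_PROFILE" cert-key-chain \
        replace-all-with { default { cert "$name" key "$name" chain "${name}_chain" } } &&
    "$TMSH" save sys config
}

# Dispatch on the hook name dehydrated passes as $1; other hooks are no-ops.
if [ $# -gt 0 ]; then
    hook=$1; shift
    case $hook in
        deploy_challenge|clean_challenge|deploy_cert) "$hook" "$@" ;;
        *) : ;;
    esac
fi
```

Run with TMSH=echo to see the tmsh commands without touching the box.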
- SpaceLong_28149Nimbostratus
Hi all,
Beyond the article, do you have a step-by-step tutorial for implementing this within F5 BIG-IP?
How does the flow work? Does the F5 pass the challenge to one specific web server to do the challenge/response, or is the F5 itself the one that carries this out?
Does this script distribute the new certificate (request or renew) to all the web servers in my farm?
Does it have any support to automatically configure IIS/Apache or other webservers, or does it only get the certificate, leaving it up to the administrator to configure the certificate on each web server?
Does this script have any limitations in terms of webserver platforms, or is it independent?
Thanks in advance!
- deerns_21573Nimbostratus
I also changed to dehydrated. My changes: uncommented WELLKNOWN in the config file. I also used the hook.sh from dehydrated and pasted the commands from the hook.sh of lnxgeek into the new hook.sh file. It is very obvious which commands you will need.
(For some reason I cannot add the hook.sh I made here.)
- IvarMH_309752Nimbostratus
Could you update the installation instructions to include the use of dehydrated or is it just required to replace the letsencrypt.sh file with the new dehydrated file? Could you also please explain what needs to be updated with regards to WELLKNOWN and hook.sh?
Most welcome :-)
I just tested the latest version of the script (which is now called dehydrated) from Lukas and it works nicely. Remember to update the WELLKNOWN variable and update the hook.sh file, which has some minor changes to it.
- deerns_21573Nimbostratus
Thanks for the scripts, worked like a charm. LTM 12.1.2