Let's Encrypt on a Big-IP
Problem this snippet solves:
It is now possible to make use of Let's Encrypt certificates and maintain them on the Big-IP.
Code :
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
- Nicolas_COLLET (Nimbostratus)
Hello,
If anyone has this error:
./dehydrated -c INFO: Using main config file .. config : No such file or directory
In my case, this was the hook file with bad encoding of the end of line, because the files were created on Windows.
- David_Scott_104 (Historic F5 Account)
If you frequently add subdomains, you can save yourself a little effort by building your domains list dynamically (this assumes that your VIPs are named for the FQDN, so shop.example.com, etc.):
tmsh -q -c "cd /;list ltm virtual recursive" | awk 'BEGIN {RS="\n}"} !/\ none/ {print}'| grep ^ltm | awk '{print "/" $3}' | grep "domain$" | cut -d'/' -f3 | xargs
- Stanislas_Piro2 (Cumulonimbus)
I guess this script was written for a newer version and does not exist for version 11.4.
Try to edit the following command in tmsh, find what is not working, and change the hook script.
modify ltm profile client-ssl ${profile} cert-key-chain replace-all-with { default { key $key cert $cert } }
- Dmitry_Sherman (Nimbostratus)
Where can I get the 11.4 hook.sh & dehydrated scripts? I get the error: + Done! + Creating fullchain.pem... Syntax Error: "default" unknown property
Looks like 11.4 uses older syntax: ltm profile client-ssl /Common/clientssl { ca-file none cert /Common/default.crt cert-lifespan 30 cert-lookup-by-ipaddr-port disabled chain none client-cert-ca none crl-file none handshake-timeout 10 key /Common/default.key
while newer versions indeed use the "default" statement: app-service none cert /Common/default.crt cert-key-chain { default { cert /Common/default.crt key /Common/default.key } } chain none inherit-certkeychain true key /Common/default.key passphrase none }
Most welcome :-)
You have made a nice "dehydrated" version of my article....;-)
- Stanislas_Piro2 (Cumulonimbus)
Hi,
It seems the link changed. I found the documentation at this URL:
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
Thank you lnxgeek for this solution. It is very helpful!
I had some difficulties understanding what to do with all these files, so here is a little installation guide:
- Create the data group
- Copy the iRule and assign it to the HTTP virtual server whose destination address is resolved for each element in domains.txt
- Create the directory /shared/letsencrypt (it is used in the call). All files may be created in this directory
- Create /shared/letsencrypt/domains.txt
- Create the script to create profiles (I called it create-profiles.sh)
- Create config, wrapper.sh, send_mail from code
- Retrieve dehydrated from Lukas Schauer's GitHub
- Make all scripts executable:
chmod 755 hook.sh wrapper.sh send_mail dehydrated create-profiles.sh
- Create the /var/www/dehydrated directory:
mkdir /var/www/dehydrated
- Accept the Let's Encrypt terms of license
./dehydrated --register --accept-terms
- Execute the script to create the certificate
./dehydrated -c
- Assign clientssl profiles
- Install an iScript
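A hook sketch that folds in the two snags raised in this thread (a hook file mangled by Windows CR LF line endings, and the 11.4 versus newer cert-key-chain syntax for the client-ssl profile). This is an added example, not lnxgeek's hook.sh; it assumes tmsh exits non-zero when asked for a property the running TMOS version does not know, and that the client-ssl profile carries the domain's name.

```shell
#!/bin/bash
# Added example hook for dehydrated on a BIG-IP; not the wiki's hook.sh.
# dehydrated calls it as: hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Assumptions: tmsh exits non-zero when asked for a property the running TMOS
# does not know, and the client-ssl profile carries the domain's name.
TMSH="${TMSH:-tmsh}"   # set to a stub function or script to exercise offline

# A hook saved on Windows carries CR LF endings and produces the
# "config : No such file or directory" error quoted in this thread.
has_crlf() {
  grep -q "$(printf '\r')" "$1"
}

# 11.4 takes key/cert/chain directly on the profile; later versions want the
# cert-key-chain { default { ... } } block. Probe rather than hard-code versions.
supports_cert_key_chain() {
  "$TMSH" list ltm profile client-ssl "$1" cert-key-chain >/dev/null 2>&1
}

# Emit the tmsh command for whichever syntax the box understands.
profile_modify_cmd() {
  profile="$1" key="$2" cert="$3" chain="$4"
  if supports_cert_key_chain "$profile"; then
    printf 'modify ltm profile client-ssl %s cert-key-chain replace-all-with { default { key %s cert %s chain %s } }\n' \
      "$profile" "$key" "$cert" "$chain"
  else
    printf 'modify ltm profile client-ssl %s key %s cert %s chain %s\n' \
      "$profile" "$key" "$cert" "$chain"
  fi
}

deploy_cert() {
  domain="$1" keyfile="$2" certfile="$3" chainfile="$5"
  if has_crlf "$0"; then
    printf '%s\n' "hook has CRLF line endings; run dos2unix on $0 first" >&2
    return 1
  fi
  # Import the new key, leaf cert and chain into the BIG-IP object store.
  "$TMSH" install sys crypto key  "$domain.key"       from-local-file "$keyfile"
  "$TMSH" install sys crypto cert "$domain.crt"       from-local-file "$certfile"
  "$TMSH" install sys crypto cert "$domain-chain.crt" from-local-file "$chainfile"
  # Repoint the profile, then persist so the change survives a reboot.
  "$TMSH" -c "$(profile_modify_cmd "$domain" "$domain.key" "$domain.crt" "$domain-chain.crt")"
  "$TMSH" save sys config
}

case "${1:-}" in
  deploy_cert) shift; deploy_cert "$@" ;;
esac
```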
Ouch, sorry!
Up and running again.
- caronm_311825 (Nimbostratus)
I finally got some time to fine-tune this script. I have added a section where I create an iScript which runs the wrapper script once a week.
This should defeat the need for cronjobs and survive upgrades and even synchronize between cluster members. What's not to like! :-)
Let me know if you have any problems with it.
You are right, it is "upgrade sensitive" :-) I wish I could have managed it at the time. What you can do is make the call through an iScript; then it will move with the upgrade.