Let's Encrypt on a Big-IP
Problem this snippet solves:
It is now possible to make use of Let's Encrypt certificates and maintain them on the Big-IP.
Code :
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
- Matteo_Marzilia (Nimbostratus)
Hello guys
I'm using BIG-IP v13 and everything is fine... I'm stuck on one "little" thing.
If my domains.txt contains a root domain and an alias with the "-" char, the challenge fails. In a few words, when the URL is built the script (or the BIG-IP) adds an extra "/" after the hostname:
"uri": ";, "token": "LPZImMvrZKMb1DXZMsVtvV47Hc-Xyf-07MON0oHkBuo", "keyAuthorization": "LPZImMvrZKMb1DXZMsVtvV47Hc-Xyf-07MON0oHkBuo.Ud4XqcdRDfZs-sR2yjh5nW0ijSvQ9H-p_Tydfc2M3WM", "validationRecord": [ { "url": "http://www.test-domain.com//.well-known/acme-challenge/LPZImMvrZKMb1DXZMsVtvV47Hc-Xyf-07MON0oHkBuo", "hostname": ";, "port": "80", "addressesResolved": [ "X.X.X.X" ], "addressUsed": "X.X.X.X" },
Note the double "/" in the url: field
My domains.txt contains 5 rows; just 1 has the "-" char. The file was created directly with vi on the BIG-IP.
Can someone help me? Thank you very much guys
Matteo
Lazy admin == smart admin :-)
Please share your updates; I've been planning ideas but never found the time.
- Leon_137165 (Nimbostratus)
If you just start with this and download the latest dehydrated script it won't work. They now use the v2 version of Let's Encrypt and that does not seem to work with the above scripts. You get a "Challenge invalid". When you uncomment the "CA" value in the config file (which is the URL for version v1) it works just fine.
I'm now trying to modify the scripts to take care of the deletes as well, but also to add/remove empty/new client-ssl profiles to the VS. I have a webserver with lots of small sites which are added/deleted very frequently. I want zero manual work on the F5. Based on what the webserver is asking for in the domains.txt file, I add/delete the appropriate certificates. Lazy admin... :-)
This should do just that:
    #!/bin/bash
    # Skip comment lines (starting with '#') in domains.txt and take the first column (the primary domain)
    for i in $( grep -v "^#" domains.txt | awk '{ print $1 }' ); do
        tmsh create ltm profile client-ssl auto_$i
        echo "Created auto_$i client-ssl profile"
    done
- Firewally (Nimbostratus)
When using the script create-profiles.sh I receive errors, because I sometimes deactivate domains or FQDN entries in the domains.txt file. How could I modify create-profiles.sh to ignore lines beginning with a #?
    #!/bin/bash
    # Original create-profiles.sh: one client-ssl profile per first column of domains.txt
    for i in $( cat domains.txt | awk '{ print $1 }' ); do
        tmsh create ltm profile client-ssl auto_$i
        echo "Created auto_$i client-ssl profile"
    done
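The two snippets above only create profiles. As an added example (not Leon's script and not part of the lnxgeek how-to), here is one way to turn them into a reconciliation pass that also covers the deletes Leon mentions: the active lines of domains.txt (dehydrated's format, with "#" starting a comment and the first column being the primary name) define the desired set of auto_<domain> profiles, and the script prints the tmsh commands needed to create the missing ones and delete the stale ones. The sample domains.txt and the current profile list are constructed inline so it can be run off-box; on a BIG-IP the current list would come from `tmsh list ltm profile client-ssl one-line`, and the profile naming auto_<domain> is an assumption taken from the snippets above.

```shell
#!/bin/bash
# Added example, not from the original post or the lnxgeek script.
# Assumptions: domains.txt is in dehydrated's format (first column = primary
# name, remaining columns = SANs, '#' starts a comment, blank lines allowed);
# profiles are named auto_<primary-domain> as in the snippets above.
set -u

# Print the primary domain of every active line in domains.txt, one per line.
# Comment lines and blank lines are skipped, so a site is deactivated by
# prefixing its line with '#'.
desired_domains() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }' | sort -u
}

# Given a file with the current profile names (one per line, e.g. from
# `tmsh list ltm profile client-ssl one-line | awk '{print $4}'`) and a file
# with the desired domains, print the tmsh commands needed to converge.
plan_changes() {
    current="$1"; desired="$2"
    # Create: desired domains that have no auto_<domain> profile yet.
    while read -r d; do
        [ -n "$d" ] || continue
        grep -qxF "auto_$d" "$current" || \
            echo "tmsh create ltm profile client-ssl auto_$d"
    done < "$desired"
    # Delete: auto_* profiles whose domain is no longer active in domains.txt.
    # Profiles not named auto_* (e.g. the built-in clientssl) are left alone.
    while read -r p; do
        case "$p" in auto_*) ;; *) continue ;; esac
        grep -qxF "${p#auto_}" "$desired" || \
            echo "tmsh delete ltm profile client-ssl $p"
    done < "$current"
}

# Constructed sample input standing in for domains.txt and for the live
# profile list; on a BIG-IP read domains.txt from /shared and the profile
# list from tmsh instead.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        '# dehydrated domains.txt: primary name first, SANs after it' \
        'example.com www.example.com' \
        'test-domain.com www.test-domain.com' \
        '#old-site.example.com' > "$tmp/domains.txt"
    printf '%s\n' auto_example.com auto_old-site.example.com clientssl > "$tmp/current.txt"
    desired_domains "$tmp/domains.txt" > "$tmp/desired.txt"
    plan_changes "$tmp/current.txt" "$tmp/desired.txt"
    rm -rf "$tmp"
}

demo
```

Running it prints a create for auto_test-domain.com and a delete for auto_old-site.example.com; the commented-out line counts as deactivated, and the built-in clientssl profile is ignored. Two caveats for real use: tmsh refuses to delete a client-ssl profile that is still attached to a virtual server, so the VS must be modified first (the part Leon is still working on), and the commands are printed rather than executed so they can be reviewed before being piped to a shell on the box.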
- stein_87754 (Nimbostratus)
How would you get this working in an active/active setup? Wouldn't using iCall cause both units to run the script simultaneously, and then create a broken config sync, due to different certs being installed on each device?
In our setup we have two traffic groups, where each is active on one of the devices, with failover to the other. So a working setup for us could be to run dehydrated on each device at separate times (in cron), and do a config sync after each run. Or am I missing something here?
- Vince_Harris_33 (Nimbostratus)
Thanks for the quick response and for the work you put into this, great stuff. As for the privkey and fullchain, they do exist under the certs directory. I even went through the process of manually adding them to the F5 and re-running dehydrated as a test, but saw the same result. I'll move the entire directory out of home as you suggest and try again.
Looking at some SELinux stuff, it could be an explanation as to why it can't find the files. Just a thought.
Vince, you need to move the script out of "/home", as this filesystem is very small and not intended to be used like this. Use /shared instead, and then make sure your backup handles this as well.
I haven't seen your errors before but can you verify that the files are in order and exist?
- Vince_Harris_33 (Nimbostratus)
Hoping someone might have come across this before or can point me in the right direction? I'm currently using a VE of BIG-IP running 11.6.1 Build 0.0.317 Final. I have everything in place just like the article explains, but I'm getting the following messages.
01070712:3: file (/home/admin/dehydrated/shared/letsencrypt/certs/qa.pdaa.penton.com/privkey.pem) expected to exist.
01070712:3: file (/home/admin/dehydrated/shared/letsencrypt/certs/qa.pdaa.penton.com/fullchain.pem) expected to exist.
010717e3:3: Client SSL profile must have RSA certificate/key pair.
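The "expected to exist" errors above are tmsh being pointed at a path it cannot read, and the third error follows from it: the profile ends up referencing a key/cert pair that was never installed. As an added example (not the lnxgeek script and not anything Vince or the author posted), here is the kind of pre-flight check a practitioner would run before calling tmsh: confirm that dehydrated's privkey.pem and fullchain.pem for a domain exist under /shared, are non-empty and look like PEM, and only then emit the install commands. The certificate directory is constructed inline with placeholder PEM bodies so it runs off-box; the layout $CERT_BASE/<domain>/{privkey.pem,fullchain.pem} is dehydrated's, and the object names <domain>.key / <domain>.crt are an assumption.

```shell
#!/bin/bash
# Added example, not from the original post or the lnxgeek script.
# Assumptions: dehydrated writes $CERT_BASE/<domain>/privkey.pem and
# fullchain.pem; BIG-IP objects are named <domain>.key and <domain>.crt;
# tmsh commands are printed, not executed, so this runs anywhere.
CERT_BASE="${CERT_BASE:-/shared/letsencrypt/certs}"

# Check that both PEM files exist, are non-empty and carry a PEM header.
# Returns 0 when the directory is ready, 1 otherwise, naming the offending
# file on stderr. A missing file here is exactly what produces the
# "file (...) expected to exist" error when tmsh is run blindly.
check_cert_dir() {
    dir="$1"; ok=0
    for f in privkey.pem fullchain.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2; ok=1
        elif ! grep -q '^-----BEGIN ' "$dir/$f"; then
            echo "not PEM: $dir/$f" >&2; ok=1
        fi
    done
    return $ok
}

# Print the tmsh commands that install the key and certificate for one
# domain. The directory is validated first, so tmsh is never handed a path
# that does not exist; returns 1 (and prints nothing) if validation fails.
install_cmds() {
    domain="$1"; dir="$CERT_BASE/$domain"
    check_cert_dir "$dir" || return 1
    echo "tmsh install sys crypto key $domain.key from-local-file $dir/privkey.pem"
    echo "tmsh install sys crypto cert $domain.crt from-local-file $dir/fullchain.pem"
}

# Constructed sample tree: one complete domain and one with fullchain.pem
# missing. The PEM bodies are placeholders, not real key material.
demo() {
    tmp=$(mktemp -d)
    CERT_BASE="$tmp"
    mkdir -p "$tmp/good.example.com" "$tmp/broken.example.com"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...' '-----END PRIVATE KEY-----' \
        > "$tmp/good.example.com/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIF...' '-----END CERTIFICATE-----' \
        > "$tmp/good.example.com/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...' '-----END PRIVATE KEY-----' \
        > "$tmp/broken.example.com/privkey.pem"
    install_cmds good.example.com
    install_cmds broken.example.com || echo "skipped broken.example.com"
    rm -rf "$tmp"
}

demo
```

For good.example.com the two install commands are printed; for broken.example.com the check reports the missing fullchain.pem on stderr and nothing is installed. When a profile already references the objects being replaced, update the profile's cert and key in a single `tmsh modify ltm profile client-ssl ... cert ... key ...` rather than one at a time, since a profile whose cert and key do not belong together is rejected with the same class of "must have RSA certificate/key pair" error shown above.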