Let's Encrypt on a Big-IP

I'm having the same problem as Delta Force

 ./letsencrypt.sh -c
 INFO: Using main config file /letsencrypt/config
ERROR: Problem connecting to server (curl returned with 60)

I can ping acme-v01.api.letsencrypt.org from the the same shell. I'm running 11.6.0 Any ideas?

Googling the error gives:

CURLE_SSL_CACERT (60) Peer certificate cannot be authenticated with known CA certificates.

How does it look if you run: curl -v https://acme-v01.api.letsencrypt.org

from the Bigip?

This is my output from the BIGIP

curl -v https://acme-v01.api.letsencrypt.org
* About to connect() to acme-v01.api.letsencrypt.org port 443 (0)
*   Trying 104.123.211.71... connected
* Connected to acme-v01.api.letsencrypt.org (104.123.211.71) port 443 (0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS alert, Server hello (2):
} [data not shown]
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection 0

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Could it be that you're being SSL intercepted going out onto the Internet?

Updated my BIGIP to 11.6.1. That seems to have resolved the SSL issue. I ran the script again and now it alerted me that the LICENSE pdf was outdated so I updated it to the lates version and tried to run the script again.

  ./letsencrypt.sh -c
: No such file or directory

Running ls lets me know the file is there.

     letsencrypt  ls -a -l
total 59
drwxr-xr-x  3 root root  1024 Feb 14 11:33 .
drwxr-xr-x 28 root root  1024 Feb 14 11:18 ..
drwxr-xr-x  2 root root  1024 Feb 14 11:24 .acme-challenges
-rwxr-xr-x  1 root root  3529 Feb 10 14:14 config
-rwxr-xr-x  1 root root    32 Feb 14 11:21 domains.txt
-rwxr-xr-x  1 root root  3429 Jan 11 16:10 hook.sh
-rwxr-xr-x  1 root root 37807 Feb 14 11:29 letsencrypt.sh
-rwxr-xr-x  1 root root   390 May 29  2016 wrapper.sh

What is wrong here?

Does all the parameters points to the correct paths/files?

Thanks for the scripts, worked like a charm. LTM 12.1.2

Most welcome :-)

I just tested the latest version of the script (which now is called dehydrated) from Lukas and it works nicely. Remember to update WELLKNOWN variable and update the hook.sh file which has some minor changes to it.

Could you update the installation instructions to include the use of dehydrated or is it just required to replace the letsencrypt.sh file with the new dehydrated file? Could you also please explain what needs to be updated with regards to WELLKNOWN and hook.sh?

I changed also to dehydrated. My changes. uncommented WELLKNOWN in the config file. I also used the hook.sh from dehydrated and pasted the commands from the hook.sh of lnxgeek into the new hook.sh file. It is very obvious with commands you will need.

(for some reasons i cannot add the hook.sh i made here)