Let's Encrypt on a Big-IP
Problem this snippet solves:
It is now possible to make use of Let's Encrypt certificates and maintain them on the Big-IP.
Code:
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
- SpaceLong_28149Nimbostratus
Hi all,
Beyond the article, do you have a step-by-step tutorial for implementing this within F5 BIG-IP?
How does the flow work? Does F5 pass the challenge to one specific web server to do the challenge/response, or does F5 itself carry this out?
Does this script distribute the new certificate (request or renew) to all the web servers in my farm?
Does it have any support for automatically configuring IIS/Apache or other web servers, or does it only get the certificate, leaving it up to the administrator to configure the certificate on each web server?
Does this script have any limitations in terms of web server platforms, or is it independent?
Thanks in advance!
This is what you need to do to get it running:
- Create datagroup
- Create iRule (just copy from blog)
- Create clientssl profile matching your domains (see blog)
- Populate domain.txt with your domains
- Make appropriate changes to the config file
- Assign iRule to the VS which is assigned to your domains (basically this is where the challenge-response traffic is handled and where your DNS is pointed)
The certificates live on the F5; this is the point of this script implementation. So there is no distribution of the certificates unless you put it into the hook script. The best way of using SSL/TLS is to have it handled in front of the web servers by the F5 and run cleartext against the servers. The script is completely independent of any device, server, or service type you put the F5 in front of. The dependency is tied to the F5.
Hope this helps.
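An illustrative iRule of the kind the "Create iRule" step refers to, added here as an example and not the blog's or the poster's iRule: it answers Let's Encrypt HTTP-01 challenge requests on the BIG-IP itself, looked up from a datagroup, so the challenge traffic never reaches the web servers. The datagroup name `acme_challenges` and the assumption that the hook script fills it with token-to-key-authorization pairs are mine, not from the page.

```tcl
# Added example: serve ACME HTTP-01 challenges directly on the BIG-IP.
# Assumes a string datagroup named "acme_challenges" (hypothetical name)
# whose keys are challenge tokens and whose values are the matching
# key authorizations, populated by the hook script at issue/renew time.
when HTTP_REQUEST {
    # Only intercept the ACME challenge path; all other requests continue
    # to the pool as usual.
    if { [HTTP::path] starts_with "/.well-known/acme-challenge/" } {
        # The token is the last path segment (ACME tokens contain no "/").
        set token [lindex [split [HTTP::path] "/"] end]
        # Returns the stored key authorization, or "" when the token is unknown.
        set keyauth [class match -value $token equals acme_challenges]
        if { $keyauth ne "" } {
            # Known token: answer with the key authorization as plain text.
            HTTP::respond 200 content $keyauth "Content-Type" "text/plain" "Cache-Control" "no-store"
        } else {
            # Unknown token: answer here rather than forwarding the probe
            # to the back-end servers.
            HTTP::respond 404 content "Not Found" "Content-Type" "text/plain"
        }
        return
    }
}
```

Because the virtual server is where the domains' DNS points, the CA's validation request reaches this iRule regardless of which pool members sit behind it.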
- SpaceLong_28149Nimbostratus
Dear lnxgeek116, thanks very much for your response! I will give it a try and see how it works. Thanks!
@SpaceLong most welcome :-)
I hope you get it going.
I have just updated the solution with OCSP stapling.
After too many hours digging around getting OCSP to work properly on the BigIP I've made a small change to the hook script making it possible to get OCSP stapling working. For now it is only v.13 compatible but it should be a minor hack to get it working on other versions.
- Brad_BakerCirrus
I noticed this runs from a cron job. During firmware upgrades do cron jobs get retained? Or if we implemented this would we need to take care when upgrading our firmware to re-create the cron jobs? Anyone know?
You are right, it is "upgrade sensitive" :-) I wish I could manage at the time. What you can do is make the call through an iScript, then it will move with the upgrade.
I finally got some time to fine-tune this script. I have added a section where I create an iScript which runs the wrapper script once a week.
This should defeat the need for cronjobs and survive upgrades and even synchronize between cluster members. What's not to like! :-)
Let me know if you have any problems with it.
- caronm_311825Nimbostratus
Ouch, sorry!
Up and running again.