Let's Encrypt on a Big-IP
Problem this snippet solves:
It is now possible to make use of Let's Encrypt certificates and maintain them on the Big-IP.
Code:
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
- Stanislas_Piro2 (Cumulonimbus)
Hi,
It seems the link changed. I found the documentation at this URL:
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
Thank you lnxgeek for this solution, it is very helpful!
I had some difficulty understanding what to do with all these files, so here is a little installation guide:
- Create the data group
- Copy the iRule and assign it to the HTTP virtual server whose destination address is resolved for each element in domains.txt
- Create the directory /shared/letsencrypt (it is used in the call). All files may be created in this directory.
- Create /shared/letsencrypt/domains.txt
- Create the script to create profiles (I called it create-profiles.sh)
- Create config, wrapper.sh and send_mail from the code
- Retrieve dehydrated from Lukas Schauer's GitHub
- Make all scripts executable:
chmod 755 hook.sh wrapper.sh send_mail dehydrated create-profiles.sh
- Create the /var/www/dehydrated directory:
mkdir /var/www/dehydrated
- Accept the Let's Encrypt license terms
./dehydrated --register --accept-terms
- Execute the script to create the certificate
./dehydrated -c
- Assign clientssl profiles
- Install an iScript
Most welcome :-)
You have made a nice "dehydrated" version of my article... ;-)
- Dmitry_Sherman (Nimbostratus)
Where can I get the 11.4 hook.sh & dehydrated scripts? I get this error:
+ Done!
+ Creating fullchain.pem...
Syntax Error: "default" unknown property
Looks like 11.4 uses the older syntax:
ltm profile client-ssl /Common/clientssl {
    ca-file none
    cert /Common/default.crt
    cert-lifespan 30
    cert-lookup-by-ipaddr-port disabled
    chain none
    client-cert-ca none
    crl-file none
    handshake-timeout 10
    key /Common/default.key
while newer versions indeed use the "default" statement:
    app-service none
    cert /Common/default.crt
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    chain none
    inherit-certkeychain true
    key /Common/default.key
    passphrase none
}
- Stanislas_Piro2 (Cumulonimbus)
I guess this script was written for a newer version and does not exist for version 11.4.
Try the following command in tmsh, find what is not working and change the hook script:
modify ltm profile client-ssl ${profile} cert-key-chain replace-all-with { default { key $key cert $cert } }
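As an added example (not from the article's hook.sh and not Stanislas's or Dmitry's code): a small shell snippet that emits the right modify command for the running TMOS version. It reads the version with tmsh show sys version and treats everything below 11.5 as needing the older cert/key property syntax shown in the 11.4 listing above; that cutoff is an assumption, since the thread only establishes that 11.4 is old and a newer release is new. The profile and certificate names in the usage comment are hypothetical, and cert/key refer to sys crypto objects already installed on the box.

```shell
#!/bin/sh
# Added example, not the article's hook.sh: choose the client-ssl modify syntax
# by TMOS version. Assumption: releases before 11.5 take "cert ... key ..."
# directly (as in the 11.4 profile listing in the thread), 11.5 and later take
# "cert-key-chain { default { ... } }"; the thread itself only confirms 11.4
# (old) and "newer versions" (new).

# Read the running TMOS version, e.g. "11.4.0". tmsh only exists on the BIG-IP.
tmos_version() {
    tmsh show sys version | awk '/^ *Version/ {print $2; exit}'
}

# Returns 0 when version $1 (major.minor[.patch]) is older than 11.5.
uses_legacy_clientssl_syntax() {
    major=${1%%.*}
    case $1 in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -lt 11 ] || { [ "$major" -eq 11 ] && [ "$minor" -lt 5 ]; }
}

# Print the tmsh command for version $1, profile $2, cert object $3, key object $4.
# The new form mirrors the command quoted in the thread.
clientssl_modify_cmd() {
    version=$1; profile=$2; cert=$3; key=$4
    if uses_legacy_clientssl_syntax "$version"; then
        printf 'modify ltm profile client-ssl %s cert %s key %s\n' \
            "$profile" "$cert" "$key"
    else
        printf 'modify ltm profile client-ssl %s cert-key-chain replace-all-with { default { key %s cert %s } }\n' \
            "$profile" "$key" "$cert"
    fi
}

# Usage on the BIG-IP (hypothetical object names):
#   tmsh -c "$(clientssl_modify_cmd "$(tmos_version)" example.com_clientssl \
#             example.com.crt example.com.key)"
```

Dropping this into the hook in place of the fixed cert-key-chain line lets one hook.sh serve both 11.4 and current releases; if the version parsing ever fails, the function falls back to the newer syntax, which is the one the article was written for.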
- David_Scott_104 (Historic F5 Account)
If you frequently add subdomains you can save yourself a little effort by building your domains list dynamically (this assumes that your VIPs are named for the FQDN, e.g. shop.example.com, etc.):
tmsh -q -c "cd /;list ltm virtual recursive" | awk 'BEGIN {RS="\n}"} !/\ none/ {print}'| grep ^ltm | awk '{print "/" $3}' | grep "domain$" | cut -d'/' -f3 | xargs
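An added example, not David's one-liner and not part of the article, doing the same job in a form that can be tested off the box: it takes the tmsh listing on stdin and keeps only virtual servers whose object name is shaped like a hostname under the wanted domain, so anything like internal_admin_vs is dropped on name alone rather than on the presence of "none" in its record. The listing below is constructed (hypothetical objects, documentation-range addresses).

```shell
#!/bin/sh
# Added example, not David's pipeline: derive the Let's Encrypt domain list
# from BIG-IP virtual server names, assuming (as the post does) that virtual
# servers are named after the FQDN they serve.

# Constructed sample of "tmsh -q -c 'cd /; list ltm virtual recursive'" output
# (hypothetical objects and documentation-range addresses).
SAMPLE_LISTING=$(cat <<'EOF'
ltm virtual /Common/shop.example.com {
    destination /Common/203.0.113.10:80
    ip-protocol tcp
    pool /Common/shop_pool
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
ltm virtual /Common/www.example.com {
    destination /Common/203.0.113.11:80
    ip-protocol tcp
    source 0.0.0.0/0
}
ltm virtual /Common/internal_admin_vs {
    destination /Common/10.0.0.5:8443
    ip-protocol tcp
    source 0.0.0.0/0
}
ltm virtual /Partition1/mail.example.com {
    destination /Partition1/203.0.113.12:80
    ip-protocol tcp
    source 0.0.0.0/0
}
EOF
)

# Print the object path (/Partition/name) of every virtual server in the
# listing read from stdin; only the "ltm virtual ... {" header lines are used.
virtual_paths() {
    awk '$1 == "ltm" && $2 == "virtual" {print $3}'
}

# From a tmsh listing on stdin, print one FQDN per line for virtual servers
# named like a host under domain $1 (e.g. "example.com"), any partition.
letsencrypt_names() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    virtual_paths | awk -F/ '{print $NF}' | grep -E "^[A-Za-z0-9.-]+\.${esc}\$"
}

# Same names joined on one line: dehydrated treats one line of domains.txt as
# one certificate whose additional names become SANs, as the xargs above does.
letsencrypt_domains_line() {
    letsencrypt_names "$1" | xargs
}

# Usage on the BIG-IP, with live data instead of the constructed sample:
#   tmsh -q -c "cd /; list ltm virtual recursive" \
#     | letsencrypt_domains_line example.com > /shared/letsencrypt/domains.txt
```

Because the filter is a hostname regex anchored on the domain, a virtual server named after an unrelated domain or a plain service name never ends up in a certificate request, which is the failure mode to watch for when the list is generated rather than hand-maintained.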
- Nicolas_COLLET (Nimbostratus)
Hello,
If anyone has this error:
./dehydrated -c
INFO: Using main config file .. config : No such file or directory
In my case, it was the hook file with bad end-of-line encoding because the files were created on Windows.
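An added example, not Nicolas's code and not from the article or the dehydrated project, that pre-flights the layout from the installation guide earlier in the thread (the five scripts under /shared/letsencrypt, domains.txt and /var/www/dehydrated) for exactly this class of problem: missing files, missing execute bits and CRLF line endings. The reason the message is so misleading is that a script saved with CRLF endings has a shebang of "#!/bin/bash" followed by a carriage return, so the kernel looks for an interpreter literally named that and reports No such file or directory. Function names here are this example's own; the paths and file names are the guide's.

```shell
#!/bin/sh
# Added example (not the article's or dehydrated's code): pre-flight check of
# the /shared/letsencrypt layout from the installation guide, including the
# Windows CRLF line-ending problem. A CRLF shebang ("#!/bin/bash<CR>") makes the
# kernel search for an interpreter named "/bin/bash\r", hence the confusing
# "No such file or directory".

CR=$(printf '\r')

# Returns 0 if file $1 contains any carriage return.
has_crlf() {
    grep -q "$CR" "$1"
}

# Rewrite file $1 in place without carriage returns. Writing back through the
# original path keeps its inode and mode, so the execute bit survives.
strip_crlf() {
    tmp="$1.nocr.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Check the dehydrated install in directory $1 (default /shared/letsencrypt)
# with ACME webroot $2 (default /var/www/dehydrated). Prints one line per
# problem and returns the number of problems found (0 = ready to run).
preflight() {
    base=${1:-/shared/letsencrypt}
    webroot=${2:-/var/www/dehydrated}
    problems=0
    for f in hook.sh wrapper.sh send_mail dehydrated create-profiles.sh; do
        p="$base/$f"
        if [ ! -f "$p" ]; then
            echo "missing: $p"; problems=$((problems + 1)); continue
        fi
        [ -x "$p" ] || { echo "not executable (chmod 755): $p"; problems=$((problems + 1)); }
        has_crlf "$p" && { echo "CRLF line endings (run strip_crlf): $p"; problems=$((problems + 1)); }
    done
    [ -s "$base/domains.txt" ] || { echo "missing or empty: $base/domains.txt"; problems=$((problems + 1)); }
    [ -d "$webroot" ] || { echo "missing directory: $webroot"; problems=$((problems + 1)); }
    return $problems
}

# Usage on the BIG-IP:
#   preflight /shared/letsencrypt /var/www/dehydrated && ./dehydrated -c
```

Running preflight before dehydrated -c turns the opaque config error into a named file and a one-line fix, and the same check catches the chmod step from the guide being skipped.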
- Vince_Harris_33 (Nimbostratus)
Hoping someone might have come across this before or can point me in the right direction? I'm currently using VE of BIG-IP running 11.6.1 Build 0.0.317 Final. I have everything in place just like the article explains but I'm getting the following messages.
01070712:3: file (/home/admin/dehydrated/shared/letsencrypt/certs/qa.pdaa.penton.com/privkey.pem) expected to exist.
01070712:3: file (/home/admin/dehydrated/shared/letsencrypt/certs/qa.pdaa.penton.com/fullchain.pem) expected to exist.
010717e3:3: Client SSL profile must have RSA certificate/key pair.
Vince, you need to move the script out of "/home" as this filesystem is very small and not intended to be used like this. Use /shared instead and then make sure backup handles this as well.
I haven't seen your errors before but can you verify that the files are in order and exist?
Looking at some SELinux stuff it could be an explanation as to why it can't find the files. Just a thought.
- Vince_Harris_33 (Nimbostratus)
Thanks for the quick response and for the work you put into this, great stuff. As for the privkey and fullchain, they do exist under the certs directory. I even went through the process of manually adding them to the F5 and re-running dehydrated as a test but saw the same result. I'll move the entire directory out of home as you suggest and try again.