Let's Encrypt on a Big-IP
Problem this snippet solves:
It is now possible to make use of Let's Encrypt certificates and maintain them on the Big-IP.
Code:
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
- stein_87754 (Nimbostratus)
How would you get this working in an active/active setup? Wouldn't using iCall cause both units to run the script simultaneously, and then create a broken configsync, due to different certs being installed on each device?
In our setup we have two traffic groups, where each is active on one of the devices, with failover to the other. So a working setup for us could be to run dehydrated on each device at separate times (in cron), and do a configsync after each run. Or am I missing something here?
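The scheme described in the post above (each unit renews only the traffic group it currently holds, then syncs) as an added example. This is not code from the thread, from dehydrated or from F5; it assumes that "tmsh show sys failover" prints one line per traffic group of the form "Failover active for /Common/traffic-group-1" or "Failover standby for ...", that the device group is called device-group-1, and that the renewal command is passed in as arguments. Both units can keep the same schedule, because the standby unit exits without doing anything.

```shell
#!/bin/sh
# Added example, not from the thread, dehydrated or F5: run the renewal for a
# traffic group only on the unit that is currently active for it, then sync the
# result to the peer. Both units can keep the same schedule; the standby exits.
# Assumptions: "tmsh show sys failover" prints one line per traffic group such as
# "Failover active for /Common/traffic-group-1" or "Failover standby for ...";
# the device group name; and that the renewal command is passed in as arguments.
set -eu

# Return 0 when the failover status text ($2) says this unit is active for the
# traffic group $1, 1 otherwise. Takes the text as an argument so it can be
# exercised with constructed output.
active_for() {
  tg=$1; status=$2
  printf '%s\n' "$status" | grep -q "^Failover active for $tg\$"
}

# renew_if_active <traffic-group> <device-group> <command...>
renew_if_active() {
  tg=$1; dg=$2; shift 2
  status=$(tmsh show sys failover)
  if active_for "$tg" "$status"; then
    "$@"                                    # e.g. ./dehydrated -c
    tmsh run cm config-sync to-group "$dg"  # push the new certs to the peer
  else
    echo "not active for $tg on this unit, skipping" >&2
  fi
}

# Cron entry idea (one per traffic group, at different times on each unit):
#   15 3 * * * /root/renew-if-active.sh /Common/traffic-group-1 device-group-1 ./dehydrated -c
if [ $# -ge 3 ]; then
  renew_if_active "$@"
fi
```

Running config-sync only from the unit that just renewed is what keeps the two devices from fighting over different certificates; the other unit never writes to the shared configuration for that traffic group.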
- Firewally (Nimbostratus)
When using the script create-profiles.sh I receive errors, because I use "#" to deactivate domains or FQDN entries in the domains.txt file. How could I modify create-profiles.sh to ignore lines beginning with a "#"?
    #!/bin/bash
    for i in $( cat domains.txt | awk '{ print $1}' ); do
        tmsh create ltm profile client-ssl auto_$i
        echo "Created auto_$i client-ssl profile"
    done
This should do just that:
    #!/bin/bash
    # grep -v '^#' drops the lines that start with "#", so disabled entries
    # never reach tmsh; awk keeps only the first column (the primary name).
    for i in $( grep -v '^#' domains.txt | awk '{ print $1}' ); do
        tmsh create ltm profile client-ssl auto_$i
        echo "Created auto_$i client-ssl profile"
    done
- Leon_137165 (Nimbostratus)
If you just start with this and download the latest dehydrated script, it won't work. They now use the v2 version of Let's Encrypt and that does not seem to work with the above scripts. You get a "Challenge invalid". When you uncomment the "CA" value in the config file (which is the URL for version v1) it works just fine.
I'm now trying to modify the scripts to take care of the deletes as well, but also to add/remove empty/new client-ssl profiles to the VS. I have a webserver with a lot of small sites which are added/deleted very frequently. I want zero manual work on the F5. Based on what the webserver is asking for in the domains.txt file, I add/delete the appropriate certificates. Lazy admin... :-)
Lazy admin == smart admin :-)
Please share your updates, I've been planning for ideas but never found the time.
- Matteo_Marzilia (Nimbostratus)
Hello guys
I'm using BIG-IP v13 and everything is fine... I'm stuck on one "little" thing.
If my domains.txt contains a root domain and an alias with the "-" char, the challenge fails. In a few words, when the URL is built the script (or the BIG-IP) adds an extra "/" after the hostname:
"uri": ";, "token": "LPZImMvrZKMb1DXZMsVtvV47Hc-Xyf-07MON0oHkBuo", "keyAuthorization": "LPZImMvrZKMb1DXZMsVtvV47Hc-Xyf-07MON0oHkBuo.Ud4XqcdRDfZs-sR2yjh5nW0ijSvQ9H-p_Tydfc2M3WM", "validationRecord": [ { "url": "http://www.test-domain.com//.well-known/acme-challenge/LPZImMvrZKMb1DXZMsVtvV47Hc-Xyf-07MON0oHkBuo", "hostname": ";, "port": "80", "addressesResolved": [ "X.X.X.X" ], "addressUsed": "X.X.X.X" },
Note the double "/" in the url: field
My domains.txt contains 5 rows, just 1 has the "-" char. The file was created directly with vi on the BIG-IP.
Can someone help me? Thank you very much guys
Matteo
It is the dehydrated script which makes the challenges, so that's the culprit. I haven't had a domain with a dash in it, that's why I've never come across it.
What you can try is to take the latest edition and point it to the v1 endpoint. It would seem that the v2 endpoint requires some modification to the BIG-IP setup.
If it isn't fixed there we need to take a look in the bash script itself.
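An added example, serving both Firewally's question about "#"-disabled lines in domains.txt and Matteo's doubled "/" in the validation record. It is not the create-profiles.sh from this page and not part of dehydrated. It assumes dehydrated's domains.txt layout (one line per certificate, "primary-name [alt-name ...]"), assumes that "tmsh list" exits non-zero when the profile does not exist (so the create step becomes idempotent), and treats a trailing "/" left on a domain entry as one possible, unconfirmed cause of the "host//.well-known" URL; the point is that every entry is validated before a challenge is ever requested. The sample domains.txt is constructed here, not taken from the thread.

```shell
#!/bin/sh
# Added example (not the create-profiles.sh from the thread, and not part of
# dehydrated): read a dehydrated-style domains.txt, skip "#" comments and blank
# lines, validate each name, and emit one idempotent tmsh command per site.
# Assumptions: each line is "primary-name [alt-name ...]" (dehydrated's format);
# "tmsh list" exits non-zero when the profile does not exist; the trailing-slash
# case is only a hypothesis for the doubled "/" seen in the validation record.
set -eu
set -f   # no pathname expansion while word-splitting file lines

# Hostname grammar: dot-separated labels of letters, digits and dashes, no label
# starting or ending with a dash, at least one dot. Dashes are legal, so
# "test-domain.com" passes; "bad_host.example.com" does not.
valid_hostname() {
  h=$1
  [ ${#h} -le 253 ] || return 1
  printf '%s\n' "$h" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Print the primary name of every active entry in $1, one per line.
# Strips CRs (file edited on Windows), lowercases, drops a trailing "/", and
# rejects malformed names on stderr; exit status 2 if anything was rejected.
primary_domains() {
  file=$1; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')
    line=${line%%#*}                 # full-line and inline comments
    set -- $line                     # word-split: $1 is the primary name
    [ $# -eq 0 ] && continue         # blank or comment-only line
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%/}
    if valid_hostname "$name"; then
      printf '%s\n' "$name"
    else
      printf 'skipping malformed entry: %s\n' "$1" >&2
      bad=1
    fi
  done < "$file"
  [ "$bad" -eq 0 ] || return 2
}

# The HTTP-01 URL the CA fetches. A name that still carries a trailing "/"
# yields the "host//.well-known" shape from the thread, which is why
# primary_domains strips it before the name is used anywhere.
challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# One tmsh command per site: "tmsh create" fails on an existing object, so test
# with "tmsh list" first. Commands are printed rather than executed so they can
# be reviewed, or piped to sh on the BIG-IP.
profile_commands() {
  primary_domains "$1" | while IFS= read -r name; do
    printf 'tmsh list ltm profile client-ssl auto_%s >/dev/null 2>&1 || tmsh create ltm profile client-ssl auto_%s\n' "$name" "$name"
  done
}

# Constructed sample (not from the thread): comment, blank, CRLF, dashed and
# malformed entries.
write_sample_domains() {
  printf 'example.com www.example.com\n# old.example.com\n\ncr.example.com\r\nwww.test-domain.com mail.test-domain.com\nbad_host.example.com\n' > "$1"
}

tmp=$(mktemp)
write_sample_domains "$tmp"
profile_commands "$tmp"
rm -f "$tmp"
```

Run on the sample it prints three guarded tmsh lines (example.com, cr.example.com, www.test-domain.com) and a warning for bad_host.example.com on stderr; the dashed name passes as it should, so a dash alone does not explain Matteo's failure, and a malformed or slash-terminated entry is caught here instead of surfacing as a "Challenge invalid" from the CA.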
- Matteo_Marzilia (Nimbostratus)
I think I'm already pointing to the v1 endpoint; as suggested by Leon I've uncommented the CA line in the config file. I'm not skilled in Linux scripting, any suggestions would be appreciated ;)
Meanwhile I'll look at the script with some colleagues. I'll keep you updated.
- Adam_McKay_3593 (Nimbostratus)
Not 100% relevant to the topic (but I figured it wasn't worth a topic of its own): if you want to create and update LE certificates on an F5 automatically without running scripts directly on the appliance itself, this project on GitHub uses the Python f5-sdk and acme.sh to run either standalone or in a Docker container.
https://github.com/farces/acme-f5-deploy/
In this case you'd need to use the DNS API for verification, as it won't have access to the hosting web server to provision the well-known URI. The list of supported DNS providers is increasing, and if your provider has no API (or you're not willing to give your API key to the script) you can use an 'alias' DNS zone on a supported host (Cloudflare is free, for example) for the purpose of validation only.
It doesn't touch any virtual servers: it only creates a certificate and certificate chain, and a single Client SSL profile once (and only if it doesn't already exist), ready to be customized and applied to a virtual server.
Has worked well for us so I thought I'd put it somewhere other people could use (and revise, as needed!).
- Colin_Stubbs (Nimbostratus)
For anyone interested, I have created a series of dehydrated hooks to address multiple Let's Encrypt/ACME against F5 BIGIP situations. Options available to use HTTP-01 or DNS-01 based validation, and to obtain/deploy/redeploy traffic OR management interface certs.
Get 'em here: https://github.com/colin-stubbs/dehydrated-bigip
I'm keen for feedback too. Let me know if something doesn't work or you think it could be improved.