Let's Encrypt on a Big-IP
Problem this snippet solves:
It is now possible to make use of Let's Encrypt certificates and maintain them on the Big-IP.
Code :
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
- Jens_DeprezNimbostratus
Hi,
I have the following issue at the moment. I managed to configure all the scripts, but I keep receiving the same error over and over again:
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for xxx
+ 1 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for xxx authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from http://xxx/.well-known/acme-challenge/kesLdLYVVVQGsd7Rk2n81uSydmi_2_1j7O62gIf8ZIg [0.0.0.0]: 404",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/dEatI1F43o_YbrmzOedlPNjKW3EjQazpOAAwPEcFzSY/12616604520",
  "token": "kesLdLYVVVQGsd7Rk2n81uSydmi_2_1j7O62gIf8ZIg",
  "validationRecord": [
    {
      "url": "http://xxx/.well-known/acme-challenge/kesLdLYVVVQGsd7Rk2n81uSydmi_2_1j7O62gIf8ZIg",
      "hostname": "xxx",
      "port": "80",
      "addressesResolved": [ "0.0.0.0" ],
      "addressUsed": "0.0.0.0"
    }
  ]
We are using a specific partition in our configuration, but this has been edited in all the scripts. So the correct datagroup is referenced in hook.sh. Anything I might be missing?
I have read that this can be due to the ACME version, but changing the default URL doesn't change anything. Both https://acme-v02.api.letsencrypt.org/directory and https://acme-v01.api.letsencrypt.org/directory give the same error.
I'm sure the datagroup is being checked, as can be seen in the logs:
Rule /Default/Lets_Encrypt_ACME_iRule : Responding with 404 to ACME challenge YjMsNqw2uf5xbyqlB6uWF5jJcZqJ3azbPfksfUlxkzI
Thanks!
Hi Jens
Have you updated dehydrated to the latest version, I think I was hit by this as well.
- Jens_DeprezNimbostratus
Hey lnxgeek, yes I used the latest dehydrated version. Pulled it from GitLab. So that version breaks stuff? Does anyone know of a working build?
Well, I fixed it by taking the latest from GitHub.
- Jens_DeprezNimbostratus
Just retried with a fresh pull from GitLab. Still the same error.
I have the feeling that the datagroup doesn't get populated. When I look in the local traffic logs I can see the 404 logs, but never a 200, so this might be the issue. Maybe I'm missing something in the config file?
Look in the hook.sh file; it is there that the tmsh commands inject the challenge into the datagroup. Maybe they need adjusting to the correct partitions?
- Jens_DeprezNimbostratus
I checked the hook.sh file and changed the code so it reflects the correct partitions. This still seems to fail. A second check with a setup using the Common partition also fails. Does anyone know if there is a certain setting that can prevent the population of the datagroup?
- mperry44_281385Nimbostratus
I'm getting "Challenge is invalid", which is understandable since DNS has not been updated with the TXT record. So my question is: after running the script, do I add the token value presented after "token": to the DNS server as a TXT record?
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.my.example.com",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/cdsuhihdfushduhfisuhuhsufhushdfauiiuf",
  "token": "jsifneriufhsfnasuhnfasnruafegigsi-si"
})
- Jens_DeprezNimbostratus
Hey guys, I managed to fix the issues. It seemed there was a typo in the hook.sh. Another factor that made the script fail was the location of hook.sh; it seems that the current dehydrated doesn't look for it in the same folder.
After editing the config I can request certificates without any issues. However, certificates with SAN values still give an error. Is this a known issue?
Cheers, Jens
- FirewallyNimbostratus
Hi, thanks for the introduction to running Let's Encrypt on BIG-IPs. What needs to be done to sync the /shared/letsencrypt and /var/www/dehydrated directories within the default sync-failover device group, or an existing automatic sync-failover group, to all group members?
Greetings, Michael
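The hook.sh mechanism lnxgeek points at above (tmsh injecting each challenge into the data group the iRule reads, in the right partition) and the config-sync side of Michael's question, as an added example. This is not the wiki's hook.sh or iRule; it is written against dehydrated's documented hook interface (deploy_challenge / clean_challenge / deploy_cert arguments) and tmsh commands that exist on BIG-IP. The partition, data-group name, certificate object names, the SYNC_GROUP variable and the TMSH variable are assumptions; set them for your box. The `print_irule` function emits a matching iRule that logs the same "Responding with 404" line seen in the thread when the token is missing from the data group.

```shell
#!/bin/sh
# Added example (not the wiki's script): dehydrated hook for BIG-IP.
# Publishes http-01 tokens into an internal string data group via tmsh,
# installs the issued key/cert, and optionally runs a config-sync.
set -eu

PARTITION="${PARTITION:-Common}"          # assumed; the thread used /Default
DATAGROUP="${DATAGROUP:-acme_challenges}" # assumed string data group the iRule reads
SYNC_GROUP="${SYNC_GROUP:-}"              # assumed; empty means no config-sync
TMSH="${TMSH:-tmsh}"                      # set TMSH=echo to dry-run off-box

dg_path() { printf '/%s/%s' "$PARTITION" "$DATAGROUP"; }

# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# Key   = TOKEN_FILENAME, the last path segment of /.well-known/acme-challenge/...
# Value = TOKEN_VALUE, the key authorization the CA expects in the response body.
# (For dns-01, dehydrated passes the TXT record value in TOKEN_VALUE instead.)
deploy_challenge() {
    $TMSH modify ltm data-group internal "$(dg_path)" records add \
        "{ \"$2\" { data \"$3\" } }"
}

# hook.sh clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
    $TMSH modify ltm data-group internal "$(dg_path)" records delete \
        "{ \"$2\" }"
}

# hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    $TMSH install sys crypto key "/$PARTITION/$1.key" from-local-file "$2"
    $TMSH install sys crypto cert "/$PARTITION/$1.crt" from-local-file "$4"
    # Config-sync pushes BIG-IP config objects (data group, key, cert) to the
    # device group. It does not copy dehydrated's own directories on disk.
    if [ -n "$SYNC_GROUP" ]; then
        $TMSH run cm config-sync to-group "$SYNC_GROUP"
    fi
}

# Emits the iRule to attach to the port-80 virtual server (assumed design).
# A token the hook never wrote to the data group yields the 404 + log line.
print_irule() {
    cat <<EOF
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "/.well-known/acme-challenge/" } {
        set token [lindex [split [HTTP::path] "/"] end]
        set keyauth [class match -value \$token equals $(dg_path)]
        if { \$keyauth ne "" } {
            HTTP::respond 200 content \$keyauth "Content-Type" "text/plain"
        } else {
            log local0. "Responding with 404 to ACME challenge \$token"
            HTTP::respond 404 content "Not Found"
        }
    }
}
EOF
}

# Dispatch on dehydrated's first argument; other hook points are ignored.
if [ $# -gt 0 ]; then
    handler="$1"; shift
    case "$handler" in
        deploy_challenge|clean_challenge|deploy_cert) "$handler" "$@" ;;
        print_irule) print_irule ;;
    esac
fi
```

Point dehydrated at the script explicitly with `HOOK=/path/to/hook.sh` in its config rather than relying on the working directory, and check off-box with `TMSH=echo sh hook.sh deploy_challenge example.com tokfile keyauth` that the emitted tmsh line names the partition and data group the iRule actually queries; a mismatch between those two is exactly what produces the 404 in the thread's log.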