Let's Encrypt on a Big-IP
Problem this snippet solves:
It is now possible to make use of Let's Encrypt certificates and maintain them on the Big-IP.
Code:
http://wiki.lnxgeek.org/doku.php/howtos:let_s_encrypt_-_how_to_issue_certificates_from_a_bigip
- Brad_Baker (Cirrus)
Awesome - I hadn't realized lets-encrypt.sh was really just dehydrated. I've swapped them out. Thanks for the help!
- Nicolas_Ross (Nimbostratus)
This is a hook script for the dehydrated shell script to interface with Let's Encrypt. Use a recent version of the client and it will already support ACME v2. https://github.com/dehydrated-io/dehydrated
- Brad_Baker (Cirrus)
We just recently received a notice from Let's Encrypt that they are discontinuing their ACMEv1 API endpoint and we have to switch to ACMEv2. Are there any plans to modify this to support ACMEv2?
Hi Luca
Thanks for the feedback :-)
What I would do regarding the mail script is to run it manually. Take out the send_mail parts of the wrapper script, just make a dummy one, and see how far you get.
Also check that the log file is not blank and that you are using the right one when you send the mail.
/Thomas
- Luca_Comes (Cirrus)
Dear all, I've configured this procedure on my Big-IP and it works fine, great job! I have only an issue with the send_mail script: it seems to work, but the email it sends me is empty. I've tried to enable expect logging (log_user=1) and I can see the correct connection to the mail server. Have you any idea what I can check?
Thank you in advance
Luca
Hi Michael
There are a lot of limitations to what you can do on the filesystem, as SELinux blocks execution, so you can't just put files wherever you like (tried it :-) ).
What I do is sync the content manually. I think you can make it more automatic by including this in the hook file as an action after deployment of the certificates.
/Thomas
- Firewally (Nimbostratus)
Hi, thanks for the introduction to running letsencrypt on BIG-IPs. What needs to be done to sync the /shared/letsencrypt and /var/www/dehydrated directories within the default sync-failover device group, or an existing automatic sync-failover group, to all group members?
greetings Michael
- Jens_Deprez (Nimbostratus)
Hey guys, I managed to fix the issues. It seemed there was a typo in hook.sh. Another factor that made the script fail was the location of hook.sh; it seems that the current Dehydrated doesn't look for it in the same folder.
After editing the config I can request certificates without any issues. However, certificates with SAN values still give an error; is this a known issue?
Cheers, Jens
- mperry44_281385 (Nimbostratus)
I'm getting "Challenge is invalid", which is understandable since DNS has not been updated with the TXT record. So my question is: after running the script, do I add the token value presented after "token": to the DNS server as a TXT record?
ERROR: Challenge is invalid! (returned: invalid) (result: { "type": "dns-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:dns", "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.my.example.com", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/cdsuhihdfushduhfisuhuhsufhushdfauiiuf", "token": "jsifneriufhsfnasuhnfasnruafegigsi-si" })
- Jens_Deprez (Nimbostratus)
I checked the hook.sh file, and changed the code so it reflects the correct partitions. This still seems to fail. A second check with a setup using the Common partition also fails. Does anyone know if there is a certain setting that can prevent the population of the data group?
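To make the dehydrated hook interface discussed in this thread concrete (the hook script Nicolas mentions, the dns-01 TXT record behind the NXDOMAIN error, and the data group Jens is trying to populate), here is an added skeleton hook; it is not the script from the linked wiki page. It assumes tmsh is at /usr/bin/tmsh, a data group named /Common/acme_challenges and an object prefix /Common/le_; set TMSH=echo to dry-run it off the box.

```shell
#!/usr/bin/env bash
# Added example hook for dehydrated on a BIG-IP (not the linked wiki's hook.sh).
# dehydrated runs the hook as:  hook.sh <action> <args...>
# Assumptions: TMSH is the BIG-IP tmsh binary (TMSH=echo dry-runs), DATAGROUP and
# CERT_PREFIX are placeholder object names that a real deployment would change.
set -u
TMSH="${TMSH:-/usr/bin/tmsh}"
DATAGROUP="${DATAGROUP:-/Common/acme_challenges}"   # assumed data-group name
CERT_PREFIX="${CERT_PREFIX:-/Common/le_}"           # assumed cert/key object prefix

# dns-01: the CA queries _acme-challenge.<domain> TXT and expects the token value.
# The NXDOMAIN in the thread means this record was never published for the domain.
dns_challenge_record() {
    printf '_acme-challenge.%s TXT %s' "$1" "$2"
}

# http-01: the BIG-IP answers /.well-known/acme-challenge/<token_filename> from a
# data group, so the hook stores token_filename -> token_value while validating.
deploy_challenge() {
    local domain="$1" token_filename="$2" token_value="$3"
    "$TMSH" modify ltm data-group internal "$DATAGROUP" records add { "$token_filename" { data "$token_value" } }
}

clean_challenge() {
    local domain="$1" token_filename="$2" token_value="$3"
    "$TMSH" modify ltm data-group internal "$DATAGROUP" records delete { "$token_filename" }
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Installs key and full chain under one object name and saves the config.
deploy_cert() {
    local domain="$1" keyfile="$2" certfile="$3" fullchainfile="$4" chainfile="$5" timestamp="$6"
    local name="${CERT_PREFIX}${domain}"
    "$TMSH" install sys crypto key "$name" from-local-file "$keyfile"
    "$TMSH" install sys crypto cert "$name" from-local-file "$fullchainfile"
    "$TMSH" save sys config
}

# Dispatcher: other dehydrated actions (unchanged_cert, exit_hook, ...) are ignored.
if [ "$#" -gt 0 ]; then
    case "$1" in
        deploy_challenge|clean_challenge|deploy_cert) "$@" ;;
        *) : ;;
    esac
fi
```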