Automate import of SSL Certificate, Key & CRL from BIG-IP to BIG-IQ
The functionality to automate the import of SSL certificates and keys from BIG-IP to BIG-IQ is built into the product starting with BIG-IQ 7.0. This script should not be used on BIG-IQ 7.0 or later, as it has not been tested on those versions.
This script will import all supported SSL Certificates, Keys and CRLs that exist as unmanaged objects on this BIG-IQ and can be found on the target BIG-IP.
Steps performed by the script:
- Gather certificate and key metadata (including cache-path) from BIG-IPs
- Download certificate and key file data from BIG-IPs
- Upload certificate and key file data to BIG-IQ
Prerequisite: Discover and import LTM services before using this script. The target BIG-IP will be accessed over ssh using the BIG-IP root account.
Installation: The script must be installed in BIG-IQ under /shared/scripts:
# mkdir /shared/scripts
# chmod +x /shared/scripts/import-bigip-cert-key-crl.py
Command example:
# ./import-bigip-cert-key-crl.py <big-ip IP address>
Enter the root user's password if prompted.
Allowed command line options:
- -h: show this help message and exit
- -l LOG_FILE: log to the given file name
- --log-level {debug,info,warning,error,critical}: set logging to the given level (default: info)
- -p PORT: BIG-IP ssh port (default: 22)
Result: Configuration > Certificate Management > Certificates & Keys
[Screenshots of the Certificates & Keys page before and after running the script]
Location of the scripts on GitHub: https://github.com/f5devcentral/f5-big-iq-pm-team
In case your BIG-IQ is running on hardware:
Step 1: Install packages using pip, targeting a location of your choice
# mkdir py-modules
# pip install --target py-modules requests argparse
Step 2: Run using python2.7, adding py-modules to the python path
# PYTHONPATH=py-modules python2.7 import-bigip-cert-key-crl.py <big-ip IP address>
- RomanJ (Ret. Employee)
Hello @fwadmin, Yes it should work with BIG-IQ 6.1. Best Regards, Roman
- fwadmin (Altostratus)
Hello,
We keep getting errors on lines 27-37 (command not found), then line 40 "FILE_IMPORT_DIR: command not found" and line 42 "IMPORT_TASK_PATH: command not found".
- goodsell_116980 (Historic F5 Account)
fwadmin, please double-check how you are running the script, and ensure that it hasn't been modified from the original. From the info you've given, it sounds like the wrong interpreter is being invoked. The error messages sound like what you would get from a command shell (such as bash) not what you would expect to get from python.
The script should be run on BIG-IQ, from the directory that contains the script, using "./import-bigip-cert-key-crl.py" (followed by arguments).
- RomanJ (Ret. Employee)
It looks like you missed the first line in the script when you copy/pasted:
#!/usr/bin/env python
I just tested the script on a BIG-IQ 6.1 and it worked for me.
- fwadmin (Altostratus)
Adjusted that, now getting the below:

Repeat with additional target BIG-IPs to import more file objects.
./import-bigip-cert-key-crl.py x.x.x.x
Traceback (most recent call last):
  File "./import-bigip-cert-key-crl.py", line 651, in <module>
    sys.exit(main())
  File "./import-bigip-cert-key-crl.py", line 639, in main
    with SshConnection(arguments.bigip, arguments.port) as conn:
  File "./import-bigip-cert-key-crl.py", line 308, in __init__
    self._start_master_proc()
  File "./import-bigip-cert-key-crl.py", line 424, in _start_master_proc
    "ssh connection failed, exit code: %d" % master_rc)
StandardError: ssh connection failed, exit code: 255
- RomanJ (Ret. Employee)
Do you have SSH (port 22) open between BIG-IQ and BIG-IP?
Could you manually ssh to your BIG-IP from BIG-IQ to confirm there are no communication issues?
- fwadmin (Altostratus)
That was it thanks for your help! Script Works Great!
- megakoresh (Nimbostratus)
Hello, we also have an issue running the script on BIG-IQ. When we run the script from BIG-IQ, it throws a pickle EOF exception. So we took the lines that are to be evaluated on the BIG-IP:

import f5.mcp, pickle
# Include only the few attributes we care about, since not everything can be pickled/unpickled.
attrs=["cache_path","name","checksum","passphrase"]
# Function to translate objects into a pickleable form.
m=lambda d: dict((k,v) for (k,v) in d.items() if k in attrs)
# Stub just to test
object_type = 'certificate_key_file_object'
r=f5.mcp.MCPConnection().query_all("' + object_type + '")
print pickle.dumps([m(o) for o in r])
And tried running that on the BIG-IP to see what happens and got:

    r=f5.mcp.MCPConnection().query_all("' + object_type + '")
  File "/usr/lib/python2.6/f5/mcp/__init__.py", line 182, in __call__
    raise McpError, "Incompatible Version"
_pymcp.McpError: Incompatible Version

Google is for once completely useless; it seems we are the first to have this issue. The mcp submodule does not have any documentation either. Can you help? We have around 500 certs on 20+ load balancers and we really need this script to bulk-import them all.
- RomanJ (Ret. Employee)
@megakoresh,
- Could you share the exception you are facing (copy/paste the output)?
- Could you confirm you can ssh to the BIG-IPs from BIG-IQ?
- Could you confirm you have #!/usr/bin/env python in the first line of the file?
- Which version of BIG-IQ and BIG-IP are you using?
Thanks & Regards, Roman
- goodsell_116980 (Historic F5 Account)
megakoresh, there's a problem with your test script that is producing the Incompatible Version error. Change this line:
r=f5.mcp.MCPConnection().query_all("' + object_type + '");
To:
r=f5.mcp.MCPConnection().query_all(object_type);
And see if that produces properly pickled output.
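As an added illustration of the fix goodsell describes, and of the "gather metadata" step listed at the top of the page, here is example code that is not part of the DevCentral script: the BIG-IQ side interpolates the MCP object type into the remote Python snippet (validating it first, since the snippet runs as root on the BIG-IP), and the attribute filter plus pickle round-trip is shown on constructed sample data. The f5.mcp call itself only appears inside the generated string, so the block runs offline; ATTRS and the object type name come from the thread, everything else is assumed.

```python
import pickle
import re

# Attributes kept by the DevCentral script (names taken from the thread above):
# full MCP objects cannot be pickled, so only these are carried back to BIG-IQ.
ATTRS = ["cache_path", "name", "checksum", "passphrase"]

# An MCP object type is a plain identifier; reject anything else before it is
# spliced into a command that runs as root on the BIG-IP.
_OBJECT_TYPE_RE = re.compile(r"^[a-z][a-z0-9_]*$")

def is_safe_object_type(object_type):
    return bool(_OBJECT_TYPE_RE.match(object_type))

def build_remote_snippet(object_type):
    """Return the Python 2 one-liner the BIG-IQ side sends to the BIG-IP over ssh.

    object_type is interpolated here, so the BIG-IP executes
    query_all('certificate_key_file_object'); copying the template out
    verbatim leaves the literal "' + object_type + '" seen in the thread."""
    if not is_safe_object_type(object_type):
        raise ValueError("refusing to interpolate object type %r" % object_type)
    parts = [
        "import f5.mcp, pickle",
        "attrs=%r" % (ATTRS,),
        "m=lambda d: dict((k,v) for (k,v) in d.items() if k in attrs)",
        "r=f5.mcp.MCPConnection().query_all('%s')" % object_type,
        "print pickle.dumps([m(o) for o in r])",
    ]
    return "; ".join(parts)

def pack_objects(raw_objects):
    """BIG-IP side: what the snippet does with the query_all() results."""
    keep = lambda d: dict((k, v) for (k, v) in d.items() if k in ATTRS)
    return pickle.dumps([keep(o) for o in raw_objects], protocol=2)

def unpack_objects(blob):
    """BIG-IQ side. pickle.loads trusts its input completely; the script can
    afford that only because the blob comes from a root ssh session to a
    BIG-IP that the operator already controls."""
    return pickle.loads(blob)

# Constructed sample of a query_all() result; not real BIG-IP output.
SAMPLE_MCP_OBJECTS = [
    {"name": "default.key", "checksum": "SHA1:1704:constructed", "passphrase": "",
     "cache_path": "/config/filestore/files_d/Common_d/certificate_key_d/:Common:default.key_1_1",
     "mode": 384},  # "mode" is not in ATTRS and is dropped by the filter
]
```

Pasting the literal template, as megakoresh did, makes is_safe_object_type reject the value instead of letting the BIG-IP report "Incompatible Version".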